Prioritizing Bayes network alerts

US 7,379,993 B2
Filed: 09/13/2001
Issued: 05/27/2008
Est. Priority Date: 09/13/2001
Status: Active Grant

First Claim

Patent Images

1. In a computer network having an information security device that generates alerts when attacks or anomalous incidents are detected, a method for prioritizing alerts comprising the steps of:

receiving alerts from the information security device;

examining the received alerts for the presence of one or more relevant features;

providing a summary or list of the features from at least a subset of the received alerts to a Bayes network for analysis; and

assigning priority scores to at least a subset of the received alerts, the priority scores reflecting an importance of an associated alert relative to other alerts and being based at least in part on the analysis performed by the Bayes network,where the Bayes network uses conditional probability tables (CPTs) to model potential influence of alert features on the priority scores, the CPTs including one or more rows that correspond to priority score states and one or more columns that correspond to alert feature states such that an element at an intersection of a row and a column of a CPT represents a likelihood of a priority score state given an alert feature state, where the CPTs are adjusted in response to a dominant priority score by adapting a first row of the CPT, the first row of the CPT corresponding to the dominant priority score, to increase a measure of likelihood of the dominant priority score across alert feature states represented in the first row, the adapting comprising;

converting each element in the first row of the CPT to an effective count to produce one or more effective counts, an effective count indicating a number of times that the dominant priority score has been observed for a corresponding alert feature state, wherein the dominant priority score is added as an additional effective count distributed over the alert feature states represented in the first row;

normalizing the first row of the CPT; and

recomputing the one or more effective counts for all priority score states.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention uses Bayesian techniques to prioritize alerts or alert groups generated by intrusion detection systems and other information security devices, such as network analyzers, network monitors, firewalls, antivirus software, authentication services, host and application security services, etc. In a preferred embodiment, alerts are examined for the presence of one or more relevant features, such as the type of an attack, the target of an attack, the outcome of an attack, etc. At least a subset of the features is then provided to a real-time Bayes network, which assigns relevance scores to the received alerts or alert groups. In another embodiment, a network manager (a person) can disagree with the relevance score assigned by the Bayes network, and give an alert or alert group a different relevance score. The Bayes network is then modified so that similar future alerts or alert groups will be assigned a relevance score that more closely matches the score given by the network manager.

67 Citations

View as Search Results

8 Claims

1. In a computer network having an information security device that generates alerts when attacks or anomalous incidents are detected, a method for prioritizing alerts comprising the steps of:
- receiving alerts from the information security device;
  
  examining the received alerts for the presence of one or more relevant features;
  
  providing a summary or list of the features from at least a subset of the received alerts to a Bayes network for analysis; and
  
  assigning priority scores to at least a subset of the received alerts, the priority scores reflecting an importance of an associated alert relative to other alerts and being based at least in part on the analysis performed by the Bayes network,where the Bayes network uses conditional probability tables (CPTs) to model potential influence of alert features on the priority scores, the CPTs including one or more rows that correspond to priority score states and one or more columns that correspond to alert feature states such that an element at an intersection of a row and a column of a CPT represents a likelihood of a priority score state given an alert feature state, where the CPTs are adjusted in response to a dominant priority score by adapting a first row of the CPT, the first row of the CPT corresponding to the dominant priority score, to increase a measure of likelihood of the dominant priority score across alert feature states represented in the first row, the adapting comprising;
  
  converting each element in the first row of the CPT to an effective count to produce one or more effective counts, an effective count indicating a number of times that the dominant priority score has been observed for a corresponding alert feature state, wherein the dominant priority score is added as an additional effective count distributed over the alert feature states represented in the first row;
  
  normalizing the first row of the CPT; and
  
  recomputing the one or more effective counts for all priority score states.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the features are selected from the following group:
    - attack or incident type;
      
      attack or incident outcome;
      
      attack or incident source;
      
      the information security device'"'"'s confidence level in the attack or incident type and attack or incident outcome; and
      
      network assets affected by the attack or incident.
  - 3. The method of claim 1 wherein the CPTs include asset relevance information that includes one or more vulnerabilities selected from the following group:
    - an asset'"'"'s operating system vulnerabilities;
      
      an asset'"'"'s hardware vulnerabilities; and
      
      an asset'"'"'s application vulnerabilities.
  - 4. The method of claim 3 further comprising the steps of:
    - comparing the priority score with a second priority score provided by a network operator; and
      
      adding a new row, weighted towards the second priority score, to one or more of the CPTs.
  - 5. The method of claim 1, wherein an amount that a CPT is adjusted in response to a dominant priority score is inversely proportional to a frequency with which the dominant priority score is observed.
  - 6. The method of claim 1, wherein the normalizing comprises:
    - summing all elements in the first row of the CPT to produce a sum; and
      
      dividing each element in the first row of the CPT by the sum.

7. In a computer network that has a plurality of information security devices, each of which generates alerts when attacks or anomalous incidents are detected, a method for prioritizing groups of related alerts comprising the steps of:
- receiving the groups of related alerts;
  
  examining the received groups for the presence of one or more relevant features;
  
  providing a summary or list of the features from at least a subset of the received groups to a Bayes network for analysis; and
  
  assigning priority scores to at least a subset of the received groups, the priority scores reflecting an importance of an associated alert relative to other alerts and being based at least in part on the analysis performed by the Bayes network,where the Bayes network uses conditional probability tables (CPTs) to model potential influence of alert features on the priority scores, the CPTs including one or more rows that correspond to states of the priority scores and one or more columns that correspond to states of the alert features such that an element at an intersection of a row and a column of a CPT represents a likelihood of a priority score state given an alert feature state, where the CPTs are adjusted in response to a dominant priority score by adapting a first row of the CPT, the first row of the CPT corresponding to the dominant priority score, to increase a measure of likelihood of the dominant priority score across alert feature states represented in the first row, the adapting comprising;
  
  converting each element in the first row of the CPT to an effective count to produce one or more effective counts, an effective count indicating a number of times that the dominant priority score has been observed for a corresponding alert feature state, wherein the dominant priority score is added as an additional effective count distributed over the alert feature states represented in the first row;
  
  normalizing the first row of the CPT; and
  
  recomputing the one or more effective counts for all priority score states.

8. In a computer network having an information security device that generates alerts when attacks or anomalous incidents are detected, a method for assigning a priority score to alerts comprising the steps of:
- receiving a first alert;
  
  examining the first alert for the presence of one or more relevant features;
  
  providing a summary or list of the features from the first alert to a Bayes network for analysis;
  
  assigning a priority score to the first alert, the priority score reflecting an importance of an associated alert relative to other alerts and being based at least in part on the analysis performed by the Bayes network, where the Bayes network uses conditional probability tables (CPTs) to model potential influence of alert features on the priority scores, the CPTs including one or more rows that correspond to states of the priority scores and one or more columns that correspond to states of the alert features such that an element at an intersection of a row and a column of a CPT represents a likelihood of a priority score state given an alert feature state, where the CPTs are adjusted in response to a dominant priority scoreby adapting a first row of the CPT, the first row of the CPT corresponding to the dominant priority score, to increase a measure of likelihood of the dominant priority score across alert feature states represented in the first row, the adapting comprising;
  
  converting each element in the first row of the CPT to an effective count to produce one or more effective counts, an effective count indicating a number of times that the dominant priority score has been observed for a corresponding alert feature state, wherein the dominant priority score is added as an additional effective count distributed over the alert feature states represented in the first row;
  
  normalizing the first row of the CPT; and
  
  recomputing the one or more effective counts for all priority score states;
  
  receiving a second priority score from a network operator, the second priority score reflecting an importance of the first alert relative to other alerts; and
  
  modifying the Bayes network such that when a subsequent alert similar to the first alert is analyzed by the Bayes network, the subsequent alert is assigned a priority score that more closely matches the second priority score.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Valdes, Alfonso De Jesus, Fong, Martin Wayne, Porras, Phillip Andrew
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Bruckart, Benjamin R.

Application Number

US09/952,080
Publication Number

US 20030093514A1
Time in Patent Office

2,448 Days
Field of Search

709/224, 709/223, 709/226, 709/229, 713/164, 713/188, 718/102, 718/103, 379/38.09, 726/22, 726/23, 726/25
US Class Current

709/224
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 41/16   using machine learning or a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Prioritizing Bayes network alerts

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Prioritizing Bayes network alerts

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links