Incident triage engine
First Claim
1. A method, comprising:
storing, by a device, a response queue that includes a list of a plurality of incidents within a computer network, the computer network including a plurality of linked network devices, the plurality of incidents including one or more of: a denial of service attack, a virus, a worm, a Trojan horse, a backdoor, or a cookie tracker;
determining, by the device, a plurality of different arrangements of the plurality of incidents within the list, of the plurality of incidents, included in the response queue, the plurality of different arrangements of the plurality of incidents including all possible arrangements of the plurality of incidents within the list;
receiving, by the device and for each of the plurality of incidents, a remediation time associated with a course of action for resolving each of the plurality of incidents;
calculating, by the device and for each of the plurality of incidents, a loss forecast based on a total time to resolve each of the plurality of incidents, the total time to resolve each of the plurality of incidents being based on a sum of the remediation time of each of the plurality of incidents and remediation times of incidents, of the plurality of incidents, at earlier positions in the list of the plurality of incidents;
calculating, by the device and for each of the plurality of different arrangements of the plurality of incidents, a cumulative queue loss forecast based on a sum of the loss forecasts calculated for each of the plurality of incidents;
arranging, by the device, an order of the plurality of incidents within the list included in the response queue according to an arrangement of the plurality of incidents with a smallest cumulative queue loss forecast;
executing, by the device, a particular course of action associated with a particular incident arranged first in the order of the plurality of incidents within the list included in the response queue; and
repeating, by the device, the determining the plurality of different arrangements of the plurality of incidents, the calculating the cumulative queue loss forecast, and the arranging the order of the plurality of incidents within the list when a new incident is added to the list of the plurality of incidents or when an incident is removed from the list of the plurality of incidents.
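The ordering procedure of claim 1, worked through as an added Python example (an illustration written for this page, not code from the patent or its assignee). The claim does not specify a loss model, so the example assumes each incident carries a loss rate per unit time and that an incident's loss forecast is that rate multiplied by the total time it stays open (its own remediation time plus the remediation times of everything ahead of it in the list). The `Incident`, `ResponseQueue`, `best_arrangement` and `smith_rule` names and all sample numbers are constructed for the example. It enumerates every arrangement as the claim recites, re-runs the arrangement whenever an incident is added or removed, and cross-checks the exhaustive result against Smith's rule, which yields the same optimum for a linear loss model without enumerating n! orders.

```python
"""Added illustration of the claim-1 queue ordering; not the patent's own code.
Assumed loss model: loss forecast = loss_rate * total time the incident stays open."""
from dataclasses import dataclass
from itertools import permutations
from typing import List, Tuple


@dataclass(frozen=True)
class Incident:
    name: str
    remediation_time: float  # time the course of action takes to resolve the incident
    loss_rate: float         # assumed attribute: forecast loss per unit time while open


def loss_forecast(incident: Incident, total_time: float) -> float:
    """Loss forecast for one incident given the total time until it is resolved."""
    return incident.loss_rate * total_time


def cumulative_queue_loss(order: Tuple[Incident, ...]) -> float:
    """Sum of the loss forecasts of every incident for one arrangement of the list.
    Each incident's total time is its own remediation time plus those ahead of it."""
    total = 0.0
    elapsed = 0.0
    for inc in order:
        elapsed += inc.remediation_time
        total += loss_forecast(inc, elapsed)
    return total


def best_arrangement(incidents: List[Incident]) -> Tuple[List[Incident], float]:
    """Enumerate all possible arrangements, as the claim recites, and keep the one
    with the smallest cumulative queue loss forecast. This is n! orders, so it is
    practical only for a handful of incidents."""
    best_order: List[Incident] = []
    best_loss = float("inf")
    for order in permutations(incidents):
        loss = cumulative_queue_loss(order)
        if loss < best_loss:
            best_order, best_loss = list(order), loss
    return best_order, best_loss


def smith_rule(incidents: List[Incident]) -> List[Incident]:
    """Cross-check: with a linear loss model the problem is minimising a weighted sum
    of completion times, which sorting on remediation_time / loss_rate solves exactly
    (Smith's rule), so the O(n log n) sort must agree with the exhaustive search."""
    return sorted(incidents, key=lambda i: i.remediation_time / i.loss_rate)


class ResponseQueue:
    """Response queue that re-runs the arrangement when an incident is added or removed."""

    def __init__(self, incidents=()):
        self.incidents: List[Incident] = list(incidents)
        self.forecast = 0.0
        self._rearrange()

    def _rearrange(self) -> None:
        if self.incidents:
            self.incidents, self.forecast = best_arrangement(self.incidents)
        else:
            self.forecast = 0.0

    def add(self, incident: Incident) -> None:
        self.incidents.append(incident)
        self._rearrange()  # the "repeating" step of the claim

    def remove(self, name: str) -> None:
        self.incidents = [i for i in self.incidents if i.name != name]
        self._rearrange()

    def execute_first(self) -> Incident:
        """Execute the course of action for the incident at the head of the queue;
        taking it off the list triggers a fresh arrangement of what remains."""
        first = self.incidents[0]
        self.remove(first.name)
        return first

    def order(self) -> List[str]:
        return [i.name for i in self.incidents]


# Constructed sample incidents; the numbers are illustrative, not from the patent.
SAMPLE_INCIDENTS = [
    Incident("cookie-tracker", remediation_time=1.0, loss_rate=10.0),
    Incident("worm", remediation_time=4.0, loss_rate=300.0),
    Incident("dos", remediation_time=2.0, loss_rate=500.0),
    Incident("backdoor", remediation_time=3.0, loss_rate=400.0),
]

if __name__ == "__main__":
    q = ResponseQueue(SAMPLE_INCIDENTS)
    print(q.order(), q.forecast)
    assert q.order() == [i.name for i in smith_rule(SAMPLE_INCIDENTS)]
    q.add(Incident("virus", remediation_time=1.0, loss_rate=200.0))
    print(q.order(), q.forecast)
    done = q.execute_first()
    print("executed", done.name, "->", q.order(), q.forecast)
```

With the constructed numbers the exhaustive search puts the denial of service first and the cookie tracker last, matching Smith's rule; adding a virus and then executing the head incident each trigger a re-ordering of the remaining list. The exhaustive enumeration is what the claim describes, but a practitioner would rely on the sort for any queue beyond about nine or ten incidents, since the permutation count grows factorially.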
Abstract
An incident triage engine performs incident triage in a system by prioritizing responses to incidents within the system. One prioritization method may include receiving attributes of incidents and assets in the system, generating cumulative loss forecasts for the incidents, and prioritizing the responses to the incidents based on the cumulative loss forecasts for the incidents. Another prioritization method may include determining different arrangements of incidents within a response queue, calculating cumulative queue loss forecasts for the different arrangements of incidents within the response queue, and arranging the incidents in the response queue based on the arrangement of incidents that minimizes the total loss to the system over the resolution of all of the incidents present in the response queue.
27 Claims
1. A method, comprising:
storing, by a device, a response queue that includes a list of a plurality of incidents within a computer network, the computer network including a plurality of linked network devices, the plurality of incidents including one or more of: a denial of service attack, a virus, a worm, a Trojan horse, a backdoor, or a cookie tracker;
determining, by the device, a plurality of different arrangements of the plurality of incidents within the list, of the plurality of incidents, included in the response queue, the plurality of different arrangements of the plurality of incidents including all possible arrangements of the plurality of incidents within the list;
receiving, by the device and for each of the plurality of incidents, a remediation time associated with a course of action for resolving each of the plurality of incidents;
calculating, by the device and for each of the plurality of incidents, a loss forecast based on a total time to resolve each of the plurality of incidents, the total time to resolve each of the plurality of incidents being based on a sum of the remediation time of each of the plurality of incidents and remediation times of incidents, of the plurality of incidents, at earlier positions in the list of the plurality of incidents;
calculating, by the device and for each of the plurality of different arrangements of the plurality of incidents, a cumulative queue loss forecast based on a sum of the loss forecasts calculated for each of the plurality of incidents;
arranging, by the device, an order of the plurality of incidents within the list included in the response queue according to an arrangement of the plurality of incidents with a smallest cumulative queue loss forecast;
executing, by the device, a particular course of action associated with a particular incident arranged first in the order of the plurality of incidents within the list included in the response queue; and
repeating, by the device, the determining the plurality of different arrangements of the plurality of incidents, the calculating the cumulative queue loss forecast, and the arranging the order of the plurality of incidents within the list when a new incident is added to the list of the plurality of incidents or when an incident is removed from the list of the plurality of incidents.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A non-transitory computer-readable storage medium storing instructions, the instructions comprising:
one or more instructions which, when executed by at least one processor, cause the at least one processor to:
store a response queue that includes a list of a plurality of incidents within a computer network, the computer network including a plurality of linked network devices, the plurality of incidents including one or more of: a denial of service attack, a virus, a worm, a Trojan horse, a backdoor, or a cookie tracker;
determine a plurality of different arrangements of the plurality of incidents within the list, of the plurality of incidents, included in the response queue, the plurality of different arrangements of the plurality of incidents including all possible arrangements of the plurality of incidents within the list;
receive, for each of the plurality of incidents, a remediation time associated with a course of action for resolving each of the plurality of incidents;
calculate, for each of the plurality of incidents, a loss forecast based on a total time to resolve each of the plurality of incidents, the total time to resolve each of the plurality of incidents being based on a sum of the remediation time of each of the plurality of incidents and remediation times of incidents, of the plurality of incidents, at earlier positions in the list of the plurality of incidents;
calculate, for each of the plurality of different arrangements of the plurality of incidents, a cumulative queue loss forecast based on a sum of the loss forecasts calculated for each of the plurality of incidents;
arrange an order of the plurality of incidents within the list included in the response queue according to an arrangement of the plurality of incidents with a smallest cumulative queue loss forecast;
execute a particular course of action associated with a particular incident arranged first in the order of the plurality of incidents within the list included in the response queue; and
repeat the determining the plurality of different arrangements of the plurality of incidents, the calculating the cumulative queue loss forecast, and the arranging the order of the plurality of incidents within the list when a new incident is added to the list of the plurality of incidents or when an incident is removed from the list of the plurality of incidents.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
19. A system, comprising:
one or more devices to:
store a response queue that includes a list of a plurality of incidents within a computer network, the computer network including a plurality of linked network devices, the plurality of incidents including one or more of: a denial of service attack, a virus, a worm, a Trojan horse, a backdoor, or a cookie tracker;
determine a plurality of different arrangements of the plurality of incidents within the list, of the plurality of incidents, included in the response queue, the plurality of different arrangements of the plurality of incidents including all possible arrangements of the plurality of incidents within the list;
receive, for each of the plurality of incidents, a remediation time associated with a course of action for resolving each of the plurality of incidents;
calculate, for each of the plurality of incidents, a loss forecast based on a total time to resolve each of the plurality of incidents, the total time to resolve each of the plurality of incidents being based on a sum of the remediation time of each of the plurality of incidents and remediation times of incidents, of the plurality of incidents, at earlier positions in the list of the plurality of incidents;
calculate, for each of the plurality of different arrangements of the plurality of incidents, a cumulative queue loss forecast based on a sum of the loss forecasts calculated for each of the plurality of incidents;
arrange an order of the plurality of incidents within the list included in the response queue according to an arrangement of the plurality of incidents with a smallest cumulative queue loss forecast;
execute a particular course of action associated with a particular incident arranged first in the order of the plurality of incidents within the list included in the response queue; and
repeat the determining the plurality of different arrangements of the plurality of incidents, the calculating the cumulative queue loss forecast, and the arranging the order of the plurality of incidents within the list when a new incident is added to the list of the plurality of incidents or when an incident is removed from the list of the plurality of incidents.
Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27.
Specification