Incident triage engine

US 9,369,481 B2
Filed: 04/08/2014
Issued: 06/14/2016
Est. Priority Date: 10/07/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

storing, by a device, a response queue that includes a list of a plurality of incidents within a computer network,the computer network including a plurality of linked network devices,the plurality of incidents including one or more of;

a denial of service attack,a virus,a worm,a Trojan horse,a backdoor, ora cookie tracker;

determining, by the device, a plurality of different arrangements of the plurality of incidents within the list, of the plurality of incidents, included in the response queue,the plurality of different arrangements of the plurality of incidents including all possible arrangements of the plurality of incidents within the list;

receiving, by the device and for each of the plurality of incidents, a remediation time associated with a course of action for resolving each of the plurality of incidents;

calculating, by the device and for each of the plurality of incidents, a loss forecast based on a total time to resolve each of the plurality of incidents,the total time to resolve each of the plurality of incidents being based on sum of the remediation time of each of the plurality of incidents and remediation times of incidents, of the plurality of incidents, at earlier positions in the list of the plurality of incidents;

calculating, by the device and for each of the plurality of different arrangements of the plurality of incidents, a cumulative queue loss forecast based on a sum of the loss forecasts calculated for each of the plurality of incidents;

arranging, by the device, an order of the plurality of incidents within the list included in the response queue according to an arrangement of the plurality of incidents with a smallest cumulative queue loss forecast;

executing, by the device, a particular course of action associated with a particular incident arranged first in the order of the plurality of incidents within the list included in the response queue; and

repeating, by the device, the determining the plurality of different arrangements of the plurality of incidents, the calculating the cumulative queue loss forecast, and the arranging the order of the plurality of incidents within the list when a new incident is added to the list of the plurality of incidents or when an incident is removed from the list of the plurality of incidents.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An incident triage engine performs incident triage in a system by prioritizing responses to incidents within the system. One prioritization method may include receiving attributes of incidents and assets in the system, generating cumulative loss forecasts for the incidents, and prioritizing the responses to the incidents based on the cumulative loss forecasts for the incidents. Another prioritization method may include determining different arrangements of incidents within a response queue, calculating cumulative queue loss forecasts for the different arrangements of incidents within the response queue, and arranging the incidents in the response queue based on the arrangement of incidents that minimizes the total loss to the system over the resolution of all of the incidents present in the response queue.

Citations

27 Claims

1. A method, comprising:
- storing, by a device, a response queue that includes a list of a plurality of incidents within a computer network,the computer network including a plurality of linked network devices,the plurality of incidents including one or more of;
  
  a denial of service attack,a virus,a worm,a Trojan horse,a backdoor, ora cookie tracker;
  
  determining, by the device, a plurality of different arrangements of the plurality of incidents within the list, of the plurality of incidents, included in the response queue,the plurality of different arrangements of the plurality of incidents including all possible arrangements of the plurality of incidents within the list;
  
  receiving, by the device and for each of the plurality of incidents, a remediation time associated with a course of action for resolving each of the plurality of incidents;
  
  calculating, by the device and for each of the plurality of incidents, a loss forecast based on a total time to resolve each of the plurality of incidents,the total time to resolve each of the plurality of incidents being based on sum of the remediation time of each of the plurality of incidents and remediation times of incidents, of the plurality of incidents, at earlier positions in the list of the plurality of incidents;
  
  calculating, by the device and for each of the plurality of different arrangements of the plurality of incidents, a cumulative queue loss forecast based on a sum of the loss forecasts calculated for each of the plurality of incidents;
  
  arranging, by the device, an order of the plurality of incidents within the list included in the response queue according to an arrangement of the plurality of incidents with a smallest cumulative queue loss forecast;
  
  executing, by the device, a particular course of action associated with a particular incident arranged first in the order of the plurality of incidents within the list included in the response queue; and
  
  repeating, by the device, the determining the plurality of different arrangements of the plurality of incidents, the calculating the cumulative queue loss forecast, and the arranging the order of the plurality of incidents within the list when a new incident is added to the list of the plurality of incidents or when an incident is removed from the list of the plurality of incidents.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein the plurality of linked network devices includes one or more of:
    - a database server,an application server,a firewall,an intrusion detection system,a router,a switch,a bridge,a repeater, oran end point device.
  - 3. The method according to claim 1, the method further comprising:
    - receiving attributes of the computer network, attributes of the plurality of linked network devices, and attributes of the plurality of incidents; and
      
      where calculating the cumulative queue loss forecast comprises;
      
      calculating the cumulative queue loss forecast based on the attributes of the computer network, the attributes of the plurality of linked network devices, and the attributes of the plurality of incidents.
  - 4. The method according to claim 3, wherein machine learning is used to associate each of the plurality of incidents with a course of action for resolving each of the plurality of incidents.
  - 5. The method according to claim 3, the method further comprising:
    - executing courses of action, associated with the plurality of incidents, in the order of the plurality of incidents within the list included in the response queue.
  - 6. The method according to claim 3, wherein the determining the plurality of different arrangements of the plurality of incidents, the calculating the cumulative queue loss forecast, and the arranging the order of the plurality of incidents within the list are continuously performed.
  - 7. The method according to claim 3, wherein:
    - the attributes of the computer network include an environmental factors attribute;
      
      the attributes of the plurality of incidents include one or more of an incident morbidity attribute or an incident infectiousness attribute,where the incident morbidity attribute includes one or more of a confidentiality impact of an incident, an integrity impact of an incident, an availability impact of an incident, a progression speed of an incident, or an incubation time of an incident, andwhere the incident infectiousness attribute includes one or more of a potency of an incident, a transmission mode of an incident, or a latency period of an incident; and
      
      the attributes of the plurality of linked network devices include one or more of a value attribute or an immunity attribute,where the value attribute includes one or more of a confidentiality value of a network device, an integrity value of a network device, an availability value of a network device, or a substitutability value of a network device, andwhere the immunity attribute includes a susceptibility value of a network device.
  - 8. The method according to claim 7, wherein the incident infectiousness attribute includes a value identifying an ability of an incident to spread to the plurality of linked network devices of the computer network.
  - 9. The method according to claim 7, wherein:
    - the environmental factors attribute includes a value identifying an ability of the computer network to limit a spread of incidents to the plurality of linked network devices.

10. A non-transitory computer-readable storage medium storing instructions, the instructions comprising:
- one or more instructions which, when executed by at least one processor, cause the at least one processor to;
  
  store a response queue that includes a list of a plurality of incidents within a computer network,the computer network including a plurality of linked network devices,the plurality of incidents including one or more of;
  
  a denial of service attack,a virus,a worm,a Trojan horse,a backdoor, ora cookie tracker;
  
  determine a plurality of different arrangements of the plurality of incidents within the list, of the plurality of incidents, included in the response queue,the plurality of different arrangements of the plurality of incidents including all possible arrangements of the plurality of incidents within the list;
  
  receive, for each of the plurality of incidents, a remediation time associated with a course of action for resolving each of the plurality of incidents;
  
  calculate, for each of the plurality of incidents, a loss forecast based on a total time to resolve each of the plurality of incidents,the total time to resolve each of the plurality of incidents being based on sum of the remediation time of each of the plurality of incidents and remediation times of incidents, of the plurality of incidents, at earlier positions in the list of the plurality of incidents;
  
  calculate, for each of the plurality of different arrangements of the plurality of incidents, a cumulative queue loss forecast based on a sum of the loss forecasts calculated for each of the plurality of incidents;
  
  arrange an order of the plurality of incidents within the list included in the response queue according to an arrangement of the plurality of incidents with a smallest cumulative queue loss forecast;
  
  execute a particular course of action associated with a particular incident arranged first in the order of the plurality of incidents within the list included in the response queue; and
  
  repeat the determining the plurality of different arrangements of the plurality of incidents, the calculating the cumulative queue loss forecast, and the arranging the order of the plurality of incidents within the list when a new incident is added to the list of the plurality of incidents or when an incident is removed from the list of the plurality of incidents.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer-readable storage medium according to claim 10, wherein the plurality of linked network devices includes one or more of:
    - a database server,an application server,a firewall,an intrusion detection system,a router,a switch,a bridge,a repeater, oran end point device.
  - 12. The computer-readable storage medium according to claim 10, further comprising:
    - one or more instructions which, when executed by the at least one processor, cause the at least one processor to;
      
      receive attributes of the computer network, attributes of the plurality of linked network devices, and attributes of the plurality of incidents; and
      
      the one or more instructions that cause the at least one processor to calculate the cumulative queue loss forecast include;
      
      one or more instructions that cause the at least one processor to calculate the cumulative queue loss forecast based on the attributes of the computer network, the attributes of the plurality of linked network devices, and the attributes of the plurality of incidents.
  - 13. The computer-readable storage medium according to claim 12, wherein machine learning is used to associate each of the plurality of incidents with a course of action for resolving each of the plurality of incidents.
  - 14. The computer-readable storage medium according to claim 12, further comprising:
    - one or more instructions which, when executed by the at least one processor, cause the at least one processor to;
      
      execute courses of action, associated with the plurality of incidents, in the order of the plurality of incidents within the list included in the response queue.
  - 15. The computer-readable storage medium according to claim 12, further comprising:
    - one or more instructions which, when executed by the at least one processor, cause the at least one processor to;
      
      continuously perform the determining the plurality of different arrangements of the plurality of incidents, the calculating the cumulative queue loss forecast, and the arranging the order of the plurality of incidents within the list.
  - 16. The computer-readable storage medium according to claim 12, wherein:
    - the attributes of the computer network include an environmental factors attribute;
      
      the attributes of the plurality of incidents include one or more of an incident morbidity attribute or an incident infectiousness attribute,where the incident morbidity attribute includes one or more of a confidentiality impact of an incident, an integrity impact of an incident, an availability impact of an incident, a progression speed of an incident, or an incubation time of an incident, andwhere the incident infectiousness attribute includes one or more of a potency of an incident, a transmission mode of an incident, or a latency period of an incident; and
      
      the attributes of the plurality of linked network devices include one or more of a value attribute or an immunity attribute,where the value attribute includes one or more of a confidentiality value of a network device, an integrity value of a network device, an availability value of a network device, or a substitutability value of a network device, andwhere the immunity attribute includes a susceptibility value of a network device.
  - 17. The computer-readable storage medium according to claim 16, wherein the incident infectiousness attribute includes a value identifying an ability of an incident to spread to the plurality of linked network devices of the computer network.
  - 18. The computer-readable storage medium according to claim 16, wherein:
    - the environmental factors attribute includes a value identifying an ability of the computer network to limit a spread of incidents to the plurality of linked network devices.

19. A system, comprising:
- one or more devices to;
  
  store a response queue that includes a list of a plurality of incidents within a computer network,the computer network including a plurality of linked network devices,the plurality of incidents including one or more of;
  
  a denial of service attack,a virus,a worm,a Trojan horse,a backdoor, ora cookie tracker;
  
  determine a plurality of different arrangements of the plurality of incidents within the list, of the plurality of incidents, included in the response queue,the plurality of different arrangements of the plurality of incidents including all possible arrangements of the plurality of incidents within the list;
  
  receive, for each of the plurality of incidents, a remediation time associated with a course of action for resolving each of the plurality of incidents;
  
  calculate, for each of the plurality of incidents, a loss forecast based on a total time to resolve each of the plurality of incidents,the total time to resolve each of the plurality of incidents being based on sum of the remediation time of each of the plurality of incidents and remediation times of incidents, of the plurality of incidents, at earlier positions in the list of the plurality of incidents;
  
  calculate, for each of the plurality of different arrangements of the plurality of incidents, a cumulative queue loss forecast based on a sum of the loss forecasts calculated for each of the plurality of incidents;
  
  arrange an order of the plurality of incidents within the list included in the response queue according to an arrangement of the plurality of incidents with a smallest cumulative queue loss forecast;
  
  execute a particular course of action associated with a particular incident arranged first in the order of the plurality of incidents within the list included in the response queue; and
  
  repeat the determining the plurality of different arrangements of the plurality of incidents, the calculating the cumulative queue loss forecast, and the arranging the order of the plurality of incidents within the list when a new incident is added to the list of the plurality of incidents or when an incident is removed from the list of the plurality of incidents.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The system according to claim 19, wherein the plurality of linked network devices includes one or more of:
    - a database server,an application server,a firewall,an intrusion detection system,a router,a switch,a bridge,a repeater, oran end point device.
  - 21. The system according to claim 19, where the one or more devices are further to:
    - receive attributes of the computer network, attributes of the plurality of linked network devices, and attributes of the plurality of incidents; and
      
      when calculating the cumulative queue loss forecast, the one or more devices are to;
      
      calculate the cumulative queue loss forecast based on the attributes of the computer network, the attributes of the plurality of linked network devices, and the attributes of the plurality of incidents.
  - 22. The system according to claim 21, wherein machine learning is used to associate each of the plurality of incidents with a course of action for resolving each of the plurality of incidents.
  - 23. The system according to claim 21, where the one or more devices are further to:
    - execute courses of action, associated with the plurality of incidents, in the order of the plurality of incidents within the list included in the response queue.
  - 24. The system according to claim 21, wherein the determining the plurality of different arrangements of the plurality of incidents, the calculating the cumulative queue loss forecast, and the arranging the order of the plurality of incidents within the list are continuously performed.
  - 25. The system according to claim 24, wherein:
    - the attributes of the computer network include an environmental factors attribute;
      
      the attributes of the plurality of incidents include one or more of an incident morbidity attribute or an incident infectiousness attribute,where the incident morbidity attribute includes one or more of a confidentiality impact of an incident, an integrity impact of an incident, an availability impact of an incident, a progression speed of an incident, or an incubation time of an incident, andwhere the incident infectiousness attribute includes one or more of a potency of an incident, a transmission mode of an incident, or a latency period of an incident; and
      
      the attributes of the plurality of linked network devices include one or more of a value attribute or an immunity attribute,where the value attribute includes one or more of a confidentiality value of a network device, an integrity value of a network device, an availability value of a network device, or a substitutability value of a network device, andwhere the immunity attribute includes a susceptibility value of a network device.
  - 26. The system according to claim 25, wherein the incident infectiousness attribute includes a value identifying an ability of an incident to spread to the plurality of linked network devices of the computer network.
  - 27. The system according to claim 25, wherein:
    - the environmental factors attribute includes a value identifying an ability of the computer network to limit a spread of incidents to the plurality of linked network devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Howes, Joshua Z., Negm, Walid, Solderitsch, James J., Jotwani, Ashish, Carver, Matthew
Primary Examiner(s)
Lemma, Samson

Application Number

US14/247,322
Publication Number

US 20140223567A1
Time in Patent Office

798 Days
Field of Search

726 22- 24, 726/25, 713187-188
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06Q 10/10   Office automation; Time man...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Incident triage engine

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Incident triage engine

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links