Claims
- 1. In a computer network having an information security device that generates alerts when attacks or anomalous incidents are detected, a method for prioritizing alerts comprising the steps of:
receiving alerts from the information security device; examining the received alerts for the presence of one or more relevant features; providing a summary or list of the features from at least a subset of the received alerts to a Bayes network for analysis; and assigning relevance scores to at least a subset of the received alerts, the relevance scores based at least in part on the analysis performed by the Bayes network.
- 2. The method of claim 1 wherein the features are selected from the following group:
attack or incident type; attack or incident outcome; attack or incident source; the information security device's confidence level in the attack or incident type and attack or incident outcome; and network resources affected by the attack or incident.
- 3. The method of claim 1 wherein the Bayes network uses conditional probability tables (CPTs) to model potential influence of the alert features on the relevance scores.
- 4. The method of claim 3 wherein the CPTs include network information selected from the following group:
the network's operating system vulnerabilities; the network's hardware vulnerabilities; the network's application vulnerabilities; and the relative importance of network resources and services to effective operation of the network.
- 5. The method of claim 4 further comprising the steps of:
comparing the relevance score with a second relevance score provided by a network operator; and adding a new row, weighted towards the second relevance score, to one or more of the CPTs.
- 6. In a computer network that has a plurality of information security devices, each of which generates alerts when attacks or anomalous incidents are detected, a method for prioritizing groups of related alerts comprising the steps of:
receiving the groups of related alerts; examining the received groups for the presence of one or more relevant features; providing a summary or list of the features from at least a subset of the received groups to a Bayes network for analysis; and assigning relevance scores to at least a subset of the received groups, the relevance scores based at least in part on the analysis performed by the Bayes network.
- 7. In a computer network having an information security device that generates alerts when attacks or anomalous incidents are detected, a method for assigning a relevance score to alerts comprising the steps of:
receiving a first alert; examining the first alert for the presence of one or more relevant features; providing a summary or list of the features from the first alert to a Bayes network for analysis; assigning a relevance score to the first alert, the relevance score based at least in part on the analysis performed by the Bayes network; receiving a second relevance score from a network operator; and modifying the Bayes network such that when a subsequent alert similar to the first alert is analyzed by the Bayes network, the subsequent alert is assigned a relevance score that more closely matches the second relevance score.
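A toy implementation of the scoring and operator-feedback steps in claims 1, 5 and 7, added here as an illustration and not the patent's own model or code: a naive-Bayes-shaped network with one conditional probability table (CPT) per alert feature, where every feature name, value and count is constructed sample data.

```python
from typing import Dict

LEVELS = ("low", "medium", "high")
Row = Dict[str, float]  # pseudo-counts per relevance level


def row(low: float, medium: float, high: float) -> Row:
    return {"low": low, "medium": medium, "high": high}


def build_sample_model():
    """Constructed CPTs: feature -> value -> pseudo-counts of that value at each relevance level.
    The asset-importance and vulnerability tables stand in for the 'network information' of claim 4."""
    cpts = {
        "outcome": {"failed": row(8, 3, 1), "succeeded": row(1, 3, 8), "unknown": row(4, 4, 2)},
        "confidence": {"low": row(6, 3, 1), "high": row(2, 4, 6)},
        "asset_importance": {"low": row(8, 2, 1), "high": row(1, 3, 8)},
        "vulnerable": {"no": row(7, 3, 1), "yes": row(1, 3, 7)},
    }
    prior = row(5, 3, 2)  # most alerts are low relevance before any evidence is seen
    return cpts, prior


class AlertScorer:
    def __init__(self, cpts, prior):
        self.cpts, self.prior = cpts, prior

    def _likelihood(self, feature, value, level):
        # P(feature=value | relevance=level), Laplace-smoothed over the values in the table
        table = self.cpts[feature]
        num = table.get(value, {}).get(level, 0.0) + 1.0
        den = sum(r[level] for r in table.values()) + len(table)
        return num / den

    def score(self, alert):
        """Posterior P(relevance | features) over LEVELS; features without a CPT are ignored."""
        total = sum(self.prior.values())
        post = {}
        for level in LEVELS:
            p = self.prior[level] / total
            for feature, value in alert.items():
                if feature in self.cpts:
                    p *= self._likelihood(feature, value, level)
            post[level] = p
        z = sum(post.values())
        return {lvl: p / z for lvl, p in post.items()}

    def feedback(self, alert, operator_level, weight=5.0):
        """Claims 5/7: add a row weighted towards the operator's score so similar alerts move that way."""
        for feature, value in alert.items():
            if feature in self.cpts:
                self.cpts[feature].setdefault(value, row(0, 0, 0))[operator_level] += weight
        self.prior[operator_level] += weight


def best_level(posterior):
    return max(posterior, key=posterior.get)
```

Scoring a successful, high-confidence attack on an important, vulnerable asset yields a "high" posterior, while an operator marking an ambiguous alert as "high" raises the score of later alerts with the same features.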
REFERENCE TO GOVERNMENT FUNDING
[0001] This invention was made with Government support under contract numbers F30602-99-C-0187 and F30602-99-C-0149 awarded by the Air Force Research Laboratory. The Government has certain rights in this invention.