Title: Intelligent remediation of security-related events
Abstract: An information processing system implements an intelligent remediation system for security-related events. The intelligent remediation system comprises a classifier configured to process information characterizing the events in order to generate respective risk scores, and a data store coupled to the classifier and configured to store feedback from one or more users regarding the risk scores. The classifier is configured to utilize the feedback regarding the risk scores to learn the riskiness of particular events and to adjust its operation based on the learned riskiness, such that the risk score generated by the classifier for a given one of the events is based at least in part on the feedback received regarding risk scores generated for one or more previous ones of the events. A user interface is provided to allow one or more users to supply the feedback regarding the risk scores.
Publication number: US9548987(B1) Publication date: 2017.01.17
Application number: US201213493638 Filing date: 2012.06.11
Applicant: EMC IP Holding Company LLC Inventor: Poole James
Classification: G06F11/00;G06F12/14;G06F12/16;G08B23/00;H04L29/06;G06N99/00 Main classification: G06F11/00
Agency: Ryan, Mason & Lewis, LLP Attorney: Ryan, Mason & Lewis, LLP
Independent claim: 1. An apparatus comprising: at least one processing device comprising a processor coupled to a memory and implementing an intelligent remediation system in a security operations center, the intelligent remediation system comprising: a classifier; a data store comprising a first set of storage locations for storing information identifying previous events designated as false positives, a second set of storage locations for storing information identifying previous events designated as true positives and a third set of storage locations for storing information identifying new events not yet designated by a user as false positives or true positives; and a user interface; wherein the classifier is configured to receive one or more new events from one or more event generators associated with one or more processing platforms of information technology infrastructure associated with the security operations center, the event generators being associated with respective products implemented in the information technology infrastructure and the one or more new events being generated based on rules or other triggers associated with the respective products; wherein the classifier is configured to process the one or more new events to classify each of the one or more new events as one of a true positive event and a true negative event based at least in part on information stored in the first and second sets of storage locations of the data store; wherein the classifier is configured to generate a risk score for each of the one or more new events, the risk scores being configured to indicate how dissimilar respective ones of the new events are to previous events designated as false positives in the first set of storage locations of the data store and how similar respective ones of the new events are to previous events designated as true positives in the second set of storage locations of the data store; wherein the classifier is configured to store the one or more new events and their associated risk scores in the third set of storage locations of the data store; wherein the user interface is configured to present the one or more new events stored in the third set of storage locations of the data store as an ordered list prioritized by risk score; wherein the user interface provides feedback controls allowing the user to designate respective ones of the new events stored in the third set of storage locations of the data store as one of: a true positive event associated with a valid incident considered important by the user; a non issue event associated with a valid incident not considered important by the user; and a false positive event associated with an incident that is not valid; wherein responsive to designation of a given one of the new events as a false positive using the feedback controls, information identifying the given event is moved from the third set of storage locations in the data store to the first set of storage locations in the data store; and wherein responsive to designation of the given new event as a true positive using the feedback controls, information identifying the given event is moved from the third set of storage locations in the data store to the second set of storage locations in the data store.
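The feedback loop in the claim (three storage sets, a score that rises with similarity to known true positives and falls with similarity to known false positives, and designations that move events between sets), as an added illustration that is not the patent's own code. The patent does not specify a similarity measure; this example assumes Jaccard similarity over each event's attribute set, and the event attributes and field names are constructed for the example.

```python
from dataclasses import dataclass, field

SAMPLE_EVENTS = {  # constructed sample events: attribute sets as an event generator might emit them
    "e1": {"rule:brute-force", "host:web01", "product:ids"},
    "e2": {"rule:scheduled-scan", "host:scanner", "product:vuln-mgr"},
    "e3": {"rule:brute-force", "host:web02", "product:ids"},
    "e4": {"rule:scheduled-scan", "host:scanner", "product:vuln-mgr", "severity:low"},
}

def jaccard(a: frozenset, b: frozenset) -> float:
    """Similarity between two attribute sets, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

@dataclass
class IntelligentRemediation:
    # The claim's three sets of storage locations (field names are this example's own).
    false_positives: dict = field(default_factory=dict)  # event_id -> features
    true_positives: dict = field(default_factory=dict)   # event_id -> features
    new_events: dict = field(default_factory=dict)       # event_id -> (features, risk score)

    def risk_score(self, features: frozenset) -> float:
        """High when the event resembles known true positives and differs from known false positives."""
        def nearest(store):  # highest similarity to any stored event; 0.0 while the store is empty
            return max((jaccard(features, f) for f in store.values()), default=0.0)
        sim_tp, sim_fp = nearest(self.true_positives), nearest(self.false_positives)
        return round((1.0 + sim_tp - sim_fp) / 2.0, 3)  # map the difference onto [0, 1]

    def ingest(self, event_id: str, attributes: set) -> float:
        """Score a new event and hold it in the third set until a user designates it."""
        features = frozenset(attributes)
        score = self.risk_score(features)
        self.new_events[event_id] = (features, score)
        return score

    def prioritized(self) -> list:
        """The ordered list the user interface presents: highest risk score first."""
        return sorted(self.new_events, key=lambda e: self.new_events[e][1], reverse=True)

    def designate(self, event_id: str, label: str) -> None:
        """Feedback control. True/false positives move into the labelled stores and so change
        later scores; the claim moves nothing for 'non issue', so that event only leaves the list."""
        features, _ = self.new_events.pop(event_id)
        if label == "true_positive":
            self.true_positives[event_id] = features
        elif label == "false_positive":
            self.false_positives[event_id] = features
        elif label != "non_issue":
            raise ValueError(f"unknown designation: {label}")
```

With empty stores every event scores 0.5; once e1 is marked a true positive and e2 a false positive, a new brute-force event scores 0.75 and a new scanner event 0.125, so the prioritized list puts the brute-force event first.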
Address: Hopkinton MA US