US 12,242,953 B2
Automatic triaging of network events
Kyle Armstrong, Eugene, OR (US); and Skyler Butler, Denver, CO (US)
Assigned to PROOFPOINT, INC., Sunnyvale, CA (US)
Filed by Proofpoint, Inc., Sunnyvale, CA (US)
Filed on Oct. 8, 2019, as Appl. No. 16/596,406.
Prior Publication US 2021/0103808 A1, Apr. 8, 2021
Int. Cl. G06N 3/08 (2023.01); G06N 3/04 (2023.01); H04L 9/40 (2022.01); H04L 41/06 (2022.01); H04L 41/16 (2022.01)
CPC G06N 3/08 (2013.01) [G06N 3/04 (2013.01); H04L 41/06 (2013.01); H04L 41/16 (2013.01); H04L 63/20 (2013.01)]
20 Claims
4. A method, comprising:
  collecting, by a processor, incident data of an incident, the incident data containing:
    afflicting content of the incident, wherein the incident is representative of a user activity violating a policy with respect to a data item; and
    non-afflicting content, wherein the non-afflicting content comprises metadata associated with the incident but not directly indicative of the violating of the policy;
  generating, by the processor, a profile of the incident, wherein the generating of the profile comprises:
    extracting the non-afflicting content from the incident data;
    determining a hash for the profile by hashing at least the extracted non-afflicting content of the incident; and
    determining a network event type for the profile from the incident data, the network event type representative of a location where the incident occurred or is identified, wherein the network event type is associated with a set of attributes; and
  provide the profile of the incident to a classification model for classifying the incident, which improves speed of classifying the incident.
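
The profile-generation steps of claim 4, sketched as an added example; this is not code from the patent or from Proofpoint. The field names, the three event types and their attribute sets, the case and whitespace normalisation, and the use of SHA-256 over canonical JSON are all assumptions made for illustration.

```python
import hashlib
import json

# Assumed event types (where the incident was seen) and the metadata
# attributes associated with each; the patent text names neither.
EVENT_TYPE_ATTRIBUTES = {
    "email": ("policy_id", "sender_domain", "recipient_domain"),
    "endpoint": ("policy_id", "hostname", "process_name"),
    "cloud": ("policy_id", "app_name", "share_scope"),
}
# Assumed names for fields that carry the violating data itself.
AFFLICTING_FIELDS = frozenset({"matched_text", "file_bytes"})


def extract_non_afflicting(incident: dict) -> tuple[str, dict]:
    """Return (event_type, metadata) with all afflicting content left out."""
    event_type = incident.get("source")
    if event_type not in EVENT_TYPE_ATTRIBUTES:
        raise ValueError(f"unknown network event type: {event_type!r}")
    metadata = {}
    for name in EVENT_TYPE_ATTRIBUTES[event_type]:
        if name in AFFLICTING_FIELDS:
            raise ValueError(f"{name} is afflicting content, not metadata")
        value = incident.get(name)
        # Normalise so trivial case/whitespace differences share a hash.
        metadata[name] = value.strip().lower() if isinstance(value, str) else value
    return event_type, metadata


def build_profile(incident: dict) -> dict:
    """Build the profile a classifier would receive: type, metadata, hash."""
    event_type, metadata = extract_non_afflicting(incident)
    # Canonical JSON (sorted keys, fixed separators) keeps the digest stable
    # regardless of the field order in the collected incident data.
    canonical = json.dumps(
        {"event_type": event_type, "metadata": metadata},
        sort_keys=True, separators=(",", ":"),
    )
    digest = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    return {"event_type": event_type, "metadata": metadata, "hash": digest}


# Constructed sample incidents: same metadata, different violating content.
INCIDENT_A = {"source": "email", "policy_id": "PCI-1", "sender_domain": "Corp.example",
              "recipient_domain": "mail.example", "matched_text": "4111 1111 1111 1111"}
INCIDENT_B = {"matched_text": "5500 0000 0000 0004", "recipient_domain": "mail.example ",
              "sender_domain": "corp.example", "policy_id": "PCI-1", "source": "email"}
```

Because only metadata is hashed, the two constructed incidents produce the same profile hash even though their violating content differs, and that content never enters the profile handed to the classifier.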