| CPC H04L 63/1433 (2013.01) | 20 Claims |

1. A method for prioritizing security events, comprising:
receiving, by one or more processors of a computer system, a plurality of alerts generated by an endpoint agent in response to a detected computer security activity;
extracting, by the one or more processors of a computer system, a plurality of feature vectors from the plurality of alerts;
computing, by the one or more processors of the computer system, a plurality of temporal features from the plurality of alerts, the temporal features including time pattern data of the detected computer security activity;
training, by the one or more processors of the computer system, a first classification model with the plurality of feature vectors;
training, by the one or more processors of the computer system, a second classification model with the plurality of temporal features;
combining, by the one or more processors of the computer system, the first classification model and the second classification model to form an ensemble model that processes an output of each of the first classification model and the second classification model to generate a computed feature result;
generating, by the ensemble model, from the computed feature result, an alert-level risk score corresponding to a severity level value for each alert of the plurality of alerts; and
arranging the plurality of alerts for output to an analyst computer according to the alert-level risk scores.
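A runnable sketch of the pipeline claim 1 describes, added here as an example and not code from the patent or any product: feature vectors and temporal features are extracted from endpoint alerts, a classifier is trained on each, the two are combined into a weighted-average ensemble that yields an alert-level risk score, and the alerts are sorted for the analyst queue. The alert records, the feature choices, the nearest-centroid classifier and the ensemble weights are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed endpoint-agent alerts (not from the patent); "label" is a prior analyst disposition.
ALERTS = [
    {"id": 1, "host": "h1", "minute": 120, "severity": 5, "encoded_cmd": 1, "signed": 0, "label": 1},
    {"id": 2, "host": "h1", "minute": 180, "severity": 4, "encoded_cmd": 1, "signed": 0, "label": 1},
    {"id": 3, "host": "h2", "minute": 600, "severity": 1, "encoded_cmd": 0, "signed": 1, "label": 0},
    {"id": 4, "host": "h3", "minute": 840, "severity": 2, "encoded_cmd": 0, "signed": 1, "label": 0},
]

def content_features(alert):
    """Feature vector taken from the alert content (the claim's 'extracting' step)."""
    return [float(alert["severity"]), float(alert["encoded_cmd"]), float(alert["signed"])]

def temporal_features(alert, alerts):
    """Time-pattern features: hour of day, off-hours flag, and burst size (alerts from
    the same host within 60 minutes, the alert itself included)."""
    hour = alert["minute"] // 60
    burst = sum(1 for a in alerts
                if a["host"] == alert["host"] and abs(a["minute"] - alert["minute"]) <= 60)
    return [float(hour), 1.0 if hour < 6 or hour >= 20 else 0.0, float(burst)]

def train_centroid_model(vectors, labels):
    """Nearest-centroid classifier (one mean vector per class); the claim fixes no classifier type."""
    sums, counts = defaultdict(lambda: [0.0] * len(vectors[0])), defaultdict(int)
    for v, y in zip(vectors, labels):
        counts[y] += 1
        for i, x in enumerate(v):
            sums[y][i] += x
    return {y: [s / counts[y] for s in sums[y]] for y in sums}

def model_score(model, v):
    """P(malicious): softmax over the negative Euclidean distance to each class centroid."""
    weights = {y: math.exp(-math.dist(v, c)) for y, c in model.items()}
    return weights[1] / sum(weights.values())

def prioritize(alerts, w_content=0.5, w_temporal=0.5):
    """Train both models, combine them as a weighted-average ensemble into an alert-level
    risk score, and return the alerts sorted highest risk first for the analyst queue."""
    labels = [a["label"] for a in alerts]
    content_model = train_centroid_model([content_features(a) for a in alerts], labels)
    temporal_model = train_centroid_model([temporal_features(a, alerts) for a in alerts], labels)
    scored = []
    for a in alerts:
        risk = (w_content * model_score(content_model, content_features(a))
                + w_temporal * model_score(temporal_model, temporal_features(a, alerts)))
        scored.append({**a, "risk": round(risk, 4)})
    return sorted(scored, key=lambda s: s["risk"], reverse=True)
```

With the constructed data, the two off-hours alerts that form a burst on host h1 rank first; in practice the models would be trained on historical alerts with analyst dispositions rather than on the alerts being scored.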