| CPC H04L 63/1425 (2013.01) [H04L 63/1416 (2013.01)] | 21 Claims |
|
1. A computer implemented method for processing alerts, the computer implemented method comprising:
creating, by a computer system, a representation of an alert received for processing;
determining, by the computer system, a similarity of the alert with previously processed alerts using the representation of the alert and representations of the previously processed alerts;
evaluating, by a first evaluator in the computer system, an alert level for the alert based on previously processed similar alerts in response to the similarity being above a similarity threshold for similar alerts, wherein evaluating, by the first evaluator in the computer system, the alert level for the alert based on previously processed similar alerts in response to the similarity being above the similarity threshold for similar alerts comprises:
collecting, by the computer system, previously processed alerts that are identical to the alert and the previously processed alerts that are above the similarity threshold to form previously processed similar alerts;
determining, by the computer system, an aggregated verdict using the previously processed similar alerts;
determining, by the computer system, whether the aggregated verdict is ambiguous; and
marking, by the computer system, the alert as ambiguous in response to the aggregated verdict of the previously processed similar alerts being ambiguous; and
evaluating, by a second evaluator in the computer system, the alert level for the alert using a machine learning model in response to the similarity not being above the similarity threshold, wherein evaluating, by the second evaluator in the computer system, the alert level for the alert further comprises:
identifying, by the second evaluator in the computer system, the alert as serious if an alert score is greater than or equal to a serious threshold;
identifying, by the second evaluator in the computer system, the alert as ambiguous if the alert score is greater than an inconsequential threshold and less than the serious threshold; and
identifying, by the second evaluator in the computer system, the alert as inconsequential if the alert score is less than or equal to the inconsequential threshold.
|