US 11,991,201 B2
Likelihood assessment for security incident alerts
Hani Hana Neuvirth, Tel-Aviv (IL); Ishai Wertheimer, Givat Shmuel (IL); Ely Abramovitch, Tel-Aviv (IL); Yaron David Fruchtmann, Herzliya (IL); and Amir Keren, Givatayim (IL)
Assigned to Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed by Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed on Jun. 18, 2021, as Appl. No. 17/352,008.
Prior Publication US 2022/0407882 A1, Dec. 22, 2022
Int. Cl. H04L 41/0604 (2022.01); G06F 18/214 (2023.01); H04L 9/40 (2022.01)
CPC H04L 63/1433 (2013.01) [G06F 18/214 (2023.01); H04L 41/0627 (2013.01); H04L 63/1416 (2013.01); H04L 63/20 (2013.01)] 19 Claims
OG exemplary drawing
 
1. A method for providing a list of new security alerts that each include a likelihood of being a valid security incident, the method comprising:
accessing a labelled set of previous security incident alerts generated within a network environment controlled by an organization, each security incident alert of the labelled set of previous security incident alerts being labelled by the organization with a validity assessment of the respective security incident alert;
training an assessment model with the accessed labelled set to configure the assessment model to perform a “likelihood validity assessment” for future security incident alerts generated as a result of security incidents within the network environment,
the likelihood validity assessment comprising an estimate of a validity of a respective security incident, namely whether the security incident is a true positive or a false positive, and a likelihood level of the estimate;
for each of a plurality of security incident alerts arising from within the network environment after the training:
detecting a respective security incident alert that was generated within the network environment; and
in response to the detection, using the trained assessment model to perform the likelihood validity assessment on the respective security incident alert, the likelihood validity assessment including an estimate of a validity of the respective security incident and a likelihood level of the estimate;
sorting the plurality of security incident alerts based on a weighted combination of the plurality of likelihood validity assessments and incident severity; and
causing the sorted plurality of likelihood validity assessments to be reported to the organization.
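The pipeline the claim describes, as an added example that is not part of the patent or of any Microsoft implementation: it fits a small logistic-regression "assessment model" to constructed labelled alerts, produces the true/false-positive estimate with its likelihood level for new alerts, and sorts them by an assumed weighting (alpha) of P(true positive) against normalised severity. The feature set, the weighting formula and all alert data are assumptions chosen for illustration.

```python
import math

# Constructed training data (not from the patent): one tuple per previous alert,
# features = (severity 1-4, distinct source hosts, off-hours flag, seen-before flag),
# label = the organisation's validity assessment (1 = true positive, 0 = false positive).
LABELLED_ALERTS = [
    ((3, 5, 1, 0), 1), ((4, 8, 1, 0), 1), ((3, 4, 1, 0), 1), ((2, 6, 1, 0), 1),
    ((1, 1, 0, 1), 0), ((2, 1, 0, 1), 0), ((1, 2, 0, 1), 0), ((1, 1, 1, 1), 0),
]

def _sigmoid(z):
    z = max(-30.0, min(30.0, z))          # clamp so exp() cannot overflow
    return 1.0 / (1.0 + math.exp(-z))

def train_assessment_model(labelled, epochs=2000, lr=0.05):
    """Fit a logistic-regression 'assessment model' to the labelled alerts (plain SGD)."""
    weights, bias = [0.0] * len(labelled[0][0]), 0.0
    for _ in range(epochs):
        for x, y in labelled:
            err = _sigmoid(sum(w * xi for w, xi in zip(weights, x)) + bias) - y
            weights = [w - lr * err * xi for w, xi in zip(weights, x)]
            bias -= lr * err
    return weights, bias

def assess(model, features):
    """Likelihood validity assessment: a TP/FP estimate plus the likelihood level of that estimate."""
    weights, bias = model
    p_tp = _sigmoid(sum(w * xi for w, xi in zip(weights, features)) + bias)
    estimate = "true positive" if p_tp >= 0.5 else "false positive"
    return {"estimate": estimate, "likelihood": max(p_tp, 1 - p_tp), "p_tp": p_tp}

def triage(model, new_alerts, alpha=0.7, max_severity=4):
    """Sort alerts by the assumed weighting alpha*P(true positive) + (1-alpha)*severity/max_severity."""
    ranked = []
    for alert_id, features in new_alerts.items():
        a = assess(model, features)
        score = alpha * a["p_tp"] + (1 - alpha) * features[0] / max_severity
        ranked.append((alert_id, a["estimate"], round(a["likelihood"], 3), round(score, 3)))
    return sorted(ranked, key=lambda r: r[3], reverse=True)

# Constructed alerts arriving after training (assumed values).
NEW_ALERTS = {
    "alert-1": (1, 1, 0, 1),   # low severity, resembles past false positives
    "alert-2": (4, 7, 1, 0),   # high severity, resembles past true positives
    "alert-3": (4, 1, 0, 1),   # high severity, but looks like past false positives
    "alert-4": (2, 5, 1, 0),   # medium severity, resembles past true positives
}

if __name__ == "__main__":
    model = train_assessment_model(LABELLED_ALERTS)
    for row in triage(model, NEW_ALERTS):
        print(row)   # (alert id, estimate, likelihood level, combined score), best first
```

Raising alpha makes the ranking trust the model more than the raw severity; the claim leaves the weighting unspecified, so it is a tuning choice for the organisation.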