CPC H04L 63/20 (2013.01) [G06F 16/9024 (2019.01); G06F 16/906 (2019.01)]
20 Claims
1. A computer-implemented method of grouping security alerts generated from a computer network and prioritizing grouped security alerts for analysis, including:
traversing a graph representing computer network entities as nodes and relationships between computer network entities as edges, and having starting nodes with non-zero native scores by visiting the nodes in the graph and propagating native scores from the starting nodes attenuated by a weight assigned to an edge traversed, the traversing extending for at least a predetermined span from the starting nodes, through and to neighboring nodes connected by the edges;
normalizing and accumulating propagated scores at visited nodes, summed with the native score assigned to the visited nodes to generate aggregate scores for the visited nodes, wherein normalizing the propagated scores at the visited nodes includes attenuating a propagated score based on a number of contributing neighboring nodes of a respective visited node to form a normalized score;
forming clusters of connected nodes in the graph that have a respective aggregate score above a selected threshold, which clusters are separated from other clusters through nodes that have a respective aggregate score below the selected threshold;
ranking and prioritizing the clusters for analysis according to the aggregate scores of the nodes in the formed clusters; and
facilitating accelerated investigation of the clusters in accordance with the ranking and prioritizing.
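The five steps of claim 1 (weighted propagation from starting nodes over a fixed span, normalization by contributing-neighbor count, aggregation with the native score, threshold-based clustering, and ranking) as one runnable Python example. This is an added illustration, not code from the patent or its assignee; the network, native scores and edge weights are constructed, and the choices that the claim leaves open (breadth-first expansion that credits a node only at the first hop level where a given start reaches it, the stronger of two equal-length paths winning, and "above the threshold" read as strictly greater) are this example's assumptions.

```python
from collections import defaultdict

# Constructed sample network (not from the patent). Alert nodes carry a
# non-zero native score; entity nodes (hosts, users) start at zero.
NATIVE_SCORES = {
    "alert:brute-force": 8.0,
    "alert:malware": 6.0,
    "alert:port-scan": 3.0,
    "user:svc-backup": 0.0,
    "host:web-01": 0.0,
    "host:db-01": 0.0,
    "host:print-01": 0.0,
    "host:kiosk-03": 0.0,
}

# Undirected edges with a weight in (0, 1]. A score crossing an edge is
# multiplied by the weight, so a weak relationship attenuates more.
EDGES = [
    ("alert:brute-force", "user:svc-backup", 0.8),
    ("user:svc-backup", "host:web-01", 0.6),
    ("alert:malware", "host:web-01", 0.8),
    ("host:web-01", "host:db-01", 0.5),
    ("host:db-01", "host:print-01", 0.3),
    ("host:print-01", "host:kiosk-03", 0.3),
    ("alert:port-scan", "host:kiosk-03", 0.8),
]


def build_adjacency(edges):
    adj = defaultdict(list)
    for u, v, w in edges:
        adj[u].append((v, w))
        adj[v].append((u, w))
    return adj


def propagate(adj, native, span):
    """Return {visited_node: {contributing_neighbor: propagated_score}}.

    Every starting node (native score > 0) is expanded breadth-first for
    `span` hops. Assumptions of this example: a node is credited from a given
    start only at the first hop level that reaches it, and of two equal-length
    paths the stronger one is kept.
    """
    contrib = defaultdict(lambda: defaultdict(float))
    for start, score in native.items():
        if score <= 0:
            continue
        seen = {start}
        frontier = {start: score}
        for _ in range(span):
            nxt = {}  # node -> (attenuated score, neighbor it arrived through)
            for node, s in frontier.items():
                for nbr, w in adj[node]:
                    if nbr in seen:
                        continue
                    cand = s * w
                    if nbr not in nxt or cand > nxt[nbr][0]:
                        nxt[nbr] = (cand, node)
            if not nxt:
                break
            for nbr, (cand, via) in nxt.items():
                contrib[nbr][via] += cand
            seen.update(nxt)
            frontier = {nbr: cand for nbr, (cand, _) in nxt.items()}
    return contrib


def aggregate_scores(native, edges, span):
    adj = build_adjacency(edges)
    contrib = propagate(adj, native, span)
    agg = {}
    for node in set(native) | set(adj):
        by_neighbor = contrib.get(node, {})
        # Normalization: total propagated score divided by the number of
        # distinct contributing neighbors, so a well-connected hub is not
        # inflated merely by its degree.
        normalized = sum(by_neighbor.values()) / len(by_neighbor) if by_neighbor else 0.0
        agg[node] = native.get(node, 0.0) + normalized
    return agg


def form_clusters(agg, edges, threshold):
    """Connected components over nodes scoring strictly above the threshold;
    sub-threshold nodes are the separators between clusters."""
    hot = {n for n, s in agg.items() if s > threshold}
    adj = build_adjacency([(u, v, w) for u, v, w in edges if u in hot and v in hot])
    clusters, assigned = [], set()
    for node in sorted(hot):
        if node in assigned:
            continue
        stack, comp = [node], set()
        while stack:
            cur = stack.pop()
            if cur in comp:
                continue
            comp.add(cur)
            stack.extend(nbr for nbr, _ in adj[cur] if nbr not in comp)
        assigned |= comp
        clusters.append(comp)
    return clusters


def rank_clusters(agg, clusters):
    """Highest total aggregate score first: the order the analyst works the queue."""
    scored = [(sum(agg[n] for n in c), sorted(c)) for c in clusters]
    scored.sort(key=lambda t: t[0], reverse=True)
    return scored


def prioritize(native=NATIVE_SCORES, edges=EDGES, span=2, threshold=2.0):
    agg = aggregate_scores(native, edges, span)
    return agg, rank_clusters(agg, form_clusters(agg, edges, threshold))


if __name__ == "__main__":
    agg, ranked = prioritize()
    for node, score in sorted(agg.items(), key=lambda t: -t[1]):
        print(f"{node:20s} {score:6.2f}")
    for rank, (total, members) in enumerate(ranked, 1):
        print(f"#{rank} total={total:.2f} members={members}")
```

With span 2 and threshold 2.0, the brute-force and malware alerts pull `user:svc-backup`, `host:web-01` and `host:db-01` above the threshold and form one cluster, the port-scan alert and `host:kiosk-03` form a second, and `host:print-01` (0.72) is the sub-threshold node that keeps them apart; the first cluster ranks ahead on total score. Changing the weights or the threshold shows directly how the clustering and the analyst queue order respond.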