Online alert ranking and attack scenario reconstruction
Abstract:
Methods and systems for detecting security intrusions include detecting alerts in monitored system data. Temporal dependencies are determined between the alerts based on a prefix tree formed from the detected alerts. Content dependencies between the alerts are determined based on a distance between alerts in a graph representation of the detected alerts. The alerts are ranked based on an optimization problem that includes the temporal dependencies and the content dependencies. A security management action is performed based on the ranked alerts.
Public/Granted literature
Information query
Patent Agency Ranking
0/0