Patents by Inventor Aankur Bhatia

Aankur Bhatia has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240146746
    Abstract: A technique for threat response associated with an endpoint detection and response (EDR) system. The system uses a combination of automated observable detection, threat intelligence enrichment, graph analysis, and supervised machine learning to machine-predict analyst behavior in classifying (as ‘true’ or ‘false’ positives) the EDR alerts, and to support either (i) automated suppression of those alerts that the system classifies with sufficient confidence as either true or false, or (ii) for those alerts that cannot be so classified, the providing of recommendations to analysts to facilitate their activities. Auto-detection of observables for graph-based feature detection, together with the automated disposition of alerts where possible, greatly reduces overall analyst workload for the EDR system.
    Type: Application
    Filed: October 31, 2022
    Publication date: May 2, 2024
    Applicant: International Business Machines Corporation
    Inventors: Aankur Bhatia, Abhishek Basu, Luiz Marcel Arbos, Terry Liggett, Kyle Proctor
  • Publication number: 20240129331
    Abstract: An enhanced threat disposition analysis technique is provided. In response to receipt of a security threat identified in an alert, a threat disposition score (TDS) is retrieved. The TDS is generated from a machine learning scoring model that is built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats. The TDS is based in part on an effectiveness of a prior calculated TDS to predict a particular historical disposition associated with the alert. The system augments an alert to include the threat disposition score, optionally together with a confidence level, to generate an enriched alert. The enriched alert is then presented to the security analyst for handling directly. Preferably, the machine learning model is updated continuously as the system handles security threats, thereby increasing the predictive benefit of the TDS scoring.
    Type: Application
    Filed: December 19, 2023
    Publication date: April 18, 2024
    Inventors: Gary I. Givental, Aankur Bhatia, Paul J. Dwyer
  • Patent number: 11888883
    Abstract: An enhanced threat disposition analysis technique is provided. In response to receipt of a security threat, a threat disposition score (TDS) is retrieved. The threat disposition score is generated from a machine learning scoring model that is built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats. The system augments an alert to include the threat disposition score, optionally together with a confidence level, to generate an enriched alert. The enriched alert is then presented to the security analyst for handling directly. Depending on the TDS (and its confidence level), the analyst may be able to respond to the threat immediately, i.e., without further detailed investigation. Preferably, the machine learning model is updated continuously as the system handles security threats, thereby increasing the predictive benefit of the TDS scoring.
    Type: Grant
    Filed: June 14, 2017
    Date of Patent: January 30, 2024
    Assignee: International Business Machines Corporation
    Inventors: Gary I. Givental, Aankur Bhatia, Paul J. Dwyer
  • Patent number: 11838400
    Abstract: An example operation may include one or more of receiving storage requests endorsed by blockchain peers of a blockchain, selecting a group of the endorsed storage requests to be stored together and ordering the group of endorsed storage requests with respect to each other based on timestamps, encoding the group of ordered and endorsed storage requests into an image, and storing the encoded image within a data section of a block of the blockchain.
    Type: Grant
    Filed: November 19, 2019
    Date of Patent: December 5, 2023
    Assignee: International Business Machines Corporation
    Inventors: Gary I. Givental, HuyAnh Dinh Ngo, Srinivas Babu Tummalapenta, Aankur Bhatia, Wesley Ali Khademi, Adam Lee Griffin
  • Publication number: 20230216865
    Abstract: Mitigating bias in a machine learning-augmented threat disposition platform can include generating a group of alerts in response to determining a similarity among the alerts. The alerts are generated in real time by a threat monitoring tool in response to one or more potential threats to a networked computing system. One or more alert spikes can be determined by partitioning the group into one or more alert spike subgroups. Each alert spike subgroup corresponds to an alert spike and contains two or more similar alerts that were generated within a predetermined time interval of one another. Duplicate alerts in each alert spike can be eliminated and each non-discarded alert labeled. The labeled alerts are used for training a reduced-bias machine learning model.
    Type: Application
    Filed: January 4, 2022
    Publication date: July 6, 2023
    Inventors: Aankur Bhatia, Gary I. Givental, Namrata Tolani, Ajmeera Balaji Naik, Oleksandr Shmaliy
  • Publication number: 20230185923
    Abstract: An apparatus, a method, and a computer program product are provided that dynamically selects features and machine learning models for optimal accuracy when determining a threat disposition of a security alert. The method includes training a base machine learning model, determining impacts that features in the training dataset have on the trained base machine learning model when predicting threat disposition on security threats, and creating subsets of the features, based on threat dispositions, by analyzing the features with their corresponding impacts and placing common features and impacts into each subset of the subsets. The method also includes training a plurality of machine learning models and a machine learning feature predictor using the training dataset and the subsets. The method further includes selecting, for a new input data instance, the selected features from the new input data instance and selecting a trained machine learning model trained based on the selected features.
    Type: Application
    Filed: December 10, 2021
    Publication date: June 15, 2023
    Inventors: Gary I. Givental, Joel Rajakumar, Aankur Bhatia
  • Patent number: 11663329
    Abstract: A method, a computer program product, and a system for performing a threat similarity analysis for automated action on security alerts. The method includes receiving, by a threat similarity analysis system, a security alert relating to a security from a threat disposition system within an environment, and performing, by the threat similarity analysis system, a similarity analysis on the security alert using a machine learning model. The similarity analysis compares the security alert with previous security alerts within a time window. The threat similarity analysis system can apply a cosine similarity analysis to perform the similarity analysis. The method also includes determining, based on the similarity analysis, that the security alert matches at least one previous security alert from the previous security alerts within a predetermined degree, and associating the security alert into the same security incident as the previous security alert determined by the similarity analysis.
    Type: Grant
    Filed: March 9, 2021
    Date of Patent: May 30, 2023
    Assignee: International Business Machines Corporation
    Inventors: Gary I. Givental, Aankur Bhatia, Kyle Proctor, Rafal Hajduk
  • Publication number: 20230153421
    Abstract: Techniques for improved cybersecurity are provided. A plurality of feature subsets are identified, each containing a respective subset of features from a plurality of features included in a set of training security logs. The plurality of feature subsets is modified using one or more genetic programming techniques, and each of the plurality of feature subsets is scored using a plurality of threat classifiers, where the plurality of threat classifiers comprise trained machine learning models. A set of feature subsets is selected, from the plurality of feature subsets, based on the scores. A type classifier is trained based on the set of feature subsets, where the type classifier comprises a trained machine learning model.
    Type: Application
    Filed: November 15, 2021
    Publication date: May 18, 2023
    Inventors: Gary I. Givental, Aankur Bhatia, Joel Rajakumar
  • Patent number: 11620581
    Abstract: Mechanisms are provided to implement an ensemble of unsupervised machine learning (ML) models. The ensemble of unsupervised ML models processes a portion of input data to generate an ensemble output and the ensemble output is output to an authorized user computing device to obtain user feedback from the authorized user via the user computing device. The user feedback indicates a correctness of the ensemble output. The mechanisms modify at least one feature of the ensemble of unsupervised ML models based on the obtained user feedback to thereby generate a modified ensemble of unsupervised ML models. Subsequent portions of input data are then processed using the modified ensemble of unsupervised ML models.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: April 4, 2023
    Assignee: International Business Machines Corporation
    Inventors: Gary I. Givental, Aankur Bhatia, Lu An
  • Patent number: 11620481
    Abstract: A machine learning model selector is provided. A set of machine learning (ML) models are trained based on a first training dataset. The set of trained ML models is executed on a second training dataset to generate a corresponding output for a set of data instances in the second training dataset. For each data instance in the set of data instances, a corresponding ranking of ML models is generated based on the corresponding output for the data instance generated by the set of ML models. An ML model selector is trained based on the data instances in the set of data instances and the corresponding ranking of ML models, to select a trained ML model based on an input data instance.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: April 4, 2023
    Assignee: International Business Machines Corporation
    Inventors: Gary I. Givental, Aankur Bhatia, Joel Rajakumar
  • Publication number: 20220405535
    Abstract: A computer assesses device log entries. The computer receives a training log entry and an input log entry from a log entry corpus. The computer determines, for the training log entry, status indicators respective to the group of log entries. The indicators are based on processing the training log entry with a group of unsupervised Machine Learning models calibrated to identify outliers. The computer assigns an outlier status based on the processing to the training log entry. The computer trains a supervised ML model with a data pair of the training log entry and an associated data label representing the assigned outlier status value. The computer processes the input log entry with the supervised ML model to predict an input log classification, and the log classification indicates whether the input log is an anomaly. The computer generates an input log entry assessment report including the input log entry classification.
    Type: Application
    Filed: June 18, 2021
    Publication date: December 22, 2022
    Inventors: Aankur Bhatia, Namrata Tolani, Abhishek Basu
  • Patent number: 11503055
    Abstract: Embodiments of a method are disclosed. The method includes determining that the event type of an event log of a security information and event management (SIEM) cannot be identified. The method further includes generating a vectorized log using a cleaned, tokenized, and padded version of the event log. Additionally, the method includes generating a classification for the vectorized log using a deep learning classification model that is trained to identify a potential event type for the event log based on deep learning training using multiple parsed logs. The method also includes determining that a confidence level of the classification meets a predetermined threshold. The method further includes parsing the event log based on the classification.
    Type: Grant
    Filed: September 21, 2020
    Date of Patent: November 15, 2022
    Assignee: International Business Machines Corporation
    Inventors: Mahbod Tavallaee, Aankur Bhatia
  • Publication number: 20220292186
    Abstract: A method, a computer program product, and a system for performing a threat similarity analysis for automated action on security alerts. The method includes receiving, by a threat similarity analysis system, a security alert relating to a security from a threat disposition system within an environment, and performing, by the threat similarity analysis system, a similarity analysis on the security alert using a machine learning model. The similarity analysis compares the security alert with previous security alerts within a time window. The threat similarity analysis system can apply a cosine similarity analysis to perform the similarity analysis. The method also includes determining, based on the similarity analysis, that the security alert matches at least one previous security alert from the previous security alerts within a predetermined degree, and associating the security alert into the same security incident as the previous security alert determined by the similarity analysis.
    Type: Application
    Filed: March 9, 2021
    Publication date: September 15, 2022
    Inventors: Gary I. Givental, Aankur Bhatia, Kyle Proctor, Rafal Hajduk
  • Publication number: 20220277176
    Abstract: Methods and a system of classifying unrecognized logs in an environment. The method includes inputting a log unrecognized during event collection into a machine learning model and predicting, by the machine learning model, a log source type of the log to allow for normalization of the log. The method also includes producing, by the machine learning model, a confidence score relating to the source type prediction, determining the confidence score exceeds a predetermined threshold, and submitting the log for normalization based on the log source type prediction. The method can also include predicting, by the machine learning model, an event name relating to the log, producing, by the machine learning model, a second confidence score relating to the event name prediction, determining the second confidence score exceeds another predetermined threshold, and submitting the log for normalization based on the identified log source type and the predicted event name.
    Type: Application
    Filed: February 26, 2021
    Publication date: September 1, 2022
    Inventors: Aankur Bhatia, HuyAnh Dinh Ngo, Srinivas Babu Tummalapenta, Mahbod Tavallaee
  • Patent number: 11374958
    Abstract: A method provides an intermediate mitigation of a vulnerability in a particular computer system. One or more processors receive a description of a vulnerability of a computer system to a malicious attack. The processor(s) perform an NLP analysis of the description of the vulnerability in order to extract risk information related to the vulnerability, where the risk information includes an identity of a type of vulnerable computer system resource in the computer system. The processor(s) match the vulnerable computer system resource to a computer system resource in a particular computer system, and perform an intermediate mitigation action that reduces a functionality of the computer system resource in the particular computer system until a solution is implemented that both restores the functionality of the computer system resource in the particular computer system and mitigates the vulnerability of the particular computer system to the malicious attack.
    Type: Grant
    Filed: October 31, 2018
    Date of Patent: June 28, 2022
    Assignee: International Business Machines Corporation
    Inventors: Huyanh D. Ngo, Aankur Bhatia, Adam J. Paquin, Srinivas B. Tummalapenta
  • Patent number: 11374953
    Abstract: Mechanisms are provided to implement a hybrid machine learning (ML) anomaly detector comprising an ensemble of unsupervised ML models and a semi-supervised ML model. The ensemble of unsupervised ML models is executed on log data to generate, for each entry in the log data, a predicted anomaly score and corresponding anomaly classification label of the entry. A partially labeled dataset is generated based on a selected subset of entries and other unlabeled log data in the log data. A similarity analysis of the unlabeled log data with entries in the selected subset of entries is performed, and anomaly classification labels of the selected subset of entries are propagated to the other unlabeled log data based on the similarity analysis.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: June 28, 2022
    Assignee: International Business Machines Corporation
    Inventors: Gary I. Givental, Aankur Bhatia, Lu An
  • Publication number: 20220094704
    Abstract: Embodiments of a method are disclosed. The method includes determining that the event type of an event log of a security information and event management (SIEM) cannot be identified. The method further includes generating a vectorized log using a cleaned, tokenized, and padded version of the event log. Additionally, the method includes generating a classification for the vectorized log using a deep learning classification model that is trained to identify a potential event type for the event log based on deep learning training using multiple parsed logs. The method also includes determining that a confidence level of the classification meets a predetermined threshold. The method further includes parsing the event log based on the classification.
    Type: Application
    Filed: September 21, 2020
    Publication date: March 24, 2022
    Inventors: Mahbod Tavallaee, Aankur Bhatia
  • Patent number: 11265352
    Abstract: A method assigns a particular rule for a previous client to a new client for use in executing a security feature on a computer system used by the new client. One or more processors match a new client profile for the new client to a previous client profile for the previous client. The new client profile is based on types of one or more client assets of the new client and an intrusion detection alert history of the new client. The processor(s) assign the particular rule for the previous client to the new client based on the new client profile matching the previous client profile. The processor(s) receive information indicating that a violation of the particular rule has occurred, and execute a security feature of the computer system used by the new client in order to resolve the violation of the particular rule.
    Type: Grant
    Filed: August 28, 2020
    Date of Patent: March 1, 2022
    Assignee: International Business Machines Corporation
    Inventors: Aankur Bhatia, Srinivas B. Tummalapenta, Huyanh D. Ngo, Carlos E. Aguilera
  • Patent number: 11237897
    Abstract: A method identifies and prioritizes anomalies in received monitoring logs from an endpoint log source. One or more processors identify anomalies in the monitoring logs by applying a plurality of disparate types of anomaly detection algorithms to the monitoring logs, and then determine a likelihood that the identified anomalies are anomalous based on outputs of the plurality of disparate types of anomaly detection algorithms. The processor(s) then prioritize the monitoring logs based on the likelihood that the identified anomalies are actually anomalous, and send prioritized monitoring logs that exceed a priority level to a security information and event management system (SIEM).
    Type: Grant
    Filed: July 25, 2019
    Date of Patent: February 1, 2022
    Assignee: International Business Machines Corporation
    Inventors: Aankur Bhatia, Chadwick M. Baatz, Gary I. Givental, Thomas Wallace, Srinivas B. Tummalapenta
  • Patent number: 11201726
    Abstract: An example operation may include one or more of retrieving a predefined image from a storage, encoding data attributes to be stored on a blockchain into one or more image layers of the predefined image to generate an encoded image, generating a data block comprising the encoded image including the data attributes which are encoded into the one or more image layers, and storing the data block via a hash-linked chain of data blocks on a distributed ledger.
    Type: Grant
    Filed: May 2, 2019
    Date of Patent: December 14, 2021
    Assignee: International Business Machines Corporation
    Inventors: Adam L. Griffin, Srinivas B. Tummalapenta, Gary I. Givental, Wesley A. Khademi, Aankur Bhatia