Patents by Inventor Gary I. Givental

Gary I. Givental has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240129331
    Abstract: An enhanced threat disposition analysis technique is provided. In response to receipt of a security threat identified in an alert, a threat disposition score (TDS) is retrieved. The TDS is generated from a machine learning scoring model that is built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats. The TDS is based in part on an effectiveness of a prior calculated TDS to predict a particular historical disposition associated with the alert. The system augments an alert to include the threat disposition score, optionally together with a confidence level, to generate an enriched alert. The enriched alert is then presented to the security analyst for handling directly. Preferably, the machine learning model is updated continuously as the system handles security threats, thereby increasing the predictive benefit of the TDS scoring.
    Type: Application
    Filed: December 19, 2023
    Publication date: April 18, 2024
    Inventors: Gary I. Givental, Aankur Bhatia, Paul J. Dwyer
  • Patent number: 11888883
    Abstract: An enhanced threat disposition analysis technique is provided. In response to receipt of a security threat, a threat disposition score (TDS) is retrieved. The threat disposition score is generated from a machine learning scoring model that is built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats. The system augments an alert to include the threat disposition score, optionally together with a confidence level, to generate an enriched alert. The enriched alert is then presented to the security analyst for handling directly. Depending on the TDS (and its confidence level), the analyst may be able to respond to the threat immediately, i.e., without further detailed investigation. Preferably, the machine learning model is updated continuously as the system handles security threats, thereby increasing the predictive benefit of the TDS scoring.
    Type: Grant
    Filed: June 14, 2017
    Date of Patent: January 30, 2024
    Assignee: International Business Machines Corporation
    Inventors: Gary I. Givental, Aankur Bhatia, Paul J. Dwyer
  • Patent number: 11838400
    Abstract: An example operation may include one or more of receiving storage requests endorsed by blockchain peers of a blockchain, selecting a group of the endorsed storage requests to be stored together and ordering the group of endorsed storage requests with respect to each other based on timestamps, encoding the group of ordered and endorsed storage requests into an image, and storing the encoded image within a data section of a block of the blockchain.
    Type: Grant
    Filed: November 19, 2019
    Date of Patent: December 5, 2023
    Assignee: International Business Machines Corporation
    Inventors: Gary I. Givental, HuyAnh Dinh Ngo, Srinivas Babu Tummalapenta, Aankur Bhatia, Wesley Ali Khademi, Adam Lee Griffin
  • Publication number: 20230216865
    Abstract: Mitigating bias in a machine learning-augmented threat disposition platform can include generating a group of alerts in response to determining a similarity among the alerts. The alerts are generated in real time by a threat monitoring tool in response to one or more potential threats to a networked computing system. One or more alert spikes can be determined by partitioning the group into one or more alert spike subgroups. Each alert spike subgroup corresponds to an alert spike and contains two or more similar alerts that were generated within a predetermined time interval of one another. Duplicate alerts in each alert spike can be eliminated and each non-discarded alert labeled. The labeled alerts are used for training a reduced-bias machine learning model.
    Type: Application
    Filed: January 4, 2022
    Publication date: July 6, 2023
    Inventors: Aankur Bhatia, Gary I. Givental, Namrata Tolani, Ajmeera Balaji Naik, Oleksandr Shmaliy
  • Publication number: 20230185923
    Abstract: An apparatus, a method, and a computer program product are provided that dynamically selects features and machine learning models for optimal accuracy when determining a threat disposition of a security alert. The method includes training a base machine learning model, determining impacts that features in the training dataset have on the trained base machine learning model when predicting threat disposition on security threats, and creating subsets of the features, based on threat dispositions, by analyzing the features with their corresponding impacts and placing common features and impacts into each subset of the subsets. The method also includes training a plurality of machine learning models and a machine learning feature predictor using the training dataset and the subsets. The method further includes selecting, for a new input data instance, the selected features from the new input data instance and selecting a trained machine learning model trained based on the selected features.
    Type: Application
    Filed: December 10, 2021
    Publication date: June 15, 2023
    Inventors: Gary I. Givental, Joel Rajakumar, Aankur Bhatia
  • Patent number: 11663329
    Abstract: A method, a computer program product, and a system for performing a threat similarity analysis for automated action on security alerts. The method includes receiving, by a threat similarity analysis system, a security alert relating to a security from a threat disposition system within an environment, performing, by the threat similarity analysis system, a similarity analysis on the security alert using a machine learning model. The similarity analysis compares the security alert with previous security alerts within a time window. The threat similarity analysis system can apply a cosine similarity analysis to perform the similarity analysis. The method also includes determining, based on the similarity analysis, the security alert matches at least one previous security alert from the previous security alerts within a predetermined degree, and associating the security alert into a same security incident as the previous security alert determined by similarity analysis.
    Type: Grant
    Filed: March 9, 2021
    Date of Patent: May 30, 2023
    Assignee: International Business Machines Corporation
    Inventors: Gary I. Givental, Aankur Bhatia, Kyle Proctor, Rafal Hajduk
  • Publication number: 20230153421
    Abstract: Techniques for improved cybersecurity are provided. A plurality of feature subsets are identified, each containing a respective subset of features from a plurality of features included in a set of training security logs. The plurality of feature subsets is modified using one or more genetic programming techniques, and each of the plurality of feature subsets is scored using a plurality of threat classifiers, where the plurality of threat classifiers comprise trained machine learning models. A set of feature subsets is selected, from the plurality of feature subsets, based on the scores. A type classifier is trained based on the set of feature subsets, where the type classifier comprises a trained machine learning model.
    Type: Application
    Filed: November 15, 2021
    Publication date: May 18, 2023
    Inventors: Gary I. Givental, Aankur Bhatia, Joel Rajakumar
  • Patent number: 11620581
    Abstract: Mechanisms are provided to implement an ensemble of unsupervised machine learning (ML) models. The ensemble of unsupervised ML models processes a portion of input data to generate an ensemble output and the ensemble output is output to an authorized user computing device to obtain user feedback from the authorized user via the user computing device. The user feedback indicates a correctness of the ensemble output. The mechanisms modify at least one feature of the ensemble of unsupervised ML models based on the obtained user feedback to thereby generate a modified ensemble of unsupervised ML models. Subsequent portions of input data are then processed using the modified ensemble of unsupervised ML models.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: April 4, 2023
    Assignee: International Business Machines Corporation
    Inventors: Gary I. Givental, Aankur Bhatia, Lu An
  • Patent number: 11620481
    Abstract: A machine learning model selector is provided. A set of machine learning (ML) models are trained based on a first training dataset. The set of trained ML models is executed on a second training dataset to generate a corresponding output for a set of data instances in the second training dataset. For each data instance in the set of data instances, a corresponding ranking of ML models is generated based on the corresponding output for the data instance generated by the set of ML models. A ML model selector is trained based on the data instances in the set of data instances and the corresponding ranking of ML models, to select a trained ML model based on an input data instance.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: April 4, 2023
    Assignee: International Business Machines Corporation
    Inventors: Gary I. Givental, Aankur Bhatia, Joel Rajakumar
  • Publication number: 20220292186
    Abstract: A method, a computer program product, and a system for performing a threat similarity analysis for automated action on security alerts. The method includes receiving, by a threat similarity analysis system, a security alert relating to a security from a threat disposition system within an environment, performing, by the threat similarity analysis system, a similarity analysis on the security alert using a machine learning model. The similarity analysis compares the security alert with previous security alerts within a time window. The threat similarity analysis system can apply a cosine similarity analysis to perform the similarity analysis. The method also includes determining, based on the similarity analysis, the security alert matches at least one previous security alert from the previous security alerts within a predetermined degree, and associating the security alert into a same security incident as the previous security alert determined by similarity analysis.
    Type: Application
    Filed: March 9, 2021
    Publication date: September 15, 2022
    Inventors: Gary I. Givental, Aankur Bhatia, Kyle Proctor, Rafal Hajduk
  • Patent number: 11374953
    Abstract: Mechanisms are provided to implement a hybrid machine learning (ML) anomaly detector comprising an ensemble of unsupervised ML models and a semi-supervised ML model. The ensemble of unsupervised ML models are executed on log data to generate, for each entry in the log data, a predicted anomaly score and corresponding anomaly classification label of the entry. A partially labeled dataset is generated based on a selected subset of entries and other unlabeled log data in the log data. A similarity analysis of the unlabeled log data with entries in the selected subset of entries is performed and anomaly classification labels of the selected subset of entries are propagated to the other unlabeled log data based on the similarity analysis.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: June 28, 2022
    Assignee: International Business Machines Corporation
    Inventors: Gary I. Givental, Aankur Bhatia, Lu An
  • Patent number: 11237897
    Abstract: A method identifies and prioritizes anomalies in received monitoring logs from an endpoint log source. One or more processors identify anomalies in the monitoring logs by applying a plurality of disparate types of anomaly detection algorithms to the monitoring logs, and then determine a likelihood that the identified anomalies are anomalous based on outputs of the plurality of disparate types of anomaly detection algorithms. The processor(s) then prioritize the monitoring logs based on the likelihood that the identified anomalies are actually anomalous, and send prioritized monitoring logs that exceed a priority level to a security information and event management system (SIEM).
    Type: Grant
    Filed: July 25, 2019
    Date of Patent: February 1, 2022
    Assignee: International Business Machines Corporation
    Inventors: Aankur Bhatia, Chadwick M. Baatz, Gary I. Givental, Thomas Wallace, Srinivas B. Tummalapenta
  • Patent number: 11201726
    Abstract: An example operation may include one or more of retrieving a predefined image from a storage, encoding data attributes to be stored on a blockchain into one or more image layers of the predefined image to generate an encoded image, generating a data block comprising the encoded image including the data attributes which are encoded into the one or more image layers, and storing the data block via a hash-linked chain of data blocks on a distributed ledger.
    Type: Grant
    Filed: May 2, 2019
    Date of Patent: December 14, 2021
    Assignee: International Business Machines Corporation
    Inventors: Adam L. Griffin, Srinivas B. Tummalapenta, Gary I. Givental, Wesley A. Khademi, Aankur Bhatia
  • Patent number: 11165806
    Abstract: An anomaly detection system configured to generate a plurality of tensors based on spatial attributes of a set of cybersecurity data and temporal attributes of the set of cybersecurity data. The set of cybersecurity data comprising numeric data and textual data collected from a plurality of computational sources. The anomaly detection system can provide the plurality of tensors to a Hierarchical Temporal Memory (HTM) network. The HTM network can be configured to generate respective HTM outputs for respective regions of the HTM network. The anomaly detection system can determine that at least one HTM output indicates an anomaly, convert the at least one HTM output to a notification, and provide the notification to a user interface.
    Type: Grant
    Filed: January 8, 2020
    Date of Patent: November 2, 2021
    Assignee: International Business Machines Corporation
    Inventors: Sharon Hagi, Gary I. Givental
  • Publication number: 20210279644
    Abstract: Mechanisms are provided to implement an ensemble of unsupervised machine learning (ML) models. The ensemble of unsupervised ML models processes a portion of input data to generate an ensemble output and the ensemble output is output to an authorized user computing device to obtain user feedback from the authorized user via the user computing device. The user feedback indicates a correctness of the ensemble output. The mechanisms modify at least one feature of the ensemble of unsupervised ML models based on the obtained user feedback to thereby generate a modified ensemble of unsupervised ML models. Subsequent portions of input data are then processed using the modified ensemble of unsupervised ML models.
    Type: Application
    Filed: March 6, 2020
    Publication date: September 9, 2021
    Inventors: Gary I. Givental, Aankur Bhatia, Lu An
  • Publication number: 20210281592
    Abstract: Mechanisms are provided to implement a hybrid machine learning (ML) anomaly detector comprising an ensemble of unsupervised ML models and a semi-supervised ML model. The ensemble of unsupervised ML models are executed on log data to generate, for each entry in the log data, a predicted anomaly score and corresponding anomaly classification label of the entry. A partially labeled dataset is generated based on a selected subset of entries and other unlabeled log data in the log data. A similarity analysis of the unlabeled log data with entries in the selected subset of entries is performed and anomaly classification labels of the selected subset of entries are propagated to the other unlabeled log data based on the similarity analysis.
    Type: Application
    Filed: March 6, 2020
    Publication date: September 9, 2021
    Inventors: Gary I. Givental, Aankur Bhatia, Lu An
  • Publication number: 20210264025
    Abstract: A machine learning model selector is provided. A set of machine learning (ML) models are trained based on a first training dataset. The set of trained ML models is executed on a second training dataset to generate a corresponding output for a set of data instances in the second training dataset. For each data instance in the set of data instances, a corresponding ranking of ML models is generated based on the corresponding output for the data instance generated by the set of ML models. A ML model selector is trained based on the data instances in the set of data instances and the corresponding ranking of ML models, to select a trained ML model based on an input data instance.
    Type: Application
    Filed: February 26, 2020
    Publication date: August 26, 2021
    Inventors: Gary I. Givental, Aankur Bhatia, Joel Rajakumar
  • Publication number: 20210152327
    Abstract: An example operation may include one or more of receiving storage requests endorsed by blockchain peers of a blockchain, selecting a group of the endorsed storage requests to be stored together and ordering the group of endorsed storage requests with respect to each other based on timestamps, encoding the group of ordered and endorsed storage requests into an image, and storing the encoded image within a data section of a block of the blockchain.
    Type: Application
    Filed: November 19, 2019
    Publication date: May 20, 2021
    Inventors: Gary I. Givental, HuyAnh Dinh Ngo, Srinivas Babu Tummalapenta, Aankur Bhatia, Wesley Ali Khademi, Adam Lee Griffin
  • Publication number: 20210026722
    Abstract: A method identifies and prioritizes anomalies in received monitoring logs from an endpoint log source. One or more processors identify anomalies in the monitoring logs by applying a plurality of disparate types of anomaly detection algorithms to the monitoring logs, and then determine a likelihood that the identified anomalies are anomalous based on outputs of the plurality of disparate types of anomaly detection algorithms. The processor(s) then prioritize the monitoring logs based on the likelihood that the identified anomalies are actually anomalous, and send prioritized monitoring logs that exceed a priority level to a security information and event management system (SIEM).
    Type: Application
    Filed: July 25, 2019
    Publication date: January 28, 2021
    Inventors: Aankur Bhatia, Chadwick M. Baatz, Gary I. Givental, Thomas Wallace, Srinivas B. Tummalapenta
  • Patent number: 10832083
    Abstract: Mechanisms are provided to implement an image based event classification engine having an event image encoder and a first neural network computer model. The event image encoder receives an event data structure comprising a plurality of event attributes, where the event data structure represents an event occurring in association with a computing resource. The event image encoder executes, for each event attribute, a corresponding event attribute encoder that encodes the event attribute as a pixel pattern in a predetermined grid of pixels, corresponding to the event attribute, of an event image. The event image is input to a neural network computer model which applies one or more image feature extraction operations and image feature analysis algorithms to the event image to generate a classification prediction classifying the event into one of a plurality of predefined classifications and outputs the classification prediction.
    Type: Grant
    Filed: April 23, 2019
    Date of Patent: November 10, 2020
    Assignee: International Business Machines Corporation
    Inventors: Gary I. Givental, Wesley A. Khademi, Aankur Bhatia, Srinivas B. Tummalapenta