Abstract: Embodiments provide a computer implemented method in a data processing system comprising a processor and a memory comprising instructions, which are executed by the processor to cause the processor to implement the method of identifying an exploit kit, the method comprising: receiving, by the processor, a web page; extracting, by the processor, a plurality of features of the web page; and determining, by the processor, whether the web page is associated with an exploit kit, through an ensemble classifier model trained using the extracted features.

Abstract: Mechanisms are provided to perform security incident disposition operations. A security incident is received that includes a security incident data structure comprising metadata describing properties of the security incident, and a corresponding security knowledge graph which includes nodes representing elements associated with the security incident and edges representing relationships between the nodes. The security incident data structure and security knowledge graph are processed to extract a set of security incident features corresponding to the security incident and input the extracted set of security incident features into a trained security incident machine learning model. The model generates a disposition classification output based on results of processing the extracted set of security incident features. The disposition classification output is output to the source of the security incident data structure.

Abstract: An approach is provided in which the approach receives a global trending threat corresponding to an incident occurring in an industry. The approach identifies a set of local Indicators of Concern (IoCs) within an entity that corresponds to the global trending threat, and computes an alert priority based on the set of local IoCs and the global trending threat. The approach adjusts the alert priority based on comparing entity properties of the entity with threat properties of the global trending threat, and dispatches an alert based on the adjusted alert priority.

Abstract: A cognitive security analytics platform is enhanced by providing a technique for automatically inferring temporal relationship data for cybersecurity events. In operation, a description of a security event is received, typically as unstructured security content or data. Information such as temporal data or cues, are extracted from the description, along with security entity and relationship data. Extracted temporal information is processing according to a set of temporal markers (heuristics) to determine a time value marker (i.e., an established time) of the security event. This processing typically involves retrieval of information from one or more structured data sources. The established time is linked to the security entities and relationships. The resulting security event, as augmented with the identified temporal data, is then subjected to a management operation.

Abstract: Mechanisms are provided to perform security incident disposition operations. A security incident is received that includes a security incident data structure comprising metadata describing properties of the security incident, and a corresponding security knowledge graph which includes nodes representing elements associated with the security incident and edges representing relationships between the nodes. The security incident data structure and security knowledge graph are processed to extract a set of security incident features corresponding to the security incident and input the extracted set of security incident features into a trained security incident machine learning model. The model generates a disposition classification output based on results of processing the extracted set of security incident features. The disposition classification output is output to the source of the security incident data structure.

Abstract: A cognitive security analytics platform is enhanced by providing a technique for automatically inferring temporal relationship data for cybersecurity events. In operation, a description of a security event is received, typically as unstructured security content or data. Information such as temporal data or cues, are extracted from the description, along with security entity and relationship data. Extracted temporal information is processing according to a set of temporal markers (heuristics) to determine a time value marker (i.e., an established time) of the security event. This processing typically involves retrieval of information from one or more structured data sources. The established time is linked to the security entities and relationships. The resulting security event, as augmented with the identified temporal data, is then subjected to a management operation.

Abstract: Embodiments provide a computer implemented method in a data processing system comprising a processor and a memory comprising instructions, which are executed by the processor to cause the processor to implement the method of identifying an exploit kit, the method comprising: receiving, by the processor, a web page; extracting, by the processor, a plurality of features of the web page; and determining, by the processor, whether the web page is associated with an exploit kit, through an ensemble classifier model trained using the extracted features.