SECURITY ALERT META-ANALYSIS FOR IDENTIFYING CAUSALLY RELATED EVIDENCE OF CYBERATTACKS
Assignee
Amazon Technologies, Inc.
Inventors
Christopher B McCubbin, Ruslan Vaulin, Michael Buciuman-Coman, Keith J Gilbert, Andrew Gorelik
Abstract
A security alert meta-analysis (SAMA) system is disclosed capable of identifying causally related evidence of a cyberattack in a computing environment. In embodiments, the system builds a security data graph from security alerts generated by other security monitoring services. The security data graph links related entities (e.g., users and resources) in the computing environment, and links those entities to their associated security alerts. Edges in the graph are filtered based on edge weights to identify sub-graphs that represent clusters of causally related evidence probative of attacks. The evidence clusters are presented to analysts to be investigated further. In embodiments, the meta-analysis process is implemented as periodic jobs executed on a cluster of worker nodes. Advantageously, the disclosed system is able to filter through large volumes of alerts to reduce false positives, and to group related alerts, possibly from different monitoring services, so that they can be investigated together.
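As an added illustration of the graph-pruning step the abstract describes (example code, not the patent's or Amazon's own implementation), the following Python model turns alerts and entities into graph nodes, drops edges whose weight falls below a threshold, and reports the remaining connected components that still contain two or more alerts as evidence clusters. The alerts, service names, entity relations and weights are all constructed sample data.

```python
from collections import defaultdict

# Constructed alerts from two hypothetical monitoring services.
# "score" is the alert's confidence, used as the weight of its entity edges.
ALERTS = [
    {"id": "a1", "service": "iam-monitor", "entities": ["user:alice", "role:admin"], "score": 0.9},
    {"id": "a2", "service": "net-monitor", "entities": ["host:web-01", "user:alice"], "score": 0.7},
    {"id": "a3", "service": "net-monitor", "entities": ["host:db-02"], "score": 0.2},
    {"id": "a4", "service": "iam-monitor", "entities": ["user:bob", "role:reader"], "score": 0.3},
]
# Constructed entity-to-entity relations (e.g. observed access) with weights.
RELATIONS = [
    ("user:alice", "host:web-01", 0.8),
    ("host:web-01", "host:db-02", 0.1),
    ("user:bob", "host:db-02", 0.6),
]

def build_graph(alerts, relations):
    """Undirected weighted graph: entity<->entity and alert<->entity edges."""
    adj = defaultdict(dict)
    for src, dst, w in relations:
        adj[src][dst] = adj[dst][src] = w
    for a in alerts:
        for ent in a["entities"]:
            adj[a["id"]][ent] = adj[ent][a["id"]] = a["score"]
    return adj

def prune(adj, threshold):
    """Keep only edges whose weight meets the threshold (the filtering step)."""
    kept = defaultdict(dict)
    for u, nbrs in adj.items():
        for v, w in nbrs.items():
            if w >= threshold:
                kept[u][v] = w
    return kept

def components(adj):
    """Connected components of the pruned graph via iterative DFS."""
    seen, comps = set(), []
    for start in list(adj):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(adj.get(n, {}))
        seen |= comp
        comps.append(comp)
    return comps

def evidence_clusters(alerts, relations, threshold=0.5, min_alerts=2):
    """Sub-graphs that still link at least `min_alerts` alerts after pruning."""
    by_id = {a["id"]: a for a in alerts}
    pruned = prune(build_graph(alerts, relations), threshold)
    clusters = []
    for comp in components(pruned):
        ids = sorted(n for n in comp if n in by_id)
        if len(ids) >= min_alerts:
            clusters.append({"alerts": ids,
                             "entities": sorted(comp - set(ids)),
                             "services": sorted({by_id[i]["service"] for i in ids})})
    return clusters
```

With the default threshold, a1 and a2 (from two different services) are grouped through user:alice and host:web-01, while the low-weight alerts a3 and a4 are filtered out; lowering the threshold to 0 joins all four alerts into one cluster, showing how the weight cut-off trades noise reduction against coverage.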
CPC Classifications
Filing Date
2025-11-21
Application No.
19396889