Auto-detection of observables and auto-disposition of alerts in an endpoint detection and response (EDR) system using machine learning
US12316661B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Date | Value |
| --- | --- |
| Filing date | Oct 31, 2022 |
| Grant date | May 27, 2025 |
| Priority date | — |
| Expiry date | Aug 23, 2043 |
Classification
- Technology area (CPC H): Electricity
- CPC primary: H04L63/1441
- WIPO field: Digital communication
- WIPO sector: Electrical engineering
Abstract
A technique for threat response associated with an endpoint detection and response (EDR) system. The system uses a combination of automated observable detection, threat intelligence enrichment, graph analysis, and supervised machine learning to machine-predict analyst behavior in classifying EDR alerts (as ‘true’ or ‘false’ positives), and to support either (i) automated suppression of those alerts that the system classifies with sufficient confidence as either true or false, or (ii) for those alerts that cannot be so classified, the provision of recommendations to analysts to facilitate their activities. Auto-detection of observables for graph-based feature detection, together with the automated disposition of alerts where possible, greatly reduces overall analyst workload for the EDR system. Further, even where a machine-based prediction does not have sufficient confidence to enable bypassing the analyst, the system provides the analyst with additional context and enrichment to facilitate expedited (or at least more efficient) alert handling.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.