US-12621201-B1 - Alert reduction using machine learning scoring
Abstract
Reducing false positive computer security alerts is provided. A dataset is ingested that comprises a number of security alerts with resolution status. The alerts comprise data fields which are then tokenized. Cardinality is calculated for each tokenized data field compared against the whole dataset. Entropy is calculated for each tokenized value. A combined token score is generated for each tokenized field based on cardinality and entropy. Each combined token score is compared against all tokenized fields for the alerts. Each combined token score is adjusted based on the comparison. Any tokens resolved as true positives are excluded. A generative language model generates an exclusion condition based on the adjusted token scores. The exclusion condition is run against a second dataset to generate a score. The exclusion condition and its score are presented to a user. Responsive to user acceptance, the exclusion condition is deployed to filter false positive alerts.
Inventors
- Joshua J. Powers
- Christopher A. Kulakowski
- Sophia Izokun
Assignees
- INTERNATIONAL BUSINESS MACHINES CORPORATION
Dates
- Publication Date: 2026-05-05
- Application Date: 2024-10-14
Claims (20)
- 1. A computer-implemented method of reducing false positive computer security alerts, the method comprising: ingesting a first dataset comprising a number of security alerts with resolution status, wherein the security alerts each comprise a number of data fields; tokenizing the data fields within the security alerts; calculating cardinality for each tokenized data field compared against the whole first dataset; calculating entropy for each tokenized data field's values; generating a combined token score for each tokenized data field based on the cardinality and entropy; comparing each combined token score against all tokenized data fields for the security alerts in the first dataset; adjusting each combined token score based on the comparison; excluding any tokens that are present in security alerts resolved as true positives; generating, by a generative language model, a suggested exclusion condition based on the adjusted token scores; running the suggested exclusion condition against a second dataset to generate an exclusion condition score; presenting the suggested exclusion condition and exclusion condition score to a user; and responsive to acceptance by the user, deploying the suggested exclusion condition to filter false positive security alerts.
- 2. The method of claim 1, wherein ingesting the first dataset further comprises: identifying a number of data sources with incoming security alerts with resolution status; collecting, with application programming interface connectors, alert data from the data sources; integrating the data from the data sources to produce the first dataset; cleaning the first dataset; and pre-processing the first dataset.
- 3. The method of claim 2, wherein the data sources comprise at least one of: Security Information and Event Management; Endpoint Detection and Response; Web Application Firewall; Managed Detection and Response; or IT Service Management.
- 4. The method of claim 2, wherein integrating the data from the data sources further comprises filtering the data to extract only data from needed fields.
- 5. The method of claim 1, wherein tokenizing is performed using at least one of the following as delimiters: non-alphanumeric characters; new lines; carriage returns; or separators in key/value pairs.
- 6. The method of claim 1, wherein the generative language model generates the suggested exclusion condition within adjustable constraints provided through a user interface that has separate, respective slider controls for length and complexity of the exclusion condition.
- 7. The method of claim 1, wherein generating the exclusion condition score further comprises: calculating an impact score based on the total number of events in the second dataset that match the suggested exclusion condition; determining a true positive/false positive ratio based on past security alerts in the second dataset; and calculating a combined score from the impact score and the true positive/false positive ratio.
- 8. The method of claim 1, wherein the second dataset used to generate the exclusion condition score includes crowd sourced data for security operations.
- 9. A computer system for reducing false positive computer security alerts, comprising: one or more computer processors; one or more computer readable storage devices; and computer program instructions, the computer program instructions being stored on the one or more computer readable storage devices for execution by the one or more computer processors to perform one or more operations to: ingest a first dataset comprising a number of security alerts with resolution status, wherein the security alerts each comprise a number of data fields; tokenize the data fields within the security alerts; calculate cardinality for each tokenized data field compared against the whole first dataset; calculate entropy for each tokenized data field's values; generate a combined token score for each tokenized data field based on the cardinality and entropy; compare each combined token score against all tokenized data fields for the security alerts in the first dataset; adjust each combined token score based on the comparison; exclude any tokens that are present in security alerts resolved as true positives; generate, by a generative language model, a suggested exclusion condition based on the adjusted token scores; run the suggested exclusion condition against a second dataset to generate an exclusion condition score; present the suggested exclusion condition and exclusion condition score to a user; and responsive to acceptance by the user, deploy the suggested exclusion condition to filter false positive security alerts.
- 10. The system of claim 9, wherein the program instructions that cause the system to ingest the first dataset further cause the system to: identify a number of data sources with incoming security alerts with resolution status; collect, with application programming interface connectors, alert data from the data sources; integrate the data from the data sources to produce the first dataset; clean the first dataset; and pre-process the first dataset.
- 11. The system of claim 10, wherein the data sources comprise at least one of: Security Information and Event Management; Endpoint Detection and Response; Web Application Firewall; Managed Detection and Response; or IT Service Management.
- 12. The system of claim 10, wherein the program instructions that cause the system to integrate the data from the data sources further cause the system to filter the data to extract only data from needed fields.
- 13. The system of claim 9, wherein tokenizing is performed using at least one of the following as delimiters: non-alphanumeric characters; new lines; carriage returns; or separators in key/value pairs.
- 14. The system of claim 9, wherein the generative language model generates the suggested exclusion condition within adjustable constraints provided through a user interface that has separate, respective slider controls for length and complexity of the exclusion condition.
- 15. The system of claim 9, wherein the program instructions that cause the system to generate the exclusion condition score further cause the system to: calculate an impact score based on the total number of events in the second dataset that match the suggested exclusion condition; determine a true positive/false positive ratio based on past security alerts in the second dataset; and calculate a combined score from the impact score and the true positive/false positive ratio.
- 16. The system of claim 9, wherein the second dataset used to generate the exclusion condition score includes crowd sourced data for security operations.
- 17. A computer program product for reducing false positive computer security alerts, the computer program product comprising: a persistent storage medium having program instructions configured to cause one or more processors to: ingest a first dataset comprising a number of security alerts with resolution status, wherein the security alerts each comprise a number of data fields; tokenize the data fields within the security alerts; calculate cardinality for each tokenized data field compared against the whole first dataset; calculate entropy for each tokenized data field's values; generate a combined token score for each tokenized data field based on the cardinality and entropy; compare each combined token score against all tokenized data fields for the security alerts in the first dataset; adjust each combined token score based on the comparison; exclude any tokens that are present in security alerts resolved as true positives; generate, by a generative language model, a suggested exclusion condition based on the adjusted token scores; run the suggested exclusion condition against a second dataset to generate an exclusion condition score; present the suggested exclusion condition and exclusion condition score to a user; and responsive to acceptance by the user, deploy the suggested exclusion condition to filter false positive security alerts.
- 18. The computer program product of claim 17, wherein the instructions to ingest the first dataset further comprise instructions to: identify a number of data sources with incoming security alerts with resolution status; collect, with application programming interface connectors, alert data from the data sources; integrate the data from the data sources to produce the first dataset; clean the first dataset; and pre-process the first dataset.
- 19. The computer program product of claim 17, wherein the generative language model generates the suggested exclusion condition within adjustable constraints provided through a user interface that has separate, respective slider controls for length and complexity of the exclusion condition.
- 20. The computer program product of claim 17, wherein the instructions to generate the exclusion condition score further comprise instructions to: calculate an impact score based on the total number of events in the second dataset that match the suggested exclusion condition; determine a true positive/false positive ratio based on past security alerts in the second dataset; and calculate a combined score from the impact score and the true positive/false positive ratio.
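The pipeline of claim 1 (tokenize, score fields by cardinality and entropy, adjust by comparison across fields, drop true-positive tokens, propose a condition), the delimiters of claim 5 and the scoring of claim 7, as an added runnable illustration. This is not code from the patent or from IBM. The patent does not give formulas, so the cardinality, entropy, combined, adjusted and combined-score formulas here are assumptions; a deterministic rule builder stands in for the generative language model, with its `max_terms` argument playing the part of the length limit of claim 6; `min_token_len` is an added noise filter; and the field names (`user`, `host`, `cmdline`) and every alert are constructed for the example.

```python
# Added illustration of claims 1, 5 and 7; not code from the patent or from IBM.
# Formulas, the rule builder that stands in for the generative language model,
# the field names and all alerts below are assumptions made for this example.
import math
import re
from collections import Counter

FIELDS = ("user", "host", "cmdline")        # assumed alert data fields
DELIMITER = re.compile(r"[^A-Za-z0-9]+")    # claim 5: non-alphanumeric delimiters

# Constructed first dataset: four false positives from a backup account's scheduled
# PowerShell jobs, plus two true positives, one of which also involves that account.
FIRST_DATASET = [
    {"status": "FP", "user": "svc_backup", "host": "bk01", "cmdline": r"powershell.exe -File C:\jobs\nightly.ps1"},
    {"status": "FP", "user": "svc_backup", "host": "bk02", "cmdline": r"powershell.exe -File C:\jobs\nightly.ps1"},
    {"status": "FP", "user": "svc_backup", "host": "bk03", "cmdline": r"powershell.exe -File C:\jobs\weekly.ps1"},
    {"status": "FP", "user": "svc_backup", "host": "bk01", "cmdline": r"powershell.exe -File C:\jobs\nightly.ps1"},
    {"status": "TP", "user": "jdoe", "host": "ws-117", "cmdline": "powershell.exe -enc SQBFAFgA"},
    {"status": "TP", "user": "svc_backup", "host": "ws-042", "cmdline": "powershell.exe -enc SQBFAFgA"},
]
# Constructed second dataset for scoring (claim 7); status None = never triaged.
SECOND_DATASET = [
    {"status": "FP", "user": "svc_backup", "host": "bk05", "cmdline": r"powershell.exe -File C:\jobs\nightly.ps1"},
    {"status": "FP", "user": "svc_backup", "host": "bk06", "cmdline": r"powershell.exe -File C:\jobs\monthly.ps1"},
    {"status": "FP", "user": "adm_ops", "host": "ws-009", "cmdline": r"powershell.exe -File C:\jobs\cleanup.ps1"},
    {"status": "TP", "user": "jdoe", "host": "ws-201", "cmdline": r"powershell.exe -File C:\Users\Public\stage.ps1"},
    {"status": "TP", "user": "svc_backup", "host": "ws-042", "cmdline": "powershell.exe -enc SQBFAFgA"},
    {"status": "TP", "user": "svc_backup", "host": "bk02", "cmdline": r"powershell.exe -File C:\jobs\update.ps1"},
    {"status": None, "user": "svc_backup", "host": "bk07", "cmdline": r"powershell.exe -File C:\jobs\nightly.ps1"},
]

def tokenize(value):
    """Lower-cased alphanumeric tokens; newlines, carriage returns and key/value
    separators are all covered by the non-alphanumeric delimiter."""
    return [t.lower() for t in DELIMITER.split(str(value)) if t]

def shannon_entropy(counts):
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c)

def score_fields(alerts):
    """Claim 1 field scoring. Assumed formulas: cardinality = distinct / total tokens,
    entropy normalised by log2(distinct), combined = 1 - their mean, adjusted =
    combined minus the mean over all fields (> 0: more repetitive than the rest)."""
    combined = {}
    for field in FIELDS:
        counts = Counter(t for a in alerts for t in tokenize(a[field]))
        cardinality = len(counts) / sum(counts.values())
        entropy = shannon_entropy(list(counts.values())) / math.log2(len(counts)) if len(counts) > 1 else 0.0
        combined[field] = 1 - (cardinality + entropy) / 2
    mean = sum(combined.values()) / len(combined)
    return {f: s - mean for f, s in combined.items()}

def true_positive_tokens(alerts):
    """Every token seen anywhere in a true-positive alert; claim 1 excludes these
    so a tuning rule can never key on something an attacker actually used."""
    return {t for a in alerts if a["status"] == "TP" for f in FIELDS for t in tokenize(a[f])}

def propose_condition(alerts, max_terms=2, min_coverage=0.75, min_token_len=2):
    """Deterministic stand-in for the generative model: the (field, token) pairs that
    cover the most false positives in the best-scoring fields, minus true-positive
    tokens. max_terms mirrors the length limit of claim 6; min_token_len drops noise."""
    adjusted = score_fields(alerts)
    banned = true_positive_tokens(alerts)
    fps = [a for a in alerts if a["status"] == "FP"]
    candidates = []
    for field in (f for f in FIELDS if adjusted[f] > 0):
        coverage = Counter(t for a in fps for t in set(tokenize(a[field])))
        for tok, n in coverage.items():
            share = n / len(fps)
            if tok not in banned and len(tok) >= min_token_len and share >= min_coverage:
                candidates.append((-adjusted[field], -share, -len(tok), tok, field))
    candidates.sort()
    return [(field, tok) for *_, tok, field in candidates[:max_terms]]

def matches(condition, alert):
    return all(tok in tokenize(alert[field]) for field, tok in condition)

def render(condition):
    return " AND ".join(f'{field} contains "{tok}"' for field, tok in condition)

def score_condition(condition, dataset):
    """Claim 7: impact = matched events, TP/FP ratio over matched resolved alerts, and
    an assumed combined score = impact share * FP share (lower if it hides real incidents)."""
    hits = [a for a in dataset if matches(condition, a)]
    tp = sum(a["status"] == "TP" for a in hits)
    fp = sum(a["status"] == "FP" for a in hits)
    ratio = tp / fp if fp else (float("inf") if tp else 0.0)
    fp_share = fp / (tp + fp) if tp + fp else 0.0
    return {"impact": len(hits), "tp": tp, "fp": fp, "tp_fp_ratio": ratio,
            "combined": round(len(hits) / len(dataset) * fp_share, 3)}

def deploy(condition):
    return lambda alert: matches(condition, alert)  # installed after user acceptance; True = suppress

if __name__ == "__main__":
    proposal = propose_condition(FIRST_DATASET)
    print(render(proposal), score_condition(proposal, SECOND_DATASET))
```

On the constructed data the `user` field scores highest, but its only tokens (`svc`, `backup`) also occur in a true positive, so the builder falls through to the command line and proposes `cmdline contains "file" AND cmdline contains "jobs"`. Scored against the second dataset that condition matches five events, four of them false positives or untriaged and one a true positive (an attacker-dropped script in the jobs directory), which is exactly the kind of result the patent has a user review before deployment rather than auto-applying.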
Description
BACKGROUND
The disclosure relates generally to computer security alerts, and more specifically to reducing security alert false positives.
Security Operation Center (SOC) personnel triage and investigate alerts, working through their process until the alert reaches an end state. One such end-state classification is False Positive (FP): an indicator that the alert is non-malicious and requires no remediation steps. FPs take analysts' time away from other alerts that could be more serious. SOC teams in large organizations often have a high number of FPs and therefore spend more time on tuning. Tuning is the process of excluding conditions that are deemed non-malicious, where the organization accepts the risk that no alert or investigation is raised when those conditions hold. The tuning effort reduces the FP rate and lets the SOC focus on high-fidelity alerts that could require remediation actions to protect the organization or business. Tuning requires multiple steps: finding alerts classified as FP grouped by alert name, gathering all the alert data, looking for commonalities within the data, devising a proposed condition for which the business would accept the risk, and so on.
At the end of an incident response life cycle is a post-review phase in which everything that occurred during the incident is reviewed for gaps or improvements that could reduce the risk to the organization. During this post-review phase, alerts are sometimes classified as FP and analyzed further for tuning opportunities.
SUMMARY
An illustrative embodiment provides a computer-implemented method of reducing false positive computer security alerts. The method comprises ingesting a first dataset comprising a number of security alerts with resolution status, wherein the security alerts each comprise a number of data fields, which are then tokenized. Cardinality is calculated for each tokenized data field compared against the whole first dataset. Entropy is calculated for each tokenized data field's values. A combined token score is generated for each tokenized data field based on the cardinality and entropy. Each combined token score is compared against all tokenized data fields for the security alerts in the first dataset. Each combined token score is then adjusted based on the comparison. Any tokens that are present in security alerts resolved as true positives are excluded. A generative language model generates a suggested exclusion condition based on the adjusted token scores. The suggested exclusion condition is run against a second dataset to generate an exclusion condition score. The suggested exclusion condition and exclusion condition score are presented to a user. Responsive to acceptance by the user, the suggested exclusion condition is deployed to filter false positive security alerts.
According to other illustrative embodiments, a computer system and a computer program product for reducing false positive computer security alerts are provided.
BRIEF DESCRIPTION OF THE DRAWINGS
- FIG. 1 is a block diagram of a computing environment in accordance with an illustrative embodiment;
- FIG. 2 depicts a block diagram illustrating an overview of a SOC process in accordance with an illustrative embodiment;
- FIG. 3 depicts a block diagram illustrating data integration in accordance with an illustrative embodiment;
- FIG. 4 depicts an example of a user interface sliding mechanism to adjust length and complexity of tuning proposals in accordance with an illustrative embodiment;
- FIG. 5 depicts a table of tuning proposal scores in accordance with an illustrative embodiment;
- FIG. 6 depicts a table illustrating an analysis of an alert with crowd sourced input in accordance with an illustrative embodiment;
- FIG. 7 depicts a table of example resolved security incident tickets to which the illustrative embodiments can be applied;
- FIG. 8 depicts a flowchart illustrating a process for reducing false positive computer security alerts in accordance with an illustrative embodiment;
- FIG. 9 depicts a flowchart illustrating a process for data ingestion in accordance with an illustrative embodiment; and
- FIG. 10 depicts a flowchart for generating the exclusion condition score in accordance with an illustrative embodiment.
DETAILED DESCRIPTION
The illustrative embodiments recognize and take into account that tuning to screen out false positives comprises a life cycle of identification, analysis, monitoring, and deployment. Identification involves marking one or more false positive (FP) alerts as potential tuning candidates. The tuning candidates are then sent to the backlog and assigned a resource, once one is available, to work on the analysis phase. During the analysis phase the assigned resource analyzes the rule logic, the incident details, and the rule context, that is, the intention of the rule. This is important as the rule logic w