
US-20260129072-A1 - USER BASED THREAT RESPONSE RECOMMENDATIONS


Abstract

Techniques described herein can generate customized, user-based security response recommendations for users of security system(s), such as for security analysts tasked with performing responses to computing security threats. A user-based response recommendation engine can generate the user-based security response recommendations based on incident data associated with security incidents and based on historical user response data. Furthermore, user role inference techniques can optionally be used in conjunction with the user-based response recommendation engine.

Inventors

  • Yi Hong
  • Tian Bu

Assignees

  • CISCO TECHNOLOGY, INC.

Dates

Publication Date
2026-05-07
Application Date
2025-12-30

Claims (20)

  1. A method, comprising: identifying a security incident within a network; generating a response recommendation, wherein the response recommendation recommends a response by a user to the security incident, and wherein generating the response recommendation comprises: obtaining incident data associated with the security incident; obtaining historical user response data comprising indications of previous responses by the user to previous security incidents, wherein the historical user response data comprises a historical user response feature vector; and predicting, based on the incident data and the historical user response data, a probable response by the user to the security incident, wherein the response recommendation comprises the probable response; and providing an output comprising the response recommendation to the user.
  2. The method of claim 1, wherein the incident data comprises an incident feature vector comprising multiple incident features, and wherein the historical user response feature vector comprises multiple historical user response features.
  3. The method of claim 2, wherein the incident feature vector comprises a binary vector including a representation of a description of the security incident.
  4. The method of claim 2, wherein the multiple incident features comprise one or more of an indication of a source of the security incident, a description of the security incident.
  5. The method of claim 2, wherein the multiple historical user response features comprise one or more of the user's age, education, work experience, location, or indications of actions included in the user's historical incident responses.
  6. The method of claim 1, wherein predicting the probable response by the user to the security incident comprises providing the incident data and the historical user response data as two distinct inputs to a trained supervised machine learning model.
  7. The method of claim 6, further comprising using the historical user response data and historical incident data associated with previous security incidents to train the trained supervised machine learning model.
  8. The method of claim 1, wherein the response recommendation includes one or more of a quarantine, a system recovery, blocking an internet protocol address, or blocking a hostname.
  9. The method of claim 1, wherein the response recommendation is different from an alternate response recommendation generated by the security system for an alternate user, wherein the alternate response recommendation recommends an alternate response by the alternate user to the security incident.
  10. A device comprising: one or more processors; one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: identifying a security incident within a network; generating a response recommendation, wherein the response recommendation recommends a response by a user to the security incident, and wherein generating the response recommendation comprises: obtaining incident data associated with the security incident; obtaining historical user response data comprising indications of previous responses by the user to previous security incidents, wherein the historical user response data comprises a historical user response feature vector; and predicting, based on the incident data and the historical user response data, a probable response by the user to the security incident, wherein the response recommendation comprises the probable response; and providing an output comprising the response recommendation to the user.
  11. The device of claim 10, wherein the incident data comprises an incident feature vector comprising multiple incident features, and wherein the historical user response feature vector comprises multiple historical user response features.
  12. The device of claim 11, wherein the incident feature vector comprises a binary vector including a representation of a description of the security incident.
  13. The device of claim 11, wherein the multiple incident features comprise one or more of an indication of a source of the security incident, a description of the security incident.
  14. The device of claim 11, wherein the multiple historical user response features comprise one or more of the user's age, education, work experience, location, or indications of actions included in the user's historical incident responses.
  15. The device of claim 10, wherein predicting the probable response by the user to the security incident comprises providing the incident data and the historical user response data as two distinct inputs to a trained supervised machine learning model.
  16. The device of claim 15, further comprising using the historical user response data and historical incident data associated with previous security incidents to train the trained supervised machine learning model.
  17. The device of claim 10, wherein the response recommendation includes one or more of a quarantine, a system recovery, blocking an internet protocol address, or blocking a hostname.
  18. The device of claim 10, wherein the response recommendation is different from an alternate response recommendation generated by the security system for an alternate user, wherein the alternate response recommendation recommends an alternate response by the alternate user to the security incident.
  19. A non-transitory computer-readable medium storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: identifying a security incident within a network; generating a response recommendation, wherein the response recommendation recommends a response by a user to the security incident, and wherein generating the response recommendation comprises: obtaining incident data associated with the security incident; obtaining historical user response data comprising indications of previous responses by the user to previous security incidents, wherein the historical user response data comprises a historical user response feature vector; and predicting, based on the incident data and the historical user response data, a probable response by the user to the security incident, wherein the response recommendation comprises the probable response; and providing an output comprising the response recommendation to the user.
  20. The non-transitory computer-readable medium of claim 19, wherein the multiple historical user response feature vector comprises a total number of incidents to which the user has responded in a trailing time window.
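The claims above describe a pipeline in the abstract: a binary incident feature vector (claims 3 and 4), a historical user response feature vector built from the user's past actions and an incident count over a trailing window (claims 5 and 20), both fed as two distinct inputs to a supervised model (claim 6) that predicts the user's probable response (claim 8), so that two analysts can receive different recommendations for the same incident (claim 9). The following is an added, self-contained illustration of that shape in Python; it is not code from the patent or from Cisco. The detection sources, the 30-day window, the k-nearest-neighbour model with majority voting, and the two analysts' histories are all assumptions constructed for the example.

```python
"""Added example (not the patent's code): a minimal user-based response
recommender in the shape of claims 1-9 and 20.  Two distinct inputs, an
incident feature vector (source one-hot + binary bag-of-words over the
description) and a historical user response feature vector (per-action
counts + incidents handled in a trailing window), feed a supervised
k-nearest-neighbour model trained on past (incident, user, response) rows.
All incidents, analysts and responses below are constructed sample data."""
from collections import Counter
from dataclasses import dataclass

ACTIONS = ["block_hostname", "block_ip", "quarantine", "system_recovery"]  # claim 8
SOURCES = ["edr", "ids", "mail"]   # assumed detection sources (claim 4 "source")
TRAILING_WINDOW_DAYS = 30          # assumed window for the claim-20 style count


@dataclass(frozen=True)
class Incident:
    source: str
    description: str
    days_ago: int


def tokens(text):
    return set(text.lower().split())


def build_vocab(incidents):
    """Token vocabulary for the binary incident vector, fixed at training time."""
    return sorted(set().union(*(tokens(i.description) for i in incidents)))


def incident_vector(inc, vocab):
    """Binary incident feature vector: source one-hot, then token presence."""
    src = [1.0 if inc.source == s else 0.0 for s in SOURCES]
    present = tokens(inc.description)
    return src + [1.0 if t in present else 0.0 for t in vocab]


def user_vector(hist):
    """Historical user response feature vector: how often the user took each
    action, plus the number of incidents handled in the trailing window.
    (Snapshot of the whole history; a production system would compute it as
    of each training incident to avoid leaking future behaviour.)"""
    counts = Counter(a for _, resp in hist for a in resp)
    recent = sum(1 for inc, _ in hist if inc.days_ago <= TRAILING_WINDOW_DAYS)
    return [float(counts[a]) for a in ACTIONS] + [float(recent)]


class KnnResponseModel:
    """Supervised k-NN over the concatenation of the two input vectors.
    Each training row is (incident_vec, user_vec, set of actions taken)."""

    def __init__(self, k=3):
        self.k = k
        self.rows = []

    def fit(self, rows):
        self.rows = list(rows)
        return self

    @staticmethod
    def _dist2(a, b):
        return sum((x - y) ** 2 for x, y in zip(a, b))

    def predict(self, incident_vec, user_vec):
        query = incident_vec + user_vec
        nearest = sorted(self.rows, key=lambda r: self._dist2(query, r[0] + r[1]))[: self.k]
        votes = Counter(a for _, _, resp in nearest for a in resp)
        # majority vote per action -> multi-label "probable response"
        return sorted(a for a in ACTIONS if 2 * votes[a] > self.k)


# Constructed history for two analysts.  "alice" works a bank SOC with an
# aggressive containment policy; "bob" works a school with a lighter touch.
ALICE = [
    (Incident("ids", "beacon to known c2 ip", 3), {"block_ip", "quarantine"}),
    (Incident("edr", "ransomware encryption detected on host", 10), {"quarantine", "system_recovery"}),
    (Incident("mail", "phishing link to credential harvesting hostname", 15), {"block_hostname", "quarantine"}),
    (Incident("ids", "port scan from external ip", 25), {"block_ip"}),
]
BOB = [
    (Incident("ids", "beacon to known c2 ip", 5), {"block_ip"}),
    (Incident("edr", "ransomware encryption detected on host", 20), {"system_recovery"}),
    (Incident("mail", "phishing link to credential harvesting hostname", 45), {"block_hostname"}),
    (Incident("ids", "port scan from external ip", 60), {"block_ip"}),
]
HISTORY = {"alice": ALICE, "bob": BOB}


def train(history):
    """Claim-7 style training: historical incident data + historical user
    response data for every analyst become the model's labelled rows."""
    vocab = build_vocab(inc for hist in history.values() for inc, _ in hist)
    rows = [
        (incident_vector(inc, vocab), user_vector(hist), resp)
        for hist in history.values()
        for inc, resp in hist
    ]
    return KnnResponseModel(k=3).fit(rows), vocab


def recommend(model, vocab, history, user, incident):
    """Claim-1 style pipeline: incident data + this user's history -> probable response."""
    return model.predict(incident_vector(incident, vocab), user_vector(history[user]))


if __name__ == "__main__":
    model, vocab = train(HISTORY)
    new = Incident("ids", "beacon to known c2 ip from new host", 0)
    for user in HISTORY:
        print(user, recommend(model, vocab, HISTORY, user, new))
```

With these constructed histories the same beaconing incident yields `['block_ip', 'quarantine']` for alice and `['block_ip']` for bob, which is the claim-9 divergence. The caveat a practitioner should keep in mind is that the model predicts what the analyst has tended to do, not what is correct: an analyst who habitually under-responds will be recommended to keep under-responding, and the recommendation should still be gated by the organisation's response policy and the user's authorisation (the description notes that more trusted users are allowed more powerful tools) rather than applied automatically.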

Description

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of and claims priority to U.S. application Ser. No. 18/438,962, filed on Feb. 12, 2024 and entitled "USER BASED THREAT RESPONSE RECOMMENDATIONS," the entirety of which is incorporated herein by reference.

TECHNICAL FIELD

The present disclosure relates generally to computing security, and to protecting network endpoints and other computing devices from security compromise in particular.

BACKGROUND

Today's computer systems face an ever-growing number of security threats. Attack surfaces have grown due to an increasing variety of device types and applications, and the number and variety of security threats have therefore grown as well. An ongoing arms race exists between attacks and attack detection techniques. More detection is generally perceived as better security, and as a result, detection has become increasingly aggressive. However, increasingly aggressive detection runs the risk of introducing more false positives, which can be a drain on valuable security resources.

Responding to security events is often complex and resource intensive. Security appliances deployed in a network and their associated policies can vary greatly. Making sense of different security events and then acting on such events is often tedious and requires deep knowledge and experience. Moreover, different organizations may have different threat response policies and different available resources for computing security. An organization such as a bank may invest heavily in computing security and may impose stringent security policies. In contrast, a school may not need a similar level of computing security and may not have the same tools and resources as the bank. Different security analysts within an organization can also be subject to different policies. Security analysts are also referred to herein as users due to their use of available security systems. More trusted or more highly skilled users may be allowed access to more sensitive information and more powerful tools than less trusted or less highly skilled users, and the more highly skilled users may likewise be subject to different security policies.

The complexity of effective security response can lead some companies to ignore security events or tune down detection sensitivity thresholds in order to save resources. Security can become compromised as proper event response becomes unaffordable, sometimes resulting in a waste of the money invested in detection. In view of the above, techniques are needed to make responding to security events more efficient and effective, in part by efficiently and effectively determining different appropriate security responses for different security analysts within different organizations.

BRIEF DESCRIPTION OF THE DRAWINGS

The detailed description is set forth below with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items. The systems depicted in the accompanying figures are not to scale and components within the figures may be depicted not to scale with each other.

FIG. 1 illustrates an example network architecture including security system(s) adapted to generate and employ customized security response recommendations, in accordance with various aspects of the technologies disclosed herein.

FIG. 2 illustrates example security system(s) which may implement the security system(s) introduced in FIG. 1, in accordance with various aspects of the technologies disclosed herein.

FIG. 3 illustrates an example user journey graph that can be generated by a user role inference component such as the user role inference component introduced in FIG. 2, in accordance with various aspects of the technologies disclosed herein.

FIG. 4 illustrates example operations of a user-based response recommendation engine in a training stage, in accordance with various aspects of the technologies disclosed herein.

FIG. 5 illustrates example operations of a user-based response recommendation engine in a deployed stage, in accordance with various aspects of the technologies disclosed herein.

FIG. 6 illustrates an example node that can be utilized to implement an endpoint in a network, in accordance with various aspects of the technologies disclosed herein.

FIG. 7 illustrates an example computer hardware architecture that can implement the security system(s) disclosed herein, in accordance with various aspects of the technologies disclosed herein.

FIG. 8 illustrates an example user role inference architecture, in accordance with various aspects of the technologies disclosed herein.

FIG. 9 illustrates an example user-based response recommendation architecture, in accordance with various aspects of the technologies disclosed herein.

FIG. 10 is a flow diagram that illustrates an example method pe