In some known network systems, analysts can calculate threat scores for devices in the network system. These scores can factor in the temporal distance from cyber-threat events via logarithmic decay, so that an event's weight declines with its age. Such a threat score collapses a multi-dimensional problem, including the time since the last threat event, the nature of the threat event, the number of threat events, and the network distance from threat events on other devices, into a single scalar summation. Analysts may manipulate, calculate, or disable such threat scores.
In such known network systems, however, analysts are unable to update threat scores based on historical data; that is, such systems cannot account for the delay between the time at which a threat event occurred and the time at which it is ingested and recognized, and a late-reported event is scored as if it had just happened. Additionally, other known network systems store discrete threat scores for particular periods of time so that analysts can modify historical threat scores. This requires storing multiple discrete threat scores for each network system, and/or storing multiple representations of the network system, so that threat scores can be calculated for various periods of time. Thus, even when known network systems allow analysts to modify historical threat data, they require storing and/or processing large quantities of data, creating storage and processing inefficiencies that limit the scalability and responsiveness of such systems.
Accordingly, a need exists for methods and apparatus that efficiently allow analysts to store historical threat data and to update threat scores for a network system using that historical threat data, without requiring large quantities of data to be stored or processed.
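The following is an added, constructed example illustrating the kind of scoring described above: a per-device score that sums event severity weights under logarithmic time decay and attenuation by network (hop) distance, and a comparison showing how measuring age from ingest time instead of event time misprices a late-reported event. It is not code from this document or from any system it describes; the decay time scale (TAU_HOURS), the severity scale, the halving-per-hop attenuation, the topology and the events are all assumptions made for the example.

```python
"""Illustrative threat-score model (constructed example; not the implementation
of any system described on this page). A device's score is the sum, over all
threat events known at the evaluation time, of:

    severity_weight * time_decay(age) * distance_attenuation(hops)

where age is measured from the event's own timestamp, time_decay is logarithmic,
and hops is the network distance between the affected device and the device
being scored. The decay time scale, the severity scale, the halving-per-hop
attenuation and the topology are assumptions made for this example.
"""
import math
from collections import deque
from dataclasses import dataclass

HOUR = 3600.0
TAU_HOURS = 24.0  # assumed decay time scale (hours)


@dataclass(frozen=True)
class ThreatEvent:
    device: str         # device on which the event was observed
    severity: float     # nature of the event mapped to a weight (assumed 1..10)
    event_time: float   # when the event actually happened (seconds since epoch)
    ingested_at: float  # when the scoring system learned of it (>= event_time)


# Constructed topology: undirected adjacency; hop count is the "network distance".
TOPOLOGY = {
    "ws-01": {"sw-01"},
    "ws-02": {"sw-01"},
    "sw-01": {"ws-01", "ws-02", "srv-01"},
    "srv-01": {"sw-01"},
}

T0 = 1_700_000_000.0  # arbitrary reference time for the constructed events

# Constructed event history. The first event happened at T0 but was only
# reported a day later; the third happens after the evaluation time used below.
EVENTS = (
    ThreatEvent("ws-01", 8.0, T0, T0 + 24 * HOUR),
    ThreatEvent("ws-02", 4.0, T0 + 12 * HOUR, T0 + 12 * HOUR),
    ThreatEvent("srv-01", 6.0, T0 + 30 * HOUR, T0 + 30 * HOUR),
)


def hop_distance(topology, src, dst):
    """Breadth-first hop count between two devices, or None if unreachable."""
    if src == dst:
        return 0
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, hops = queue.popleft()
        for nxt in topology.get(node, ()):
            if nxt == dst:
                return hops + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None


def time_decay(age_seconds):
    """Logarithmic decay with age: exactly 1.0 for a fresh event, falling slowly.

    With TAU_HOURS = 24 an event one day old keeps 1/(1 + ln 2) of its weight.
    """
    age_hours = max(age_seconds, 0.0) / HOUR
    return 1.0 / (1.0 + math.log1p(age_hours / TAU_HOURS))


def distance_attenuation(hops):
    """Each hop between the affected device and the scored device halves the weight."""
    return 0.0 if hops is None else 0.5 ** hops


def threat_score(device, events, topology, as_of, backdate=True):
    """Score of `device` as of time `as_of`.

    backdate=True  : age is measured from each event's true event_time, and
                     events that had not yet happened by `as_of` are ignored.
    backdate=False : mimics a system that only knows when an event was
                     ingested; age is measured from ingested_at, so a
                     late-reported event is treated as if it had just occurred.
    """
    total = 0.0
    for ev in events:
        t = ev.event_time if backdate else ev.ingested_at
        if t > as_of:
            continue  # not known (or not yet happened) at the evaluation time
        hops = hop_distance(topology, ev.device, device)
        total += ev.severity * time_decay(as_of - t) * distance_attenuation(hops)
    return total


if __name__ == "__main__":
    now = T0 + 24 * HOUR
    for dev in TOPOLOGY:
        print(f"{dev:7s} backdated={threat_score(dev, EVENTS, TOPOLOGY, now):6.3f}"
              f"  ingest-clock={threat_score(dev, EVENTS, TOPOLOGY, now, backdate=False):6.3f}")
```

Because threat_score is a pure function of the retained event history and an evaluation time, a late-arriving event is placed at its true event_time and the score for any past or present instant can be recomputed from the same event list. The backdate=False branch reproduces the limitation described above: the day-late event on ws-01 contributes its full weight of 8.0 instead of the decayed 8/(1 + ln 2), so the device is over-scored at the moment the event is ingested.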