Past signature-based and anomaly-based network security detection systems implement static approaches to determining whether a network threat or security event, such as a network attack or malware infection, is present. In such systems, each signature is typically assigned a fixed severity metric. For example, such static severity metrics may be drawn from a predefined set of levels, such as Informational (e.g. general network update data), Low (e.g. low threat), Medium (e.g. moderate threat), High (e.g. high threat), and Critical (e.g. severe threat). When a security event occurs and an alert is raised, the severity value assigned to the matching signature is reported as-is.
However, the peculiarities and/or finer contextual details of an occurrence, such as the asset involved, the direction of the traffic, or what else has been observed on the same host, generally do not influence the severity level. For example, if a network security detection system detects a possible threat and issues a “Medium” alert, the alert data may lack information and/or context about the event. Conventional intrusion detection systems (IDS) often lack the ability to combine registered security events and assess their synergistic effect. Once reported, events exist in isolation, and it is up to a human operator to analyze them and reconstruct a comprehensive view of the attack based on the operator's expert knowledge. The lack of information often forces a human operator (e.g. a network administrator or security administrator) to make judgment calls in an informational vacuum while trying to estimate the real security threat and the impact to the business caused by the event.
While some conventional detection systems have alert correlation capabilities—such as higher severity alerts superseding ones with lower severity in the same logical (e.g. detection) group—these measures are typically designed to reduce the noise level of the system and do not correct the problems caused by the lack of contextual information.
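The following is an added illustration, not code from the original document or from any particular detection product, of the two behaviours described above: severity is looked up from a static per-signature table regardless of context, and supersession-style correlation within a logical detection group keeps only the highest-severity alert. The signature identifiers, detection groups, hosts and events are all constructed for the example. Running it shows that the correlation step does reduce the alert count, but that the suppressed alerts carried context (a second beaconing host) that the surviving alert does not.

```python
from collections import defaultdict
from dataclasses import dataclass

# Static severity levels, ranked so that "higher supersedes lower" can be computed.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed signature table (hypothetical IDs): each signature carries a fixed
# severity and a logical detection group, as a conventional IDS would assign.
SIGNATURES = {
    "SIG-1001": ("Suspicious outbound DNS query", "Low", "dns"),
    "SIG-1002": ("Known C2 beacon pattern", "Medium", "c2"),
    "SIG-1003": ("Malware download detected", "High", "c2"),
    "SIG-1004": ("Port scan", "Low", "recon"),
}


@dataclass(frozen=True)
class Alert:
    ts: int
    sig_id: str
    src: str
    dst: str

    @property
    def severity(self) -> str:
        # Severity comes from the signature alone; src/dst never influence it.
        return SIGNATURES[self.sig_id][1]

    @property
    def group(self) -> str:
        return SIGNATURES[self.sig_id][2]


# Constructed sample detections: (timestamp, signature, source, destination).
SAMPLE_EVENTS = [
    (100, "SIG-1004", "10.0.0.5", "10.0.0.10"),
    (120, "SIG-1001", "10.0.0.10", "8.8.8.8"),
    (130, "SIG-1002", "10.0.0.10", "203.0.113.7"),
    (140, "SIG-1003", "10.0.0.10", "203.0.113.7"),
    (150, "SIG-1002", "10.0.0.11", "203.0.113.7"),
]


def raise_alerts(events) -> list[Alert]:
    """Turn raw detections into alerts; severity is assigned statically."""
    return sorted((Alert(*e) for e in events), key=lambda a: a.ts)


def correlate(alerts: list[Alert]) -> tuple[list[Alert], list[Alert]]:
    """Supersession: within each detection group keep only the highest-severity
    alert (earliest wins a tie). Returns (survivors, suppressed), each by time."""
    by_group: dict[str, list[Alert]] = defaultdict(list)
    for a in alerts:
        by_group[a.group].append(a)
    survivors, suppressed = [], []
    for group_alerts in by_group.values():
        best = max(group_alerts, key=lambda a: (SEVERITY_RANK[a.severity], -a.ts))
        survivors.append(best)
        suppressed.extend(a for a in group_alerts if a is not best)
    return sorted(survivors, key=lambda a: a.ts), sorted(suppressed, key=lambda a: a.ts)


def lost_hosts(survivors: list[Alert], suppressed: list[Alert]) -> set[str]:
    """Source hosts that appear only in suppressed alerts: context the operator
    never sees once the noise reduction has run."""
    seen = {a.src for a in survivors}
    return {a.src for a in suppressed} - seen


if __name__ == "__main__":
    survivors, suppressed = correlate(raise_alerts(SAMPLE_EVENTS))
    for a in survivors:
        print(f"{a.ts} {a.severity:<7} {a.sig_id} {a.src} -> {a.dst}")
    print("suppressed:", len(suppressed), "hosts hidden:", lost_hosts(survivors, suppressed))
```

On the constructed input, the three surviving alerts are the port scan, the DNS query and the High-severity malware download; both Medium beacon alerts are suppressed, and with them the only evidence that 10.0.0.11 was also talking to the same external address. The correlation has halved the noise without changing any severity or telling the operator that two hosts, not one, are involved.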
Additionally, in traditional network threat detection systems the reported security events are often fixed at a single point in time. In these systems the sensors detect in “real time”, and as such only register network threats that are occurring at the moment of detection and that, on their own, exceed the threshold needed to trigger a signature or anomaly rule; activity that is individually below that threshold, or that only becomes significant in combination with earlier or later events, is not reported.
As is evident, there is a need for improved approaches for determining the seriousness of a collection of network threats.