Invention Title:

SECURITY ALERT META-ANALYSIS FOR IDENTIFYING CAUSALLY RELATED EVIDENCE OF CYBERATTACKS

Publication number:

US20260081937

Publication date:
Section:

Electricity

Class:

H04L63/1416

Inventors:

Assignee:

Applicant:

Smart overview of the Invention

The Security Alert Meta-Analysis (SAMA) system is designed to improve the identification of cyberattacks by analyzing security alerts from various monitoring services. It constructs a security data graph that links entities, such as users and resources, to their respective alerts. By filtering the graph based on edge weights, the system identifies sub-graphs that represent clusters of causally related evidence indicative of attacks. These clusters are presented to security analysts for further investigation, thus reducing false positives and enabling a more comprehensive analysis of potential threats.

Challenges in Current Security Systems

Current security detection tools, like Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM), generate a high volume of alerts, many of which are false positives. These systems often focus on a single type of log data, limiting their effectiveness across large enterprise networks. Analysts face the daunting task of manually triaging these alerts, leading to alert fatigue and many alerts going uninvestigated. Studies indicate that analysts can only examine a small fraction of daily alerts, highlighting the need for a more efficient alert management system.

Methodology and Implementation

The SAMA system performs meta-analysis by modeling cyberattacks as causally related actions and events. It uses algorithms to uncover relationships among alerts, combining them into evidence clusters that provide a more complete picture of attack activity. The system aggregates data into a security data graph, where vertices represent network entities and edges denote relationships or actions. By applying Bayesian statistics, graph clustering, and machine learning, the system filters out weak connections, creating clusters that enhance detection confidence and reduce false positives.
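The following is an added illustration of the graph construction and edge-weight filtering described in the overview and methodology sections above; it is not code from the patent or from any product implementing it. The alert records, the bipartite alert-to-entity layout, the weighting rule (alert confidence scaled by how rare the entity is across all alerts) and the threshold values are all assumptions chosen to show the mechanism, not the patent's actual algorithms.

```python
"""Minimal security data graph in the spirit of the SAMA summary.

Vertices are alerts and the network entities (users, hosts, processes,
resources, IPs) they reference. Each alert-entity edge carries a weight;
edges below a threshold are dropped and the connected components that
remain are reported as clusters of related evidence.
"""
from collections import defaultdict
import math

# Constructed sample alerts from several monitoring sources (not real data).
SAMPLE_ALERTS = [
    {"id": "A1", "source": "ids", "confidence": 0.9,
     "entities": ["user:alice", "host:ws-17"]},
    {"id": "A2", "source": "edr", "confidence": 0.8,
     "entities": ["host:ws-17", "proc:powershell"]},
    {"id": "A3", "source": "siem", "confidence": 0.7,
     "entities": ["user:alice", "res:file-share"]},
    {"id": "A4", "source": "ids", "confidence": 0.3,
     "entities": ["host:ws-04", "ip:proxy"]},
    {"id": "A5", "source": "av", "confidence": 0.2,
     "entities": ["host:ws-09", "ip:proxy"]},
    {"id": "A6", "source": "ids", "confidence": 0.6,
     "entities": ["host:ws-22", "ip:proxy"]},
]


def build_graph(alerts):
    """Return {(alert_id, entity): weight} for a bipartite alert/entity graph.

    Assumed weighting: alert confidence multiplied by an IDF-style rarity
    term, so an entity shared by many alerts (e.g. a corporate proxy) links
    them only weakly, while a specific workstation links them strongly.
    """
    entity_count = defaultdict(int)
    for alert in alerts:
        for entity in set(alert["entities"]):
            entity_count[entity] += 1
    n = len(alerts)
    edges = {}
    for alert in alerts:
        for entity in set(alert["entities"]):
            rarity = math.log(1 + n / entity_count[entity])
            edges[(alert["id"], entity)] = alert["confidence"] * rarity
    return edges


def evidence_clusters(alerts, min_weight, min_alerts=2):
    """Drop edges below min_weight, then return connected components that
    contain at least min_alerts alerts, each as {"alerts": [...], "entities": [...]}.
    """
    adjacency = defaultdict(set)
    for (alert_id, entity), weight in build_graph(alerts).items():
        if weight >= min_weight:
            adjacency[alert_id].add(entity)
            adjacency[entity].add(alert_id)

    alert_ids = {alert["id"] for alert in alerts}
    seen = set()
    clusters = []
    for start in sorted(alert_ids):
        if start in seen or start not in adjacency:
            continue  # already clustered, or all of its edges were filtered out
        component = set()
        stack = [start]
        while stack:  # iterative depth-first traversal of one component
            vertex = stack.pop()
            if vertex in seen:
                continue
            seen.add(vertex)
            component.add(vertex)
            stack.extend(adjacency[vertex] - seen)
        component_alerts = sorted(component & alert_ids)
        if len(component_alerts) >= min_alerts:
            clusters.append({"alerts": component_alerts,
                             "entities": sorted(component - alert_ids)})
    return clusters


if __name__ == "__main__":
    for threshold in (0.5, 0.3):
        print(f"min_weight={threshold}:")
        for cluster in evidence_clusters(SAMPLE_ALERTS, min_weight=threshold):
            print("  alerts", cluster["alerts"], "via", cluster["entities"])
```

With the stricter threshold only the alice / ws-17 chain survives as a cluster: the three low-confidence alerts that share `ip:proxy` are not chained together because the proxy is common and their confidence is low. Lowering the threshold lets the proxy link A4 and A6, while A5 (confidence 0.2) still stays out. That sensitivity is exactly what an analyst would want to tune and review before trusting a cluster.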

Operational Contexts and Benefits

Depending on the context, the SAMA system can operate in a distributed manner, generating periodic reports based on new alerts, or perform on-demand graph searches for specific investigations. This flexibility allows the system to adapt to different investigative workflows. By grouping related alerts, the system provides a comprehensive view of potential attacks, enabling analysts to make informed triaging decisions. The system's ability to generate detailed reports enhances the efficiency and effectiveness of cyberattack monitoring.

Technical Implementation and Advantages

The SAMA system is implemented using scalable and efficient computing resources, such as serverless execution services and auto-scaled clusters, to manage resource usage effectively. It can partition security data graphs for security isolation and scale to handle large volumes of data. The system includes a configuration interface for deploying new analytic jobs and a monitoring component for job management. These features address existing technical challenges, improving the performance of current security systems and offering significant advantages in cyberattack detection and analysis.