CLAIMS

1. A method of evaluating a chain of alerts, comprising:

grouping a plurality of alerts into a plurality of sets of alerts based on at least one predetermined relationship between the alerts;

determining, for each set of alerts, a score representing a statistical likelihood that at least one alert in the set of alerts is correlated to at least one other alert in the set of alerts, to determine a plurality of scores for the sets;

forming a model that includes the determined scores;

receiving a chain of alerts;

determining if the chain of alerts corresponds to a score in the model;

in response to determining that the chain of alerts corresponds to a score in the model, determining whether the score in the model corresponding to the chain of alerts meets a predetermined criteria; and

in response to determining the score in the model corresponding to the chain of alerts meets the predetermined criteria, providing an indication to a user.

2. The method of claim 1, wherein said determining, for each set of alerts, a score representing a statistical likelihood that at least one alert in the set of alerts is correlated to at least one other alert in the set of alerts comprises, for each set of alerts:

determining each combination of unique associations between the alerts in the set of alerts;

calculating, for each combination of unique associations, a statistical likelihood that at least one alert in the set of alerts is correlated to at least one other alert in the set of alerts, to calculate a plurality of statistical likelihoods; and

determining a maximum value of the calculated statistical likelihoods to be the score for the set of alerts.

3. The method of claim 1, wherein said determining, for each set of alerts, a score representing a statistical likelihood that at least one alert in the set of alerts is correlated to at least one other alert in the set of alerts comprises:

calculating a lift score for at least one combination of alerts in the set of alerts.

4. The method of claim 1, wherein said determining whether the score in the model corresponding to the chain of alerts meets a predetermined criteria comprises:

determining whether the score in the model corresponding to the chain of alerts has a predetermined relationship with a threshold value, and

in response to determining the score in the model corresponding to the chain of alerts has the predetermined relationship with the threshold value, providing an indication to a user.

5. The method of claim 1, wherein in response to determining the chain of alerts does not correspond to a score in the model or that the score in the model corresponding to the chain of alerts does not meet the predetermined criteria,

iteratively creating additional sub-chains of alerts that include one less alert than a prior iteration and determining whether the additional sub-chains of alerts exist in the model until

an additional sub-chain is determined to exist in the model and a score corresponding to the additional sub-chain meets the predetermined criteria, or

only two alerts remain in the sub-chain of alerts that are not a chain of alerts with a corresponding score in the model.

6. The method of claim 5, further comprising:

discarding the chain of alerts in response to at least one of

determining the model does not contain a score for any chain of alerts or sub-chains of alerts, or

determining the score corresponding to each of the alerts or the sub-chains of alerts located in the model does not meet the predetermined criteria.

7. The method of claim 1, further comprising:

grouping a plurality of second alerts into a plurality of sets of second alerts based on at least one predetermined relationship between the second alerts;

determining, for each set of second alerts, a score representing a statistical likelihood that at least one alert in the set of second alerts is correlated to at least one other alert in the set of second alerts, to determine a plurality of second scores; and

updating the model based on the plurality of second scores, wherein said updating includes at least one of adding, removing, or revising scores in the model.
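The method of claims 1 through 6 worked through on constructed data, as an added illustration that is not part of the patent text: alerts are grouped by host (the assumed "predetermined relationship"), each distinct set of alert types is scored by the maximum pairwise lift over all sets, and an incoming chain is looked up in the model with the shorter-sub-chain fallback of claim 5 before being either reported or discarded. The alert types, hosts and the threshold are invented sample values.

```python
from fractions import Fraction
from itertools import combinations

# Constructed sample alerts (not from the patent): (host, alert_type).
# The "predetermined relationship" used for grouping is "same host".
ALERTS = [
    ("h1", "brute_force"), ("h1", "new_admin"), ("h1", "lateral_move"),
    ("h2", "brute_force"), ("h2", "new_admin"),
    ("h3", "brute_force"), ("h3", "new_admin"), ("h3", "lateral_move"),
    ("h4", "port_scan"), ("h4", "brute_force"),
    ("h5", "port_scan"),
    ("h6", "new_admin"), ("h6", "lateral_move"),
]

def group_alerts(alerts):
    """Claim 1, grouping step: one set of distinct alert types per host."""
    sets = {}
    for host, kind in alerts:
        sets.setdefault(host, set()).add(kind)
    return list(sets.values())

def lift(a, b, sets):
    """Lift of alert types a and b over all sets: P(a and b) / (P(a) * P(b)).
    Lift > 1 means the pair co-occurs more often than independence predicts."""
    n = len(sets)
    p_a = Fraction(sum(a in s for s in sets), n)
    p_b = Fraction(sum(b in s for s in sets), n)
    p_ab = Fraction(sum(a in s and b in s for s in sets), n)
    return p_ab / (p_a * p_b)

def build_model(sets):
    """Claims 2-3: a set's score is the maximum lift over its pairwise
    associations; the model maps each distinct set to that score."""
    model = {}
    for s in sets:
        if len(s) >= 2:
            pairs = combinations(sorted(s), 2)
            model[frozenset(s)] = max(lift(a, b, sets) for a, b in pairs)
    return model

def evaluate_chain(chain, model, threshold):
    """Claims 1, 4-6: look the chain up; on a miss or a score below the
    threshold, try sub-chains one alert shorter, down to length 2, and
    return (sub-chain, score) for the first hit, or None to discard."""
    for size in range(len(chain), 1, -1):
        for sub in combinations(sorted(chain), size):
            score = model.get(frozenset(sub))
            if score is not None and score >= threshold:
                return sub, score
    return None
```

With the sample data, the full chain brute_force/new_admin/lateral_move scores 1.5; port_scan/brute_force/new_admin is absent from the model but its brute_force/new_admin sub-chain scores 1.125, and port_scan/brute_force alone (0.75) is discarded at a threshold of 1.1.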

8. A chain of alert evaluating system in a computing device, comprising:

an alert set generator configured to group received alerts into a plurality of sets of alerts based on at least one predetermined relationship between the received alerts;

a score determiner that determines, for each set of alerts, a score representing a statistical likelihood that at least one alert in the set of alerts is correlated to at least one other alert in the set of alerts, to determine a plurality of scores for the sets, and stores the determined scores in a model;

an alert chain searcher that receives a chain of alerts, and is configured to determine whether the received chain of alerts corresponds to a score in the model;

a score analyzer configured to, in response to a determination by the alert chain searcher that the chain of alerts corresponds to a score in the model, determine whether the score in the model corresponding to the chain of alerts meets a predetermined criteria; and

a user interface configured to, in response to a determination by the score analyzer that the score in the model corresponding to the chain of alerts meets the predetermined criteria, provide an indication to a user of a received incident.

9. The system of claim 8, wherein said score determiner is further configured to:

determine each combination of unique associations between the alerts in the set of alerts;

calculate, for each combination of unique associations, a statistical likelihood that at least one alert in the set of alerts is correlated to at least one other alert in the set of alerts, to calculate a plurality of statistical likelihoods; and

determine a maximum value of the calculated statistical likelihoods to be the score for the set of alerts.

10. The system of claim 8, wherein said score determiner is further configured to: calculate a lift score for at least one combination of alerts in the set of alerts.

11. The system of claim 8, wherein said score analyzer is further configured to:

determine whether the score in the model corresponding to the chain of alerts has a predetermined relationship with a threshold value, and

provide an indication to a user in response to determining the score in the model corresponding to the chain of alerts has the predetermined relationship with the threshold value.

12. The system of claim 8, wherein in response to a determination that the chain of alerts does not correspond to a score in the model or that the score in the model corresponding to the chain of alerts does not meet the predetermined criteria, the alert chain searcher is further configured to:

iteratively generate additional sub-chains of alerts that include one less alert than a prior iteration and determine whether the additional sub-chains of alerts exist in the model until

an additional sub-chain is determined to exist in the model and a score corresponding to the additional sub-chain meets the predetermined criteria, or

only two alerts remain in the sub-chain of alerts that are not a chain of alerts with a corresponding score in the model.

13. The system of claim 12, wherein said alert chain searcher is further configured to:

discard the chain of alerts in response to at least one of

a determination that the model does not contain a score for any chain of alerts or sub-chains of alerts, or

a determination that the score corresponding to each of the alerts or the sub-chains of alerts located in the model does not meet the predetermined criteria.

14. The system of claim 8, wherein said alert set generator is further configured to:

group a plurality of second alerts into a plurality of sets of second alerts based on at least one predetermined relationship between the second alerts; and

wherein said score determiner is further configured to:

determine, for each set of second alerts, a score representing a statistical likelihood that at least one alert in the set of second alerts is correlated to at least one other alert in the set of second alerts, to determine a plurality of second scores; and

update the model based on the plurality of second scores, wherein an update includes at least one of adding, removing, or revising scores in the model.

15. A computer program product comprising a computer-readable medium having computer program logic recorded thereon, comprising:

computer program logic means for enabling a processor to perform any of claims 1-7.