Systems for computer network security risk assessment including user compromise analysis associated with a network of devices
Abstract
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for computer network security risk assessment. One of the methods includes obtaining compromise likelihoods for user accounts. Information describing a network topology of a network is obtained, the network topology comprising nodes each connected by an edge to other nodes, each node being associated with a compromise likelihood, and one or more nodes being high value nodes associated with a compromise value. Unique paths to each of the high value nodes are determined for a particular user account. An expected value for each path is determined based on the compromise likelihood of the particular user account, the compromise likelihood of each node included in the path, the communication weight of each edge included in the path, and the compromise value associated with the high value node. User interface data is generated describing at least one path.
21 Claims
1. A computerized method for determining security risks of a network that includes user accounts accessing different network devices included in the network, the method comprising:
by a computing device having one or more computer processors and a non-transitory computer readable storage device storing software instructions for execution by the one or more computer processors,
receiving information indicating respective compromise likelihoods of a set of user accounts of the network;
obtaining information describing a network topology of the network, wherein the network topology comprises a plurality of nodes each connected by an edge to one or more of the plurality of nodes, each node being associated with a compromise likelihood, each edge being associated with a communication weight, and wherein one or more nodes are high value nodes;
determining, for a particular user account of the set of user accounts, expected values associated with a plurality of unique paths to a particular high value node of the one or more high value nodes, each of the plurality of unique paths initiating at a node to which the particular user account can authenticate and each associated expected value indicating risk associated with access to the particular high value node by the particular user account from the node, and wherein determining the expected values comprises:
accessing user access logs identifying nodes to which user accounts are authorized to authenticate, and identifying, based on the user access logs, a plurality of nodes to which the particular user account is authorized to authenticate,
determining a first unique path and a second unique path of the plurality of unique paths to the particular high value node, the first unique path initiating at a first of the identified nodes to which the particular user account is authorized to authenticate and the second unique path initiating at a second of the identified nodes to which the particular user account is authorized to authenticate, and
determining, for the particular user account, a first expected value for the first unique path and a second expected value for the second unique path based on the information describing the network topology and the compromise likelihood of the particular user account, including respective communication weights included in the first unique path and the second unique path of the network topology, wherein the communication weights are indicative of probabilities associated with user transition between nodes; and
generating, for presentation, an interactive user interface describing one or more of the first unique path and the second unique path of the plurality of unique paths.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A system comprising one or more computers and one or more computer storage media storing instructions that when executed by the one or more computers cause the one or more computers to perform operations comprising:
receiving information indicating respective compromise likelihoods of a set of user accounts of the network;
obtaining information describing a network topology of the network, wherein the network topology comprises a plurality of nodes each connected by an edge to one or more of the plurality of nodes, each node being associated with a compromise likelihood, each edge being associated with a communication weight, and wherein one or more nodes are high value nodes;
determining, for a particular user account of the set of user accounts, expected values associated with a plurality of unique paths to a particular high value node of the one or more high value nodes, each of the plurality of unique paths initiating at a node to which the particular user account can authenticate and each associated expected value indicating risk associated with access to the particular high value node by the particular user account from the node, and wherein determining the expected values comprises:
accessing user access logs identifying nodes to which user accounts are authorized to authenticate, and identifying, based on the user access logs, a plurality of nodes to which the particular user account is authorized to authenticate,
determining a first unique path and a second unique path of the plurality of unique paths to the particular high value node, the first unique path initiating at a first of the identified nodes to which the particular user account is authorized to authenticate and the second unique path initiating at a second of the identified nodes to which the particular user account is authorized to authenticate,
determining, for the particular user account, respective expected values for the first unique path and the second unique path based on the information describing the network topology and the compromise likelihood of the particular user account, including respective communication weights included in the unique paths of the network topology, wherein the communication weights are indicative of probabilities associated with user transition between nodes; and
generating user interface data describing at least one of the unique paths.
Dependent claims: 14, 15, 16, 17.
18. A non-transitory computer storage medium storing instructions that when executed by a system of one or more computers cause the one or more computers to perform operations comprising:
receiving information indicating respective compromise likelihoods of a set of user accounts of the network;
obtaining information describing a network topology of the network, wherein the network topology comprises a plurality of nodes each connected by an edge to one or more of the plurality of nodes, each node being associated with a compromise likelihood, each edge being associated with a communication weight, and wherein one or more nodes are high value nodes;
determining, for a particular user account of the set of user accounts, expected values associated with a plurality of unique paths to a particular high value node of the one or more high value nodes, each of the plurality of unique paths initiating at a node to which the particular user account can authenticate and each associated expected value indicating risk associated with access to the particular high value node by the particular user account from the node, and wherein determining the expected values comprises:
accessing user access logs identifying nodes to which user accounts are authorized to authenticate, and identifying, based on the user access logs, a plurality of nodes to which the particular user account is authorized to authenticate,
determining a first unique path and a second unique path of the plurality of unique paths to the particular high value node, the first unique path initiating at a first of the identified nodes to which the particular user account is authorized to authenticate and the second unique path initiating at a second of the identified nodes to which the particular user account is authorized to authenticate,
determining, for the particular user account, respective expected values for the first unique path and the second unique path based on the information describing the network topology and the compromise likelihood of the particular user account, including respective communication weights included in the unique paths of the network topology, wherein the communication weights are indicative of probabilities associated with user transition between nodes; and
generating user interface data describing at least one of the unique paths.
Dependent claims: 19, 20, 21.
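The procedure that the abstract and claims 1, 13 and 18 describe (nodes reachable from access logs, unique paths to a high value node, an expected value per path) is shown below as an added Python example; it is not the patent's own code. The topology, the node names, the access log lines and the multiplicative scoring rule are all constructed assumptions: the patent only says each expected value is "based on" the listed quantities and gives no formula.

```python
from typing import Dict, List, Tuple
# Constructed topology: node -> compromise likelihood (probability the node is compromised)
NODE_LIKELIHOOD: Dict[str, float] = {
    "ws-01": 0.30, "ws-02": 0.20, "jump": 0.10, "db-prod": 0.05,
}
# Constructed edges: (src, dst) -> communication weight, read as the probability of a user transitioning src -> dst
EDGE_WEIGHT: Dict[Tuple[str, str], float] = {
    ("ws-01", "jump"): 0.8, ("ws-02", "jump"): 0.5, ("ws-01", "ws-02"): 0.4,
    ("jump", "db-prod"): 0.6, ("ws-02", "db-prod"): 0.1,
}
# Constructed high value node -> compromise value (arbitrary loss units)
HIGH_VALUE: Dict[str, float] = {"db-prod": 100.0}
# Constructed user access log ("user,node" per line), standing in for real authentication logs
ACCESS_LOG = "alice,ws-01\nbob,ws-02\nalice,ws-02\nalice,ws-01\n"
def nodes_user_can_authenticate(log: str, user: str) -> List[str]:
    """Distinct nodes the user has authenticated to, in first-seen order."""
    seen: List[str] = []
    for line in log.splitlines():
        who, _, node = line.partition(",")
        if who == user and node and node not in seen:
            seen.append(node)
    return seen

def simple_paths(src: str, dst: str, path=None) -> List[List[str]]:
    """Enumerate the unique simple paths (no node repeated) from src to dst."""
    path = (path or []) + [src]
    if src == dst:
        return [path]
    found: List[List[str]] = []
    for a, b in EDGE_WEIGHT:
        if a == src and b not in path:
            found.extend(simple_paths(b, dst, path))
    return found

def expected_value(user_likelihood: float, path: List[str]) -> float:
    """Assumed rule: user likelihood x every node likelihood x every edge weight x compromise value."""
    value = user_likelihood * HIGH_VALUE[path[-1]]
    for node in path:
        value *= NODE_LIKELIHOOD[node]
    for a, b in zip(path, path[1:]):
        value *= EDGE_WEIGHT[(a, b)]
    return value

def assess(user: str, user_likelihood: float, target: str) -> List[Tuple[List[str], float]]:
    """Expected value of each unique path from every node the user can reach, riskiest first."""
    results = [(p, expected_value(user_likelihood, p))
               for start in nodes_user_can_authenticate(ACCESS_LOG, user)
               for p in simple_paths(start, target)]
    return sorted(results, key=lambda r: r[1], reverse=True)
```

Ranking the paths this way tells a defender which starting node or hop is worth restricting first; with the constructed values, the short path from ws-02 straight to db-prod outscores the longer route through the jump host even though its edge weight is lower.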