Detection of security incidents through simulations
First Claim
1. A computer implemented method to improve detection of security incidents, the method comprising:
- executing a predefined attack against a cloned version of a monitored system in a virtual testing environment (VTE);
- based on a result of execution of the predefined attack, measuring a detection rate of the predefined attack by a security monitoring system (SMS) at the VTE; and
- measuring a protection level of the cloned version of the monitored system;
- based on the detection rate and the protection level, determining an action to improve protection of the monitored system; and
- based on the determined action, performing logic modifications on the SMS, where the logic modifications are associated with improved detection of security incidents.
1 Assignment, 0 Petitions
Abstract
A virtual testing environment (VTE) is instantiated for automated measurement of the performance of a security monitoring system (SMS). Predefined attacks are executed against a cloned version of a monitored system in the VTE. The predefined attacks are defined in an attack catalog. Based on the execution result of the predefined attacks, a detection rate of the SMS at the VTE and a protection level of the cloned version of the monitored system are measured. Based on the detection rate and the protection level, an action for improving the SMS and the protection of the monitored system is determined. Based on the determined action, logic modifications to the SMS and improvements to the protection measures for the monitored system are performed.
20 Claims

1. A computer implemented method to improve detection of security incidents, the method comprising:
- executing a predefined attack against a cloned version of a monitored system in a virtual testing environment (VTE);
- based on a result of execution of the predefined attack, measuring a detection rate of the predefined attack by a security monitoring system (SMS) at the VTE; and
- measuring a protection level of the cloned version of the monitored system;
- based on the detection rate and the protection level, determining an action to improve protection of the monitored system; and
- based on the determined action, performing logic modifications on the SMS, where the logic modifications are associated with improved detection of security incidents.
Dependent claims: 2 to 9.

10. A computer system to improve detection of security incidents, comprising:
- a processor;
- a memory in association with the processor storing instructions related to:
  - instantiate a virtual testing environment (VTE) for automated measurement of performance of a security monitoring system (SMS);
  - execute a predefined attack against a cloned version of a monitored system in the VTE;
  - based on a result of execution of the predefined attack, measure a detection rate of the predefined attack by the SMS at the VTE; and
  - based on the result of execution of the predefined attack, measure a protection level of the cloned version of the monitored system;
  - based on the detection rate and the protection level, determine an action for improving protection of the monitored system; and
  - based on the determined action, perform logic modifications on the SMS, where the logic modifications are associated with improved detection of security incidents, and wherein the logic modifications include defining new detection rules in relation to the predefined attack.
Dependent claims: 11 to 14.

15. A non-transitory computer-readable medium storing instructions, which when executed cause a computer system to:
- execute a predefined attack against a cloned version of a monitored system in a virtual testing environment (VTE);
- based on a result of execution of the predefined attack, measure a detection rate of the predefined attack by a security monitoring system (SMS) at the VTE; and
- based on the result of execution of the predefined attack, measure a protection level of the cloned version of the monitored system;
- based on the detection rate and the protection level, determine an action for improving protection of the monitored system; and
- based on the determined action, perform logic modifications on the SMS, where the logic modifications are associated with improved detection of security incidents.
Dependent claims: 16 to 20.
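The independent claims all describe the same measure-decide-modify loop: run catalogued attacks against a clone, measure the SMS detection rate and the clone's protection level, choose an action, then change the SMS logic (claim 10 names "defining new detection rules" as one such modification). The following is an added illustration, not code from the patent or its assignee, of how a detection engineer might model that loop in a test harness. Every attack name, log line, rule name and control name is constructed sample data; the "attacks" exist only as the telemetry they would leave behind, and nothing is run against a real host. The catalog fields `blocked_by` and `signature`, and the target rate of 1.0, are assumptions made for the example.

```python
# Added example (not from the patent): a toy version of the claimed
# validation loop. All attacks, events, rules and controls are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class CatalogAttack:
    """One attack-catalog entry: the telemetry the predefined attack leaves on
    the clone, the control that would stop it, and the token a new detection
    rule can key on (all constructed sample data)."""
    name: str
    events: Tuple[str, ...]
    blocked_by: str
    signature: str


@dataclass
class ClonedSystem:
    controls: Set[str]  # protection measures present on the clone


@dataclass
class SecurityMonitoringSystem:
    rules: Dict[str, Callable[[str], bool]]  # rule name -> predicate on one event


@dataclass(frozen=True)
class AttackResult:
    attack: str
    blocked: bool
    detected: bool


# Constructed attack catalog; log lines are invented for illustration only.
ATTACK_CATALOG: List[CatalogAttack] = [
    CatalogAttack("password_spraying",
                  ("auth: failed login user=alice src=198.51.100.7",
                   "auth: failed login user=bob src=198.51.100.7"),
                  blocked_by="account_lockout", signature="failed login"),
    CatalogAttack("persistence_scheduled_task",
                  ("taskd: task 'updater' created by user=svc path=/tmp/updater",),
                  blocked_by="task_creation_policy", signature="taskd: task"),
    CatalogAttack("c2_beacon",
                  ("net: outbound connect dst=203.0.113.9:443 interval=60s",),
                  blocked_by="egress_filtering", signature="interval="),
]


def run_simulation(catalog, clone, sms) -> List[AttackResult]:
    """Execute each catalog attack against the clone (simulated): record whether
    the clone's controls blocked it and whether any SMS rule fired on its events."""
    results = []
    for attack in catalog:
        blocked = attack.blocked_by in clone.controls
        detected = any(rule(event) for rule in sms.rules.values()
                       for event in attack.events)
        results.append(AttackResult(attack.name, blocked, detected))
    return results


def detection_rate(results) -> float:
    return sum(r.detected for r in results) / len(results)


def protection_level(results) -> float:
    return sum(r.blocked for r in results) / len(results)


def determine_actions(results, target: float = 1.0) -> List[Tuple[str, str]]:
    """Choose actions from the two measurements: a new rule per undetected
    attack when detection is below target, a new control per unblocked attack
    when protection is below target."""
    actions = []
    if detection_rate(results) < target:
        actions += [("add_detection_rule", r.attack) for r in results if not r.detected]
    if protection_level(results) < target:
        actions += [("add_control", r.attack) for r in results if not r.blocked]
    return actions


def apply_actions(actions, catalog, clone, sms) -> None:
    """Perform the logic modifications: a new SMS rule keyed on the signature of
    each undetected attack, and the missing control on the cloned system."""
    by_name = {a.name: a for a in catalog}
    for kind, attack_name in actions:
        attack = by_name[attack_name]
        if kind == "add_detection_rule":
            # bind the token now so each rule keeps its own signature
            sms.rules[f"detect_{attack_name}"] = lambda ev, t=attack.signature: t in ev
        elif kind == "add_control":
            clone.controls.add(attack.blocked_by)


def validation_cycle(catalog, clone, sms):
    """One pass of measure, decide, modify, re-measure. Returns the
    (detection_rate, protection_level) pairs before and after."""
    before = run_simulation(catalog, clone, sms)
    apply_actions(determine_actions(before), catalog, clone, sms)
    after = run_simulation(catalog, clone, sms)
    return ((detection_rate(before), protection_level(before)),
            (detection_rate(after), protection_level(after)))


def build_baseline():
    """Starting state: one control on the clone and one rule in the SMS."""
    clone = ClonedSystem(controls={"account_lockout"})
    sms = SecurityMonitoringSystem(
        rules={"failed_login_burst": lambda ev: "failed login" in ev})
    return clone, sms


if __name__ == "__main__":
    clone, sms = build_baseline()
    before, after = validation_cycle(ATTACK_CATALOG, clone, sms)
    print("before:", before, "after:", after, "rules:", sorted(sms.rules))
```

In the baseline only the password-spraying entry is both blocked and detected, so the first pass measures a detection rate and protection level of one third each; the actions it derives add two rules and two controls, and the second pass measures 1.0 for both. In a real deployment the rule bodies would be written by an analyst from the captured telemetry rather than generated from a catalog token, but the control flow of the loop is the part the claims describe.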