Detection of security incidents through simulations

US 10,089,475 B2
Filed: 11/25/2016
Issued: 10/02/2018
Est. Priority Date: 11/25/2016
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method to improve detection of security incidents, the method comprising:

executing a predefined attack against a cloned version of a monitored system in a virtual testing environment (VTE);

based on a result of execution of the predefined attack,measuring a detection rate of the predefined attack by a security monitoring system (SMS) at the VTE; and

measuring a protection level of the cloned version of the monitored system;

based on the detection rate and the protection level, determining an action to improve protection of the monitored system; and

based on the determined action, performing logic modifications on the SMS, where the logic modifications are associated with improved detection of security incidents.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A virtual testing environment VTE is instantiated for automated measurement of performance of a security monitoring system (SMS). Predefined attacks are executed against a cloned version of a monitored system in the VTE. The predefined attacks are defined at an attack catalog. Based on an execution result of the predefined attacks, a detection rate of the SMS at the VTE and a protection level of the cloned version of the monitored system are measured. Based on the detection rate and the protection level, an action for improving SMS and the protection of the monitored system is determined. Based on the determined action, logic modifications related to SMS and improvement on protection measures for the monitored system are performed.

Citations

20 Claims

1. A computer implemented method to improve detection of security incidents, the method comprising:
- executing a predefined attack against a cloned version of a monitored system in a virtual testing environment (VTE);
  
  based on a result of execution of the predefined attack,measuring a detection rate of the predefined attack by a security monitoring system (SMS) at the VTE; and
  
  measuring a protection level of the cloned version of the monitored system;
  
  based on the detection rate and the protection level, determining an action to improve protection of the monitored system; and
  
  based on the determined action, performing logic modifications on the SMS, where the logic modifications are associated with improved detection of security incidents.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - instantiating the VTE for automated measurement of performance of the SMS.
  - 3. The method of claim 2, wherein the predefined attack is a hacking attack associated with the monitored system as defined at an Information Technology (IT) System Landscape, and wherein the SMS at the VTE utilizes a set of detection rules to detect the predefined attack.
  - 4. The method of claim 2, further comprising:
    - defining a set of detection rules to be applied for detection of attacks executed on cloned versions of monitored systems at the VTE; and
      
      defining an attack catalog associated with the VTE, wherein the attack catalog includes a set of attacks associated with the cloned versions of the monitored system at the VTE, wherein the set of detection rules is associated with the defined attacks at the attack catalog,wherein the SMS detects attacks and threats to cloned versions of systems at the VTE, and wherein the VTE is a cloud based environment where physical and cloud instances of the systems are simulated.
  - 5. The method of claim 1, further comprising:
    - measuring an efficiency rate of the SMS based on the execution result of the predefined attack.
  - 6. The method of claim 1, wherein performing the logic modifications includes:
    - performing logic adjustments to detection logic of the SMS, wherein the logic adjustments include defining of new detection rules in relation to the predefined attack.
  - 7. The method of claim 6, further comprising:
    - implementing additional protection logic to the protection logic defined by the cloned version of the monitored system to improve security protection.
  - 8. The method of claim 6, further comprising:
    - determining whether an improved SMS efficiency rate is achieved by the SMS based on the performed logic modifications.
  - 9. The method of claim 8, wherein determining whether the improved SMS efficiency rate is achieved to include:
    - performing a test simulation of the predefined attack against the cloned version of the monitored system after the logic adjustments are performed on the SMS.

10. A computer system to improve detection of security incidents, comprising:
- a processor;
  
  a memory in association with the processor storing instructions related to;
  
  instantiate a virtual testing environment (VTE) for automated measurement of performance of a security monitoring system (SMS);
  
  execute a predefined attack against a cloned version of a monitored system in the VTE;
  
  based on a result of execution of the predefined attack, measure a detection rate of the predefined attack by the SMS at the VTE; and
  
  based on the result of execution of the predefined attack, measure a protection level of the cloned version of the monitored system;
  
  based on the detection rate and the protection level, determine an action for improving protection of the monitored system; and
  
  based on the determined action, perform logic modifications on the SMS, where the logic modifications are associated with improved detection of security incidents, and wherein the logic modifications include defining new detection rules in relation to the predefined attack.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The system of claim 10, wherein the instructions stored at the memory further comprise instructions to:
    - define a set of detection rules to be applied for detection of attacks executed on cloned versions of monitored systems at the VTE; and
      
      define an attack catalog associated with the VTE, wherein the attack catalog includes a set of attacks associated with the cloned versions of the monitored system at the VTE, wherein the set of detection rules is associated with the defined attacks at the attack catalog,wherein the SMS detects attacks and threats to cloned versions of systems at the VTE.
  - 12. The system of claim 10, further comprising instructions to:
    - measure an efficiency rate of the SMS based on the execution result of the predefined attack.
  - 13. The system of claim 10, further comprising instruction to:
    - implement additional protection logic to the protection logic defined by the cloned version of the monitored system.
  - 14. The system of claim 13, further comprising instructions to:
    - determine whether an improved SMS efficiency rate is achieved by the SMS based on the performed logic modifications; and
      
      perform a test simulation of the predefined attack against the cloned version of the monitored system after the security measures are performed on the cloned version of the monitored system and on the SMS.

15. A non-transitory computer-readable medium storing instructions, which when executed cause a computer system to:
- execute a predefined attack against a cloned version of a monitored system in a virtual testing environment (VTE);
  
  based on a result of execution of the predefined attack, measure a detection rate of the predefined attack by a security monitoring system (SMS) at the VTE; and
  
  based on the result of execution of the predefined attack, measure a protection level of the cloned version of the monitored system;
  
  based on the detection rate and the protection level, determine an action for improving protection of the monitored system; and
  
  based on the determined action, perform logic modifications on the SMS, where the logic modifications are associated with improved detection of security incidents.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable medium of claim 15, further storing instructions to:
    - instantiate the VTE for automated measurement of performance of the SMS.
  - 17. The computer-readable medium of claim 15, further storing instructions to:
    - define a set of detection rules to be applied for detection of attacks executed on cloned versions of monitored systems at the VTE; and
      
      define an attack catalog associated with the VTE, wherein the attack catalog includes a set of attacks associated with the cloned versions of the monitored system at the VTE, wherein the set of detection rules is associated with the defined attacks at the attack catalog,wherein the SMS detects attacks and threats to cloned versions of systems at the VTE.
  - 18. The computer-readable medium of claim 15, further storing instructions to:
    - measure an efficiency rate of the SMS based on the result of execution of the predefined attack.
  - 19. The computer-readable medium of claim 15, wherein the instructions to perform the logic modifications associated with security improvement include defining of new detection rules in relation to the predefined attack, and further storing instructions to:
    - implement additional protection logic to the protection logic defined by the cloned version of the monitored system.
  - 20. The computer-readable medium of claim 19, further storing instructions to:
    - determine whether an improved SMS efficiency rate is achieved by the SMS based on the performed security measures; and
      
      perform a test simulation of the predefined attack against the cloned version of the monitored system after the security measures are performed on the cloned version of the monitored system and on the SMS.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Adrian, Maximilian, Gerashchenko, Maxym, Frommer, Juri, Brencher, Bjoern
Primary Examiner(s)
Patel, Haresh N

Application Number

US15/361,288
Publication Number

US 20180150638A1
Time in Patent Office

676 Days
Field of Search

726 25
US Class Current
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

Detection of security incidents through simulations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of security incidents through simulations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links