Assessing and managing cyber threats
First Claim
1. A system comprising:
one or more computers comprising one or more hardware processors;
one or more computer-readable media storing instructions that, when executed by the one or more computers, cause the one or more computers to perform operations comprising:
receiving, by the one or more computers, data indicating a list of observed computer-based threats including at least one selected from the group consisting of a virus, malware, a network intrusion, and a denial of service attack, with data for each threat identifying frequency of occurrence, which may include at least one period of time and corresponding frequency of occurrence for a given time window having a beginning and end;
accessing, by the one or more computers, data specifying relationships between:
(i) IT system infrastructures representing computing devices of an organization and a network connecting the computing devices and their physical and logical location, defined by information such as identity, name and category identity;
(ii) system categories indicating characteristics of assets of the organization;
(iii) operational processes of an organization, defined by identity, a name and a value in terms of a monetary value for a given time window having a beginning and end;
(iv) mitigating actions representing the threat mitigation measures of the organization;
performing, by the one or more computers, a plurality of simulations using a Monte Carlo method using the accessed data specifying relationships to predict a distribution of threat events, each simulation involving propagating data through stochastic modelling for a given time window having a beginning and end;
modelling threat events using at least two different stochastic models and obtaining at least two different sets of model parameters;
sampling, by the one or more computers, outcomes of the plurality of simulations generated using a Monte Carlo method according to the set of threat events within a series of temporal profiles, each having a beginning and end;
sampling, by the one or more computers, a plurality of simulation outcomes of the plurality of simulations generated using a Monte Carlo method that include mitigating actions representing the threat mitigation measures of the organization for a series of given time windows, each having a beginning and end;
based on the sampled outcomes of the simulations, determining, by the one or more computers, measures of impact of the computer-based threats to the organization for a given time window having a beginning and end, and providing, by the one or more computers and for output to a user, graphical representations of the determined measures of impact of the computer-based threats to the organization, for a given time window having a beginning and end, in a graphical user interface;
the one or more computers further configured to:
receive observed computer-based threat data;
receive input data of the number of viruses contracted by period and the number of new viruses worldwide;
extrapolate from the input data, using a Monte Carlo method, to predict future computer-based threat activity rates and types; and
output said predicted future computer-based threat activity into the network and firewall logs, updating the firewall policy tree to define the action of accept or deny, according to the changes automatically made to the policy tree of rules in the sets of firewall rules, which in turn inserts updated rules into the firewall policy.
Abstract
Methods, systems and apparatus, including computer programs encoded on a computer storage medium, for assessing and managing cyber threats. In some implementations, data specifying relationships between I.T. system infrastructures, system categories, operational processes, computer-based threats and mitigation actions is received. A plurality of simulations are performed using a Monte Carlo method, with each simulation involving propagating data through stochastic modeling for a given time window having a beginning and end. Outcomes of the plurality of simulations that include mitigating actions representing the threat mitigation measures of the organization, for a given time window, determine a measure of impact of cyber threats to the organization. The determined measure is provided for output to a user.
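The simulation loop the abstract describes, as an added worked example in Python. This is not the patented implementation or the patentee's code: it is a minimal illustration of the same idea, using a Poisson model for event frequency and a lognormal model for per-event loss (the "two different stochastic models"), mapping threats onto system categories, categories onto operational processes with a monetary value per time window, and mitigating actions onto multipliers of frequency and impact. The threat, process and mitigation data, the quarterly periods, and the factor values are all constructed for the example.

```python
# Added example: a minimal Monte Carlo cyber-risk simulation in the spirit of the
# abstract above. It is not the patented implementation; all data below is constructed.
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    observed_counts: list        # events seen per past period (constructed)
    impact_median: float         # median monetary loss per event (assumption)
    impact_sigma: float          # lognormal spread of per-event loss (assumption)
    targets: set                 # system categories the threat can hit


@dataclass
class Process:
    name: str
    value_per_window: float      # monetary value of the process over the window
    depends_on: set              # system categories the process relies on


@dataclass
class Mitigation:
    name: str
    threat: str
    frequency_factor: float      # multiplies the event rate (0.5 halves it)
    impact_factor: float         # multiplies the per-event loss


def estimate_rate(observed_counts, periods_in_window):
    """Extrapolate a mean event count for the window from per-period observations."""
    return statistics.fmean(observed_counts) * periods_in_window


def poisson(rng, lam):
    """Knuth's inversion sampler for event counts; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_once(rng, threats, processes, mitigations, periods_in_window):
    """One simulated window: sample event counts and per-event losses for every threat."""
    total = 0.0
    for t in threats:
        freq_factor = impact_factor = 1.0
        for m in mitigations:
            if m.threat == t.name:
                freq_factor *= m.frequency_factor
                impact_factor *= m.impact_factor
        # Value exposed to this threat: processes that depend on a targeted category.
        exposed = sum(p.value_per_window for p in processes if p.depends_on & t.targets)
        rate = estimate_rate(t.observed_counts, periods_in_window) * freq_factor
        for _ in range(poisson(rng, rate)):
            loss = rng.lognormvariate(math.log(t.impact_median), t.impact_sigma) * impact_factor
            total += min(loss, exposed)   # one event cannot destroy more than the exposure
    return total


def percentile(sorted_values, q):
    """Simple index-based percentile on an ascending list."""
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def run(threats, processes, mitigations, runs=5000, periods_in_window=4, seed=1):
    """Run the Monte Carlo loop and summarise the loss distribution for the window."""
    rng = random.Random(seed)
    losses = sorted(simulate_once(rng, threats, processes, mitigations, periods_in_window)
                    for _ in range(runs))
    return {"mean": statistics.fmean(losses),
            "p50": percentile(losses, 0.50),
            "p95": percentile(losses, 0.95),
            "max": losses[-1]}


# Constructed sample data: quarterly periods, a window of 4 periods (one year).
THREATS = [
    Threat("ransomware", [1, 0, 2, 1], 80_000.0, 1.0, {"workstation", "file-server"}),
    Threat("ddos", [3, 2, 4, 3], 5_000.0, 0.6, {"edge"}),
    Threat("intrusion", [0, 1, 0, 1], 150_000.0, 1.2, {"database"}),
]
PROCESSES = [
    Process("order-processing", 600_000.0, {"database", "edge"}),
    Process("back-office", 250_000.0, {"workstation", "file-server"}),
]
MITIGATIONS = [
    Mitigation("offline-backups", "ransomware", 1.0, 0.3),
    Mitigation("scrubbing-service", "ddos", 0.5, 0.5),
    Mitigation("db-segmentation", "intrusion", 0.6, 0.7),
]

if __name__ == "__main__":
    print("baseline :", run(THREATS, PROCESSES, []))
    print("mitigated:", run(THREATS, PROCESSES, MITIGATIONS))
```

Running the block twice, once with an empty mitigation list and once with the constructed mitigations, gives the two sampled outcome sets the claims contrast: the same stochastic models, two parameter sets, and a per-window loss distribution (mean, median, 95th percentile, worst case) whose difference is the measured effect of the mitigating actions. Capping each loss at the exposed process value is the part a practitioner usually gets wrong; without it a heavy-tailed severity model can report losses larger than the business value at risk.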
26 Citations
20 Claims
1. A system comprising: (full text given above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A method performed by one or more computers, the method comprising:
receiving and accessing, by the one or more computers, data specifying relationships between:
(i) IT system infrastructures representing computing devices of an organization and a network connecting the computing devices and their physical and logical location, defined by information such as identity, name and category identity;
(ii) system categories indicating characteristics of assets of the organization;
(iii) operational processes of an organization, defined by identity, a name and a value in terms of a monetary value for a given time window having a beginning and end;
(iv) a list of observed computer-based threats including at least one selected from the group consisting of a virus, malware, a network intrusion, and a denial of service attack, with data for each threat identifying frequency of occurrence, which may include at least one period of time and corresponding frequency of occurrence for a given time window having a beginning and end;
(v) mitigating actions representing the threat mitigation measures of the organization;
the one or more computers performing a plurality of simulations using a Monte Carlo method using the accessed data specifying relationships, each simulation involving propagating data through stochastic modeling for a given time window having a beginning and end;
sampling, by the one or more computers, outcomes of the plurality of simulations generated using a Monte Carlo method, for a given time window having a beginning and end;
sampling, by the one or more computers, outcomes of the plurality of simulations generated using a Monte Carlo method that include mitigating actions representing the threat mitigation measures of the organization for a given time window having a beginning and end;
determining, by the one or more computers and based on the sampled outcomes of the simulations generated using a Monte Carlo method, measures of impact of the computer-based threats to the organization for a given time window having a beginning and end, and providing, by the one or more computers and for output to a user, graphical representations of the determined measures of impact of the computer-based threats to the organization, for a given time window having a beginning and end, in a graphical user interface;
receiving observed computer-based threat data;
receiving input data of the number of viruses contracted by period and the number of new viruses worldwide;
extrapolating from the input data, using a Monte Carlo method, to predict future computer-based threat activity rates and types; and
outputting said predicted future computer-based threat activity to one or more firewalls, to improve accuracy in identifying computer-based threats on the one or more computer networks and to strengthen their accuracy through the detection of anomalous firewall policy rules, into the network and firewall logs, updating the firewall policy tree to define the action of accept or deny, according to the changes automatically made to the policy tree of rules in the sets of firewall rules, which in turn inserts updated rules into the firewall policy;
wherein the method is performed by one or more computers comprising one or more hardware processors and one or more computer-readable media storing instructions that, when executed by the one or more computers, cause the one or more computers to perform the operations.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A non-transitory computer-readable medium storing instructions that, when executed by one or more computers, cause the one or more computers to perform operations comprising:
receiving and accessing, by the one or more computers, data specifying relationships between:
(i) IT system infrastructures representing computing devices of an organization and a network connecting the computing devices and their physical and logical location, defined by information such as identity, name and category identity;
(ii) system categories indicating characteristics of assets of the organization;
(iii) operational processes of an organization, defined by identity, a name and a value in terms of a monetary value for a given time window having a beginning and end;
(iv) a list of observed computer-based threats including at least one selected from the group consisting of a virus, malware, a network intrusion, and a denial of service attack, with data for each threat identifying frequency of occurrence, which may include at least one period of time and corresponding frequency of occurrence for a given time window having a beginning and end;
(v) mitigating actions representing the threat mitigation measures of the organization;
the one or more computers performing a plurality of simulations using a Monte Carlo method, each simulation involving propagating data through stochastic modeling for a given time window having a beginning and end;
sampling, by the one or more computers using the accessed data specifying relationships, outcomes of the plurality of simulations for a given time window having a beginning and end;
sampling, by the one or more computers using the accessed data specifying relationships, outcomes of the plurality of simulations that include mitigating actions representing the threat mitigation measures of the organization for a given time window having a beginning and end;
based on the sampled outcomes of the simulations, determining, by the one or more computers, measures of impact of the computer-based threats to the organization for a given time window having a beginning and end, and providing, by the one or more computers and for output to a user, graphical representations of the determined measures of impact of the computer-based threats to the organization, for a given time window having a beginning and end, in a graphical user interface;
the one or more computers further configured to:
receive observed computer-based threat data;
receive input data of the number of viruses contracted by period and the number of new viruses worldwide;
extrapolate from the input data, using a Monte Carlo method, to predict future computer-based threat activity rates and types; and
output said predicted future computer-based threat activity to one or more firewalls, to improve accuracy in identifying computer-based threats on the one or more computer networks and to strengthen their accuracy through the detection of anomalous firewall policy rules, into the network and firewall logs, updating the firewall policy tree to define the action of accept or deny, according to the changes automatically made to the policy tree of rules in the sets of firewall rules, which in turn inserts updated rules into the firewall policy.
Dependent claims: 18, 19, 20.
Specification