Attack pattern framework for monitoring enterprise information systems
1. A computer-implemented method executed by one or more processors, the method comprising:
receiving, by the one or more processors, parameters defining a detection technique, an attack scenario, and a detection logic;
receiving, by the one or more processors, configuration data that is specific to a target system that is to be monitored, the configuration data comprising non-technical parameters indicating a significance of the target system relative to an external network and technical parameters indicating features of the target system associated with the attack scenario;
providing, by the one or more processors, an attack pattern using a specification language, the attack pattern being based on the parameters and the configuration data, the attack pattern being defined using a computer-executable description of the attack scenario and comprising a plurality of adjustable metrics defining a misuse of the target system and an anomaly of the target system, the specification language comprising a template of the attack pattern and supporting a definition, an update, and a management of the attack pattern relative to an attack pattern lifecycle;
determining, by the one or more processors, a baseline behavior of the target system, the baseline behavior comprising adjustable parameters defining one or more thresholds of deviations from the baseline behavior corresponding to the anomaly;
monitoring, by the one or more processors, the target system based on the baseline behavior, the attack pattern, and data provided by one or more logs of the target system;
selectively generating, by the one or more processors and based on monitoring, an alert indicating at least one of a potential simple end-to-end intrusion into the target system and a potential complex end-to-end intrusion into the target system, the alert being associated with at least one of the misuse of the target system and the anomaly of the target system; and
updating the configuration data, the baseline behavior, and the attack pattern, based on the alert, by modifying at least one of the plurality of adjustable metrics to reduce future false alerts.
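As an added illustration, not code from the patent or its assignee, the Python sketch below maps the claimed steps onto a toy implementation: an attack-pattern template whose numeric fields are the adjustable metrics, a baseline with a deviation threshold, monitoring of constructed auth-log windows for misuse and anomaly, an alert classified as a simple or complex end-to-end intrusion and weighted by the target system's significance, and a feedback step that widens the threshold after a false alert. All class and field names, log markers and log lines are assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class AttackPattern:
    """Template for one attack scenario; the numeric fields are the adjustable metrics."""
    scenario: str
    misuse_marker: str          # misuse metric: substring that should never appear in the log
    anomaly_marker: str         # event whose per-window count is compared with the baseline
    anomaly_sigma: float = 2.0  # anomaly threshold, in standard deviations above the baseline mean
    significance: int = 1       # non-technical parameter: 1 = internal only ... 3 = internet-facing

@dataclass
class Baseline:
    mean: float
    stdev: float

def determine_baseline(pattern, history):
    """history: list of windows (each a list of log lines) captured during normal operation."""
    counts = [sum(pattern.anomaly_marker in line for line in window) for window in history]
    # A flat history would give stdev 0 and make every deviation an anomaly; use 1.0 as a floor.
    return Baseline(mean(counts), pstdev(counts) or 1.0)

def monitor(pattern, baseline, window):
    """Evaluate one window of log lines against the pattern; returns an alert dict or None."""
    misuse = any(pattern.misuse_marker in line for line in window)
    count = sum(pattern.anomaly_marker in line for line in window)
    anomaly = count > baseline.mean + pattern.anomaly_sigma * baseline.stdev
    if not (misuse or anomaly):
        return None
    # Both a signature hit and a baseline deviation in one window: treat as a complex intrusion.
    kind = "complex" if misuse and anomaly else "simple"
    return {"scenario": pattern.scenario, "intrusion": kind, "misuse": misuse,
            "anomaly": anomaly, "priority": pattern.significance * (2 if kind == "complex" else 1)}

def tune_false_alert(pattern, step=1.0):
    """Feedback step: an analyst marked an anomaly alert as false, so widen the threshold."""
    pattern.anomaly_sigma += step
    return pattern

# Constructed sample auth-log windows (not real data): four normal windows, one attack window,
# and one benign burst that the initial threshold would flag.
NORMAL = [["sshd: Failed password for bob"] * n + ["sshd: Accepted password for bob"] for n in (2, 2, 4, 0)]
BURST = ["sshd: Failed password for bob"] * 9 + ["sshd: Accepted password for root"]
BENIGN = ["sshd: Failed password for bob"] * 6 + ["sshd: Accepted password for bob"]

def demo():
    pattern = AttackPattern("password guessing then root login", "Accepted password for root",
                            "Failed password", significance=3)
    baseline = determine_baseline(pattern, NORMAL)
    first = monitor(pattern, baseline, BURST)           # complex intrusion, priority 6
    false_alert = monitor(pattern, baseline, BENIGN)    # simple anomaly alert, priority 3
    tune_false_alert(pattern)                            # analyst feedback: widen the threshold
    return first, false_alert, monitor(pattern, baseline, BENIGN)  # last one is now None
```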
Abstract
Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for receiving parameters defining a detection technique, an attack scenario, and detection logic, receiving configuration data that is specific to a target system that is to be monitored, providing an attack pattern based on the parameters and the configuration data, monitoring the target system based on the attack pattern and data provided by one or more logs of the target system, and selectively generating, based on monitoring, an alert indicating a potential end-to-end intrusion into the target system.
20 Claims
1. A computer-implemented method executed by one or more processors, as set out in full under the first claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
receiving parameters defining a detection technique, an attack scenario, and a detection logic;
receiving configuration data that is specific to a target system that is to be monitored, the configuration data comprising non-technical parameters indicating a significance of the target system relative to an external network and technical parameters indicating features of the target system associated with the attack scenario;
providing an attack pattern using a specification language, the attack pattern being based on the parameters and the configuration data, the attack pattern being defined using a computer-executable description of the attack scenario and comprising a plurality of adjustable metrics defining a misuse of the target system and an anomaly of the target system, the specification language comprising a template of the attack pattern and supporting a definition, an update, and a management of the attack pattern relative to an attack pattern lifecycle;
determining a baseline behavior of the target system, the baseline behavior comprising adjustable parameters defining one or more thresholds of deviations from the baseline behavior corresponding to the anomaly;
monitoring the target system based on the baseline behavior, the attack pattern, and data provided by one or more logs of the target system;
selectively generating, based on monitoring, an alert indicating at least one of a potential simple end-to-end intrusion into the target system and a potential complex end-to-end intrusion into the target system, the alert being associated with at least one of the misuse of the target system and the anomaly of the target system; and
updating the configuration data, the baseline behavior, and the attack pattern, based on the alert, by modifying at least one of the plurality of adjustable metrics to reduce future false alerts.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A system, comprising:
a computing device; and
a computer-readable storage device coupled to the computing device and having instructions stored thereon which, when executed by the computing device, cause the computing device to perform operations comprising:
receiving parameters defining a detection technique, an attack scenario, and a detection logic;
receiving configuration data that is specific to a target system that is to be monitored, the configuration data comprising non-technical parameters indicating a significance of the target system relative to an external network and technical parameters indicating features of the target system associated with the attack scenario;
providing an attack pattern using a specification language, the attack pattern being based on the parameters and the configuration data, the attack pattern being defined using a computer-executable description of the attack scenario and comprising a plurality of adjustable metrics defining a misuse of the target system and an anomaly of the target system, the specification language comprising a template of the attack pattern and supporting a definition, an update, and a management of the attack pattern relative to an attack pattern lifecycle;
determining a baseline behavior of the target system, the baseline behavior comprising adjustable parameters defining one or more thresholds of deviations from the baseline behavior corresponding to the anomaly;
monitoring the target system based on the baseline behavior, the attack pattern, and data provided by one or more logs of the target system;
selectively generating, based on monitoring, an alert indicating at least one of a potential simple end-to-end intrusion into the target system and a potential complex end-to-end intrusion into the target system, the alert being associated with at least one of the misuse of the target system and the anomaly of the target system; and
updating the configuration data, the baseline behavior, and the attack pattern, based on the alert, by modifying at least one of the plurality of adjustable metrics to reduce future false alerts.
Dependent claims: 16, 17, 18, 19, 20.
Specification