Attack pattern framework for monitoring enterprise information systems

US 10,140,447 B2
Filed: 12/11/2015
Issued: 11/27/2018
Est. Priority Date: 12/11/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method executed by one or more processors, the method comprising:

receiving, by the one or more processors, parameters defining a detection technique, an attack scenario, and a detection logic;

receiving, by the one or more processors, configuration data that is specific to a target system that is to be monitored, the configuration data comprising non-technical parameters indicating a significance of the target system relative to an external network and technical parameters indicating features of the target system associated with the attack scenario;

providing, by the one or more processors, an attack pattern using a specification language, the attack pattern being based on the parameters and the configuration data, the attack pattern being defined using a computer-executable description of the attack scenario and comprising a plurality of adjustable metrics defining a misuse of the target system and an anomaly of the target system, the specification language comprising a template of the attack pattern and supporting a definition, an update, and a management of the attack pattern relative to an attack pattern lifecycle;

determining, by the one or more processors, a baseline behavior of the target system, the baseline behavior comprising adjustable parameters defining one or more thresholds of deviations from the baseline behavior corresponding to the anomaly;

monitoring, by the one or more processors, the target system based on the baseline behavior, the attack pattern, and data provided by one or more logs of the target system;

selectively generating, by the one or more processors and based on monitoring, an alert indicating at least one of a potential simple end-to-end intrusion into the target system and a potential complex end-to-end intrusion into the target system, the alert being associated with at least one of the misuse of the target system and the anomaly of the target system; and

updating the configuration data, the baseline behavior, and the attack pattern, based on the alert, by modifying at least one of the plurality of adjustable metrics to reduce future false alerts.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for receiving parameters defining a detection technique, an attack scenario, and detection logic, receiving configuration data that is specific to a target system that is to be monitored, providing an attack pattern based on the parameters and the configuration data, monitoring the target system based on the attack pattern and data provided by one or more logs of the target system, and selectively generating, based on monitoring, an alert indicating a potential end-to-end intrusion into the target system.

Citations

20 Claims

1. A computer-implemented method executed by one or more processors, the method comprising:
- receiving, by the one or more processors, parameters defining a detection technique, an attack scenario, and a detection logic;
  
  receiving, by the one or more processors, configuration data that is specific to a target system that is to be monitored, the configuration data comprising non-technical parameters indicating a significance of the target system relative to an external network and technical parameters indicating features of the target system associated with the attack scenario;
  
  providing, by the one or more processors, an attack pattern using a specification language, the attack pattern being based on the parameters and the configuration data, the attack pattern being defined using a computer-executable description of the attack scenario and comprising a plurality of adjustable metrics defining a misuse of the target system and an anomaly of the target system, the specification language comprising a template of the attack pattern and supporting a definition, an update, and a management of the attack pattern relative to an attack pattern lifecycle;
  
  determining, by the one or more processors, a baseline behavior of the target system, the baseline behavior comprising adjustable parameters defining one or more thresholds of deviations from the baseline behavior corresponding to the anomaly;
  
  monitoring, by the one or more processors, the target system based on the baseline behavior, the attack pattern, and data provided by one or more logs of the target system;
  
  selectively generating, by the one or more processors and based on monitoring, an alert indicating at least one of a potential simple end-to-end intrusion into the target system and a potential complex end-to-end intrusion into the target system, the alert being associated with at least one of the misuse of the target system and the anomaly of the target system; and
  
  updating the configuration data, the baseline behavior, and the attack pattern, based on the alert, by modifying at least one of the plurality of adjustable metrics to reduce future false alerts.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the configuration data comprises one or more of exploitability, target significance, potential downtime, social media impact, patch provision window, legal implication, and corporate requirement relevance.
  - 3. The method of claim 1, wherein the configuration data comprises one or more of vulnerability type, severity level, log relevance, security notes, and execution frequency.
  - 4. The method of claim 1, further comprising tuning the attack pattern by adjusting one or more thresholds.
  - 5. The method of claim 1, wherein providing the attack pattern comprises providing one or more query scripts based on the parameters and the configuration data, the one or more query scripts being executed over the data provided by one or more logs during monitoring of the target system.
  - 6. The method of claim 1, wherein the attack pattern is one of a misuse pattern and an anomaly pattern.
  - 7. The method of claim 1, wherein monitoring comprises:
    - comparing the data provided by one or more logs of the target system to parameters of the attack pattern; and
      
      determining that at least a portion of the data matches the parameters of the attack pattern, and in response, generating the alert.

8. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
- receiving parameters defining a detection technique, an attack scenario, and a detection logic;
  
  receiving configuration data that is specific to a target system that is to be monitored, the configuration data comprising non-technical parameters indicating a significance of the target system relative to an external network and technical parameters indicating features of the target system associated with the attack scenario;
  
  providing an attack pattern using a specification language, the attack pattern being based on the parameters and the configuration data, the attack pattern being defined using a computer-executable description of the attack scenario and comprising a plurality of adjustable metrics defining a misuse of the target system and an anomaly of the target system, the specification language comprising a template of the attack pattern and supporting a definition, an update, and a management of the attack pattern relative to an attack pattern lifecycle;
  
  determining a baseline behavior of the target system, the baseline behavior comprising adjustable parameters defining one or more thresholds of deviations from the baseline behavior corresponding to the anomaly;
  
  monitoring the target system based on the baseline behavior, the attack pattern and data provided by one or more logs of the target system;
  
  selectively generating, based on monitoring, an alert indicating at least one of a potential simple end-to-end intrusion into the target system and a potential complex end-to-end intrusion into the target system, the alert being associated with at least one of the misuse of the target system and the anomaly of the target system; and
  
  updating the configuration data, the baseline behavior, and the attack pattern, based on the alert, by modifying at least one of the plurality of adjustable metrics to reduce future false alerts.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable storage medium of claim 8, wherein the configuration data comprises one or more of exploitability, target significance, potential downtime, social media impact, patch provision window, legal implication, and corporate requirement relevance.
  - 10. The non-transitory computer-readable storage medium of claim 8, wherein the configuration data comprises one or more of vulnerability type, severity level, log relevance, security notes, and execution frequency.
  - 11. The non-transitory computer-readable storage medium of claim 8, wherein operations further comprise tuning the attack pattern by adjusting one or more thresholds.
  - 12. The non-transitory computer-readable storage medium of claim 8, wherein providing the attack pattern comprises providing one or more query scripts based on the parameters and the configuration data, the one or more query scripts being executed over the data provided by one or more logs during monitoring of the target system.
  - 13. The non-transitory computer-readable storage medium of claim 8, wherein the attack pattern comprises one of a misuse pattern and an anomaly pattern.
  - 14. The non-transitory computer-readable storage medium of claim 8, wherein monitoring comprises:
    - comparing the data provided by one or more logs of the target system to parameters of the attack pattern; and
      
      determining that at least a portion of the data matches the parameters of the attack pattern, and in response, generating the alert.

15. A system, comprising:
- a computing device; and
  
  a computer-readable storage device coupled to the computing device and having instructions stored thereon which, when executed by the computing device, cause the computing device to perform operations comprising;
  
  receiving parameters defining a detection technique, an attack scenario, and a detection logic;
  
  receiving configuration data that is specific to a target system that is to be monitored, the configuration data comprising non-technical parameters indicating a significance of the target system relative to an external network and technical parameters indicating features of the target system associated with the attack scenario;
  
  providing an attack pattern using a specification language, the attack pattern being based on the parameters and the configuration data, the attack pattern being defined using a computer-executable description of the attack scenario and comprising a plurality of adjustable metrics defining a misuse of the target system and an anomaly of the target system, the specification language comprising a template of the attack pattern and supporting a definition, an update, and a management of the attack pattern relative to an attack pattern lifecycle;
  
  determining a baseline behavior of the target system, the baseline behavior comprising adjustable parameters defining one or more thresholds of deviations from the baseline behavior corresponding to the anomaly;
  
  monitoring the target system based on the baseline behavior, the attack pattern and data provided by one or more logs of the target system;
  
  selectively generating, based on monitoring, an alert indicating at least one of a potential simple end-to-end intrusion into the target system and a potential complex end-to-end intrusion into the target system, the alert being associated with at least one of the misuse of the target system and the anomaly of the target system; and
  
  updating the configuration data, the baseline behavior, and the attack pattern, based on the alert, by modifying at least one of the plurality of adjustable metrics to reduce future false alerts.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the configuration data comprises one or more of exploitability, target significance, potential downtime, social media impact, patch provision window, legal implication, and corporate requirement relevance.
  - 17. The system of claim 15, wherein the configuration data comprises one or more of vulnerability type, severity level, log relevance, security notes, and execution frequency.
  - 18. The system of claim 15, wherein operations further comprise tuning the attack pattern by adjusting one or more thresholds.
  - 19. The system of claim 15, wherein providing the attack pattern comprises providing one or more query scripts based on the parameters and the configuration data, the one or more query scripts being executed over the data provided by one or more logs during monitoring of the target system.
  - 20. The system of claim 15, wherein the attack pattern comprises one of a misuse pattern and an anomaly pattern.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Rahaman, Mohammad Ashiqur, Hebert, Cedric, Frank, Juergen
Primary Examiner(s)
Alata, Ayoub

Application Number

US14/966,885
Publication Number

US 20170169217A1
Time in Patent Office

1,082 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06N 20/00   Machine learning

G06N 5/047   Pattern matching networks; ...

Attack pattern framework for monitoring enterprise information systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Attack pattern framework for monitoring enterprise information systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links