
Attack pattern framework for monitoring enterprise information systems

  • US 10,140,447 B2
  • Filed: 12/11/2015
  • Issued: 11/27/2018
  • Est. Priority Date: 12/11/2015
  • Status: Active Grant
First Claim

1. A computer-implemented method executed by one or more processors, the method comprising:

  • receiving, by the one or more processors, parameters defining a detection technique, an attack scenario, and a detection logic;

  • receiving, by the one or more processors, configuration data that is specific to a target system that is to be monitored, the configuration data comprising non-technical parameters indicating a significance of the target system relative to an external network and technical parameters indicating features of the target system associated with the attack scenario;

  • providing, by the one or more processors, an attack pattern using a specification language, the attack pattern being based on the parameters and the configuration data, the attack pattern being defined using a computer-executable description of the attack scenario and comprising a plurality of adjustable metrics defining a misuse of the target system and an anomaly of the target system, the specification language comprising a template of the attack pattern and supporting a definition, an update, and a management of the attack pattern relative to an attack pattern lifecycle;

  • determining, by the one or more processors, a baseline behavior of the target system, the baseline behavior comprising adjustable parameters defining one or more thresholds of deviations from the baseline behavior corresponding to the anomaly;

  • monitoring, by the one or more processors, the target system based on the baseline behavior, the attack pattern, and data provided by one or more logs of the target system;

  • selectively generating, by the one or more processors and based on monitoring, an alert indicating at least one of a potential simple end-to-end intrusion into the target system and a potential complex end-to-end intrusion into the target system, the alert being associated with at least one of the misuse of the target system and the anomaly of the target system; and

  • updating the configuration data, the baseline behavior, and the attack pattern, based on the alert, by modifying at least one of the plurality of adjustable metrics to reduce future false alerts.
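The claim above describes a lifecycle: an attack pattern carries a misuse rule and an anomaly metric with adjustable thresholds, a baseline is learned from the target system's logs, live logs are monitored against both, and a false alert feeds back into the adjustable metrics. The following Python is an added illustration of that loop and is not the patent's implementation; the log format, the `TargetConfig` fields, the "credential-stuffing" pattern name and the sigma-based threshold are all assumptions made for the example, and the log lines are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, Dict, List, Tuple

# Constructed sample log lines (hypothetical format: "timestamp,user,event,source").
BASELINE_LOG = [
    "09:00,alice,login_fail,10.0.0.5", "09:01,alice,login_ok,10.0.0.5",
    "09:02,alice,login_fail,10.0.0.5",
    "09:10,bob,login_fail,10.0.0.6", "09:11,bob,login_ok,10.0.0.6",
    "09:20,carol,login_fail,10.0.0.7", "09:21,carol,login_fail,10.0.0.7",
    "09:22,carol,login_fail,10.0.0.7", "09:23,carol,login_ok,10.0.0.7",
    "09:30,dave,login_fail,10.0.0.8", "09:31,dave,login_fail,10.0.0.8",
    "09:32,dave,login_ok,10.0.0.8",
]
# Live window: alice mistypes a forgotten password 5 times (benign), eve fails 7 times,
# and a disabled service account logs in successfully.
LIVE_LOG = (
    [f"10:0{i},alice,login_fail,10.0.0.5" for i in range(5)]
    + [f"10:1{i},eve,login_fail,198.51.100.9" for i in range(7)]
    + ["10:20,svc_legacy,login_ok,198.51.100.9"]
)


@dataclass
class LogEvent:
    ts: str
    user: str
    event: str
    src: str


def parse_log(lines: List[str]) -> List[LogEvent]:
    return [LogEvent(*line.split(",")) for line in lines]


@dataclass
class TargetConfig:
    # Non-technical parameter: significance of the system (assumed scale "low"/"high").
    significance: str
    # Technical parameter tied to the scenario: accounts that must never log in.
    disabled_accounts: frozenset


@dataclass
class AttackPattern:
    name: str
    misuse_rule: Callable[[LogEvent, TargetConfig], bool]
    anomaly_metric: Callable[[List[LogEvent]], Dict[str, int]]
    anomaly_sigma: float = 3.0  # adjustable metric: allowed deviations above the baseline mean


@dataclass
class Baseline:
    mean: float
    stdev: float

    def limit(self, sigma: float) -> float:
        return self.mean + sigma * self.stdev


def failed_logins_per_user(events: List[LogEvent]) -> Dict[str, int]:
    return dict(Counter(e.user for e in events if e.event == "login_fail"))


def disabled_account_login(e: LogEvent, cfg: TargetConfig) -> bool:
    return e.event == "login_ok" and e.user in cfg.disabled_accounts


def learn_baseline(pattern: AttackPattern, events: List[LogEvent]) -> Baseline:
    values = list(pattern.anomaly_metric(events).values()) or [0.0]
    return Baseline(mean(values), pstdev(values))


Alert = Tuple[str, str, str, str]  # (kind, pattern name, severity, detail)


def monitor(pattern: AttackPattern, baseline: Baseline, cfg: TargetConfig,
            events: List[LogEvent]) -> List[Alert]:
    severity = "critical" if cfg.significance == "high" else "warning"
    alerts: List[Alert] = []
    for e in events:  # misuse: a rule that fires on a single event
        if pattern.misuse_rule(e, cfg):
            alerts.append(("misuse", pattern.name, severity, f"{e.user} from {e.src}"))
    limit = baseline.limit(pattern.anomaly_sigma)
    for key, n in sorted(pattern.anomaly_metric(events).items()):  # anomaly: metric vs baseline
        if n > limit:
            alerts.append(("anomaly", pattern.name, severity,
                           f"{key} failed {n} times (limit {limit:.1f})"))
    return alerts


def tune_after_false_alert(pattern: AttackPattern, step: float = 2.0) -> AttackPattern:
    """Lifecycle update: widen the anomaly threshold once an alert is judged a false positive."""
    pattern.anomaly_sigma += step
    return pattern


def run_demo() -> Tuple[List[Alert], List[Alert]]:
    cfg = TargetConfig("high", frozenset({"svc_legacy"}))
    pattern = AttackPattern("credential-stuffing", disabled_account_login, failed_logins_per_user)
    baseline = learn_baseline(pattern, parse_log(BASELINE_LOG))
    first = monitor(pattern, baseline, cfg, parse_log(LIVE_LOG))
    tune_after_false_alert(pattern)  # analyst marks alice's alert as a forgotten password
    second = monitor(pattern, baseline, cfg, parse_log(LIVE_LOG))
    return first, second


if __name__ == "__main__":
    for stage, alerts in zip(("before tuning", "after tuning"), run_demo()):
        print(stage, alerts)
```

On the constructed logs the baseline is two failed logins per user with a small spread, so the first pass raises three alerts (the disabled-account login as misuse, plus alice and eve as anomalies); after the threshold is widened in response to the false alert on alice, only the misuse and eve's seven failures remain. The "significance" configuration only changes severity here, which is the simplest way to keep the non-technical parameter separate from the detection logic itself.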
