Methods and systems for defending cyber attack in real-time

US 10,185,832 B2
Filed: 07/19/2016
Issued: 01/22/2019
Est. Priority Date: 08/12/2015
Status: Active Grant

First Claim

Patent Images

1. A process for defending attack of one or more critical assets within a network of electronically interconnected devices in real-time comprising:

identifying a plurality of vulnerabilities on a network of electronically interconnected devices representing one or more critical assets;

determining dependencies between each vulnerability in said plurality of vulnerabilities;

creating a hidden Markov model for said plurality of vulnerabilities and their relevant observations, where each state of the model represents an attack state of a distinct vulnerability;

determining an exploit likelihood of each of said vulnerabilities at a first time;

determining an impact of exploitation of each of said vulnerabilities at said first time;

determining a most probable sequences or paths of attack states representing exploited vulnerabilities; and

identifying dynamically a risk of one or more of said critical assets based on exploit likelihood and exploitation impact of said sequences or paths of attack states,wherein said step of determining the exploit likelihood of each of said attack states at a first time comprises using state transition weights or probabilities of all incoming links of the attack state and calculating an impact of each attack state using the state transition weights or probabilities of outgoing links of each attack state in the hidden Markov model.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are processes of monitoring or modifying a network of electronically connected assets that dynamically builds relationships and dependencies among detected vulnerabilities in one or more of the assets and sensor measurements so that risk assessment can be achieved more accurately and in real-time. A process includes: identifying a plurality of vulnerabilities on a network of electronically interconnected devices representing one or more critical assets; determining dependencies between each vulnerability in the plurality of vulnerabilities; creating a hidden Markov model representing an attack state of each vulnerability of the plurality of vulnerabilities; determining the exploit likelihood of each of the attack states at a first time; determining the most probable sequences or paths of the attack states; and identifying dynamically the risk of one or more of the critical assets based on the sequences or paths of attack states.

Citations

19 Claims

1. A process for defending attack of one or more critical assets within a network of electronically interconnected devices in real-time comprising:
- identifying a plurality of vulnerabilities on a network of electronically interconnected devices representing one or more critical assets;
  
  determining dependencies between each vulnerability in said plurality of vulnerabilities;
  
  creating a hidden Markov model for said plurality of vulnerabilities and their relevant observations, where each state of the model represents an attack state of a distinct vulnerability;
  
  determining an exploit likelihood of each of said vulnerabilities at a first time;
  
  determining an impact of exploitation of each of said vulnerabilities at said first time;
  
  determining a most probable sequences or paths of attack states representing exploited vulnerabilities; and
  
  identifying dynamically a risk of one or more of said critical assets based on exploit likelihood and exploitation impact of said sequences or paths of attack states,wherein said step of determining the exploit likelihood of each of said attack states at a first time comprises using state transition weights or probabilities of all incoming links of the attack state and calculating an impact of each attack state using the state transition weights or probabilities of outgoing links of each attack state in the hidden Markov model.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The process of claim 1 wherein said step of determining dependencies between each vulnerability comprises obtaining a set of relevant electronic observations for said plurality of vulnerabilities.
  - 3. The process of claim 1 wherein said step of identifying a plurality of vulnerabilities comprises obtaining vulnerability data obtained from one or more vulnerability scanners.
  - 4. The process of claim 1 wherein one or more of said plurality of vulnerabilities is a group of two or more individual vulnerabilities.
  - 5. The process of claim 1 further comprising generating vulnerability-host information to associate each of said vulnerabilities with a host.
  - 6. The process of claim 1 further comprising assigning initial scores to each of said vulnerabilities based on a vulnerability scoring system.
  - 7. The process of claim 6 wherein said vulnerability scoring system is a common vulnerability scoring system.
  - 8. The process of claim 6 further comprising generating random numbers in an array of integer values;
    - creating a table of said vulnerabilities with qualitative attributes; and
      
      creating a table of said initial scores.
  - 9. The process of claim 1 wherein said step of creating a hidden Markov model comprises using a conditional probability table of a Dirichlet distribution.
  - 10. The process of claim 1 further comprising iteratively repeating said step of creating a hidden Markov model to reduce the margin of errors of emission rates.
  - 11. The process of claim 1 wherein said step of determining the exploit likelihood of each of said attack states further comprises:
    - considering weights of all incoming links; and
      
      determining the impact of each attack state by considering weights of all outgoing links.
  - 12. The process of claim 1 wherein said step of determining the most probable sequences or paths of attack states comprises determining which of said vulnerabilities are exploited.
  - 13. The process of claim 1 wherein said step of determining the most probable sequences or paths of attack states is determined using a Viterbi algorithm based on weights of state transition links and observations.
  - 14. The process of claim 1 further comprising creating a coupled hidden Markov model at a second time, where the coupled hidden Markov model has as many chains as number of vulnerabilities such that each chain'"'"'s states represent the attack state of a distinct vulnerability.
  - 15. The process of claim 14 further comprising recursively creating a plurality of coupled hidden Markov models over a plurality of time slices subsequent to said second time to measure risk.
  - 16. The process of claim 1 further comprising updating continuous state parameters corresponding to percentage of good, vulnerable and comprised nodes in a state space model of cyber systems using a Kalman filter to filter out noise in the computations of exploit likelihood and impact of vulnerability exploitation.
  - 17. The process of claim 16 further comprising iteratively determining vulnerability dependencies based on said state space model.
  - 18. The process of claim 17 further comprising creating a second hidden Markov model representing an attack state of each vulnerability of said plurality of vulnerabilities with vulnerability dependencies identified using said state space model;
    - determining a second exploit likelihood of each of said attack states at a third time;
      
      determining the most probable sequences or paths of attack states; and
      
      identifying dynamically the risk of one or more of said critical assets based on said sequences or paths of attack states.

19. A non-transient computer readable medium comprising computer instructions that, when executed by at least one processor, causes the at least one processor to perform a process for defending attack of one or more critical assets within a network of electronically interconnected devices in real-time, the process comprising:
- identifying a plurality of vulnerabilities on a network of electronically interconnected devices representing one or more critical assets;
  
  determining dependencies between each vulnerability in said plurality of vulnerabilities;
  
  creating a hidden Markov model for said plurality of vulnerabilities and their relevant observations, where each state of the model represents an attack state of a distinct vulnerability;
  
  determining an exploit likelihood of each of said vulnerabilities at a first time;
  
  determining an impact of exploitation of each of said vulnerabilities at said first time;
  
  determining a most probable sequences or paths of attack states representing exploited vulnerabilities; and
  
  identifying dynamically a risk of one or more of said critical assets based on exploit likelihood and exploitation impact of said sequences or paths of attack states,wherein said step of determining the exploit likelihood of each of said attack states at a first time comprises using state transition weights or probabilities of all incoming links of the attack state and calculating an impact of each attack state using the state transition weights or probabilities of outgoing links of each attack state in the hidden Markov model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The United States Of America As Represented By The Secretary Of The Army
Original Assignee
The United States Of America As Represented By The Secretary Of The Army
Inventors
Cam, Hasan
Primary Examiner(s)
Shiferaw, Eleni A
Assistant Examiner(s)
Song, Hee K

Application Number

US15/213,434
Publication Number

US 20170046519A1
Time in Patent Office

917 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06N 5/043   Distributed expert systems;...

G06N 7/01   Probabilistic graphical mod...

Methods and systems for defending cyber attack in real-time

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for defending cyber attack in real-time

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links