Risk modeling

US 10,250,631 B2
Filed: 12/19/2016
Issued: 04/02/2019
Est. Priority Date: 08/11/2016
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium that stores one or more sequences of instructions for modeling a risk of security breaches to a network, which when executed by one or more processors, cause:

one or more agents gathering, from multiple sources across the network, analysis data that identifies observed characteristics of one or more nodes of the network;

generating, using the analysis data, a multi-layer risk model for the network that comprises a first model layer that models an inherent risk of security breaches to assets of the network based on the observed characteristics of the one or more nodes;

generating, using the multi-layer model, a statistical likelihood of a risk of security breach for each node of the network; and

providing, to a user, the statistical likelihood of the risk of security breach for at least one node of the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Approaches for modeling a risk of security breaches to a network. Agents gather, from multiple sources across the network, analysis data that identifies observed characteristics of habitable nodes and opaque nodes. Using the analysis data a multi-layer risk model for the network is generated that comprises a first layer that models an inherent risk of security breaches to assets of the network based on the observed characteristics. The model also comprises a second layer that models a present state of the inherent risk to the assets caused by global and temporal events. The model also comprises a third layer that models a change to the risk of security breaches in response to potential mitigative actions. The model may be used to understand how risk of a security breach is distributed and interdependent upon the nodes of the network so as to allow the most valuable preventive measures to be taken.

Citations

22 Claims

1. A non-transitory computer-readable storage medium that stores one or more sequences of instructions for modeling a risk of security breaches to a network, which when executed by one or more processors, cause:
- one or more agents gathering, from multiple sources across the network, analysis data that identifies observed characteristics of one or more nodes of the network;
  
  generating, using the analysis data, a multi-layer risk model for the network that comprises a first model layer that models an inherent risk of security breaches to assets of the network based on the observed characteristics of the one or more nodes;
  
  generating, using the multi-layer model, a statistical likelihood of a risk of security breach for each node of the network; and
  
  providing, to a user, the statistical likelihood of the risk of security breach for at least one node of the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The non-transitory computer-readable storage medium of claim 1, wherein the one or more nodes of the network comprise both one or more habitable nodes and one or more opaque nodes, wherein the one or more habitable nodes each possess a computing environment conducive to installation of at least one of said one or more agents, and wherein the one or more opaque nodes each possess a computing environment not conducive to installation of the one or more agents.
  - 3. The non-transitory computer-readable storage medium of claim 1, wherein the multi-layer model further comprises a second model layer that models a present state of the inherent risk to the assets of said network caused by global and temporal events.
  - 4. The non-transitory computer-readable storage medium of claim 1, wherein the multi-layer model further comprises a third model layer that models a change to the risk of security breaches to the assets of said network in response to potential mitigative actions.
  - 5. The non-transitory computer-readable storage medium of claim 1, wherein said observed characteristics include network observations, device observations, user observations, asset observations, and cloud-storage observations.
  - 6. The non-transitory computer-readable storage medium of claim 1, wherein the multi-layer model models the risk of security breaches to the network based on a set of features possessed by one or more habitable nodes and the one or more opaque nodes, and wherein the set of features comprise (a) local features computed locally at the one or more habitable nodes, (b) local features computed by an agent in a local vicinity on the network of the one or more opaque nodes, and (c) remote features computed external to the node.
  - 7. The non-transitory computer-readable storage medium of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - programmatically generating a suggested impact value for a particular node by comparing a set of feature values for the particular node against a plurality of feature values for a plurality of other nodes.
  - 8. The non-transitory computer-readable storage medium of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - maintaining a separate copy of the multi-layer risk model for each of plurality of different networks, wherein said network is a member of said plurality of different networks; and
      
      evolving each copy of the multi-layer risk model over time to model the unique risks associated with a particular network, of said plurality of different networks, to which said each copy of the multi-layer risk model is associated.
  - 9. The non-transitory computer-readable storage medium of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - generating, using the multi-layer model, a data set identifying nodes of the network having a risk of security breach higher than a threshold that is programmatically determined based on features of a plurality of networks other than said network.
  - 10. The non-transitory computer-readable storage medium of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - generating, using the multi-layer model, a representation of a particular node'"'"'s risk of a security breach in relation to a plurality of features shared by nodes across a plurality of networks other than said network.
  - 11. The non-transitory computer-readable storage medium of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - generating, using the multi-layer model, a representation of the particular node'"'"'s risk of a security breach in relation to the plurality of features shared by other nodes on said network.
  - 12. The non-transitory computer-readable storage medium of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - presenting, for at least a portion of nodes of the network, a list of nodes of the network in order of their likelihood of being compromised due to a security breach.
  - 13. The non-transitory computer-readable storage medium of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - generating and displaying an ordered list of risks of security breaches to the network;
      
      in response to a selection of a particular risk in the ordered list of risks of security beaches, consulting the multi-layer model to obtain information about actionable drivers of the particular risk; and
      
      displaying the information about the actionable drivers of the particular risk.
  - 14. The non-transitory computer-readable storage medium of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - generating, using the multi-layer model, for at least a portion of nodes of the network, a determination of how each node of the portion of the network will likely be compromised due to a security breach based on a statistical analysis of observed features of those nodes in the portion of the network.
  - 15. The non-transitory computer-readable storage medium of claim 1, wherein said multi-layer risk model identifies, for each of the one or more habitable nodes and for each of the one or more opaque nodes, whether each node is located on a perimeter of the network or on a core of the network,wherein the perimeter of the network corresponds to a first set of nodes of the network which can directly communicate with a public network,wherein the core of the network corresponds to a second set of nodes of the network which do not directly communicate with a public network,and wherein the multi-layer risk model models a risk of security breach from the perimeter to each node residing in the core.
  - 16. The non-transitory computer-readable storage medium of claim 1, wherein said analysis data identifies, for each node in the core of the network, a path from the perimeter of the network to said each node in the core of the network having the highest likelihood of a security breach, wherein said path comprises two or more hops.
  - 17. The non-transitory computer-readable storage medium of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - identifying, using the analysis data, for each of a set of nodes on the network, a device type category and an operating system category based on a machine learning model.
  - 18. The non-transitory computer-readable storage medium of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - identifying, using the multi-layer risk model, a set of one or more direct risks to a particular node in a core of the network and a set of one or more indirect risks to the particular node in the core,wherein each of the one or more direct risks and each of the one or more indirect risks is associated with (a) a path from a perimeter to the core, and (b) an impact value expressing a measure of severity of the risk.
  - 19. The non-transitory computer-readable storage medium of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - identifying, using the multi-layer risk model, a statistical likelihood of how a security breach may propagate through the network over time.
  - 20. The non-transitory computer-readable storage medium of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - augmenting the multi-layer risk model with insight data, wherein the automatically generated insights represents expert knowledge pertinent to the observations identified by the analysis data, and wherein the generated insight identifies one or more suggested remedies to address one or more of risks presented by said observations identified by the analysis data; and
      
      presenting a subset of the insight data on a user interface, wherein said subset of insight data satisfies a set of automatically generated or user-specified criteria for filtering said insight data.

21. An apparatus for modeling a risk of security breaches to a network, comprising:
- one or more processors; and
  
  one or more non-transitory computer-readable storage mediums storing one or more sequences of instructions, which when executed, cause;
  
  one or more agents gathering, from multiple sources across the network, analysis data that identifies observed characteristics of one or more nodes of the network;
  
  generating, using the analysis data, a multi-layer risk model for the network that comprises a first model layer that models an inherent risk of security breaches to assets of the network based on the observed characteristics of the one or more nodes;
  
  generating, using the multi-layer model, a statistical likelihood of a risk of security breach for each node of the network; and
  
  providing, to a user, the statistical likelihood of the risk of security breach for at least one node of the network.

22. A method for modeling a risk of security breaches to a network, comprising:
- one or more agents gathering, from multiple sources across the network, analysis data that identifies observed characteristics of one or more nodes of the network, wherein said one or more agents are implemented in one or more of hardware and software;
  
  generating, using the analysis data, a multi-layer risk model for the network that comprises a first model layer that models an inherent risk of security breaches to assets of the network based on the observed characteristics of the one or more nodes;
  
  generating, using the multi-layer model, a statistical likelihood of a risk of security breach for each node of the network, wherein said analysis data and said statistical likelihood of a risk of security breach for each node of the network are generated using one or more entities that are implemented in one or more of hardware and software; and
  
  providing, to a user, the statistical likelihood of the risk of security breach for at least one node of the network, wherein said statistical likelihood of the risk is transmitted over a computer network or electronically displayed upon a physical display.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Balbix, Inc.
Original Assignee
Balbix, Inc.
Inventors
Sridhara, Vinay, Makh, Vansh Pal Singh, Banga, Gaurav, Gupta, Rajarshi
Primary Examiner(s)
Smithers, Matthew

Application Number

US15/383,656
Publication Number

US 20180048668A1
Time in Patent Office

834 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1433 Vulnerability analysis

Risk modeling

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Risk modeling

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links