Model-based computer attack analytics orchestration
First Claim
1. A computing device comprising:
a hardware processor; and
a data storage device storing instructions executable on the hardware processor to:
generate, using an attack model that specifies behavior of an attack on a computing system comprising one or more computing devices, a first hypothesis for the attack, the first hypothesis specifying, for a first phase of the attack, a first attack action;
identify, using the first hypothesis, an analytics instruction for determining whether the first attack action specified by the first hypothesis occurred on the computing system;
cause the analytics instruction to be executed on the computing system;
update a state of the attack model to produce an updated attack model based on a result of execution of the analytics instruction indicating whether the first attack action occurred on the computing system;
generate, using the updated attack model, a second hypothesis for the attack, the second hypothesis specifying, for a second phase of the attack, a second attack action;
determine whether the second hypothesis is correct based on determining whether the second attack action occurred as determined using a different analytics instruction; and
in response to determining that the second attack action occurred, perform a counter-measure addressing the attack on the computing system, and notify one or more users of the computing system of the attack.
Abstract
Examples relate to model-based computer attack analytics orchestration. In one example, a computing device may: generate, using an attack model that specifies behavior of a particular attack on a computing system, a hypothesis for the particular attack, the hypothesis specifying, for a particular state of the particular attack, at least one attack action; identify, using the hypothesis, at least one analytics function for determining whether the at least one attack action specified by the hypothesis occurred on the computing system; provide an analytics device with instructions to execute the at least one analytics function on the computing system; receive analytics results from the analytics device; and update a state of the attack model based on the analytics results.
20 Claims
1. Independent claim 1 is reproduced in full under First Claim above; claims 2 to 11 depend from it.
12. A method performed by a device comprising a hardware processor, comprising:
generating, using an attack model that specifies behavior of an attack on a computing system comprising one or more computing devices, a first hypothesis for the attack, the first hypothesis specifying, for a first phase of the attack, a first plurality of attack actions;
identifying, using the first hypothesis, an analytics instruction for obtaining analytics results relating to occurrence of the first plurality of attack actions on the computing system;
updating a state of the attack model to produce an updated attack model based on the analytics results indicating whether the first plurality of attack actions occurred on the computing system;
generating, using the updated attack model, a second hypothesis for the attack, the second hypothesis specifying, for a second phase of the attack, a second plurality of attack actions;
determining whether the second hypothesis is correct based on determining whether the second plurality of attack actions occurred as determined using a different analytics instruction; and
in response to determining that the second plurality of attack actions occurred, performing a counter-measure addressing the attack on the computing system, and notifying one or more users of the computing system of the attack.
Dependent claims: 13, 14, 15.
16. A non-transitory machine-readable storage medium encoded with instructions that upon execution cause a computing device to:
select an attack model from a plurality of attack models using contextual data that describes a state of a computing system comprising one or more computing devices, the attack model specifying behavior of an attack on the computing system;
generate, using the attack model, a first hypothesis for the attack, the first hypothesis specifying, for a first phase of the attack, a first plurality of attack actions;
identify, using the first hypothesis, an analytics instruction for determining whether the first plurality of attack actions specified by the first hypothesis occurred on the computing system;
update a state of the attack model to produce an updated attack model based on analytics results obtained by the analytics instruction;
generate, using the updated attack model, a second hypothesis for the attack, the second hypothesis specifying, for a second phase of the attack, a second plurality of attack actions;
determine whether the second hypothesis is correct based on determining whether the second plurality of attack actions occurred as determined using a different analytics instruction; and
in response to determining that the second plurality of attack actions occurred, perform a counter-measure addressing the attack on the computing system, and notify one or more users of the computing system of the attack.
Dependent claims: 17, 18, 19, 20.
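As an added illustration of the orchestration loop described in claims 1, 12 and 16 (this is example code, not the patent's own implementation), the following Python models a two-phase attack, generates a hypothesis per phase, runs analytics functions against constructed sample log lines, updates the model state from the results, and performs a counter-measure and notification only once the second phase is confirmed. The phase names, detection rules and log lines are assumptions made for the example.

```python
"""Model-based attack analytics orchestration (added example, not the patent's code)."""
import re
from dataclasses import dataclass, field

# Constructed sample telemetry for the example (not from the patent).
LOGS = [
    "2024-05-01T09:12:03 mailgw: attachment invoice.docm delivered to alice@corp.example",
    "2024-05-01T09:15:40 host WS-ALICE: WINWORD.EXE spawned powershell.exe",
    "2024-05-01T09:31:12 auth: alice logon type 3 to FS-01 from WS-ALICE",
    "2024-05-01T09:31:15 auth: alice logon type 3 to FS-02 from WS-ALICE",
    "2024-05-01T09:31:18 auth: alice logon type 3 to DC-01 from WS-ALICE",
]

# Analytics instructions: each returns True when its attack action is observed.
def macro_attachment_delivered(logs):
    return any(re.search(r"attachment \S+\.docm delivered", line) for line in logs)

def office_spawned_shell(logs):
    return any(re.search(r"WINWORD\.EXE spawned (powershell|cmd)\.exe", line) for line in logs)

def lateral_logons(logs, threshold=3):
    hosts = {m.group(1) for line in logs for m in [re.search(r"logon type 3 to (\S+)", line)] if m}
    return len(hosts) >= threshold

# Assumed attack model: ordered phases, each mapping an expected attack action
# to the analytics function that checks whether it occurred.
ATTACK_MODEL = [
    ("initial_access", {"macro_attachment": macro_attachment_delivered,
                        "office_spawns_shell": office_spawned_shell}),
    ("lateral_movement", {"multi_host_logons": lateral_logons}),
]

@dataclass
class ModelState:
    phase_index: int = 0                       # phases confirmed so far
    confirmed: dict = field(default_factory=dict)
    countermeasures: list = field(default_factory=list)
    notifications: list = field(default_factory=list)

def next_hypothesis(state, model=ATTACK_MODEL):
    """Hypothesis for the current phase: its name and the actions it asserts occurred."""
    if state.phase_index >= len(model):
        return None
    phase, actions = model[state.phase_index]
    return {"phase": phase, "actions": list(actions)}

def orchestrate(logs, model=ATTACK_MODEL):
    state = ModelState()
    while (hyp := next_hypothesis(state, model)) is not None:
        results = {name: model[state.phase_index][1][name](logs) for name in hyp["actions"]}
        state.confirmed[hyp["phase"]] = results        # update model state from analytics
        if not all(results.values()):
            break                                       # hypothesis rejected: stop advancing
        state.phase_index += 1
    if state.phase_index == len(model):                 # final phase confirmed: respond
        state.countermeasures.append("isolate source host and disable the affected account")
        state.notifications.append("SOC: multi-phase attack confirmed by analytics")
    return state
```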