Model-based computer attack analytics orchestration

US 10,262,132 B2
Filed: 07/01/2016
Issued: 04/16/2019
Est. Priority Date: 07/01/2016
Status: Active Grant

First Claim

Patent Images

1. A computing device comprising:

a hardware processor; and

a data storage device storing instructions executable on the hardware processor to;

generate, using an attack model that specifies behavior of an attack on a computing system comprising one or more computing devices, a first hypothesis for the attack, the first hypothesis specifying, for a first phase of the attack, a first attack action;

identify, using the first hypothesis, an analytics instruction for determining whether the first attack action specified by the first hypothesis occurred on the computing system;

cause the analytics instruction to be executed on the computing system;

update a state of the attack model to produce an updated attack model based on a result of execution of the analytics instruction indicating whether the first attack action occurred on the computing system;

generate, using the updated attack model, a second hypothesis for the attack, the second hypothesis specifying, for a second phase of the attack, a second attack action;

determine whether the second hypothesis is correct based on determining whether the second attack action occurred as determined using a different analytics instruction; and

in response to determining that the second attack action occurred, perform a counter-measure addressing the attack on the computing system, and notify one or more users of the computing system of the attack.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Examples relate to model-based computer attack analytics orchestration. In one example, a computing device may: generate, using an attack model that specifies behavior of a particular attack on a computing system, a hypothesis for the particular attack, the hypothesis specifying, for a particular state of the particular attack, at least one attack action; identify, using the hypothesis, at least one analytics function for determining whether the at least one attack action specified by the hypothesis occurred on the computing system; provide an analytics device with instructions to execute the at least one analytics function on the computing system; receive analytics results from the analytics device; and update a state of the attack model based on the analytics results.

27 Citations

View as Search Results

20 Claims

1. A computing device comprising:
- a hardware processor; and
  
  a data storage device storing instructions executable on the hardware processor to;
  
  generate, using an attack model that specifies behavior of an attack on a computing system comprising one or more computing devices, a first hypothesis for the attack, the first hypothesis specifying, for a first phase of the attack, a first attack action;
  
  identify, using the first hypothesis, an analytics instruction for determining whether the first attack action specified by the first hypothesis occurred on the computing system;
  
  cause the analytics instruction to be executed on the computing system;
  
  update a state of the attack model to produce an updated attack model based on a result of execution of the analytics instruction indicating whether the first attack action occurred on the computing system;
  
  generate, using the updated attack model, a second hypothesis for the attack, the second hypothesis specifying, for a second phase of the attack, a second attack action;
  
  determine whether the second hypothesis is correct based on determining whether the second attack action occurred as determined using a different analytics instruction; and
  
  in response to determining that the second attack action occurred, perform a counter-measure addressing the attack on the computing system, and notify one or more users of the computing system of the attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computing device of claim 1, wherein the attack model specifies a plurality of phases, and for each respective phase of the plurality of phases, attack actions that may occur in the respective phase.
  - 3. The computing device of claim 1, wherein the instructions are executable on the hardware processor to:
    - obtain contextual data describing a state of the computing system, and wherein the first hypothesis is further generated using the contextual data.
  - 4. The computing device of claim 3, wherein the instructions are executable on the hardware processor to:
    - select, using the contextual data, the attack model from a plurality of attack models.
  - 5. The computing device of claim 1, wherein the attack model is a continuous-time model.
  - 6. The computing device of claim 1, wherein the analytics instruction comprises an analytics query to query the computing system to determine whether the first attack action occurred.
  - 7. The computing device of claim 1, wherein the analytics instruction comprises an analytics function for execution on the computing system to determine whether the first attack action occurred.
  - 8. The computing device of claim 1, wherein the counter-measure comprises disabling the computing system.
  - 9. The computing device of claim 1, wherein each of the first hypothesis and second hypothesis represents a prediction of a current phase of the attack.
  - 10. The computing device of claim 1, wherein the instructions are executable on the hardware processor to output likelihoods of the attack being in respective phases of a plurality of phases of the attack, the plurality of phases of the attack comprising the first and second phases.
  - 11. The computing device of claim 1, wherein the updating of the state of the attack model is to reflect a likely phase of the attack.

12. A method performed by a device comprising a hardware processor, comprising:
- generating, using an attack model that specifies behavior of an attack on a computing system comprising one or more computing devices, a first hypothesis for the attack, the first hypothesis specifying, for a first phase of the attack, a first plurality of attack actions;
  
  identifying, using the first hypothesis, an analytics instruction for obtaining analytics results relating to occurrence of the first plurality of attack actions on the computing system;
  
  updating a state of the attack model to produce an updated attack model based on the analytics results indicating whether the first plurality of attack actions occurred on the computing system;
  
  generating, using the updated attack model, a second hypothesis for the attack, the second hypothesis specifying, for a second phase of the attack, a second plurality of attack actions;
  
  determining whether the second hypothesis is correct based on determining whether the second plurality of attack actions occurred as determined using a different analytics instruction; and
  
  in response to determining that the second plurality of attack actions occurred, performing a counter-measure addressing the attack on the computing system, and notifying one or more users of the computing system of the attack.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12, further comprising:
    - obtaining contextual data describing a state of the computing system; and
      
      selecting, using the contextual data, the attack model from a plurality of attack models.
  - 14. The method of claim 12, further comprising:
    - outputting likelihoods of the attack being in respective phases of a plurality of phases of the attack, the plurality of phases of the attack comprising the first and second phases.
  - 15. The method of claim 12, wherein the updating of the state of the attack model is to reflect a likely phase of the attack.

16. A non-transitory machine-readable storage medium encoded with instructions that upon execution cause a computing device to:
- select an attack model from a plurality of attack models using contextual data that describes a state of a computing system comprising one or more computing devices, the attack model specifying behavior of an attack on the computing system;
  
  generate, using the attack model, a first hypothesis for the attack, the first hypothesis specifying, for a first phase of the attack, a first plurality of attack actions;
  
  identify, using the first hypothesis, an analytics instruction for determining whether the first plurality of attack actions specified by the first hypothesis occurred on the computing system;
  
  update a state of the attack model to produce an updated attack model based on analytics results obtained by the analytics instruction;
  
  generate, using the updated attack model, a second hypothesis for the attack, the second hypothesis specifying, for a second phase of the attack, a second plurality of attack actions;
  
  determine whether the second hypothesis is correct based on determining whether the second plurality of attack actions occurred as determined using a different analytics instruction; and
  
  in response to determining that the second plurality of attack actions occurred, perform a counter-measure addressing the attack on the computing system, and notify one or more users of the computing system of the attack.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory machine-readable storage medium of claim 16, wherein the attack model specifies a plurality of phases and, for each respective phase of the plurality of phases, attack actions that may occur in the respective phase.
  - 18. The non-transitory machine-readable storage medium of claim 17, wherein the state of the attack model is updated by confirming that the first plurality of attack actions specified by the attack model occurred.
  - 19. The non-transitory machine-readable storage medium of claim 16, wherein the analytics instruction comprises an analytics function for execution on the computing system or an analytics query to obtain information from the computing system.
  - 20. The non-transitory machine-readable storage medium of claim 16, wherein each of the first hypothesis and second hypothesis represents a prediction of a current phase of the attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
entIT Software LLC (Open Text Corporation)
Inventors
Reinecke, Philipp, Casassa Mont, Marco, Beresna, Yolanta
Primary Examiner(s)
Gracia, Gary S

Application Number

US15/201,186
Publication Number

US 20180004941A1
Time in Patent Office

1,019 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 16/90335   Query processing

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

G06N 5/02   Knowledge representation; S...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Model-based computer attack analytics orchestration

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Model-based computer attack analytics orchestration

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links