System and method for visualizing and analyzing cyber-attacks using a graph model

US 10,313,382 B2
Filed: 03/29/2016
Issued: 06/04/2019
Est. Priority Date: 03/29/2016
Status: Active Grant

First Claim

Patent Images

1. A computing system for assessing a computer network using a graph database, comprising:

a plurality of network sensors;

one or more sensor interfaces configured to received data from the plurality of network sensors;

one or more processors;

memory; and

one or more programs stored in the memory that when executed by the one or more processors cause the one or more processors to;

receive data from the plurality of network sensors and convert the received data to a common format, wherein the received data is based on a present state of a computer network;

generate a graph model comprising a plurality of nodes and a plurality of edges based on the data converted to the common format and store the generated plurality of nodes and the plurality of edges within a graph database, wherein the graph model comprises a plurality of predetermined layers, each layer associated with a type of computer-network information and comprising a subset of the plurality of nodes and the plurality of edges that is generated from the received data supplying the type of computer-network information associated with that layer;

receive a cyber-domain specific data query from a user of the computing system;

convert the received cyber-domain specific data query to a graph database native query comprising function calls for returning corresponding matching subgraphs from the plurality of predetermined layers of the graph model; and

execute the graph database native query upon the graph database to provide the user with a visualization of the returned matching subgraphs from across the predetermined layers of the graph model.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for implementing a graph database to analyze and monitor a status of an enterprise computer network is provided. In one example, a plurality of sensors can be inputted into sensor interface in which all of the data associated with the sensors in converted into a common data format. The data can be parsed into a data model that contains nodes and edges in order to generate a graph database model that can allow a network analyst to analyze the real-time status of a computer network. The graph database model can include multiple layers including an infrastructure layer, a cyber threats layer, a cyber posture layer, and a mission readiness layer. The graph database model can also be queried by a user using a domain-specific query language, so as to provide a user-friendly syntax in generating queries.

Citations

30 Claims

1. A computing system for assessing a computer network using a graph database, comprising:
- a plurality of network sensors;
  
  one or more sensor interfaces configured to received data from the plurality of network sensors;
  
  one or more processors;
  
  memory; and
  
  one or more programs stored in the memory that when executed by the one or more processors cause the one or more processors to;
  
  receive data from the plurality of network sensors and convert the received data to a common format, wherein the received data is based on a present state of a computer network;
  
  generate a graph model comprising a plurality of nodes and a plurality of edges based on the data converted to the common format and store the generated plurality of nodes and the plurality of edges within a graph database, wherein the graph model comprises a plurality of predetermined layers, each layer associated with a type of computer-network information and comprising a subset of the plurality of nodes and the plurality of edges that is generated from the received data supplying the type of computer-network information associated with that layer;
  
  receive a cyber-domain specific data query from a user of the computing system;
  
  convert the received cyber-domain specific data query to a graph database native query comprising function calls for returning corresponding matching subgraphs from the plurality of predetermined layers of the graph model; and
  
  execute the graph database native query upon the graph database to provide the user with a visualization of the returned matching subgraphs from across the predetermined layers of the graph model.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computing system of claim 1, wherein a layer of the plurality of predetermined layers comprise a subset of the generated plurality of nodes and a subset of the plurality of edges that convey information about a mission readiness state of the computer network.
  - 3. The computing system of claim 2, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a mission objective of the computing network.
  - 4. The computing system of claim 3, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a task of the computing network, wherein the task is based on the mission objective of the computing network.
  - 5. The computing system of claim 4, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about an information asset of the computing network, wherein the information asset is based on the task of the computing network.
  - 6. The computing system of claim 3, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a cyber asset of the computing network, wherein the cyber asset is based on the information asset of the computing network.
  - 7. The computing system of claim 1, wherein a layer of the plurality of predetermined layers comprise one or more nodes and one or more edges that convey information about potential cyber threats to the computer network.
  - 8. The computing system of claim 1, wherein a layer of the plurality of predetermined layers comprise one or more nodes and one or more edges that convey information about a cyber posture of the computer network.
  - 9. The computing system of claim 1, wherein a layer of the plurality of predetermined layers comprise one or more nodes and one or more edges that convey information about an infrastructure of the computer network.
  - 10. The computing system of claim 1 comprising:
    - a document-oriented database configured to receive the data from the plurality of sensors and convert the received data into one or more entries in the document-oriented database, and wherein the graph database is configured to generate the plurality of nodes and the plurality of edges based on the one or more entries in the document-oriented database.

11. A method of assessing a computer network using a graph database, the method comprising:
- receiving data from a plurality of network sensors and convert the received data to a common format, wherein the received data is based on a present state of a computer network;
  
  generating a graph model comprising a plurality of nodes and a plurality of edges based on the data converted to the common format and store the generated plurality of nodes and the plurality of edges within a graph database, wherein the graph model comprises a plurality of predetermined layers, each layer associated with a type of computer-network information and comprising a subset of the plurality of nodes and the plurality of edges that is generated from the received data supplying the type of computer-network information associated with that layer;
  
  receiving a cyber-domain specific data query from a user;
  
  converting the received cyber-domain specific data query to a graph database native query, comprising function calls for returning corresponding matching subgraphs from the plurality of predetermined layers of the graph model; and
  
  executing the graph database native query upon the graph database to provide the user with a visualization of the returned matching subgraphs from across the predetermined layers of the graph model.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein a layer of the plurality of predetermined layers comprise a subset of the generated plurality of nodes and a subset of the plurality of edges that convey information about a mission readiness state of the computer network.
  - 13. The method of claim 12, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a mission objective of the computing network.
  - 14. The method of claim 13, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a task of the computing network, wherein the task is based on the mission objective of the computing network.
  - 15. The method of claim 14, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about an information asset of the computing network, wherein the information asset is based on the task of the computing network.
  - 16. The method of claim 13, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a cyber asset of the computing network, wherein the cyber asset is based on the information asset of the computing network.
  - 17. The method of claim 11, wherein a layer of the plurality of predetermined layers comprise one or more nodes and one or more edges that convey information about potential cyber threats to the computer network.
  - 18. The method of claim 11, wherein a layer of the plurality of predetermined layers comprise one or more nodes and one or more edges that convey information about a cyber posture of the computer network.
  - 19. The method of claim 11, wherein a layer of the plurality of predetermined layers comprise one or more nodes and one or more edges that convey information about an infrastructure of the computer network.
  - 20. The method of claim 11, comprising:
    - receiving the data from the one or more sensors and converting the received data into one or more entries in a document-oriented database, and wherein generating the plurality of nodes and the plurality of edges is based on the one or more entries in the document-oriented database.

21. A non-transitory computer readable storage medium having stored thereon a set of instructions for assessing a computer network using a graph database that when executed by a computing device, cause the computing device to:
- receive data from a plurality of network sensors and convert the received data to a common format, wherein the received data is based on a present state of a computer network;
  
  generate a graph model comprising a plurality of nodes and a plurality of edges based on the data converted to the common format and store the generated plurality of nodes and the plurality of edges within a graph database, wherein the graph model comprises a plurality of predetermined layers, each layer associated with a type of computer-network information and comprising a subset of the plurality of nodes and the plurality of edges that is generated from the received data supplying the type of computer-network information associated with that layer;
  
  receive a cyber-domain specific data query from a user;
  
  convert the received cyber-domain specific data query to a graph database native query comprising function calls for returning corresponding matching subgraphs from the plurality of predetermined layers of the graph model; and
  
  execute the graph database native query upon the graph database to provide the user with a visualization of the returned matching subgraphs from across the predetermined layers of the graph model.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The non-transitory computer readable storage medium of claim 21, wherein a layer of the plurality of predetermined layers comprise a subset of the generated plurality of nodes and a subset of the plurality of edges that convey information about a mission readiness state of the computer network.
  - 23. The non-transitory computer readable storage medium of claim 22, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a mission objective of the computing network.
  - 24. The non-transitory computer readable storage medium of claim 23, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a task of the computing network, wherein the task is based on the mission objective of the computing network.
  - 25. The non-transitory computer readable storage medium of claim 24, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about an information asset of the computing network, wherein the information asset is based on the task of the computing network.
  - 26. The non-transitory computer readable storage medium of claim 23, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a cyber asset of the computing network, wherein the cyber asset is based on the information asset of the computing network.
  - 27. The non-transitory computer readable storage medium of claim 21, wherein a layer of the plurality of predetermined layers comprise one or more nodes and one or more edges that convey information about potential cyber threats to the computer network.
  - 28. The non-transitory computer readable storage medium of claim 21, wherein a layer of the plurality of predetermined layers comprise one or more nodes and one or more edges that convey information about a cyber posture of the computer network.
  - 29. The non-transitory computer readable storage medium of claim 21, wherein a layer of the plurality of predetermined layers comprise one or more nodes and one or more edges that convey information about an infrastructure of the computer network.
  - 30. The non-transitory computer readable storage medium of claim 21, wherein the computing device is further caused to:
    - receive the data from the plurality of sensors and convert the received data into one or more entries in a document-oriented database, and wherein generating the plurality of nodes and the plurality of edges is based on the one or more entries in the document-oriented database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mitre Corporation
Original Assignee
Mitre Corporation
Inventors
Noel, Steven, Harley, Eric, Tam, Kam Him, Limiero, Michael, Share, Matthew
Primary Examiner(s)
Doan, Trang T

Application Number

US15/084,153
Publication Number

US 20170289187A1
Time in Patent Office

1,162 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/28   Databases characterised by ...

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 67/01   Protocols

H04L 67/12   specially adapted for propr...

H04L 67/565   Conversion or adaptation of...

System and method for visualizing and analyzing cyber-attacks using a graph model

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for visualizing and analyzing cyber-attacks using a graph model

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links