System and method for visualizing and analyzing cyber-attacks using a graph model
First Claim
1. A computing system for assessing a computer network using a graph database, comprising:
a plurality of network sensors;
one or more sensor interfaces configured to receive data from the plurality of network sensors;
one or more processors;
memory; and
one or more programs stored in the memory that when executed by the one or more processors cause the one or more processors to:
receive data from the plurality of network sensors and convert the received data to a common format, wherein the received data is based on a present state of a computer network;
generate a graph model comprising a plurality of nodes and a plurality of edges based on the data converted to the common format and store the generated plurality of nodes and the plurality of edges within a graph database, wherein the graph model comprises a plurality of predetermined layers, each layer associated with a type of computer-network information and comprising a subset of the plurality of nodes and the plurality of edges that is generated from the received data supplying the type of computer-network information associated with that layer;
receive a cyber-domain specific data query from a user of the computing system;
convert the received cyber-domain specific data query to a graph database native query comprising function calls for returning corresponding matching subgraphs from the plurality of predetermined layers of the graph model; and
execute the graph database native query upon the graph database to provide the user with a visualization of the returned matching subgraphs from across the predetermined layers of the graph model.
Abstract
A system and method for implementing a graph database to analyze and monitor the status of an enterprise computer network is provided. In one example, a plurality of sensors can be fed into a sensor interface in which all of the data associated with the sensors is converted into a common data format. The data can be parsed into a data model that contains nodes and edges in order to generate a graph database model that allows a network analyst to analyze the real-time status of a computer network. The graph database model can include multiple layers, including an infrastructure layer, a cyber threats layer, a cyber posture layer, and a mission readiness layer. The graph database model can also be queried by a user using a domain-specific query language, so as to provide a user-friendly syntax for generating queries.
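The pipeline the abstract and claim 1 describe, as an added illustration that is not code from the patent: sensor records in constructed formats are normalized to one common edge format, nodes and edges are stored under the predetermined layers, and a cyber-domain query is compiled to a plan of native per-layer hops whose matches form a cross-layer subgraph. The sensor names, record formats, query phrases and node id scheme are all assumptions made for this example.

```python
LAYERS = ("infrastructure", "cyber_threats", "cyber_posture", "mission_readiness")

def normalize(sensor, record):
    """Sensor interface: one raw record (constructed formats) -> common-format edges (layer, src, rel, dst)."""
    if sensor == "inventory":                   # CSV "host,ip" from an asset inventory
        host, ip = record.split(",")
        return [("infrastructure", f"host:{host}", "has_ip", f"ip:{ip}")]
    if sensor == "ids":                         # dict from an IDS alert feed
        return [("cyber_threats", f"alert:{record['sig']}", "targets", f"ip:{record['dst_ip']}")]
    if sensor == "mission_map":                 # (mission, host) dependency tuple
        return [("mission_readiness", f"mission:{record[0]}", "depends_on", f"host:{record[1]}")]
    raise ValueError(f"unknown sensor: {sensor}")

def build_graph(feed):
    """Generate the layered graph model: node -> layer it was first seen in, edges kept per layer."""
    nodes, edges = {}, {layer: [] for layer in LAYERS}
    for sensor, record in feed:
        for layer, src, rel, dst in normalize(sensor, record):
            nodes.setdefault(src, layer)
            nodes.setdefault(dst, layer)
            edges[layer].append((src, rel, dst))
    return nodes, edges

# Cyber-domain query -> native plan: a start node kind plus hops of (layer, relation, reverse).
# reverse=True walks an edge from target back to source (ip -> host along host -has_ip-> ip).
QUERY_PLANS = {
    "missions affected by alerts": ("alert", [("cyber_threats", "targets", False),
                                              ("infrastructure", "has_ip", True),
                                              ("mission_readiness", "depends_on", True)]),
}

def run_query(graph, text):
    """Execute the native plan hop by hop; return the end nodes and the matched cross-layer subgraph."""
    nodes, edges = graph
    start_kind, hops = QUERY_PLANS[text.lower()]
    frontier = {n for n in nodes if n.startswith(start_kind + ":")}
    subgraph = []                                # (layer, src, rel, dst) edges to visualize
    for layer, rel, reverse in hops:
        nxt = set()
        for src, r, dst in edges[layer]:
            here, there = (dst, src) if reverse else (src, dst)
            if r == rel and here in frontier:
                subgraph.append((layer, src, r, dst))
                nxt.add(there)
        frontier = nxt
    return sorted(frontier), subgraph

# Constructed sensor feed: two hosts, one IDS alert against web01, two missions.
FEED = [("inventory", "web01,10.0.0.5"), ("inventory", "db01,10.0.0.9"),
        ("ids", {"sig": "ET-SCAN-001", "dst_ip": "10.0.0.5"}),
        ("mission_map", ("payroll", "db01")), ("mission_map", ("portal", "web01"))]
```

Running `run_query(build_graph(FEED), "missions affected by alerts")` returns the single mission `portal` together with the three edges, one per layer, that connect the alert to it.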
30 Claims
1. A computing system for assessing a computer network using a graph database, comprising:
a plurality of network sensors; one or more sensor interfaces configured to receive data from the plurality of network sensors; one or more processors; memory; and one or more programs stored in the memory that when executed by the one or more processors cause the one or more processors to: receive data from the plurality of network sensors and convert the received data to a common format, wherein the received data is based on a present state of a computer network; generate a graph model comprising a plurality of nodes and a plurality of edges based on the data converted to the common format and store the generated plurality of nodes and the plurality of edges within a graph database, wherein the graph model comprises a plurality of predetermined layers, each layer associated with a type of computer-network information and comprising a subset of the plurality of nodes and the plurality of edges that is generated from the received data supplying the type of computer-network information associated with that layer; receive a cyber-domain specific data query from a user of the computing system; convert the received cyber-domain specific data query to a graph database native query comprising function calls for returning corresponding matching subgraphs from the plurality of predetermined layers of the graph model; and execute the graph database native query upon the graph database to provide the user with a visualization of the returned matching subgraphs from across the predetermined layers of the graph model.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A method of assessing a computer network using a graph database, the method comprising:
receiving data from a plurality of network sensors and converting the received data to a common format, wherein the received data is based on a present state of a computer network; generating a graph model comprising a plurality of nodes and a plurality of edges based on the data converted to the common format and storing the generated plurality of nodes and the plurality of edges within a graph database, wherein the graph model comprises a plurality of predetermined layers, each layer associated with a type of computer-network information and comprising a subset of the plurality of nodes and the plurality of edges that is generated from the received data supplying the type of computer-network information associated with that layer; receiving a cyber-domain specific data query from a user; converting the received cyber-domain specific data query to a graph database native query comprising function calls for returning corresponding matching subgraphs from the plurality of predetermined layers of the graph model; and executing the graph database native query upon the graph database to provide the user with a visualization of the returned matching subgraphs from across the predetermined layers of the graph model.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
21. A non-transitory computer readable storage medium having stored thereon a set of instructions for assessing a computer network using a graph database that when executed by a computing device, cause the computing device to:
receive data from a plurality of network sensors and convert the received data to a common format, wherein the received data is based on a present state of a computer network; generate a graph model comprising a plurality of nodes and a plurality of edges based on the data converted to the common format and store the generated plurality of nodes and the plurality of edges within a graph database, wherein the graph model comprises a plurality of predetermined layers, each layer associated with a type of computer-network information and comprising a subset of the plurality of nodes and the plurality of edges that is generated from the received data supplying the type of computer-network information associated with that layer; receive a cyber-domain specific data query from a user; convert the received cyber-domain specific data query to a graph database native query comprising function calls for returning corresponding matching subgraphs from the plurality of predetermined layers of the graph model; and execute the graph database native query upon the graph database to provide the user with a visualization of the returned matching subgraphs from across the predetermined layers of the graph model.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30.