Systems and methods for generating security improvement plans for entities

US 10,726,136 B1
Filed: 07/17/2019
Issued: 07/28/2020
Est. Priority Date: 07/17/2019
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for statistical modeling of entities of a particular type, the method comprising:

obtaining entity data including a plurality of entity data sets, each entity data set associated with a respective entity and including values for one or more static parameters indicative of a type of the entity,wherein the values of the static parameters for each of the entity data sets indicate that the type of the entity matches the particular type, andwherein each entity data set further includes (i) values for one or more input parameters indicative of a security profile of the entity and (ii) a value of a security class parameter indicative of a security class of the entity based on the values of the input parameters,wherein the one or more input parameters indicative of the security profile of the entity comprise at least one of;

a number and/or severity of botnet infection instances of a computer system associated with the entity;

a number of spam propagation instances originating from a computer network associated with the entity;

a number of malware servers associated with the entity;

a number of potentially exploited devices associated with the entity;

a number of hosts authorized to send emails on behalf of each domain associated with the entity;

a determination of whether a DomainKeys Identified Mail (DKIM) record exists for each domain associated with the entity and/or a key length of a public key associated with a Domain Name System (DNS) record of each domain associated with the entity;

an evaluation of a Secure Sockets Layer (SSL) certificate and/or a Transport Layer Security (TLS) certificate associated with a computer system of the entity;

a number and/or type of service of open ports of a computer network associated with the entity;

an evaluation of security-related fields of an header section of HTTP response messages of hosts associated with the entity;

a rate at which vulnerabilities are patched in a computer network associated with the entity;

an evaluation of file sharing traffic originating from a computer network associated with the entity;

ora number of lost records and/or sensitivity of information in the lost records in a data breach of a computer system associated with the entity; and

training a statistical classifier to infer a value of the security class parameter indicative of the security class of a particular entity of the particular type based on values of one or more of the input parameters indicative of a security profile of the particular entity, wherein training the statistical classifier comprises fitting the statistical classifier to the plurality of entity data sets.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method is provided for statistical modeling of entities of a particular type. The method can include obtaining entity data including a plurality of entity data sets, each entity data set associated with a respective entity and including values for one or more static parameters indicative of a type of the entity. Each entity data set can include (i) values for input parameter(s) indicative of a security profile of the entity and (ii) a value of a security class parameter indicative of a security class of the entity based on the values of the input parameters. The method can include training a statistical classifier to infer a value of the security class parameter indicative of the security class of a particular entity of the particular type based on values of one or more of the input parameters indicative of a security profile of the particular entity.

205 Citations

19 Claims

1. A computer-implemented method for statistical modeling of entities of a particular type, the method comprising:
- obtaining entity data including a plurality of entity data sets, each entity data set associated with a respective entity and including values for one or more static parameters indicative of a type of the entity,wherein the values of the static parameters for each of the entity data sets indicate that the type of the entity matches the particular type, andwherein each entity data set further includes (i) values for one or more input parameters indicative of a security profile of the entity and (ii) a value of a security class parameter indicative of a security class of the entity based on the values of the input parameters,wherein the one or more input parameters indicative of the security profile of the entity comprise at least one of;
  
  a number and/or severity of botnet infection instances of a computer system associated with the entity;
  
  a number of spam propagation instances originating from a computer network associated with the entity;
  
  a number of malware servers associated with the entity;
  
  a number of potentially exploited devices associated with the entity;
  
  a number of hosts authorized to send emails on behalf of each domain associated with the entity;
  
  a determination of whether a DomainKeys Identified Mail (DKIM) record exists for each domain associated with the entity and/or a key length of a public key associated with a Domain Name System (DNS) record of each domain associated with the entity;
  
  an evaluation of a Secure Sockets Layer (SSL) certificate and/or a Transport Layer Security (TLS) certificate associated with a computer system of the entity;
  
  a number and/or type of service of open ports of a computer network associated with the entity;
  
  an evaluation of security-related fields of an header section of HTTP response messages of hosts associated with the entity;
  
  a rate at which vulnerabilities are patched in a computer network associated with the entity;
  
  an evaluation of file sharing traffic originating from a computer network associated with the entity;
  
  ora number of lost records and/or sensitivity of information in the lost records in a data breach of a computer system associated with the entity; and
  
  training a statistical classifier to infer a value of the security class parameter indicative of the security class of a particular entity of the particular type based on values of one or more of the input parameters indicative of a security profile of the particular entity, wherein training the statistical classifier comprises fitting the statistical classifier to the plurality of entity data sets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein the static parameters comprise at least one of (i) entity size, (ii) entity industry, and/or (iii) entity location.
  - 3. The method of claim 1, wherein the values of two or more static parameters for each of the entity data sets indicate that the type of the entity matches the particular type.
  - 4. The method of claim 1, further comprising:
    - selecting a target value for the security class parameter indicative of the security class for the particular entity,wherein the plurality of entity data sets includes at least one entity data set for which the value of the security class parameter is lower than the target value and at least one entity data set for which the value of the security class parameter is at or above than the target value.
  - 5. The method of claim 4, wherein the plurality of entity data sets includes at least three entity data sets for which the value of the security class parameter is lower than the target value and at least three entity data set for which the value of the security class parameter is at or above than the target value.
  - 6. The method of claim 1, wherein the security profile comprises security practices and/or a security record of an entity.
  - 7. The method of claim 1, wherein the one or more input parameters indicative of the security profile of the entity comprise at least one of:
    - an amount of capital investment in security of the entity;
      
      a measure of employee training in security of the entity;
      
      a measure of organization of a team dedicated to information security;
      
      oran amount of budget dedicated to information security.
  - 8. The method of claim 1, wherein the security class is a security rating of the entity.
  - 9. The method of claim 1, wherein the value of the security class parameter is indicative of a security class above or below a target security rating.
  - 10. The method of claim 1, wherein the statistical classifier is one of the group consisting of:
    - (i) a K-nearest neighbor algorithm, (ii) a support vector machine (SVM) model, or (iii) random forest classifier.
  - 11. The method of claim 1, wherein each entity data set includes values for two or more input parameters indicative of the security profile of the entity, the method further comprising:
    - for a first input parameter of the two or more input parameters;
      
      determining a relationship between at least one value of the first input parameter and at least one value of a second input parameter; and
      
      storing the relationship in a database.
  - 12. The method of claim 11, further comprising:
    - determining relationships between a plurality of values of the first input parameter and a plurality of values of the second input parameter, wherein the plurality of values of the first input parameter comprises the at least one value of the first input parameter and the plurality of values of the second input parameter comprises the at least one value of the second input parameter.
  - 13. The method of claim 11, further comprising:
    - receiving values of the two or more input parameters for the particular entity;
      
      adjusting the value of the first input parameter of the two or more input parameters;
      
      determining the value of the second input parameter of the two or more input parameters based on the stored relationship in the database;
      
      using the trained statistical classifier on the adjusted value of the first input parameter and the determined value of the second input parameter to infer a value of the security class parameter indicative of the security class of the particular entity; and
      
      comparing the value of the security class parameter to a target value to determine whether the adjustment of the value of the first input parameter results in a value of the security class parameter at, above, or below the target value.
  - 14. The method of claim 13, wherein, if the adjustment of the value of the first input parameter results in a value above the target value, the method further comprises:
    - generating a security improvement plan based on the adjusted value of the first input parameter and the determined value of the second input parameter, such that, if executed by the particular entity, increases the value of the security class parameter of the particular entity to or above the target value.
  - 15. The method of claim 14, wherein the security improvement plan comprises a target value for at least one input parameter for the particular entity, the target value being different than the value of the at least one input parameter.
  - 16. The method of claim 14, further comprising:
    - presenting the security improvement plan via a user interface.
  - 17. The method of claim 14, wherein the security improvement plan includes a prescription to adjust at least one of the input parameters, the method further comprising:
    - determining an explanation for the prescription using one or more explanation techniques selected from the group consisting of;
      
      (i) local interpretable model-agnostic explanation (LIME), (ii) high-precision model-agnostic explanation, (iii) Skater model interpretation, or (iv) random forest feature tweaking.
  - 18. The method of claim 17, further comprising:
    - presenting the explanation via the user interface.
  - 19. The method of claim 13, further comprising:
    - if the adjustment of the value of the first input parameter results in the value of the security class parameter being at or above the target value, determining a target value for the first input parameter by;
      
      receiving two or more values of the first input parameter from two or more entity data sets of entities having a value of the security class parameter greater than the target value;
      
      determining a mean of the two or more values; and
      
      generating a security improvement plan prescribing the mean value for the first input parameter of the particular entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BitSight Technologies, Inc.
Original Assignee
BitSight Technologies, Inc.
Inventors
Light, Marc Noel
Primary Examiner(s)
Getachew, Abiy

Application Number

US16/514,771
Time in Patent Office

377 Days
Field of Search
US Class Current
CPC Class Codes

G06F 17/18   for evaluating statistical ...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

G06N 20/00   Machine learning

G06N 20/10   using kernel methods, e.g. ...

G06N 20/20   Ensemble learning

G06N 5/01   Dynamic search techniques; ...

G06N 5/04   Inference or reasoning models

G06N 7/01   Probabilistic graphical mod...

H04L 63/102   Entity profiles

H04L 63/1433   Vulnerability analysis

Systems and methods for generating security improvement plans for entities

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

205 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for generating security improvement plans for entities

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

205 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links