Method and system for addressing intrusion attacks on a computer system

US 20050097339A1
Filed: 11/05/2003
Published: 05/05/2005
Est. Priority Date: 11/05/2003
Status: Active Grant

First Claim

Patent Images

1. A computerized method for addressing intrusion attacks directed at a computer, the method comprising:

receiving at least one packet corresponding to a potential attack on the computer;

calculating a risk rating for the potential attack by;

determining an attack severity rating indicative of the potential severity of the potential attack by comparing the type of potential attack to stored information having a plurality of attacks with corresponding predetermined numerical attack severity ratings;

determining a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer by comparing the type of potential attack to stored information having a plurality of attacks with corresponding predetermined numerical signature fidelity ratings;

determining an attack relevance rating indicative of the relevance of the potential attack to the computer based on an operating system of the computer, a service availability of the computer, an application running at a service port of the computer, and the version of the application;

determining a target value rating indicative of the perceived value of the computer;

calculating the risk rating as a function of the attack severity rating, the signature fidelity rating, the attack relevance rating, and the target value rating, wherein the function is;

ERR=floor(((ASR)*(SFR)*(ARR)*(TVR))/1000000,100) where;

ERR=the risk rating;

ASR=the attack severity rating;

SFR=the signature fidelity rating;

ARR=the attack relevance rating; and

TVR=the target value rating; and

responding to the attack based on the risk rating.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment of the invention, a computerized method for addressing intrusion attacks directed at a computer includes receiving a data stream corresponding to a potential attack on the computer and calculating an event risk rating for the data stream. Calculating the event risk rating includes determining at least one component risk rating. In one embodiment, the component risk ratings are: a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer, an attack relevance rating indicative of the relevance of the potential attack to the computer, and a target value rating indicative of the perceived value of the computer. The method also includes responding to the potential attack based on the calculated risk rating.

Citations

25 Claims

1. A computerized method for addressing intrusion attacks directed at a computer, the method comprising:
- receiving at least one packet corresponding to a potential attack on the computer;
  
  calculating a risk rating for the potential attack by;
  
  determining an attack severity rating indicative of the potential severity of the potential attack by comparing the type of potential attack to stored information having a plurality of attacks with corresponding predetermined numerical attack severity ratings;
  
  determining a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer by comparing the type of potential attack to stored information having a plurality of attacks with corresponding predetermined numerical signature fidelity ratings;
  
  determining an attack relevance rating indicative of the relevance of the potential attack to the computer based on an operating system of the computer, a service availability of the computer, an application running at a service port of the computer, and the version of the application;
  
  determining a target value rating indicative of the perceived value of the computer;
  
  calculating the risk rating as a function of the attack severity rating, the signature fidelity rating, the attack relevance rating, and the target value rating, wherein the function is;
  
  ERR=floor(((ASR)*(SFR)*(ARR)*(TVR))/1000000,100) where;
  
  ERR=the risk rating;
  
  ASR=the attack severity rating;
  
  SFR=the signature fidelity rating;
  
  ARR=the attack relevance rating; and
  
  TVR=the target value rating; and
  
  responding to the attack based on the risk rating.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 13)
- - 2. The computerized method of claim 1, wherein the corresponding predetermined numerical attack severity ratings are selected from the group consisting of the numbers 25, 50, 75, and 100.
  - 3. The computerized method of claim 1, wherein the corresponding predetermined numerical signature fidelity ratings are based on at least one of the factors selected from the group consisting of:
    - the operating system of the computer;
      
      the service availability, the service application, and the version.
  - 4. The computerized method of claim 1, wherein the attack relevance rating has a value ranging from 77 to 127.
  - 5. The computerized method of claim 1, wherein the target value rating is selected from the group consisting of 90, 95, 100, 105, and 110.
  - 6. The computerized method of claim 1, wherein responding to the attack based on the risk rating comprises at least one of the actions selected from the group consisting of:
    - providing an alert if the risk rating exceeds a first particular value;
      
      logging the at least one packet if the risk rating exceeds a second particular value; and
      
      denying data flow to the computer if the risk rating exceeds a third particular value.
  - 7. The computerized method of claim 1, wherein responding to the attack based on the risk rating comprises performing one of a plurality of sets of actions based on the risk rating.
  - 13. The computerized method of claim 1, wherein responding to the attack based on the risk rating comprises performing one of a plurality of sets of actions based on the risk rating.

8. A computerized method for addressing intrusion attacks directed at a computer, the method comprising:
- receiving at least one packet corresponding to a potential attack on the computer;
  
  calculating a risk rating for the potential attack by;
  
  determining an attack severity rating indicative of the potential severity of the potential attack;
  
  determining a signature fidelity rating indicative of the likelihood the potential attach will affect the computer in the absence of knowledge regarding the computer;
  
  determining an attack relevance rating indicative of the relevance of the potential attack to the computer;
  
  determining a target value rating indicative of the perceived value of the computer; and
  
  calculating the risk rating as a function of the attack severity rating, the signature fidelity rating, the attack relevance rating, and the target value rating; and
  
  responding to the attack based on the calculated risk rating.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The computerized method of claim 8, wherein determining an attack severity rating indicative of the potential severity of the potential attack comprises comparing the type of potential attack to stored information having a plurality of attacks with corresponding predetermined numerical attack severity ratings.
  - 10. The computerized method of claim 8, wherein determining a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer comprises comparing the type of potential attack to stored information having a plurality of attacks with corresponding predetermined numerical signature fidelity ratings.
  - 11. The computerized method of claim 8, wherein determining an attack relevance rating indicative of the relevance of the potential attack to the computer comprises determining the attack relevance rating based on an operating system of the computer, a service availability of the computer, an application running at the service port of the computer, and the version of the application
  - 12. The computerized method of claim 8, wherein the function is:
    - ERR=floor(((ASR)*(SFR)*(ARR)*(TVR))/1000000,100) where;
      
      ERR=the risk rating;
      
      ASR=the attack severity rating;
      
      SFR=the signature fidelity rating;
      
      ARR=the attack relevance rating; and
      
      TVR=the target value rating.

14. A computerized method for addressing intrusion attacks directed at a computer, the method comprising:
- receiving a data stream corresponding to a potential attack on the computer;
  
  calculating a risk rating for the potential attack by;
  
  determining at least one component risk rating selected from the group consisting of;
  
  a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer, an attack relevance rating indicative of the relevance of the potential attack to the computer, and a target value rating indicative of the perceived value of the computer; and
  
  calculating the risk rating based on at least one of the component risk ratings; and
  
  responding to the potential attack based on the calculated risk rating.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method of claim 14, and further comprising determining an attack severity rating indicative of the potential severity of the potential attack and wherein calculating the risk rating comprises calculating the risk rating based on the at least one component risk rating and on the attack severity rating.
  - 16. The method of claim 14, wherein determining at least one component risk rating comprises determining the signature fidelity rating, the attack relevance rating, and the target value.
  - 17. The method of claim 16, wherein calculating the risk rating based on at least one of the component risk rating comprises wherein calculating the risk rating based on the signature fidelity rating, the attack relevance rating, and the target value.
  - 18. The computerized method of claim 16, and further comprising determining an attack severity rating indicative of the potential severity of the potential attack and wherein the risk rating is calculated according to the formula:
    - ERR=floor(((ASR)*(SFR)*(ARR)*(TVR))/1000000,100) where;
      
      ERR=the risk rating;
      
      ASR=the attack severity rating;
      
      SFR=the signature fidelity rating;
      
      ARR=the attack relevance rating; and
      
      TVR=the target value rating.
  - 19. The computerized method of claim 14, wherein responding to the attack based on the risk rating comprises performing one of a plurality of sets of actions based on the risk rating.

20. A system for addressing intrusion attacks directed at a computer, the system comprising:
- a software program embodied in a computer readable medium, the software program, when executed by a processor, operable to;
  
  calculate a risk rating for a data stream received by the system embodying a potential attack by;
  
  determining at least one component risk rating selected from the group consisting of;
  
  a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer, an attack relevance rating indicative of the relevance of the potential attack to the computer, and a target value rating indicative of the perceived value of the computer; and
  
  calculate the risk rating based on at least one of the component risk ratings; and
  
  initiate a response to the potential attack based on the risk rating.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The system of claim 20, and wherein the software program is further operable to determine an attack severity rating indicative of the potential severity of the potential attack and calculate the risk rating based at least on the at least one component risk rating and on the attack severity rating.
  - 22. The method of claim 20, wherein the software program is further operable to calculate the risk rating bases on the signature fidelity rating, the attack relevance rating, and the target value.
  - 23. The system of claim 22, wherein the software program is further operable to determine the risk rating according to the formula:
    - ERR=floor(((ASR)*(SFR)*(ARR)*(TVR))/1000000,100) where;
      
      ERR=the risk rating;
      
      ASR=the attack severity rating;
      
      SFR=the signature fidelity rating;
      
      ARR=the attack relevance rating; and
      
      TVR=the target value rating.
  - 24. The system of claim 20, wherein the computer program is further operable to perform one of a plurality of sets of actions based on the risk rating.

25. A system for addressing intrusion attacks directed at a computer, the system comprising:
- means for receiving at least one packet corresponding to a potential attack on the computer;
  
  means for calculating a risk rating for the at least one packet by;
  
  determining an attack severity rating indicative of the potential severity of the potential attack;
  
  determining a signature fidelity rating indicative of the likelihood the potential attach will affect the computer in the absence of knowledge regarding the computer;
  
  determining an attack relevance rating indicative of the relevance of the potential attack to the computer;
  
  determining a target value rating indicative of the perceived value of the computer; and
  
  calculating the risk rating as a function of the attack severity rating, the signature fidelity rating, the attack relevance rating, and the target value rating; and
  
  means for responding to the attack based on the calculated risk rating.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Gleichauf, Robert E., Lathem, Gerald S., Hall, Michael L., Wiley, Kevin L.

Granted Patent

US 7,526,806 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/188
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Method and system for addressing intrusion attacks on a computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for addressing intrusion attacks on a computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links