Method and system for addressing intrusion attacks on a computer system
Abstract
According to one embodiment of the invention, a computerized method for addressing intrusion attacks directed at a computer includes receiving a data stream corresponding to a potential attack on the computer and calculating an event risk rating for the data stream. Calculating the event risk rating includes determining at least one component risk rating. In one embodiment, the component risk ratings are: a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer, an attack relevance rating indicative of the relevance of the potential attack to the computer, and a target value rating indicative of the perceived value of the computer. The method also includes responding to the potential attack based on the calculated risk rating.
25 Claims
1. A computerized method for addressing intrusion attacks directed at a computer, the method comprising:
receiving at least one packet corresponding to a potential attack on the computer;
calculating a risk rating for the potential attack by:
determining an attack severity rating indicative of the potential severity of the potential attack by comparing the type of potential attack to stored information having a plurality of attacks with corresponding predetermined numerical attack severity ratings;
determining a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer by comparing the type of potential attack to stored information having a plurality of attacks with corresponding predetermined numerical signature fidelity ratings;
determining an attack relevance rating indicative of the relevance of the potential attack to the computer based on an operating system of the computer, a service availability of the computer, an application running at a service port of the computer, and the version of the application;
determining a target value rating indicative of the perceived value of the computer;
calculating the risk rating as a function of the attack severity rating, the signature fidelity rating, the attack relevance rating, and the target value rating, wherein the function is:
ERR = floor(((ASR)*(SFR)*(ARR)*(TVR))/1000000, 100), where:
ERR = the risk rating;
ASR = the attack severity rating;
SFR = the signature fidelity rating;
ARR = the attack relevance rating; and
TVR = the target value rating; and
responding to the attack based on the risk rating.
Dependent claims: 2, 3, 4, 5, 6, 7, 13
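The following is an added worked example, not code from the patent or its assignee, showing how the four component ratings named in claim 1 combine into the event risk rating and drive a response. The claim names the inputs but supplies no values, so the signature table (ASR and SFR per signature), the host inventory, the ARR step values, the response thresholds and the sample packets are all constructed here for illustration; the 0-100 scale for each rating and the reading of floor(x, 100) as "floor, then cap at 100" are assumptions.

```python
# Added example (not the patent's own code): ERR from claim 1's four component
# ratings, then a response chosen by threshold. All tables, scales and
# thresholds below are constructed assumptions; the claim does not supply them.
from dataclasses import dataclass

# Constructed "stored information": per signature, the predetermined ASR and
# SFR (assumed 0-100), plus the platform the signature's exploit targets.
SIGNATURES = {
    "sig-1001": {"asr": 100, "sfr": 95, "os": "windows", "service": "http",
                 "app": "iis", "versions": {"6.0"}},
    "sig-2002": {"asr": 60, "sfr": 40, "os": "linux", "service": "ssh",
                 "app": "openssh", "versions": {"7.2", "7.3"}},
}


@dataclass
class Host:
    """Constructed inventory record: what the IPS knows about one protected computer."""
    ip: str
    os: str
    services: dict  # port -> (service, application, version)
    tvr: int        # target value rating, assumed 0-100, from asset classification


HOSTS = {
    "10.0.0.5": Host("10.0.0.5", "windows", {80: ("http", "iis", "6.0")}, tvr=100),
    "10.0.0.9": Host("10.0.0.9", "linux", {22: ("ssh", "openssh", "8.9")}, tvr=50),
}


def attack_relevance(sig: dict, host: Host, dst_port: int) -> int:
    """ARR from the four factors claim 1 lists: operating system, service
    availability, application at the port, and application version.
    The step values are an assumption; the claim only names the factors."""
    if host.os != sig["os"]:
        return 10                       # wrong OS: exploit cannot apply
    svc = host.services.get(dst_port)
    if svc is None:
        return 25                       # no service listening on that port
    service, app, version = svc
    if service != sig["service"] or app != sig["app"]:
        return 40                       # port open, but a different application
    if version not in sig["versions"]:
        return 60                       # right application, unaffected version
    return 100                          # exact match: fully relevant


def event_risk_rating(asr: int, sfr: int, arr: int, tvr: int) -> int:
    """ERR = floor(ASR*SFR*ARR*TVR / 1000000), capped at 100.
    Integer division is floor for non-negative inputs; the cap is the
    assumed reading of the claim's floor(..., 100)."""
    return min((asr * sfr * arr * tvr) // 1_000_000, 100)


def rate_packet(sig_id: str, dst_ip: str, dst_port: int) -> dict:
    """Look up ASR/SFR for the matched signature, derive ARR and TVR from the
    target host, and return all components with the resulting ERR."""
    sig = SIGNATURES[sig_id]
    host = HOSTS[dst_ip]
    arr = attack_relevance(sig, host, dst_port)
    err = event_risk_rating(sig["asr"], sig["sfr"], arr, host.tvr)
    return {"asr": sig["asr"], "sfr": sig["sfr"], "arr": arr,
            "tvr": host.tvr, "err": err}


def respond(err: int) -> str:
    """Response policy keyed on the risk rating; thresholds are constructed."""
    if err >= 90:
        return "deny-packet-inline"
    if err >= 50:
        return "alert"
    return "log"


if __name__ == "__main__":
    # Constructed sample events: (signature matched, destination IP, destination port)
    for event in [("sig-1001", "10.0.0.5", 80),
                  ("sig-2002", "10.0.0.9", 22),
                  ("sig-1001", "10.0.0.9", 80)]:
        r = rate_packet(*event)
        print(event, r, "->", respond(r["err"]))
```

Because the factors multiply, a low ARR suppresses the rating even for a severe, high-fidelity signature against a high-value host, which is the intended effect of the relevance rating. The practical caveat is that ARR is only as good as the host inventory it is derived from: a stale OS or version record for 10.0.0.5 would drop a real IIS 6.0 exploit from "deny" to "log".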
8. A computerized method for addressing intrusion attacks directed at a computer, the method comprising:
receiving at least one packet corresponding to a potential attack on the computer;
calculating a risk rating for the potential attack by:
determining an attack severity rating indicative of the potential severity of the potential attack;
determining a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer;
determining an attack relevance rating indicative of the relevance of the potential attack to the computer;
determining a target value rating indicative of the perceived value of the computer; and
calculating the risk rating as a function of the attack severity rating, the signature fidelity rating, the attack relevance rating, and the target value rating; and
responding to the attack based on the calculated risk rating.
Dependent claims: 9, 10, 11, 12
14. A computerized method for addressing intrusion attacks directed at a computer, the method comprising:
receiving a data stream corresponding to a potential attack on the computer;
calculating a risk rating for the potential attack by:
determining at least one component risk rating selected from the group consisting of:
a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer, an attack relevance rating indicative of the relevance of the potential attack to the computer, and a target value rating indicative of the perceived value of the computer; and
calculating the risk rating based on at least one of the component risk ratings; and
responding to the potential attack based on the calculated risk rating.
Dependent claims: 15, 16, 17, 18, 19
20. A system for addressing intrusion attacks directed at a computer, the system comprising:
a software program embodied in a computer readable medium, the software program, when executed by a processor, operable to:
calculate a risk rating for a data stream received by the system embodying a potential attack by:
determining at least one component risk rating selected from the group consisting of:
a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer, an attack relevance rating indicative of the relevance of the potential attack to the computer, and a target value rating indicative of the perceived value of the computer; and
calculate the risk rating based on at least one of the component risk ratings; and
initiate a response to the potential attack based on the risk rating.
Dependent claims: 21, 22, 23, 24
25. A system for addressing intrusion attacks directed at a computer, the system comprising:
means for receiving at least one packet corresponding to a potential attack on the computer;
means for calculating a risk rating for the at least one packet by:
determining an attack severity rating indicative of the potential severity of the potential attack;
determining a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer;
determining an attack relevance rating indicative of the relevance of the potential attack to the computer;
determining a target value rating indicative of the perceived value of the computer; and
calculating the risk rating as a function of the attack severity rating, the signature fidelity rating, the attack relevance rating, and the target value rating; and
means for responding to the attack based on the calculated risk rating.
Specification