Systems and methods for dynamic threat assessment

US 20050216764A1
Filed: 03/23/2004
Published: 09/29/2005
Est. Priority Date: 03/23/2004
Status: Active Grant

First Claim

Patent Images

1. A method for dynamically assessing threats to computers and computer networks using one or more security devices that generate events, comprising:

reading policy configuration information, wherein the policy configuration information comprises a global threat assessment event generation probability and one or more dynamic threat assessment rules comprising event probability information;

generating one or more abstract data types for each of the one or more dynamic threat assessment rules;

collecting and storing events from the one or more security devices in an event collection database;

reading each event in the event collection database;

determining if the each event is a member of each instance of the one or more abstract data types for each of the one or more dynamic threat assessment rules;

if the each event is a member of the each instance, adding the each event to the each instance and computing a probability of the each instance;

determining if the probability is greater than the global threat assessment event generation probability;

if the probability is greater than the global threat assessment event generation probability, generating a dynamic threat assessment event and placing the dynamic threat assessment event in the event collection database;

determining if the each event is a starting member of an instance of the one or more abstract data types for each of the one or more dynamic threat assessment rules; and

if the each event is a starting member of the instance, creating the instance and adding the each event to the instance.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The threat probability of events generated by a security device on a computer network is assessed by comparing the threat probability to a global threat probability. An abstract data type is used to describe how the events are combined to form a threat. If an event matches an unpopulated member of an instance of an abstract data type, the event is added to the instance and the probability of the instance is computed. If the probability of the instance is greater than a global threat probability, a dynamic threat assessment event is generated. A system for dynamically assessing threats to computers and computer networks system includes at least one security device that generates events, an event collection database, policy configuration information, and a dynamic threat assessment engine.

Citations

27 Claims

1. A method for dynamically assessing threats to computers and computer networks using one or more security devices that generate events, comprising:
- reading policy configuration information, wherein the policy configuration information comprises a global threat assessment event generation probability and one or more dynamic threat assessment rules comprising event probability information;
  
  generating one or more abstract data types for each of the one or more dynamic threat assessment rules;
  
  collecting and storing events from the one or more security devices in an event collection database;
  
  reading each event in the event collection database;
  
  determining if the each event is a member of each instance of the one or more abstract data types for each of the one or more dynamic threat assessment rules;
  
  if the each event is a member of the each instance, adding the each event to the each instance and computing a probability of the each instance;
  
  determining if the probability is greater than the global threat assessment event generation probability;
  
  if the probability is greater than the global threat assessment event generation probability, generating a dynamic threat assessment event and placing the dynamic threat assessment event in the event collection database;
  
  determining if the each event is a starting member of an instance of the one or more abstract data types for each of the one or more dynamic threat assessment rules; and
  
  if the each event is a starting member of the instance, creating the instance and adding the each event to the instance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the one or more security devices comprise an intrusion detection system, a network intrusion detection system, a host intrusion detection system, a router, a firewall, and a system logger.
  - 3. The method of claim 1, wherein the policy configuration information further comprises rule probability thresholds.
  - 4. The method of claim 1, wherein the policy configuration information further comprises event collection database configurations.
  - 5. The method of claim 1, wherein the policy configuration information further comprises operation parameters.
  - 6. The method of claim 1, wherein the one or more abstract data types comprise graphs, trees, lists, state machines, hash tables, and Bayesian networks.
  - 7. The method of claim 1, wherein the probability of the each instance is computed based on one or more of the conditions comprising a number of other events, a type of the other events, an order of the other events, and a timing of the other events.
  - 8. The method of claim 3, further comprising determining if the probability is greater than a rule probability threshold for the each instance.
  - 9. The method of claim 8, further comprising if the probability is greater than the rule probability threshold for the each instance, generating a dynamic threat assessment event and placing it in the event collection database.
  - 10. The method of claim 1, further comprising receiving and storing events from the one or more security devices in the event collection database.
  - 11. The method of claim 1, further comprising removing the each instance from memory, if the probability is greater than the global threat assessment event probability.
  - 12. The method of claim 8, further comprising removing the each instance from memory, if the probability is greater than the rule probability threshold for the each instance.

13. A system for dynamically assessing threats to computers and computer networks, comprising:
- one or more security devices that generate events;
  
  an event collection database, wherein the event collection database collects and stores events of the one or more security devices;
  
  policy configuration information, wherein the policy configuration information comprises a global threat assessment event generation probability and one or more dynamic threat assessment rules comprising event probability information; and
  
  a dynamic threat assessment engine, wherein the dynamic threat assessment engine accepts the policy configuration information;
  
  wherein the dynamic threat assessment engine generates one or more abstract data types for the one or more dynamic threat assessment rules;
  
  wherein the dynamic threat assessment engine reads each event in the event collection database;
  
  wherein the dynamic threat assessment engine determines if the each event is a member of each instance of the one or more abstract data types for each of the one or more dynamic threat assessment rules;
  
  wherein if the each event is a member of the each instance, the dynamic threat assessment engine adds the each event to the each instance and computes a probability of the each instance;
  
  wherein the dynamic threat assessment engine determines if the probability is greater than the global threat assessment event generation probability;
  
  wherein if the probability is greater than the global threat assessment event generation probability, the dynamic threat assessment engine generates a dynamic threat assessment event and places the dynamic threat assessment event in the event collection database;
  
  wherein the dynamic threat assessment engine determines if the each event is a starting member of an instance of the one or more abstract data types for each of the one or more dynamic threat assessment rules; and
  
  wherein if the each event is a starting member of the instance, the dynamic threat assessment engine creates the instance and adds the each event to the instance.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 14. The system of claim 13, wherein the one or more security devices comprise an intrusion detection system, a network intrusion detection system, a host intrusion detection system, a router, a firewall, and a system logger.
  - 15. The system of claim 13, wherein the policy configuration information further comprises rule probability thresholds.
  - 16. The method of claim 13, wherein the policy configuration information further comprises event collection database configurations.
  - 17. The method of claim 13, wherein the policy configuration information further comprises operation parameters.
  - 18. The system of claim 13, wherein the one or more abstract data types comprise graphs, trees, lists, state machines, hash tables, and Bayesian networks.
  - 19. The system of claim 13, wherein the probability of the each instance is computed based on one or more of the conditions comprising a number of other events, a type of the other events, an order of the other events, and a timing of the other events.
  - 20. The system of claim 15, wherein the dynamic threat assessment engine determines if the probability is greater than a rule probability threshold for the each instance.
  - 21. The system of claim 20, wherein if the probability is greater than the rule probability threshold for the each instance, the dynamic threat assessment engine generates a dynamic threat assessment event and places it in the event collection database.
  - 22. The system of claim 13, wherein the event collection database receives and stores events from the one or more security devices.
  - 23. The method of claim 13, wherein the dynamic threat assessment engine removes the each instance from memory, if the probability is greater than the global threat assessment event probability.
  - 24. The method of claim 20, wherein the dynamic threat assessment engine removes the each instance from memory, if the probability is greater than the rule probability threshold for the each instance.
  - 25. The system of claim 13, wherein the event collection database comprises the logging system of a security device that generates events.
  - 26. The system of claim 13, further comprising a management console comprising the event collection database, the policy configuration information, and the dynamic threat assessment engine.

27. A method for assessing a threat probability of an event generated by a security device, comprising:
- receiving the event from the security device in an event collection database;
  
  if the event matches an unpopulated member of an instance of an abstract data type that represents a rule that describes how events are combined to form a threat, adding the event to the instance and computing a probability of the instance; and
  
  if the probability is greater than a global threat assessment event generation probability, generating a second event and placing the second event in the event collection database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Inventors
Roelker, Daniel J., Norton, Marc A.

Granted Patent

US 7,313,695 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

Systems and methods for dynamic threat assessment

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for dynamic threat assessment

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links