Systems and methods for dynamic threat assessment
First Claim
1. A method for dynamically assessing threats to computers and computer networks using one or more security devices that generate events, comprising:
reading policy configuration information, wherein the policy configuration information comprises a global threat assessment event generation probability and one or more dynamic threat assessment rules comprising event probability information;
generating one or more abstract data types for each of the one or more dynamic threat assessment rules;
collecting and storing events from the one or more security devices in an event collection database;
reading each event in the event collection database;
determining if the each event is a member of each instance of the one or more abstract data types for each of the one or more dynamic threat assessment rules;
if the each event is a member of the each instance, adding the each event to the each instance and computing a probability of the each instance;
determining if the probability is greater than the global threat assessment event generation probability;
if the probability is greater than the global threat assessment event generation probability, generating a dynamic threat assessment event and placing the dynamic threat assessment event in the event collection database;
determining if the each event is a starting member of an instance of the one or more abstract data types for each of the one or more dynamic threat assessment rules; and
if the each event is a starting member of the instance, creating the instance and adding the each event to the instance.
Abstract
The threat probability of events generated by a security device on a computer network is assessed by comparing the threat probability to a global threat probability. An abstract data type is used to describe how the events are combined to form a threat. If an event matches an unpopulated member of an instance of an abstract data type, the event is added to the instance and the probability of the instance is computed. If the probability of the instance is greater than a global threat probability, a dynamic threat assessment event is generated. A system for dynamically assessing threats to computers and computer networks includes at least one security device that generates events, an event collection database, policy configuration information, and a dynamic threat assessment engine.
27 Claims
13. A system for dynamically assessing threats to computers and computer networks, comprising:
one or more security devices that generate events;
an event collection database, wherein the event collection database collects and stores events of the one or more security devices;
policy configuration information, wherein the policy configuration information comprises a global threat assessment event generation probability and one or more dynamic threat assessment rules comprising event probability information; and
a dynamic threat assessment engine, wherein the dynamic threat assessment engine accepts the policy configuration information;
wherein the dynamic threat assessment engine generates one or more abstract data types for the one or more dynamic threat assessment rules;
wherein the dynamic threat assessment engine reads each event in the event collection database;
wherein the dynamic threat assessment engine determines if the each event is a member of each instance of the one or more abstract data types for each of the one or more dynamic threat assessment rules;
wherein if the each event is a member of the each instance, the dynamic threat assessment engine adds the each event to the each instance and computes a probability of the each instance;
wherein the dynamic threat assessment engine determines if the probability is greater than the global threat assessment event generation probability;
wherein if the probability is greater than the global threat assessment event generation probability, the dynamic threat assessment engine generates a dynamic threat assessment event and places the dynamic threat assessment event in the event collection database;
wherein the dynamic threat assessment engine determines if the each event is a starting member of an instance of the one or more abstract data types for each of the one or more dynamic threat assessment rules; and
wherein if the each event is a starting member of the instance, the dynamic threat assessment engine creates the instance and adds the each event to the instance.
27. A method for assessing a threat probability of an event generated by a security device, comprising:
receiving the event from the security device in an event collection database;
if the event matches an unpopulated member of an instance of an abstract data type that represents a rule that describes how events are combined to form a threat, adding the event to the instance and computing a probability of the instance; and
if the probability is greater than a global threat assessment event generation probability, generating a second event and placing the second event in the event collection database.
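The processing loop in claims 1, 13 and 27 (read policy, build one abstract data type per rule, read each event, test membership in live instances, compute the instance probability, compare it with the global threshold, emit a dynamic threat assessment event back into the collection database, then test whether the event starts a new instance) is shown below as an added illustration; it is not code from the patent or its assignee. The policy format, the choice of an ordered member list keyed on a shared field, the combination formula `1 - prod(1 - p_i)` over populated members, the `fired` flag that stops an instance from emitting twice, and the sample events are all constructed assumptions for the example.

```python
"""Toy dynamic threat assessment engine following the loop of claim 1.

Everything here is an illustrative assumption: the patent claims do not fix a
policy syntax, a member-matching rule, or a probability formula.
"""
from dataclasses import dataclass, field

# Constructed policy configuration: one global threshold plus rules whose
# ordered members carry per-member event probability information.
POLICY = {
    "global_threat_probability": 0.75,
    "rules": [
        {
            "name": "recon_then_exploit",
            "key": "src",  # assumption: all members of an instance share this field
            "members": [
                {"type": "port_scan", "p": 0.30},
                {"type": "login_failure", "p": 0.40},
                {"type": "login_success", "p": 0.60},
            ],
        },
    ],
}

# Constructed sample events, as a security device might write them to the
# event collection database.  The second event comes from a different source
# and therefore neither continues nor starts an instance.
EVENTS = [
    {"type": "port_scan", "src": "10.0.0.5", "dst": "10.0.1.20"},
    {"type": "login_failure", "src": "10.0.0.9", "user": "svc"},
    {"type": "login_failure", "src": "10.0.0.5", "user": "admin"},
    {"type": "login_success", "src": "10.0.0.5", "user": "admin"},
]


@dataclass
class AbstractDataType:
    """One abstract data type generated for one dynamic threat assessment rule."""
    name: str
    key: str
    members: list  # ordered list of {"type": ..., "p": ...}


@dataclass
class Instance:
    """A partially populated copy of an abstract data type."""
    adt: AbstractDataType
    key_value: object
    populated: list = field(default_factory=list)
    probability: float = 0.0
    fired: bool = False  # assumption: emit at most one assessment event per instance

    def next_member(self):
        """The first unpopulated member, or None if the instance is complete."""
        n = len(self.populated)
        return self.adt.members[n] if n < len(self.adt.members) else None

    def is_member(self, event):
        """Does the event match the next unpopulated member of this instance?"""
        m = self.next_member()
        return (m is not None
                and event.get("type") == m["type"]
                and event.get(self.adt.key) == self.key_value)

    def add(self, event):
        """Add the event and recompute the instance probability (assumed formula)."""
        self.populated.append(event)
        miss = 1.0
        for m in self.adt.members[:len(self.populated)]:
            miss *= 1.0 - m["p"]
        self.probability = 1.0 - miss
        return self.probability


def build_adts(policy):
    """Generate one abstract data type per dynamic threat assessment rule."""
    return [AbstractDataType(r["name"], r["key"], r["members"]) for r in policy["rules"]]


def is_starting_member(adt, event):
    """Is the event the first member of the rule (and does it carry the key)?"""
    return event.get("type") == adt.members[0]["type"] and adt.key in event


def assess(policy, event_db):
    """Run the claim 1 loop over event_db; appends generated events to it in place."""
    threshold = policy["global_threat_probability"]
    adts = build_adts(policy)
    instances, generated = [], []
    i = 0
    while i < len(event_db):  # index loop so events appended during the run are read too
        event = event_db[i]
        i += 1
        # First: membership in every existing instance, probability, threshold test.
        for inst in instances:
            if inst.is_member(event):
                prob = inst.add(event)
                if prob > threshold and not inst.fired:
                    inst.fired = True
                    dta = {"type": "dynamic_threat_assessment", "rule": inst.adt.name,
                           "probability": round(prob, 4), inst.adt.key: inst.key_value,
                           "events": len(inst.populated)}
                    event_db.append(dta)  # placed back in the event collection database
                    generated.append(dta)
        # Then: does the same event also start a fresh instance of any rule?
        for adt in adts:
            if is_starting_member(adt, event):
                inst = Instance(adt, event[adt.key])
                inst.add(event)
                instances.append(inst)
    return generated


if __name__ == "__main__":
    db = list(EVENTS)
    for dta in assess(POLICY, db):
        print(dta)
```

With the sample policy the instance keyed on `10.0.0.5` reaches 0.30, then 0.58, then 0.832 after the third matching event, which exceeds the 0.75 threshold and yields one dynamic threat assessment event; raising the global threshold to 0.9 yields none. Because the generated event is appended to the same database the loop reads, a higher-level rule whose starting member is `dynamic_threat_assessment` could correlate assessments further, which is the reason the claims put the generated event back into the collection database rather than only reporting it.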