Threat scoring system and method for intrusion detection security networks
First Claim
1. A method of analyzing an event detected in a distributed computer system, comprising:
- determining an attack validation value associated with said event;
determining a target exposure value associated with a host targeted by said event;
determining an attacker rating value associated with an attacker originating said event; and
determining a threat rating for said event utilizing said attack validation value, said target exposure value, and said attacker rating value.
12 Assignments
0 Petitions
Accused Products
Abstract
Embodiments of the invention provide a security expert system (SES) that automates intrusion detection analysis and threat discovery that can use fuzzy logic and forward-chaining inference engines to approximate human reasoning process. Embodiments of the SES can analyze incoming security events and generate a threat rating that indicates the likelihood of an event or a series of events being a threat. In one embodiment, the threat rating is determined based on an attacker rating, a target rating, a valid rating, and, optionally, a negative rating. In one embodiment, the threat rating may be affected by a validation flag. The SES can analyze the criticality of assets and calibrate/recalibrate the severity of an attack accordingly to allow for triage. The asset criticality can have a user-defined value. This ability allows the SES to protect and defend critical network resources in a discriminating and selective manner if necessary (e.g., many attacks).
-
Citations
26 Claims
-
1. A method of analyzing an event detected in a distributed computer system, comprising:
-
determining an attack validation value associated with said event;
determining a target exposure value associated with a host targeted by said event;
determining an attacker rating value associated with an attacker originating said event; and
determining a threat rating for said event utilizing said attack validation value, said target exposure value, and said attacker rating value. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
-
Specification