TACTICAL AND STRATEGIC ATTACK DETECTION AND PREDICTION

US 20070226796A1
Filed: 03/20/2007
Published: 09/27/2007
Est. Priority Date: 03/21/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving input data representing activities and events on a network;

detecting tactical attacks against one or more entities by analyzing the input data; and

dynamically determining when the one or more tactical attacks are indicative of a strategic attack.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

NETWAR provides a utility that enables detection of both tactical and strategic threats against an individual entity and interrelated/affiliated networks of entities. A distributed network of sensors and evaluators are utilized to detect tactical attacks against one or more entities. Events on the general network are represented as an input graph, which is searched for matches of example pattern graphs that represent tactical attacks. The search is performed using a scalable graph matching engine and an ontology that is periodically updated by a subject matter expert or analyst. NETWAR provides the functionality to determine/understand the strategic significance of the detected tactical attacks by correlating detected tactical attacks on the individual entities to identify the true motive of these attacks as a strategic attack. NETWAR also provides predictive capability to predict future entities and sub-entities that may be targeted based on evaluation of the attack data.

233 Citations

49 Claims

1. A method comprising:
- receiving input data representing activities and events on a network;
  
  detecting tactical attacks against one or more entities by analyzing the input data; and
  
  dynamically determining when the one or more tactical attacks are indicative of a strategic attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, wherein said dynamically determining comprises:
    - evaluating a strategic motive, tactical means, and tactical opportunities (MMO) of a potential attacker by detecting one or more strategic actions within the input data, which identify the strategic attack; and
      
      fingerprinting the MMO for future detection of similar strategic attacks, said MMO identifying reconnaissance and attack activities;
  - 3. The method of claim 2, wherein:
    - said identifying of reconnaissance and attack activities involves accessing one or more automated reconnaissance tools, including open access and online tools and tools designed for supporting strategic attack detection to identify information vulnerabilities;
      
      said method further comprising;
      
      observing, via the online tools, intelligence gathering, planning, testing, and collaboration activities performed on the network; and
      
      generating multiple MMOs based on observed, known, and deduced attack and reconnaissance patterns.
  - 4. The method of claim 1, wherein said dynamically determining comprises:
    - matching strategic attack graph patterns against an input graph representing the relationships and affiliations among the entities and the tactical attacks the entities have been victim to, in order to determine a strategic significance of detected tactical attacks.
  - 5. The method of claim 1, wherein said dynamically determining comprises:
    - correlating events from multiple sensors throughout the network to understand tactical attacks, wherein said correlating is completed via one or more graph analysis engines (GAEs) and includes detecting ongoing tactical attacks, performing forensics on completed tactical attacks, and predicting likely conclusions to ongoing attacks.
  - 6. The method of claim 5, further comprising:
    - receiving, via the GAE, input data from data sources/sensors; and
      
      performing a data fusion on the input data utilizing a domain ontology to fuse the input data into an Attributed Relational Graph (ARG);
      
      wherein the GAE utilizes the domain ontology to (1) map sensor events to probable actions, (2) define threat patterns, and (3) provide ontological services to the pattern matcher.
  - 7. The method of claim 1, wherein said dynamically determining further comprises:
    - when an entity that may potentially be attacked has vulnerabilities outside of the entity'"'"'s own network, extrapolating beyond a network of the entity being attacked to enable detection of strategic attacks in a supply chain and other domains of affiliated entities.
  - 8. The method of claim 1, further comprising:
    - generating a user interface for enabling input, manipulation and control of information and data utilized during the dynamically determining step; and
      
      outputting results of said dynamically determining step via the user interface.
  - 9. The method of claim 1, further comprising:
    - generating an input graph representing the input data;
      
      sampling and evaluating the input data using a graph-based search engine;
      
      performing graph matching, anomaly detection and social network analysis within the input graph to determine presence in the input graph of tactical and strategic attack patterns; and
      
      dynamically determining a strategic motive, tactical means, and tactical opportunities (MMO) of an attacker; and
      
      automatically detecting and predicting strategic attacks by detecting strategic actions identified within the input graph and comprehending the MMO of the potential attacker.
  - 10. The method of claim 1, further comprising:
    - enabling creation of an ontology of example attack patterns that represent known and potential attack patterns; and
      
      enabling updates of the ontology to include newly detected attack patterns and remove patterns that are no longer classified as attack patterns.
  - 11. The method of claim 10, wherein said enabling creation further comprises:
    - storing graph patterns that identify tactical attacks within the network in a tactical attack ontology; and
      
      storing graph patterns that identify strategic attacks within the network in a strategic attack ontology;
      
      wherein said strategic attack ontology is cyber ontology including network vulnerability, network attacks and network threats.
  - 12. The method of claim 1, further comprising:
    - forwarding information related to a detected strategic attack to an analyst for evaluation; and
      
      enabling analyst input in assessing a level of seriousness of a detected strategic attack.
  - 13. The method of claim 1, further comprising detecting supply chain attacks and technology-based attacks directed at a target system via an intermediary entity.
  - 14. The method of claim 1, further comprising:
    - analyzing the detected tactical attacks and strategic attacks;
      
      predicting possible occurrences of a future attack based on said analyzing a known context for precipitating said future attacks; and
      
      outputting an alert about the predicted future attacks.
  - 15. The method of claim 1, further comprising:
    - establishing a sensitivity cutoff, which indicates a match percentage less than a complete match desired to determine when a detected pattern is a likely candidate as an attack pattern;
      
      performing an inexact matching search utilizing said sensitivity cutoff;
      
      when an inexact match is identified, evaluating if the inexact match is a match of one of a current attack, a future attack, and a failed attack;
      
      predicting a likely outcome of an ongoing attacks by analyzing partial matches of attack patterns, wherein, if a predicted attack step in the attack pattern is not observed over a pre-established time, the attack is assumed to have failed;
      
      when the inexact match is identified as one of a current attack, a future attack and a failed attack, updating a history table of inexact matches and forwarding the inexact match along with corresponding context information for review;
      
      when the inexact match is confirmed by an analyst as an attack, updating the ontology of attack patterns to include the inexact match; and
      
      when the inexact match indicates a possible future predicted attack, generating an alert predicting the future attack.
  - 16. The method of claim 15, further comprising:
    - when the inexact match is within a pre-set variance for the sensitivity cutoff;
      
      tagging the sequence of activities as a potential attack;
      
      monitoring subsequent activity to determine if the potential attack evolves into an actual attack; and
      
      updating the ontology with a morphed attack pattern when the inexact match is determined to be an attack.
  - 17. The method of claim 16, further comprising:
    - automatically accounting for evolving changes in attack pattern to enable detection of evolving attack patterns, wherein an evolved attack pattern is detected without requiring a full attack signature from input graph comparison.
  - 18. The method of claim 1, further comprising performing strategic attack detection within an in-memory graph search function, having a display architecture in which the set of all graph elements is known and available.
  - 19. The method of claim 1, further comprising:
    - storing the input data to a scalable database capable of managing a large amount of data at a time;
      
      monitoring the network in real time;
      
      updating the scalable database with new input data generated from the network; and
      
      performing the analysis of the input data for detection of strategic attacks via a database graph search functionality of a graph analysis tool capable of retrieving graph elements directly from the scalable database and providing direct queries to the input graph provided within the scalable database;
      
      wherein a clear separation of threat semantics and graph search functions for attack patterns is provided.
  - 20. The method of claim 19, further comprising:
    - converting ontology-based patterns into a precise pattern query language (PQL) supported by the graph analysis tool; and
      
      decomposing complete attack patterns stored in the strategic attack ontology into meaningful time-based sub-patterns that will match sequences of activity that are precursors to becoming a significant attack threat, wherein said decomposing enables a predictive capability for future attacks.
  - 21. The method of claim 1 further comprising:
    - sequencing input data points by time; and
      
      converting the sequenced input data points into textual descriptions of network activity.
  - 22. The method of claim 1, further comprising:
    - providing fusion of data at a strategic level, wherein said fusion accounts for inputs from Internet sensors, open sources, and search engine statistics, wherein the strategic level fusion utilizes a business threat ontology and strategic level GAEs to understand strategic attacks;
      
      wherein the business threat ontology associated with strategic level GAEs contain one or more of;
      
      (1) descriptions of specifically identified target entities;
      
      (2) interdependencies between the individual target entities, including as supply chain dependencies;
      
      (3) business functions and services of the target entities;
      
      (4) relationships between the network assets and business assets of the target entities, including strategic information, functions, and services; and
      
      (5) information about strategic threats and the threat'"'"'s likely motives;
      
      wherein the strategic level fusion provides attack patterns for one or more of;
      
      (1) supply chain availability attacks;
      
      (2) industrial espionage focused on exfiltration of information about specific technologies; and
      
      (3) strategic infiltration of an infrastructure to be leveraged in the future.

23. A computer program product comprising:
- a computer readable medium; and
  
  program code on the computer readable medium that when executed by a processor provides the functions of;
  
  receiving input data representing activities and events on a network;
  
  detecting tactical attacks against one or more entities by analyzing the input data; and
  
  dynamically determining when the one or more tactical attacks are indicative of a strategic attack.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 24. The computer program product of claim 23, wherein said code for dynamically determining comprises code for:
    - evaluating a strategic motive, tactical means, and tactical opportunities (MMO) of a potential attacker by detecting one or more strategic actions within the input data, which identify the strategic attack; and
      
      fingerprinting the MMO for future detection of similar strategic attacks, said MMO identifying reconnaissance and attack activities;
  - 25. The computer program product of claim 24, wherein:
    - said code for identifying of reconnaissance and attack activities comprises code for accessing one or more automated reconnaissance tools, including open access and online tools and tools designed for supporting strategic attack detection to identify information vulnerabilities;
      
      said program code further comprising code for;
      
      observing, via the online tools, intelligence gathering, planning, testing, and collaboration activities performed on the network; and
      
      generating multiple MMOs based on observed, known, and deduced attack and reconnaissance patterns.
  - 26. The computer program product of claim 23, wherein said code for dynamically determining comprises code for one or more of:
    - matching strategic attack graph patterns against an input graph representing the relationships and affiliations among the entities and the tactical attacks the entities have been victim to, in order to determine a strategic significance of detected tactical attacks; and
      
      correlating events from multiple sensors throughout the network to understand tactical attacks, wherein said correlating is completed via one or more graph analysis engines (GAEs) and includes detecting ongoing tactical attacks, performing forensics on completed tactical attacks, and predicting likely conclusions to ongoing attacks.
  - 27. The computer program product of claim 26, further comprising code for:
    - receiving, via the GAE, input data from data sources/sensors; and
      
      performing a data fusion on the input data utilizing a domain ontology to fuse the input data into an Attributed Relational Graph (ARG);
      
      wherein the GAE utilizes the domain ontology to (1) map sensor events to probable actions, (2) define threat patterns, and (3) provide ontological services to the pattern matcher.
  - 28. The computer program product of claim 23, wherein said code for dynamically determining further comprises code for:
    - when an entity that may potentially be attacked has vulnerabilities outside of the entity'"'"'s own network, extrapolating beyond a network of the entity being attacked to enable detection of strategic attacks in a supply chain and other domains of affiliated entities.
  - 29. The computer program product of claim 23, further comprising code for:
    - analyzing the detected tactical attacks and strategic attacks;
      
      predicting possible occurrences of a future attack based on said analyzing a known context for precipitating said future attacks; and
      
      outputting an alert about the predicted future attacks.
  - 30. The computer program product of claim 23, further comprising code for:
    - establishing a sensitivity cutoff, which indicates a match percentage less than a complete match desired to determine when a detected pattern is a likely candidate as an attack pattern;
      
      performing an inexact matching search utilizing said sensitivity cutoff;
      
      when an inexact match is identified, evaluating if the inexact match is a match of one of a current attack, a future attack, and a failed attack;
      
      predicting a likely outcome of an ongoing attacks by analyzing partial matches of attack patterns, wherein, if a predicted attack step in the attack pattern is not observed over a pre-established time, the attack is assumed to have failed;
      
      when the inexact match is identified as one of a current attack, a future attack and a failed attack, updating a history table of inexact matches and forwarding the inexact match along with corresponding context information for review;
      
      when the inexact match is confirmed by an analyst as an attack, updating the ontology of attack patterns to include the inexact match;
      
      when the inexact match indicates a possible future predicted attack, generating an alert predicting the future attack.
  - 31. The computer program product of claim 30, further comprising code for:
    - when the inexact match is within a pre-set variance for the sensitivity cutoff;
      
      tagging the sequence of activities as a potential attack;
      
      monitoring subsequent activity to determine if the potential attack evolves into an actual attack; and
      
      updating the ontology with a morphed attack pattern when the inexact match is determined to be an attack.
  - 32. The computer program product of claim 23, further comprising code for:
    - storing the input data to a scalable database capable of managing a large amount of data at a time;
      
      monitoring the network in real time;
      
      updating the scalable database with new input data generated from the network; and
      
      performing the analysis of the input data for detection of strategic attacks via a database graph search functionality of a graph analysis tool capable of retrieving graph elements directly from the scalable database and providing direct queries to the input graph provided within the scalable database;
      
      wherein a clear separation of threat semantics and graph search functions for attack patterns is provided.
  - 33. The computer program product of claim 32, further comprising code for:
    - converting ontology-based patterns into a precise pattern query language (PQL) supported by the graph analysis tool; and
      
      decomposing complete attack patterns stored in the strategic attack ontology into meaningful time-based sub-patterns that will match sequences of activity that are precursors to becoming a significant attack threat, wherein said decomposing enables a predictive capability for future attacks.
  - 34. The computer program product of claim 23, further comprising code for:
    - providing fusion of data at a strategic level, wherein said fusion accounts for inputs from Internet sensors, open sources, and search engine statistics, wherein the strategic level fusion utilizes a business threat ontology and strategic level GAEs to understand strategic attacks;
      
      wherein the business threat ontology associated with strategic level GAEs contain one or more of;
      
      (1) descriptions of specifically identified target entities;
      
      (2) interdependencies between the individual target entities, including as supply chain dependencies;
      
      (3) business functions and services of the target entities;
      
      (4) relationships between the network assets and business assets of the target entities, including strategic information, functions, and services; and
      
      (5) information about strategic threats and the threat'"'"'s likely motives;
      
      wherein the strategic level fusion provides attack patterns for one or more of;
      
      (1) supply chain availability attacks;
      
      (2) industrial espionage focused on exfiltration of information about specific technologies; and
      
      (3) strategic infiltration of an infrastructure to be leveraged in the future.

35. A system comprising:
- a processor;
  
  a memory coupled to the processor; and
  
  a utility, which executes on the processor to provide the functions of;
  
  receiving input data representing activities and events on a network;
  
  detecting tactical attacks against one or more entities by analyzing the input data; and
  
  dynamically determining when the one or more tactical attacks are indicative of a strategic attack.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 36. The system of claim 35, wherein said code for dynamically determining comprises code for:
    - evaluating a strategic motive, tactical means, and tactical opportunities (MMO) of a potential attacker by detecting one or more strategic actions within the input data, which identify the strategic attack; and
      
      fingerprinting the MMO for future detection of similar strategic attacks, said MMO identifying reconnaissance and attack activities;
  - 37. The system of claim 36, wherein:
    - said code for identifying of reconnaissance and attack activities comprises code for accessing one or more automated reconnaissance tools, including open access and online tools and tools designed for supporting strategic attack detection to identify information vulnerabilities;
      
      said utility further comprising code for;
      
      observing, via the online tools, intelligence gathering, planning, testing, and collaboration activities performed on the network; and
      
      generating multiple MMOs based on observed, known, and deduced attack and reconnaissance patterns.
  - 38. The system of claim 35, wherein said code for dynamically determining comprises code for performing one or more of:
    - matching strategic attack graph patterns against an input graph representing the relationships and affiliations among the entities and the tactical attacks the entities have been victim to, in order to determine a strategic significance of detected tactical attacks; and
      
      correlating events from multiple sensors throughout the network to understand tactical attacks, wherein said correlating is completed via one or more graph analysis engines (GAEs) and includes detecting ongoing tactical attacks, performing forensics on completed tactical attacks, and predicting likely conclusions to ongoing attacks.
  - 39. The system of claim 35, said utility further comprising code for:
    - receiving, via the GAE, input data from data sources/sensors; and
      
      performing a data fusion on the input data utilizing a domain ontology to fuse the input data into an Attributed Relational Graph (ARG);
      
      wherein the GAE utilizes the domain ontology to (1) map sensor events to probable actions, (2) define threat patterns, and (3) provide ontological services to the pattern matcher.
  - 40. The system of claim 35, wherein said code for dynamically determining further comprises code for:
    - when an entity that may potentially be attacked has vulnerabilities outside of the entity'"'"'s own network, extrapolating beyond a network of the entity being attacked to enable detection of strategic attacks in a supply chain and other domains of affiliated entities.
  - 41. The system of claim 35, said utility further comprising code for:
    - analyzing the detected tactical attacks and strategic attacks;
      
      predicting possible occurrences of a future attack based on said analyzing a known context for precipitating said future attacks; and
      
      outputting an alert about the predicted future attacks.
  - 42. The system of claim 35, said utility further comprising code for:
    - establishing a sensitivity cutoff, which indicates a match percentage less than a complete match desired to determine when a detected pattern is a likely candidate as an attack pattern;
      
      performing an inexact matching search utilizing said sensitivity cutoff;
      
      when an inexact match is identified, evaluating if the inexact match is a match of one of a current attack, a future attack, and a failed attack;
      
      predicting a likely outcome of an ongoing attacks by analyzing partial matches of attack patterns, wherein, if a predicted attack step in the attack pattern is not observed over a pre-established time, the attack is assumed to have failed;
      
      when the inexact match is identified as one of a current attack, a future attack and a failed attack, updating a history table of inexact matches and forwarding the inexact match along with corresponding context information for review;
      
      when the inexact match is confirmed by an analyst as an attack, updating the ontology of attack patterns to include the inexact match; and
      
      when the inexact match indicates a possible future predicted attack, generating an alert predicting the future attack.
  - 43. The system of claim 42, said utility further comprising code for:
    - when the inexact match is within a pre-set variance for the sensitivity cutoff;
      
      tagging the sequence of activities as a potential attack;
      
      monitoring subsequent activity to determine if the potential attack evolves into an actual attack; and
      
      updating the ontology with a morphed attack pattern when the inexact match is determined to be an attack.
  - 44. The system of claim 35, said utility further comprising code for:
    - storing the input data to a scalable database capable of managing a large amount of data at a time;
      
      monitoring the network in real time;
      
      updating the scalable database with new input data generated from the network; and
      
      performing the analysis of the input data for detection of strategic attacks via a database graph search functionality of a graph analysis tool capable of retrieving graph elements directly from the scalable database and providing direct queries to the input graph provided within the scalable database;
      
      wherein a clear separation of threat semantics and graph search functions for attack patterns is provided.
  - 45. The system of claim 44, said utility further comprising code for:
    - converting ontology-based patterns into a precise pattern query language (PQL) supported by the graph analysis tool; and
      
      decomposing complete attack patterns stored in the strategic attack ontology into meaningful time-based sub-patterns that will match sequences of activity that are precursors to becoming a significant attack threat, wherein said decomposing enables a predictive capability for future attacks.
  - 46. The system of claim 35, said utility further comprising code for:
    - providing fusion of data at a strategic level, wherein said fusion accounts for inputs from Internet sensors, open sources, and search engine statistics, wherein the strategic level fusion utilizes a business threat ontology and strategic level GAEs to understand strategic attacks;
      
      wherein the business threat ontology associated with strategic level GAEs contain one or more of;
      
      (1) descriptions of specifically identified target entities;
      
      (2) interdependencies between the individual target entities, including as supply chain dependencies;
      
      (3) business functions and services of the target entities;
      
      (4) relationships between the network assets and business assets of the target entities, including strategic information, functions, and services; and
      
      (5) information about strategic threats and the threat'"'"'s likely motives;
      
      wherein the strategic level fusion provides attack patterns for one or more of;
      
      (1) supply chain availability attacks;
      
      (2) industrial espionage focused on exfiltration of information about specific technologies; and
      
      (3) strategic infiltration of an infrastructure to be leveraged in the future.
  - 47. The system of claim 35, wherein said utility comprises code for implementing:
    - a graph annotation engine that receives an input of strategic attack ontology and tactical attack ontology;
      
      a graph pattern compiler and a predictive graph pattern compiler, which both receive an input of said strategic attack ontology and tactical attack ontology, wherein said pattern compilers provide an output to the external match control function;
      
      an “
      
      events data”
      
      -specific ingest module, which operates to convert specific types of network events data in its standard form into the normalized graph form;
      
      a graph analysis tool which provides a graph search engine for searching through the normalized graph form;
      
      an external match control function; and
      
      an attack prediction engine.
  - 48. The system of claim 35, wherein said utility further comprises code for:
    - generating a highly usable thin client user interface; and
      
      publishing forensic analysis and indications and warnings.
  - 49. The system of claim 35, further comprising a distributed network of GAEs utilized to capture data utilized to detect tactical attacks against target entities and evaluate a context and strategic significance of the tactical attacks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Northrop Grumman Systems Corporation (Northrop Grumman Corporation)
Original Assignee
21st Century Technologies, Inc.
Inventors
Keen, Arthur, Gilbert, Logan, Morgan, Robert

Granted Patent

US 7,530,105 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

TACTICAL AND STRATEGIC ATTACK DETECTION AND PREDICTION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

233 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

TACTICAL AND STRATEGIC ATTACK DETECTION AND PREDICTION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

233 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links