System and Method for Definition and Automated Analysis of Computer Security Threat Models

US 20080148398A1
Filed: 10/31/2006
Published: 06/19/2008
Est. Priority Date: 10/31/2006
Status: Abandoned Application

First Claim

Patent Images

1. A system for analyzing security related network activity comprising:

a common data event database configured to store device event data in a common data event format; and

a threat model analysis engine configured to;

read common event data from the common data event database;

analyze the common event data by comparing the common event data to a threat model definition; and

generate a threat model instance corresponding to the threat model definition if a set of requirements of the definition is met by the common event data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security analysis tool and related systems and methods are disclosed. The disclosed invention can accept user input to define network security threat models. The system can collect event data from one or more network devices and analyze that data for the existence of activity matching the defined threat models. The collected data can be translated into a common format for storage in a database of the invented system. The system can create threat models to track network threats found in the collected data that both partially and completely match one or more threat model definitions. The resulting threat models can be displayed on a console to show threat progression in near real time.

Citations

46 Claims

1. A system for analyzing security related network activity comprising:
- a common data event database configured to store device event data in a common data event format; and
  
  a threat model analysis engine configured to;
  
  read common event data from the common data event database;
  
  analyze the common event data by comparing the common event data to a threat model definition; and
  
  generate a threat model instance corresponding to the threat model definition if a set of requirements of the definition is met by the common event data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 2. The system of claim 1, wherein the common data event format comprises a source Internet protocol address, a delimiter, and a source port.
  - 3. The system of claim 1, wherein the common data event format comprises a destination Internet protocol address, a delimiter, and a destination port.
  - 4. The system of claim 1 wherein the common data event format comprises a corroboration level field.
  - 5. The system of claim 4 wherein the corroboration level field is initially set to zero for a common data event record stored in the common data event database.
  - 6. The system of claim 1, wherein the common data event format comprises a timestamp.
  - 7. The system of claim 6 wherein the threat model definition comprises a step definition.
  - 8. The system of claim 7 wherein the step definition includes content criteria that identifies a common data type and an activity to be analyzed.
  - 9. The system of claim 8 wherein the step definition comprises an active activity threshold which indicates a volume of activity required during a time period for a threat model step to be created and granted an initial status.
  - 10. The system of claim 8 wherein the step definition comprises a sustained activity threshold which indicates a volume of activity required during a time period for the threat model step to be granted a sustained status.
  - 11. The system of claim 8 wherein the step definition comprises a persistence type which identifies attributes required to be shared by threat model steps for the activity corresponding to those steps to be regarded as part of a common threat model instance.
  - 12. The system of claim 6 wherein the threat model definition comprises a first step, a second step, and a relationship definition which identifies a relationship and inheritance properties between the first step and the second step.
  - 13. The system of claim 6 wherein the threat model definition comprises a first step, a second step, and a relationship type which identifies data to be inherited from the first step by the second step.
  - 14. The system of claim 13 wherein the threat model definition includes a source/destination switch indicator for switching destination information inherited from the first step by the second step to destination information.
  - 15. The system of claim 1 wherein the common data event database includes at least one corroboration strategy.
  - 16. The system of claim 1 further comprising:
    - an activity processor configured to;
      
      receive device event data;
      
      translate the data into a common data event format; and
      
      store the translated data into the common data event database.
  - 17. The system of claim 16 wherein the device event data is received from a first device and a second device, the data event data originating from an event log of the first device and an event log of the second device.
  - 18. The system of claim 16 wherein the common data event format comprises a source Internet protocol address, a delimiter, and a source port
  - 19. The system of claim 16 wherein the common data event format comprises a destination Internet protocol address, a delimiter, and a destination port
  - 20. The system of claim 16 wherein the common data event format comprises a corroboration level field.
  - 21. The system of claim 20 wherein the corroboration level field is initially set to zero for a common data event record stored in the common data event database.
  - 22. The system of claim 17 wherein the event log of the first device has a first format and the event log of the second device has a second format, the activity processor being configured to read device event data in the first format and convert the data into a common data event format and mad device event data in the second format and convert the data into the common data event format.
  - 23. The system of claim 26 wherein the activity processor comprises:
    - an activity collector module for collecting the device event data from one or more sources;
      
      a common data dictionary which comprises mapping rules for converting fields of device event logs to a common data format; and
      
      a common data translator module for translating the collected device data into the common data format based on the mapping rules of the common data dictionary.
  - 24. The system of claim 1 wherein the threat model analysis engine generates the threat model instance corresponding to the threat model definition if a requisite volume of an activity defined in the threat model definition is met.
  - 25. The system of claim 24 wherein the threat model analysis engine creates a first state of the threat model instance upon generation of the threat model instance.
  - 26. The system of claim 25 wherein the threat model analysis engine creates a second state of the threat model instance for a target identified in the activity corresponding to the first state.
  - 27. The system of claim 26 wherein the threat model analysis engine creates a state representing a second step in threat progression for a first and a second target identified in the activity corresponding to the first state.
  - 28. The system of claim 27 wherein the threat model analysis engine monitors the common event data for additional threat model instance related activity corresponding to the first target and the second target.
  - 29. The system of claim 25 wherein the threat model analysis engine monitors the activity volume of activity corresponding to the first step, compares the activity volume to a sustained activity threshold of the threat model definition, and determines that the first step is still active if the activity volume is meets the sustained activity threshold.
  - 30. The system of claim 25 wherein the threat model instance includes a threat model instance identifier.
  - 31. The system of claim 26 wherein the second state includes an indication of whether or not the activity corresponding to the state as defined in the threat model definition has occurred.
  - 32. The system of claim 26 wherein the second state includes a list of the common data event records associated with the second state having met criteria defined in the threat model definition.
  - 33. The system of claim 26 wherein the second state includes a list of values inherited from the first step.
  - 34. The system of claim 26 wherein the second state Includes an indication of whether the state has been promoted, being promoted indicating that the state will continue to be monitored based on the status of the first state.
  - 35. The system of claim 1 further comprising an interface console, the interface console being configured to accept threat model definition criteria from a user for creation of a threat model definition.
  - 36. The system of claim 1 further comprising an interface console, the interface console being configured to demonstrate a threat model instance on a display of the console.
  - 37. The system of claim 1 further comprising:
    - a corroboration job processor, the corroboration job processor being configured to;
      
      retrieve a set of corroboration strategies;
      
      retrieve security attributes associated with a common data event;
      
      retrieve security attributes associated with a targeted service; and
      
      return a risk assessment based on a comparison of the common data event security attributes and the targeted service security attributes.

38. A system for creating a threat model definition comprising:
- a processor;
  
  a computer readable memory;
  
  an interface console; and
  
  instructions for making the processor operable to;
  
  prompt a user for threat model definition parameters;
  
  receive threat model definition parameters from the user;
  
  generate a threat model definition based on the threat model definition parameters received from the user.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46)
- - 39. The system of claim 38 wherein the user prompting includes a prompt for a name of the threat model definition being created.
  - 40. The system of claim 38 wherein the user prompting includes a prompt for step definition parameters, the step definition parameters including a common data type and at least one parameter identifying an activity to be analyzed in the step.
  - 41. The system of claim 40 wherein the step definition parameters further include an active activity threshold representing a volume of activity required during a period of time for a threat to be granted initial status.
  - 42. The system of claim 40 wherein the step definition parameters further include a sustained activity threshold representing a volume of activity required during a period of time for a threat to be granted a sustained status.
  - 43. The system of claim 40 wherein the step definition parameters further include a persistence type identifying one or more attributes required to be shared among activity meeting the step criteria.
  - 44. The system of claim 40 wherein the step definition parameters further include a relationship definition identifying the relationship between two steps of the threat model definition.
  - 45. The system of claim 40 wherein the step definition parameters further include a relationship type identifying fields of data to be inherited by one step of the threat model definition from another.
  - 46. The system of claim 40 wherein the step definition parameters further include a source/destination switch indicator which indicates whether the destination:
    - information from one step of the threat model definition is to be used as source information for another.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
EnterEdge Technology LLC (Kudelski SA)
Original Assignee
EnterEdge Technology LLC (Kudelski SA)
Inventors
Mezack, Derek John, Hodges, Donald Jay, Hodges, David M.

Application Number

US11/555,031
Publication Number

US 20080148398A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

System and Method for Definition and Automated Analysis of Computer Security Threat Models

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Definition and Automated Analysis of Computer Security Threat Models

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links