Intrusion Event Correlation System

US 20100192226A1
Filed: 04/12/2010
Published: 07/29/2010
Est. Priority Date: 03/10/2005
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a) an attack graph generator configured to construct an attack graph for a network by mapping interdependencies among a multitude of exploits with respect to a multitude of conditions on a multitude of processing machines in said network, at least one of said multitude of exploits including at least one precondition mapped to at least one postcondition, said multitude of conditions including at least one of said at least one precondition and at least one of said at least one postcondition;

b) an exploit distance calculator configured to determine exploit distances for at least one exploit pair, each of said at least one exploit pair being a pair of said multitude of exploits on said attack graph;

c) an intrusion detector configured to generate a multitude of event reports, each of said multitude of event reports used to report detected intrusions;

d) an event report/exploit associator configured to associate each of said multitude of event reports with at least one of said multitude of exploits;

e) an event graph creator configured to create an event graph by mapping at least one of said multitude of event reports to at least one other of said multitude of event reports;

f) an event graph distance calculator configured to determine event graph distances for at least one event pair, each of said at least one event pair being a pair of said multitude of event reports on said event graph;

g) a correlation value calculator configured to calculate a multitude of correlation values, each of said multitude of correlation values calculated for at least one of said at least one event pair using said event graph distances; and

h) a coordinated attack analyzer configured to look for coordinated attacks by analyzing said multitude of correlation values using a correlation threshold.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a system for correlating intrusion events using attack graph distances. The system includes an attack graph generator, an exploit distance calculator, an intrusion detector, an event report/exploit associator, an event graph creator, an event graph distance calculator, a correlation value calculator, and a coordinated attack analyzer. An attack graph is constructed for exploits and conditions in a network. The exploit distance calculator determines exploit distances for exploit pair(s). The intrusion detector generates event. Events are associated with exploits. Event graph distances are calculated. Correlation values are calculated for event pair(s) using event graph distances. The correlation values are analyzed using a correlation threshold to detect coordinated attacks.

Citations

11 Claims

1. A system comprising:
- a) an attack graph generator configured to construct an attack graph for a network by mapping interdependencies among a multitude of exploits with respect to a multitude of conditions on a multitude of processing machines in said network, at least one of said multitude of exploits including at least one precondition mapped to at least one postcondition, said multitude of conditions including at least one of said at least one precondition and at least one of said at least one postcondition;
  
  b) an exploit distance calculator configured to determine exploit distances for at least one exploit pair, each of said at least one exploit pair being a pair of said multitude of exploits on said attack graph;
  
  c) an intrusion detector configured to generate a multitude of event reports, each of said multitude of event reports used to report detected intrusions;
  
  d) an event report/exploit associator configured to associate each of said multitude of event reports with at least one of said multitude of exploits;
  
  e) an event graph creator configured to create an event graph by mapping at least one of said multitude of event reports to at least one other of said multitude of event reports;
  
  f) an event graph distance calculator configured to determine event graph distances for at least one event pair, each of said at least one event pair being a pair of said multitude of event reports on said event graph;
  
  g) a correlation value calculator configured to calculate a multitude of correlation values, each of said multitude of correlation values calculated for at least one of said at least one event pair using said event graph distances; and
  
  h) a coordinated attack analyzer configured to look for coordinated attacks by analyzing said multitude of correlation values using a correlation threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A system according to claim 1, wherein said coordinated attack analyzer uses at least one filter.
  - 3. A system according to claim 2, wherein said at least one filter includes at least one of the following:
    - a) a low pass filter;
      
      b) a linear filter;
      
      c) a non-linear filter;
      
      d) a moving average filter;
      
      e) a weighed filter; and
      
      f) a weighted moving average filter.
  - 4. A system according to claim 1, wherein said attack graph uses a low-order polynomial representation.
  - 5. A system according to claim 1, wherein said event graph uses a low-order polynomial representation.
  - 6. A system according to claim 1, wherein said exploit distance calculator pre-computes at least one of the following:
    - a) a minimum exploit distance;
      
      b) an average exploit distance;
      
      c) a mean exploit distance;
      
      d) a maximum exploit distance; and
      
      e) a weighted exploit distance.
  - 7. A system according to claim 1, wherein at least one of said at least one precondition includes elements of a computer network that contributes to a network attack vulnerability.
  - 8. A system according to claim 1, wherein at least one of said at least one postcondition includes elements of a computer network that contributes to a network attack vulnerability.
  - 9. A system according to claim 1, wherein the system is implemented as computer instructions residing on a tangible computer readable medium.
  - 10. A system according to claim 1, wherein the system is implemented using at least one processor connected to said network.
  - 11. A system according to claim 1, wherein the system is implemented using at least one processor not connected to said network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
George Mason Intellectual Properties, Inc.
Original Assignee
George Mason University
Inventors
Jajodia, Sushil, Robertson, Eric B., Noel, Steven E.

Granted Patent

US 8,181,252 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 41/12 Discovery or management of ...

H04L 63/1425 Traffic logging, e.g. anoma...

Intrusion Event Correlation System

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion Event Correlation System

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links