SYSTEM AND METHOD FOR FORENSIC CYBER ADVERSARY PROFILING, ATTRIBUTION AND ATTACK IDENTIFICATION

US 20130312092A1
Filed: 05/13/2013
Published: 11/21/2013
Est. Priority Date: 05/11/2012
Status: Active Grant

First Claim

Patent Images

1. A method of analyzing a cyber-attack, comprising:

collecting attack data, wherein the attack data comprises data associated with a cyber-attack;

extracting quantitative data from the attack data, wherein the extracted quantitative data (‘

EQD”

) comprises quantifiable metrics associated with a cyber-attack;

comparing the EQD with a database of existing adversary and attack data (“

AAD”

), wherein the AAD comprises quantifiable metrics of known adversaries and known adversary behavior; and

determining if the EQD is associated with a known adversary and/or known adversary behavior based on the comparison step.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method is provided for identifying and analyzing cyber-attacks and profiling adversaries responsible for such attacks. The system and method allows for the quantitative measurement of adversary attack behavior. The system and method is able to extract quantitative data from raw attack data and compare the quantitative data to a database of quantifiable metrics associated with known adversaries. This allows for the possible linking of a cyber-attack to a known adversary or known adversary behavior.

83 Citations

View as Search Results

18 Claims

1. A method of analyzing a cyber-attack, comprising:
- collecting attack data, wherein the attack data comprises data associated with a cyber-attack;
  
  extracting quantitative data from the attack data, wherein the extracted quantitative data (‘
  
  EQD”
  
  ) comprises quantifiable metrics associated with a cyber-attack;
  
  comparing the EQD with a database of existing adversary and attack data (“
  
  AAD”
  
  ), wherein the AAD comprises quantifiable metrics of known adversaries and known adversary behavior; and
  
  determining if the EQD is associated with a known adversary and/or known adversary behavior based on the comparison step.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein it is determined whether the EQD is associated with a known adversary and/or known adversary behavior by:
    - determining correlation levels between the EQD and the profiles of known adversaries;
      
      determining probability values that the EQD is associated with known adversaries and/or known adversary behavior based on the correlation levels; and
      
      determining whether the EQD is associated with a known adversary and/or known adversary behavior based on the probability values.
  - 3. The method of claim 2, wherein the EQD is linked to a known adversary associated with the highest determined probability value.
  - 4. The method of claim 1, wherein it is determined whether the EQD is associated with a known adversary by:
    - determining if one or more probability values exceed a predetermined threshold;
      
      determining that the EQD is associated with an unknown adversary if no probability values exceed the predetermined threshold; and
      
      linking the EQD with a known adversary associated with the highest probability value that exceeds the predetermined threshold.
  - 5. The method of claim 1, wherein the quantifiable metrics associated with the cyber-attack and the quantifiable metrics of known adversaries and known adversary behavior are associated with at least one of the following categories:
    - (1) adversary sophistication level;
      
      (2) attack objectives;
      
      (3) attack targeting; and
      
      (4) technological specifics.

6. A system for analyzing a cyber-attack, comprising:
- a processor;
  
  processor memory; and
  
  a cyber profiling engine comprising a set of computer readable instructions stored in processor memory that are executable by the processor to;
  
  receive attack data, wherein the attack data comprises data associated with a cyber-attack,extract quantitative data from the attack data, wherein the extracted quantitative data (‘
  
  EQD”
  
  ) comprises quantifiable metrics associated with a cyber-attack,compare the EQD with a database of existing adversary and attack data (“
  
  AAD”
  
  ), wherein the AAD comprises quantifiable metrics of known adversaries and known adversary behavior, anddetermine if the EQD is associated with a known adversary and/or known adversary behavior based on the comparison step.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The system of claim 6, the processor determines whether the EQD is associated with a known adversary and/or known adversary behavior by:
    - determining correlation levels between the EQD and the profiles of known adversaries;
      
      determining probability values that the EQD is associated with known adversaries and/or known adversary behavior based on the correlation levels; and
      
      determining whether the EQD is associated with a known adversary and/or known adversary behavior based on the probability values.
  - 8. The system of claim 6, wherein the quantifiable metrics associated with the cyber-attack and the quantifiable metrics of known adversaries and known adversary behavior are associated with at least one of the following categories:
    - (1) adversary sophistication level;
      
      (2) attack objectives;
      
      (3) attack targeting; and
      
      (4) technological specifics.
  - 9. The system of claim 6, further comprising:
    - at least one sensor node, wherein each sensor node comprises a sensor node processor and sensor node memory; and
      
      a respective data monitor associated with each sensor node, wherein each data monitor comprises a set of computer readable instructions stored in sensor node memory that are executable by the sensor node processor to;
      
      collect the attack data, andtransmit the attack data to the cyber profiling engine.
  - 10. The system of claim 6, wherein the processor comprises a first processor and a second processor, and wherein the processor memory comprises first processor memory associated with the first processor and second processor memory associated with the second processor.
  - 11. The system of claim 10, wherein the cyber profiling engine comprises:
    - an analysis engine comprising a set of computer readable instructions stored in first processor memory that are executable by the first processor to;
      
      receive the attack data, andextract the quantitative data from the attack data; and
      
      an intelligence engine comprising a set of computer readable instructions stored in second processor memory that are executable by the second processor to;
      
      receive the EQD,compare the EQD with the database of AAD, anddetermine if the EQD is associated with a known adversary and/or known adversary behavior based on the comparison step.

12. A system for analyzing a cyber-attack, comprising:
- at least one attack and adversary intelligence system (“
  
  AAIS”
  
  ), wherein each AAIS comprises an AAIS processor and AAIS memory;
  
  at least one data aggregator associated with each AAIS, wherein each data aggregator comprises a data aggregator processor and data aggregator memory;
  
  a respective analysis engine associated with each data aggregator comprising a set of computer readable instructions stored in data aggregator memory that are executable by the data aggregator processor to;
  
  receive attack data, wherein the attack data comprises data associated with a cyber-attack,extract quantitative data from the attack data, wherein the extracted quantitative data (‘
  
  EQD”
  
  ) comprises quantifiable metrics associated with a cyber-attack;
  
  a respective database associated with each AAIS comprising a set of computer readable instructions stored in AAIS memory that are executable by the AAIS processor to store existing adversary and attack data (“
  
  AAD”
  
  ), wherein the AAD comprises quantifiable metrics of known adversaries and known adversarial behavior; and
  
  a respective intelligence engine associated with each AAIS comprising a set of computer readable instructions stored in AAIS memory that are executable by the AAIS processor to;
  
  receive the EQD,compare the EQD with the AAD, anddetermine if the EQD is associated with a known adversary and/or known adversarial behavior based on the comparison step.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 12, further comprising:
    - at least one sensor node associated with each data aggregator, wherein each sensor node comprises a sensor node processor and sensor node memory; and
      
      a respective data monitor associated with each sensor node, wherein each data monitor comprises a set of computer readable instructions stored in sensor node memory that are executable by the sensor node processor to;
      
      collect the attack data, andtransmit the attack data to its respective data aggregator.
  - 14. The system of claim 13, wherein the at least one AAIS comprises a plurality of AAIS'"'"'s, and wherein at least two data aggregators are associated with each AAIS.
  - 15. The system of claim 14, wherein the plurality of AAIS'"'"'s maintain their respective databases in synchronization over a network.
  - 16. The system of claim 14, wherein a plurality of sensor nodes are associated with each data aggregator.
  - 17. The system of claim 12, wherein the quantifiable metrics associated with the cyber-attack and the quantifiable metrics of known adversaries and known adversarial behavior are associated with at least one of the following categories:
    - (1) adversary sophistication level;
      
      (2) attack objectives;
      
      (3) attack targeting; and
      
      (4) technological specifics.
  - 18. The system of claim 12, wherein the at least one AAIS and the at least one data aggregator communicate over at least one network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thomas W. Parker
Original Assignee
Wintermute LLC (Wintermute Trading Ltd.)
Inventors
PARKER, Thomas W.

Granted Patent

US 9,661,003 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/1408 by monitoring network traff...

SYSTEM AND METHOD FOR FORENSIC CYBER ADVERSARY PROFILING, ATTRIBUTION AND ATTACK IDENTIFICATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR FORENSIC CYBER ADVERSARY PROFILING, ATTRIBUTION AND ATTACK IDENTIFICATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links