Probabilistic Model For Cyber Risk Forecasting
Abstract
A system and method are presented for forecasting the risk of cyber-attacks on targeted networks. The described technology quantifies linear and non-linear damages to network-dependent assets by propagating probabilistic distributions of events in sequence and time in order to forecast damages over specified periods. Damage-forecasts are used to estimate probabilistically time-varying financial losses for cyber-attacks. The described technology incorporates quantities and dependencies for pricing insurance, re-insurance, and self-insurance, assessing cost-benefit tradeoffs for sequenced implementation of security control measures, and detecting attacks in the targeted network.
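The propagation the abstract describes can be pictured with a small Monte Carlo sketch. This is an added example, not code from the patent: the pathway, the exponential step times, the lognormal loss, and every numeric value are assumptions chosen for illustration.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Segment:
    name: str
    p_occurs: float    # assumed probability the event ever happens
    mean_days: float   # assumed mean of an exponential time-to-occurrence
    observed: bool = False  # observed events are certain and already in the past

# Constructed pathway and parameters (illustrative values, not from the patent).
PATHWAY = [
    Segment("phishing mail opened", 1.0, 0.0, observed=True),
    Segment("VPN credential reuse", 0.6, 10.0),
    Segment("lateral movement to database host", 0.5, 20.0),
    Segment("data exfiltration", 0.7, 5.0),
]

def simulate(pathway, horizon_days, trials=20000, seed=1,
             median_loss=250_000.0, sigma=0.8):
    """Return (time_of_damage, loss) for each trial in which damage occurs."""
    rng = random.Random(seed)
    hits = []
    for _ in range(trials):
        t = 0.0
        for seg in pathway:
            if seg.observed:
                continue                      # known event: no uncertainty left
            if rng.random() >= seg.p_occurs:
                break                         # attacker never completes this step
            t += rng.expovariate(1.0 / seg.mean_days)
            if t > horizon_days:
                break                         # happens, but after the forecast window
        else:                                 # every segment completed in time
            hits.append((t, rng.lognormvariate(math.log(median_loss), sigma)))
    return hits

def forecast(pathway, horizon_days, trials=20000, seed=1):
    hits = simulate(pathway, horizon_days, trials, seed)
    times = sorted(t for t, _ in hits)
    losses = sorted(loss for _, loss in hits)
    q = lambda xs, p: xs[min(len(xs) - 1, int(p * len(xs)))] if xs else None
    return {
        "p_damage": len(hits) / trials,
        "median_days_to_damage": q(times, 0.5),
        "loss_p50": q(losses, 0.5),
        "loss_p95": q(losses, 0.95),
        "expected_loss": sum(losses) / trials,
    }

if __name__ == "__main__":
    print(forecast(PATHWAY, horizon_days=90))
```

Marking a segment as observed removes its uncertainty from the forecast, which is how new evidence from the monitored network would shift the damage distribution in this sketch.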
36 Claims
1. A method in a computing system having a processor for estimating risks related to threats to a networked system of at least one target organization, the method comprising:
- receiving one or more target organization information, asset information, system information, and threat information descriptive of at least one target organization;
- calculating, by the processor, threat characteristics for the networked system of the at least one target organization, based on the one or more target organization information, asset information, system information, and threat information descriptive of the at least one target organization;
- modeling, by the processor, one or more likely future pathways for at least one or more threats based on the calculated threat characteristics for the networked system of the at least one target organization, wherein at least one of the one or more likely future pathways includes a plurality of path segments, wherein at least one of the plurality of path segments is based on an unobserved event, and wherein at least one of the one or more likely future pathways includes a path segment based on an observed event;
- estimating, by the processor, for the one or more likely future pathways:
  - probabilities that the unobserved event will occur, and
  - probability distributions of times of occurrence of the unobserved event; and
- determining, by the processor, based on the estimating, a probability distribution of damage to assets of the at least one target organization and a probability distribution of one or more times of such damage to the assets.
Dependent claims: 2, 3, 4, 5, 7, 8, 9, 10, 31, 32, 35, 36
6. (canceled)
11. A non-transitory storage medium storing instructions that, if executed by a processor of a computing system, cause the computing system to perform a method for estimating financial losses to a target organization based on time-varying risks of cyber threats, the method comprising:
- determining threat information relating to a networked system of the target organization, wherein the threat information is descriptive of one or more attacker characteristics and attack characteristics;
- determining a model that at least includes one or more likely future pathways of the cyber threat within the networked system, wherein at least one of the one or more likely future pathways includes a path segment based on an unobserved event, and wherein at least one of the one or more likely future pathways includes a path segment based on a known event;
- propagating probabilistic distributions of at least the unobserved event over time through the model; and
- determining probabilistic damages to network-dependent assets of the target organization over a period of time based on the probabilistic distributions.
Dependent claims: 12, 13, 14, 15, 16, 19, 20, 21
17-18. (canceled)
22. A computing system comprising:
- a processor;
- a computer-readable storage medium;
- an input component configured to receive, for a target site, site-specific data and site-independent data;
- a threat estimating component configured to estimate threat data for the target site based on the received site-specific data and site-independent data;
- a pathway probability component configured to calculate probability distributions of cost and time for identifying one or more potential attack pathways for the target site based on the estimated threat data for the target site, wherein at least one of the one or more potential attack pathways includes a plurality of path segments, wherein at least one of the plurality of path segments is based on an unobserved event, and wherein at least one of the one or more potential attack pathways includes a path segment based on an observed event; and
- a detection component configured to model a probability of attack along the one or more potential attack pathways based at least on the site-specific data, wherein components comprise computer-executable instructions stored in the computer-readable storage medium for execution by the processor.
Dependent claims: 23, 24, 25, 26, 27, 29
28. (canceled)
30. A system, comprising:
- an input component for receiving a first set of data and a second set of data relating to a networked system, wherein the first set of data includes a first level of information and the second set of data includes information that refines the first level of information;
- one or more model components for:
  - constructing a model of the networked system, based on the first set of data, and
  - calibrating the model based on first set of data and the second set of data, wherein the model includes one or more potential future attack pathways, wherein at least one of the potential future attack pathways includes a plurality of path segments, wherein at least one of the plurality of path segments is based on an unobserved event, and wherein at least one of the one or more potential future attack pathways includes a path segment based on an observed event;
- one or more forecasting components for:
  - determining probabilistic distributions of at least the unobserved event over time through the model,
  - determining probabilistic damages to network-dependent assets of the target organization over a period of time based on the probabilistic distributions,
  - in response to receiving the second set of data relating to the networked system, aggregating one or more threats, systems, vulnerabilities, assets, and observations from the first data set and the second data set, and
  - determining a probability distribution of detection to reduce false alarm rates over the false alarm rates associated with respective individual detectors; and
- a financial component for determining a cost benefit of purchasing or reconfiguring security products.
33-34. (canceled)
Specification