Probabilistic Model For Cyber Risk Forecasting

US 20150381649A1
Filed: 06/30/2014
Published: 12/31/2015
Est. Priority Date: 06/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method in a computing system having a processor for estimating risks related to threats to a networked system of at least one target organization, the method comprising:

receiving one or more target organization information, asset information, system information, and threat information descriptive of at least one target organization;

calculating, by the processor, threat characteristics for the networked system of the at least one target organization, based on the one or more target organization information, asset information, system information, and threat information descriptive of the at least one target organization;

modeling, by the processor, one or more likely future pathways for at least one or more threats based on the calculated threat characteristics for the networked system of the at least one target organization, wherein at least one of the one or more likely future pathways includes a plurality of path segments, wherein at least one of the plurality of path segments is based on an unobserved event, and wherein at least one of the one or more likely future pathways includes a path segment based on an observed event;

estimating, by the processor, for the one or more likely future pathways;

probabilities that the unobserved event will occur, andprobability distributions of times of occurrence of the unobserved event; and

determining, by the processor, based on the estimating, a probability distribution of damage to assets of the at least one target organization and a probability distribution of one or more times of such damage to the assets.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are presented for forecasting the risk of cyber-attacks on targeted networks. The described technology quantifies linear and non-linear damages to network-dependent assets by propagating probabilistic distributions of events in sequence and time in order to forecast damages over specified periods. Damage-forecasts are used to estimate probabilistically time-varying financial losses for cyber-attacks. The described technology incorporates quantities and dependencies for pricing insurance, re-insurance, and self-insurance, assessing cost-benefit tradeoffs for sequenced implementation of security control measures, and detecting attacks in the targeted network.

200 Citations

36 Claims

1. A method in a computing system having a processor for estimating risks related to threats to a networked system of at least one target organization, the method comprising:
- receiving one or more target organization information, asset information, system information, and threat information descriptive of at least one target organization;
  
  calculating, by the processor, threat characteristics for the networked system of the at least one target organization, based on the one or more target organization information, asset information, system information, and threat information descriptive of the at least one target organization;
  
  modeling, by the processor, one or more likely future pathways for at least one or more threats based on the calculated threat characteristics for the networked system of the at least one target organization, wherein at least one of the one or more likely future pathways includes a plurality of path segments, wherein at least one of the plurality of path segments is based on an unobserved event, and wherein at least one of the one or more likely future pathways includes a path segment based on an observed event;
  
  estimating, by the processor, for the one or more likely future pathways;
  
  probabilities that the unobserved event will occur, andprobability distributions of times of occurrence of the unobserved event; and
  
  determining, by the processor, based on the estimating, a probability distribution of damage to assets of the at least one target organization and a probability distribution of one or more times of such damage to the assets.
- View Dependent Claims (2, 3, 4, 5, 7, 8, 9, 10, 31, 32, 35, 36)
- - 2. The method of claim 1, further comprising generating a report based on the modeling, wherein the report includes information for increasing the likelihood of detection of a threat at the at least one target organization, wherein the threat information characterizes exploits, vulnerabilities, or cyber threats to the networked system, wherein the cyber threats include intentional attacks, accidents, and system failures.
  - 3. The method of claim 1, wherein receiving the asset information characterizing assets of the at least one target organization includes obtaining information describing tangible or intangible assets that are available through the networked system, wherein existing and future cyber-related behaviors are modeled in hierarchical levels of cyber threat information, wherein partially known cyber threat information at a first level is dynamically aggregated with other known or partially known threat information as the other known or partially known cyber threat information is discovered, wherein the aggregated threat information is represented as a second level of cyber threat information, wherein the second level of cyber threat information is metadata for improving resolution of the modeling, and wherein portions of the results of the modeling are indicated in a report.
  - 4. The method of claim 1, further comprising establishing a probability distribution of financial values based on a determination of loss of one or more assets of at the least one target organization based on occurrence time, types and amounts of damage to the one or more assets.
  - 5. The method of claim 1, wherein receiving the system information characterizing the networked system includes obtaining information about a location, type, and configuration of one or more assets associated with the networked system and wherein the attacker characteristics includes one or more of a number of threat types based on asset attractiveness, attack campaign tactics, and time available to execute an attack on the target organization.
  - 7. The method of claim 1, wherein the probability distribution of damage to assets is a probability distribution of the occurrence time, the types, and amounts of assets of the least one target organization, wherein the probability distribution of damages to assets includes a probability of loss of access to services, assets, or data associated with the networked system.
  - 8. The method of claim 1, wherein the probability of damage to assets of at the least one target organization includes a probability of loss of goodwill, reputation, or business, including the time of such loss.
  - 9. The method of claim 1, further comprising calculating a financial loss from the damage, based on the determining of the probability of damage to the assets, including the time of such loss.
  - 10. The method of claim 1, further comprising modeling and estimating:
    - probabilities of one or more pathways for responding to the threats,threat remediation actions of security personnel or software, andprobability distributions of times for responding to the threats with at least one of the remediation actions.
  - 31. The method of claim 1, further comprising calculating the one or more threat characteristics based on a resource limitation of an attacker, wherein the resource limitation is one or more of time available to execute an attack on the target organization, capital, number of personnel and attacker skill level.
  - 32. The method of claim 1, wherein the resource limitation of the one or more attackers associated with the threats is based on expert opinion, historical data attacker behavior or attacker group behavior, wherein the resource limitation of the one or more attackers associated with the threats is manually obtained, wherein the resource limitation of the one or more attackers associated with the threats is automatically obtained and wherein receiving the system information characterizing the networked system includes obtaining information about one or more security policies or procedures.
  - 35. The method of claim 1, wherein the modeling is used to validate likely future pathways associated with a past cyber threat which resulted in an attack that was completed in the past.
  - 36. The method of claim 1, wherein the modeling is used to forecast financial losses from one or more cyber attacks over time windows looking forward from past, present, and future times.

6. (canceled)

11. A non-transitory storage medium storing instructions that, if executed by a processor of a computing system, cause the computing system to perform a method for estimating financial losses to a target organization based on time-varying risks of cyber threats, the method comprising:
- determining threat information relating to a networked system of the target organization, wherein the threat information is descriptive of one or more attacker characteristics and attack characteristics;
  
  determining a model that at least includes one or more likely future pathways of the cyber threat within the networked system, wherein at least one of the one or more likely future pathways includes a path segment based on an unobserved event, and wherein at least one of the one or more likely future pathways includes a path segment based on a known event;
  
  propagating probabilistic distributions of at least the unobserved event over time through the model; and
  
  determining probabilistic damages to network-dependent assets of the target organization over a period of time based on the probabilistic distributions.
- View Dependent Claims (12, 13, 14, 15, 16, 19, 20, 21)
- - 12. The non-transitory storage medium of claim 11, wherein determining the model further includes determining risk probability distribution effects of cyber threats to the networked system of the target organization, wherein the model is a hierarchical model, wherein the hierarchical model has different levels of detail and dynamically augmented in response to receiving new data relating to the networked system of the target organization, and wherein the risk probability distribution effects are based on target organization characteristics and attacker characteristics.
  - 13. The non-transitory storage medium of claim 12, wherein the target organization characteristics include:
    - targeted physical and virtual network configuration, devices, and software,security control mitigation measures, including one or more physical access and network based measures,the likelihood of detecting the unobserved event,insider threats, andtargeted tangible and intangible assets.
  - 14. The non-transitory storage medium of claim 12, wherein the attacker characteristics are based on one or more of:
    - attacker goals and sub-goals,threat types based on asset attractiveness,attacker techniques, attack rates, or attack campaign tactics, andresource limitations, including one or more of capital, number of personnel, expertise, and time available to execute an attack on the target organization.
  - 15. The non-transitory storage medium of claim 11, further comprising determining probabilities of one or more vulnerabilities of, security control measures of, or trust relationships with one or more other organizations.
  - 16. The non-transitory storage medium of claim 11, wherein the propagating of probabilistic distributions of the unobserved event over time through the model includes forecasting cumulative effects of threat characteristics via multiple attack pathways and wherein forecasting cumulative effects of threat characteristics within the one or more likely future pathways of the cyber threat includes computing accumulated rewards and costs to the attacker along multiple potential event pathways.
  - 19. The non-transitory storage medium of claim 11, further comprising pricing expected losses over fixed and varying periods of time, wherein the propagating of probabilistic distributions of the unobserved event over time through the model includes stochastic forecasting of loss-generating attack pathways.
  - 20. The non-transitory storage medium of claim 11, wherein the determining of probabilistic damages to network-dependent assets of the target organization over a period of time includes propagating event-time distributions to forecast losses varying as a function of time based on uncertain vulnerabilities, exploits, system components, or security control measures, and determining the tradeoff between forecasts of the cost and effectiveness of possible security control options.
  - 21. The non-transitory storage medium of claim 11, wherein the determining of probabilistic damages to network-dependent assets of the target organization over a period of time includes determining an exceedance probability curve to estimate a likelihood of loss of value over a period of time.

17-18. -18. (canceled)

22. A computing system comprising:
- a processor;
  
  a computer-readable storage medium;
  
  an input component configured to receive, for a target site, site-specific data and site-independent data;
  
  a threat estimating component configured to estimate threat data for the target site based on the received site-specific data and site-independent data;
  
  a pathway probability component configured to calculate probability distributions of cost and time for identifying one or more potential attack pathways for the target site based on the estimated threat data for the target site, wherein at least one of the one or more potential attack pathways includes a plurality of path segments, wherein at least one of the plurality of path segments is based on an unobserved event, and wherein at least one of the one or more potential attack pathways includes a path segment based on an observed event; and
  
  a detection component configured to model a probability of attack along the one or more potential attack pathways based at least on the site-specific data,wherein components comprise computer-executable instructions stored in the computer-readable storage medium for execution by the processor.
- View Dependent Claims (23, 24, 25, 26, 27, 29)
- - 23. The system of claim 22, wherein the site-specific data includes, for a target site, one or more of:
    - site configuration data, asset location and valuation data, questionnaire data, evaluation data, penetration testing data, and monitoring data; and
      
      wherein the site-independent data includes one or more of attacker goal and resource data, asset valuation data, vulnerability and exploit data, attacker behavior data, and previous attack data, wherein the model is for determining recommendations for one or more security products by evaluating their effectiveness within the target site.
  - 24. The system of claim 22, wherein the threat data for the target site includes attacker attributes, attack rates, and exploits relevant to the target site, and wherein the site specific data includes data from user-defined collection configurations to determine one or more of a detection rate and asset loss for each configuration.
  - 25. The system of claim 22, wherein the threat estimating component is configured to determine likely attackers or attacker groups, and to compute, based on the determined likely attackers or attacker groups, a reward-cost for an attack on one or more sites or site categories associated with the target site, wherein the threat estimating component is further configured to determine a probabilistic ranking of sites possibly subject to attack.
  - 26. The system of claim 22, wherein, for security monitoring and alerting purposes at the target site, the pathway probability component is configured to determine:
    - a probability for each of one or more potential attack pathways based on at least one of reward-cost, detectability, or asset locations, anda likelihood that an attacker is executing, may execute, or has executed one or more actions along certain pathways in the network.
  - 27. The system of claim 22, wherein the detection component is configured to model a probability that attack activity is observed or not observed by sensors or software associated with the target site and wherein the analysis component is configured to determine plans in response to the modeled probability of attack detection, wherein the plans include site configuration, policy changes, or changes to detecting and monitoring the threats at the target site.
  - 29. The system of claim 22, further comprising a component configured to compute probabilistic asset damage or financial losses based on the probability of an attack succeeding without immediate detection at the target site.

28. (canceled)

30. A system, comprising:
- an input component for receiving a first set of data and a second set of data relating to a networked system, wherein the first set of data includes a first level of information and the second set of data includes information that refines the first level of information;
  
  one or more model components for;
  
  constructing a model of the networked system, based on the first set of data, and calibrating the model based on first set of data and the second set of data, wherein the model includes one or more potential future attack pathways, wherein at least one of the potential future attack pathways includes a plurality of path segments, wherein at least one of the plurality of path segments is based on an unobserved event, and wherein at least one of the one or more potential future attack pathways includes a path segment based on an observed event;
  
  one or more forecasting components for;
  
  determining probabilistic distributions of at least the unobserved event over time through the model,determining probabilistic damages to network-dependent assets of the target organization over a period of time based on the probabilistic distributions,in response to receiving the second set of data relating to the networked system, aggregating one or more threats, systems, vulnerabilities, assets, and observations from the first data set and the second data set, anddetermining a probability distribution of detection to reduce false alarm rates over the false alarm rates associated with respective individual detectors; and
  
  a financial component for determining a cost benefit of purchasing or reconfiguring security products.

33-34. -34. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Craig Schultz, Jeffrey Starr, John Compton
Original Assignee
Neo Prime, LLC
Inventors
Schultz, Craig A., Nitao, John J., Starr, Jeffrey M., Compton, John

Granted Patent

US 9,680,855 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06Q 10/0635   Risk analysis of enterprise...

G06Q 40/08   Insurance

G09C 1/00   Apparatus or methods whereb...

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

Probabilistic Model For Cyber Risk Forecasting

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

200 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Probabilistic Model For Cyber Risk Forecasting

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

200 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links