PROBABILISTIC MODEL FOR CYBER RISK FORECASTING

US 20170279843A1
Filed: 06/09/2017
Published: 09/28/2017
Est. Priority Date: 06/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method in a computing system having a processor for estimating risks related to threats to a networked system of at least one target organization, the method comprising:

receiving one or more target organization information, asset information, system information, and threat information descriptive of at least one target organization;

calculating, by the processor, threat characteristics for the networked system of the at least one target organization, based on the one or more target organization information, asset information, system information, and threat information descriptive of the at least one target organization;

modeling, by the processor, one or more pathways for at least one of the threats based on the calculated threat characteristics for the networked system of the at least one target organization, wherein the one or more pathways includes at least one time-dependent event;

estimating, by the processor, for the one or more pathways;

probabilities that at least one of the time-dependent events will occur, andprobability distributions of times of occurrence of the at least one time-dependent events; and

determining, by the processor, based on the estimating, a probability distribution of damage to assets of the at least one target organization and a probability distribution of one or more times of such damage to the assets.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are presented for forecasting the risk of cyber-attacks on targeted networks. The described technology quantifies linear and non-linear damages to network-dependent assets by propagating probabilistic distributions of events in sequence and time in order to forecast damages over specified periods. Damage-forecasts are used to estimate probabilistically time-varying financial losses for cyber-attacks. The described technology incorporates quantities and dependencies for pricing insurance, re-insurance, and self-insurance, assessing cost-benefit tradeoffs for sequenced implementation of security control measures, and detecting attacks in the targeted network.

82 Citations

20 Claims

1. A method in a computing system having a processor for estimating risks related to threats to a networked system of at least one target organization, the method comprising:
- receiving one or more target organization information, asset information, system information, and threat information descriptive of at least one target organization;
  
  calculating, by the processor, threat characteristics for the networked system of the at least one target organization, based on the one or more target organization information, asset information, system information, and threat information descriptive of the at least one target organization;
  
  modeling, by the processor, one or more pathways for at least one of the threats based on the calculated threat characteristics for the networked system of the at least one target organization, wherein the one or more pathways includes at least one time-dependent event;
  
  estimating, by the processor, for the one or more pathways;
  
  probabilities that at least one of the time-dependent events will occur, andprobability distributions of times of occurrence of the at least one time-dependent events; and
  
  determining, by the processor, based on the estimating, a probability distribution of damage to assets of the at least one target organization and a probability distribution of one or more times of such damage to the assets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising generating a report based on the modeling, wherein the report includes information for increasing the likelihood of detection of a threat at the at least one target organization, wherein the threat information characterizes exploits, vulnerabilities, or cyber threats to the networked system, wherein the cyber threats include intentional attacks, accidents, and system failures.
  - 3. The method of claim 1, wherein receiving the asset information characterizing assets of the at least one target organization includes obtaining information describing tangible or intangible assets that are available through the networked system, wherein existing and future cyber-related behaviors are modeled in hierarchical levels of cyber threat information, wherein partially known cyber threat information at a first level is dynamically aggregated with other known or partially known threat information as the other known or partially known cyber threat information is discovered, wherein the aggregated threat information is represented as a second level of cyber threat information, wherein the second level of cyber threat information is metadata for improving resolution of the modeling, and wherein portions of the results of the modeling are indicated in a report.
  - 4. The method of claim 1, further comprising establishing a probability distribution of financial values based on a determination of loss of one or more assets of at the least one target organization based on occurrence time, types and amounts of damage to the one or more assets.
  - 5. The method of claim 1, wherein receiving the system information characterizing the networked system includes obtaining information about a location, type, and configuration of one or more assets associated with the networked system.
  - 6. The method of claim 1, wherein receiving the system information characterizing the networked system includes obtaining information about one or more security policies or procedures.
  - 7. The method of claim 1, wherein the probability distribution of damage to assets is a probability distribution of the occurrence time, the types, and amounts of assets of the least one target organization, wherein the probability distribution of damages to assets includes a probability of loss of access to services, assets, or data associated with the networked system.
  - 8. The method of claim 1, wherein the probability of damage to assets of at the least one target organization includes a probability of loss of goodwill, reputation, or business, including the time of such loss.
  - 9. The method of claim 1, further comprising calculating a financial loss from the damage, based on the determining of the probability of damage to the assets, including the time of such loss.
  - 10. The method of claim 1, further comprising modeling and estimating:
    - probabilities of one or more pathways for responding to the threats,threat remediation actions of security personnel or software, andprobability distributions of times for responding to the threats with at least one of the remediation actions.

11. A computer-readable storage medium storing instructions that, if executed by a processor of a computing system, cause the computing system to perform a method for estimating financial losses to a target organization based on time-varying risks of cyber threats, the method comprising:
- receiving data relating to a networked system of the target organization;
  
  determining a model of the networked system based on the data;
  
  propagating probabilistic distributions of cyber threat events over time through the model; and
  
  determining probabilistic damages to network-dependent assets of the target organization over a period of time based on the probabilistic distributions.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer-readable storage medium of claim 11, wherein determining the model includes determining risk probability distribution effects of cyber threats to the networked system of the target organization, wherein the model is a hierarchical model, wherein the hierarchical model has different levels of detail and dynamically augmented in response to receiving new data relating to the networked system of the target organization, wherein one or more attacker pathways are determined based on at least one of the cyber threat events, and wherein the risk probability distribution effects are based on target organization characteristics and attacker characteristics.
  - 13. The computer-readable storage medium of claim 12, wherein the target organization characteristics include:
    - targeted physical and virtual network configuration, devices, and software,security control mitigation measures, including one or more physical access and network based measures,the likelihood of detecting attack events,insider threats, andtargeted tangible and intangible assets.
  - 14. The computer-readable storage medium of claim 12, wherein the attacker characteristics include one or more of:
    - a number of attackers,attacker goals and sub-goals,threat types based on asset attractiveness,attacker techniques, attack rates, or attack campaign tactics, andresource limitations, including one or more of capital, number of personnel, expertise, and time available to execute an attack on the target organization.
  - 15. The computer-readable storage medium of claim 11, further comprising determining probabilities of one or more vulnerabilities of, security control measures of, or trust relationships with one or more other organizations.
  - 16. The computer-readable storage medium of claim 11, wherein the propagating of probabilistic distributions of events over time through the model includes forecasting cumulative effects of threat characteristics via multiple attack pathways.
  - 17. The computer-readable storage medium of claim 16, wherein forecasting cumulative effects of threat characteristics via multiple attack pathways includes computing accumulated rewards and costs to the attacker along multiple potential event pathways.
  - 18. The computer-readable storage medium of claim 11, wherein the propagating of probabilistic distributions of events over time through the model includes stochastic forecasting of loss-generating attack pathways.
  - 19. The computer-readable storage medium of claim 11, further comprising pricing expected losses over fixed and varying periods of time.
  - 20. The computer-readable storage medium of claim 11, wherein the determining of probabilistic damages to network-dependent assets of the target organization over a period of time includes propagating event-time distributions to forecast losses varying as a function of time based on uncertain vulnerabilities, exploits, system components, or security control measures, and determining the tradeoff between forecasts of the cost and effectiveness of possible security control options.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Craig Schultz, Jeffrey Starr, John Compton
Original Assignee
Neo Prime, LLC
Inventors
Schultz, Craig A, Nitao, John J., Starr, Jeffrey M., Compton, John

Granted Patent

US 10,757,127 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06Q 10/0635   Risk analysis of enterprise...

G06Q 40/08   Insurance

G09C 1/00   Apparatus or methods whereb...

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

PROBABILISTIC MODEL FOR CYBER RISK FORECASTING

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

82 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PROBABILISTIC MODEL FOR CYBER RISK FORECASTING

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links