SYSTEM AND METHOD FOR VISUALIZING AND ANALYZING CYBER-ATTACKS USING A GRAPH MODEL

US 20170289187A1
Filed: 03/29/2016
Published: 10/05/2017
Est. Priority Date: 03/29/2016
Status: Active Grant

First Claim

Patent Images

1. A computing system comprising:

one or more network sensors;

one or more sensor interfaces configured to received data from the one or more network sensors; and

one or more processors, the one or more processors configured to;

receive data from the one or more network sensors and convert the received data to a common format, wherein the received data is based on a present state of a computer network;

generate a plurality of nodes and a plurality edges based on the received data and store the generated plurality of nodes and the plurality of edges within a graph database; and

receive a domain specific data query from a user of the computing system, convert the received domain specific data query to a graph database native query, and execute the graph database native query upon the graph database.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for implementing a graph database to analyze and monitor a status of an enterprise computer network is provided. In one example, a plurality of sensors can be inputted into sensor interface in which all of the data associated with the sensors in converted into a common data format. The data can be parsed into a data model that contains nodes and edges in order to generate a graph database model that can allow a network analyst to analyze the real-time status of a computer network. The graph database model can include multiple layers including an infrastructure layer, a cyber threats layer, a cyber posture layer, and a mission readiness layer. The graph database model can also be queried by a user using a domain-specific query language, so as to provide a user-friendly syntax in generating queries.

Citations

30 Claims

1. A computing system comprising:
- one or more network sensors;
  
  one or more sensor interfaces configured to received data from the one or more network sensors; and
  
  one or more processors, the one or more processors configured to;
  
  receive data from the one or more network sensors and convert the received data to a common format, wherein the received data is based on a present state of a computer network;
  
  generate a plurality of nodes and a plurality edges based on the received data and store the generated plurality of nodes and the plurality of edges within a graph database; and
  
  receive a domain specific data query from a user of the computing system, convert the received domain specific data query to a graph database native query, and execute the graph database native query upon the graph database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computing system of claim 1, wherein a subset of the generated plurality of nodes and a subset of the plurality of edges convey information about a mission readiness state of the computer network.
  - 3. The computing system of claim 2, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a mission objective of the computing network.
  - 4. The computing system of claim 3, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a task of the computing network, wherein the task is based on the mission objective of the computing network.
  - 5. The computing system of claim 4, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about an information asset of the computing network, wherein the information asset is based on the task of the computing network.
  - 6. The computing system of claim 3, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a cyber asset of the computing network, wherein the cyber asset is based on the information asset of the computing network.
  - 7. The computing system of claim 1, wherein the generated one or more nodes and one or more edges convey information about potential cyber threats to the computer network.
  - 8. The computing system of claim 1, wherein the generated one or more nodes and one or more edges convey information about a cyber posture of the computer network.
  - 9. The computing system of claim 1, wherein the generated one or more nodes and one or more edges convey information about an infrastructure of the computer network.
  - 10. The computing system of claim 1 comprising:
    - a document-oriented database configured to receive the data from the one or more sensors and convert the received data into one or more entries in the document oriented database, and wherein the graph database is configured to generate the plurality of nodes and the plurality of edges based on the one or more entries in the document-oriented database.

11. A method of generating a graph database, the method comprising:
- receiving data from one or more network sensors and convert the received data to a common format, wherein the received data is based on a present state of a computer network;
  
  generating a plurality of nodes and a plurality edges based on the received data and store the generated plurality of nodes and the plurality of edges within a graph database;
  
  receiving a domain specific data query;
  
  converting the received domain specific data query to a graph database native query; and
  
  executing the graph database native query upon the graph database.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein a subset of the generated plurality of nodes and a subset of the plurality of edges convey information about a mission readiness state of the computer network.
  - 13. The method of claim 12, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a mission objective of the computing network.
  - 14. The method of claim 13, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a task of the computing network, wherein the task is based on the mission objective of the computing network.
  - 15. The method of claim 14, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about an information asset of the computing network, wherein the information asset is based on the task of the computing network.
  - 16. The method of claim 13, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a cyber asset of the computing network, wherein the cyber asset is based on the information asset of the computing network.
  - 17. The method of claim 11, wherein the generated one or more nodes and one or more edges convey information about potential cyber threats to the computer network.
  - 18. The method of claim 11, wherein the generated one or more nodes and one or more edges convey information about a cyber posture of the computer network.
  - 19. The method of claim 11, wherein the generated one or more nodes and one or more edges convey information about an infrastructure of the computer network.
  - 20. The method of claim 11, comprising:
    - receiving the data from the one or more sensors and converting the received data into one or more entries in a document-oriented database, and wherein generating the plurality of nodes and the plurality of edges is based on the one or more entries in the document-oriented database.

21. A non-transitory computer readable storage medium having stored thereon a set of instructions for generating a graph database that when executed by a computing device, cause the computing device to:
- receive data from one or more network sensors and convert the received data to a common format, wherein the received data is based on a present state of a computer network;
  
  generate a plurality of nodes and a plurality edges based on the received data and store the generated plurality of nodes and the plurality of edges within a graph database;
  
  receive a domain specific data query;
  
  convert the received domain specific data query to a graph database native query; and
  
  execute the graph database native query upon the graph database.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The non-transitory computer readable storage medium of claim 21, wherein a subset of the generated plurality of nodes and a subset of the plurality of edges convey information about a mission readiness state of the computer network.
  - 23. The non-transitory computer readable storage medium of claim 22, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a mission objective of the computing network.
  - 24. The non-transitory computer readable storage medium of claim 23, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a task of the computing network, wherein the task is based on the mission objective of the computing network.
  - 25. The non-transitory computer readable storage medium of claim 24, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about an information asset of the computing network, wherein the information asset is based on the task of the computing network.
  - 26. The non-transitory computer readable storage medium of claim 23, wherein at least one node and at least one edge of the plurality of nodes and plurality of edges convey information about a cyber asset of the computing network, wherein the cyber asset is based on the information asset of the computing network.
  - 27. The non-transitory computer readable storage medium of claim 21, wherein the generated one or more nodes and one or more edges convey information about potential cyber threats to the computer network.
  - 28. The non-transitory computer readable storage medium of claim 21, wherein the generated one or more nodes and one or more edges convey information about a cyber posture of the computer network.
  - 29. The non-transitory computer readable storage medium of claim 21, wherein the generated one or more nodes and one or more edges convey information about an infrastructure of the computer network.
  - 30. The non-transitory computer readable storage medium of claim 21, wherein the computing device is further caused to:
    - receive the data from the one or more sensors and convert the received data into one or more entries in a document oriented database, and wherein generating the plurality of nodes and the plurality of edges is based on the one or more entries in the document-oriented database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mitre Corporation
Original Assignee
Mitre Corporation
Inventors
NOEL, Steven, HARLEY, Eric, TAM, Kam Him, LIMIERO, Michael, SHARE, Matthew

Granted Patent

US 10,313,382 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/28   Databases characterised by ...

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 67/01   Protocols

H04L 67/12   specially adapted for propr...

H04L 67/565   Conversion or adaptation of...

SYSTEM AND METHOD FOR VISUALIZING AND ANALYZING CYBER-ATTACKS USING A GRAPH MODEL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR VISUALIZING AND ANALYZING CYBER-ATTACKS USING A GRAPH MODEL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links