CRITICALITY ANALYSIS OF ATTACK GRAPHS

US 20200137104A1
Filed: 10/21/2019
Published: 04/30/2020
Est. Priority Date: 10/26/2018
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

providing, by a security platform, graph data defining a graph that is representative of an enterprise network, the graph comprising nodes and edges between nodes, a set of nodes representing respective assets within the enterprise network, each edge representing at least a portion of one or more lateral movement paths between assets in the enterprise network;

determining, for each asset, a criticality of the respective asset to operation of a process;

determining a lateral movement path between a first node represented by a first asset and a second node represented by second asset within the graph;

determining a path value representative of a criticality in preventing an attack through the lateral movement path; and

providing an indication of the path value representative of the criticality in preventing an attack through the lateral movement path.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Implementations of the present disclosure include providing, by a security platform, graph data defining a graph that is representative of an enterprise network, the graph comprising nodes and edges between nodes, a set of nodes representing respective assets within the enterprise network, each edge representing at least a portion of one or more lateral movement paths between assets in the enterprise network, determining, for each asset, a criticality of the respective asset to operation of a process, determining a lateral movement path between a first node represented by a first asset and a second node represented by second asset within the graph, determining a path value representative of a criticality in preventing an attack through the lateral movement path, and providing an indication of the path value representative of the criticality in preventing an attack through the lateral movement path.

34 Citations

20 Claims

1. A computer-implemented method comprising:
- providing, by a security platform, graph data defining a graph that is representative of an enterprise network, the graph comprising nodes and edges between nodes, a set of nodes representing respective assets within the enterprise network, each edge representing at least a portion of one or more lateral movement paths between assets in the enterprise network;
  
  determining, for each asset, a criticality of the respective asset to operation of a process;
  
  determining a lateral movement path between a first node represented by a first asset and a second node represented by second asset within the graph;
  
  determining a path value representative of a criticality in preventing an attack through the lateral movement path; and
  
  providing an indication of the path value representative of the criticality in preventing an attack through the lateral movement path.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein determining, for each asset, a criticality of the respective asset to operation of the process comprises:
    - determining a locality of the asset;
      
      determining a centrality of the asset;
      
      determining a damage of the asset; and
      
      determining the criticality based on the locality of the asset, the centrality of the asset, and the damage of the asset.
  - 3. The method of claim 2, wherein determining a locality of the asset comprises:
    - determining a position of the node that corresponds to the asset in the enterprise network; and
      
      determining the locality of the asset based on the position of the node that corresponds to the asset in the enterprise network.
  - 4. The method of claim 2, wherein determining a centrality of the asset comprises:
    - determining a number of edges that are outgoing from the node that corresponds to the asset; and
      
      determining the centrality of the asset based on the number of edges that are outgoing from the node that corresponds to the asset.
  - 5. The method of claim 2, wherein determining a centrality of the asset comprises:
    - determining a number of unique edges that are outgoing from the node that corresponds to the asset; and
      
      determining the centrality of the asset based on the number of unique edges that are outgoing from the node that corresponds to the asset.
  - 6. The method of claim 2, wherein determining a centrality of the asset comprises:
    - providing a prompt for a user to indicate a type of asset; and
      
      determining the centrality of the asset based on the type of asset indicated by the user through the prompt.
  - 7. The method of claim 2, wherein determining a damage of the asset comprises:
    - determining a load served by an intended substation;
      
      determining a total load serving by an energy delivery system; and
      
      determining the damage based on the load served by an intended substation and the total load serving by the energy delivery system.
  - 8. The method of claim 1, wherein determining a path value representative of a criticality in preventing an attack through the lateral movement path comprises:
    - determining the path value based on the criticality of each of the assets represented by nodes along the lateral movement path.
  - 9. The method of claim 1, comprising:
    - remediating the attack through the lateral movement path.
  - 10. The method of claim 1, comprising:
    - determining a total risk for the enterprise network based on the graph; and
      
      providing an indication of the total risk to a user.

11. A system comprising:
- one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising;
  
  providing, by a security platform, graph data defining a graph that is representative of an enterprise network, the graph comprising nodes and edges between nodes, a set of nodes representing respective assets within the enterprise network, each edge representing at least a portion of one or more lateral movement paths between assets in the enterprise network;
  
  determining, for each asset, a criticality of the respective asset to operation of a process;
  
  determining a lateral movement path between a first node represented by a first asset and a second node represented by second asset within the graph;
  
  determining a path value representative of a criticality in preventing an attack through the lateral movement path; and
  
  providing an indication of the path value representative of the criticality in preventing an attack through the lateral movement path.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein determining, for each asset, a criticality of the respective asset to operation of the process comprises:
    - determining a locality of the asset;
      
      determining a centrality of the asset;
      
      determining a damage of the asset; and
      
      determining the criticality based on the locality of the asset, the centrality of the asset, and the damage of the asset.
  - 13. The system of claim 12, wherein determining a locality of the asset comprises:
    - determining a position of the node that corresponds to the asset in the enterprise network; and
      
      determining the locality of the asset based on the position of the node that corresponds to the asset in the enterprise network.
  - 14. The system of claim 12, wherein determining a centrality of the asset comprises:
    - determining a number of edges that are outgoing from the node that corresponds to the asset; and
      
      determining the centrality of the asset based on the number of edges that are outgoing from the node that corresponds to the asset.
  - 15. The system of claim 12, wherein determining a centrality of the asset comprises:
    - determining a number of unique edges that are outgoing from the node that corresponds to the asset; and
      
      determining the centrality of the asset based on the number of unique edges that are outgoing from the node that corresponds to the asset.
  - 16. The system of claim 12, wherein determining a centrality of the asset comprises:
    - providing a prompt for a user to indicate a type of asset; and
      
      determining the centrality of the asset based on the type of asset indicated by the user through the prompt.
  - 17. The system of claim 12, wherein determining a damage of the asset comprises:
    - determining a load served by an intended substation;
      
      determining a total load serving by an energy delivery system; and
      
      determining the damage based on the load served by an intended substation and the total load serving by the energy delivery system.
  - 18. The system of claim 11, wherein determining a path value representative of a criticality in preventing an attack through the lateral movement path comprises:
    - determining the path value based on the criticality of each of the assets represented by nodes along the lateral movement path.
  - 19. The system of claim 11, the operations comprising:
    - remediating the attack through the lateral movement path.

20. A non-transitory computer-readable medium storing software comprising instructions executable by one or more computers which, upon such execution, cause the one or more computers to perform operations comprising:
- providing, by a security platform, graph data defining a graph that is representative of an enterprise network, the graph comprising nodes and edges between nodes, a set of nodes representing respective assets within the enterprise network, each edge representing at least a portion of one or more lateral movement paths between assets in the enterprise network;
  
  determining, for each asset, a criticality of the respective asset to operation of a process;
  
  determining a lateral movement path between a first node represented by a first asset and a second node represented by second asset within the graph;
  
  determining a path value representative of a criticality in preventing an attack through the lateral movement path; and
  
  providing an indication of the path value representative of the criticality in preventing an attack through the lateral movement path.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Solutions Limited (Accenture PLC)
Original Assignee
Accenture Global Solutions Limited (Accenture PLC)
Inventors
Hassanzadeh, Amin, Hasan, Kamrul, Nayak, Anup

Granted Patent

US 11,252,175 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06Q 10/0635   Risk analysis of enterprise...

G06Q 50/06   Energy or water supply

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 67/12   specially adapted for propr...

Y04S 40/18   Network protocols supportin...

Y04S 40/20   Information technology spec...

CRITICALITY ANALYSIS OF ATTACK GRAPHS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CRITICALITY ANALYSIS OF ATTACK GRAPHS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links