Method and system for assessing attacks on computer networks using Bayesian networks

US 6,907,430 B2
Filed: 10/04/2001
Issued: 06/14/2005
Est. Priority Date: 10/04/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method for processing data from a computer network to determine an occurrence of and characterize a particular activity associated with the computer network, comprising the steps of:

managing a collection of data corresponding to events associated with the computer network;

establishing at least one model to correlate an occurrence of a predetermined set of events;

forming at least one hypothesis, using the at least one model, that characterizes the particular activity associated with the computer network; and

evaluating the at least one hypothesis using the at least one model, wherein the steps of forming and evaluating are performed interactively with the step of managing to iteratively update the collection of data, wherein the step of evaluating comprises the steps of;

automatically evaluating the collection of data using the at least one model to generate probabilistic assessments of the at least one hypothesis that characterize the particular activities by matching predictions of the at least one model with the collection of data; and

automatically evaluating the probabilistic assessments of the at least one hypothesis;

automatically providing requirements to the step of managing for updating the collection of data if additional data is required to determine whether the occurrence of the particular activity is an attack associated with the computer network;

automatically generating at least one response to counter the particular activity if the particular activity is an attack associated with the computer network.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system are disclosed for processing data from a computer network to determine an occurrence of and characterize a particular activity associated with the computer network. In accordance with exemplary embodiments of the present invention, a collection of data is managed that corresponds to events associated with the computer network. At least one model is established to correlate an occurrence of a predetermined set of events. At least one hypothesis is formed, using the at least one model, that characterizes the particular activity associated with the computer network. The at least one hypothesis is evaluated using the at least one model. The steps of forming and evaluating are performed interactively with the step of managing to iteratively update the collection of data.

126 Citations

17 Claims

1. A method for processing data from a computer network to determine an occurrence of and characterize a particular activity associated with the computer network, comprising the steps of:
- managing a collection of data corresponding to events associated with the computer network;
  
  establishing at least one model to correlate an occurrence of a predetermined set of events;
  
  forming at least one hypothesis, using the at least one model, that characterizes the particular activity associated with the computer network; and
  
  evaluating the at least one hypothesis using the at least one model, wherein the steps of forming and evaluating are performed interactively with the step of managing to iteratively update the collection of data, wherein the step of evaluating comprises the steps of;
  
  automatically evaluating the collection of data using the at least one model to generate probabilistic assessments of the at least one hypothesis that characterize the particular activities by matching predictions of the at least one model with the collection of data; and
  
  automatically evaluating the probabilistic assessments of the at least one hypothesis;
  
  automatically providing requirements to the step of managing for updating the collection of data if additional data is required to determine whether the occurrence of the particular activity is an attack associated with the computer network;
  
  automatically generating at least one response to counter the particular activity if the particular activity is an attack associated with the computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the particular activity is an attack associated with the computer network.
  - 3. The method of claim 1, wherein the step of managing comprises the step of:
    - collecting, from at least one data source, information corresponding to events occurring within the computer network to generate the collection of data.
  - 4. The method of claim 1, wherein the at least one model is represented by a Bayesian network.
  - 5. The method of claim 1, wherein the at least one model is established using at least the collection of data.
  - 6. The method of claim 1, wherein the at least one model comprises:
    - at least one node, wherein at least one probabilistic relationship is assigned to at least one link between nodes of the at least one model, and wherein the at least one link represents a causal relationship between the nodes.
  - 7. The method of claim 1, wherein the step of evaluating comprises the step of:
    - reporting, to at least one operator, at least the particular activity and the evaluation of the probabilistic assessments.
  - 8. The method of claim 1, wherein the step of evaluating comprises the step of:
    - predicting at least one of a vulnerability and security state of at least one component in the computer network using the probabilistic assessments.
  - 9. The method claim 8, wherein the step of evaluating comprises the step of:
    - using the at least one of the vulnerability and security state of the at least one component in the computer network to generate the probabilistic assessments of the at least one hypothesis.

10. A system for processing data from a computer network to determine an occurrence of and characterize a particular activity associated with the computer network, comprising:
- at least one data source for supplying data corresponding to events associated with the computer network;
  
  a memory that stores steps of a computer program to;
  
  manage a collection of data corresponding to events associated with the computer network, establish at least one model to correlate an occurrence of a predetermined set of events, form at least one hypothesis, using the at least one model, that characterizes the particular activity associated with the computer network;
  
  evaluate the at least one hypothesis using the at least one model, wherein the steps of forming and evaluating are performed interactively with the step of managing to iteratively update the collection of data;
  
  automatically evaluate the collection of data using the at least one model to generate probabilistic assessments of the at least one hypothesis that characterize the particular activities by matching predictions of the at least one model with the collection of data;
  
  automatically evaluate the probabilistic assessments of the at least one hypothesis;
  
  automatically provide requirements to the step of managing for updating the collection of data if additional data is required to determine whether the occurrence of the particular activity is an attack associated with the computer network; and
  
  automatically generate at least one response to counter the particular activity if the particular activity is an attack associated with the computer network; and
  
  a processor for accessing the memory to execute the computer program.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, wherein the particular activity is an attack associated with the computer network.
  - 12. The system of claim 10, wherein the at least one model is represented by a Bayesian network.
  - 13. The system of claim 10, wherein the at least one model is established using at least the collection of data.
  - 14. The system of claim 10, wherein the at least one model comprises:
    - at least one node, wherein at least one probabilistic relationship is assigned to at least one link between nodes of the at least one model, and wherein the at least one link represents a causal relationship between the nodes.
  - 15. The system of claim 10, wherein the memory stores steps of a computer program to:
    - report, to at least one operator, at least the particular activity and the evaluation of the probabilistic assessments.
  - 16. The system of claim 15, wherein the memory stores steps of a computer program to:
    - predict at least one of a vulnerability and security state of at least one component in the computer network using the probabilistic assessments.
  - 17. The system of claim 16, wherein the memory stores steps of a computer program to:
    - use the at least one of the vulnerability and security state of the at least one component in the computer network to generate the probabilistic assessments of the at least one hypothesis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BOOZ Allen & Hamilton Incorporated (BOOZ Allen Hamilton Holding Corporation)
Original Assignee
BOOZ Allen & Hamilton Incorporated (BOOZ Allen Hamilton Holding Corporation)
Inventors
Chong, Chee-Yee, Smythe, Erich J., Gong, Lester J.
Primary Examiner(s)
Metjahic, Safet
Assistant Examiner(s)
Alaubaidi, Haythim

Application Number

US09/969,722
Publication Number

US 20030070003A1
Time in Patent Office

1,349 Days
Field of Search

713/152, 713/164, 713/166, 713/200, 713/201, 707/100, 707/10
US Class Current

1/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

Method and system for assessing attacks on computer networks using Bayesian networks

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

126 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for assessing attacks on computer networks using Bayesian networks

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

126 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links