Method and system for assessing attacks on computer networks using Bayesian networks
Abstract
A method and system are disclosed for processing data from a computer network to determine an occurrence of and characterize a particular activity associated with the computer network. In accordance with exemplary embodiments of the present invention, a collection of data is managed that corresponds to events associated with the computer network. At least one model is established to correlate an occurrence of a predetermined set of events. At least one hypothesis is formed, using the at least one model, that characterizes the particular activity associated with the computer network. The at least one hypothesis is evaluated using the at least one model. The steps of forming and evaluating are performed interactively with the step of managing to iteratively update the collection of data.
17 Claims
1. A method for processing data from a computer network to determine an occurrence of and characterize a particular activity associated with the computer network, comprising the steps of:
managing a collection of data corresponding to events associated with the computer network;
establishing at least one model to correlate an occurrence of a predetermined set of events;
forming at least one hypothesis, using the at least one model, that characterizes the particular activity associated with the computer network; and
evaluating the at least one hypothesis using the at least one model, wherein the steps of forming and evaluating are performed interactively with the step of managing to iteratively update the collection of data, wherein the step of evaluating comprises the steps of:
automatically evaluating the collection of data using the at least one model to generate probabilistic assessments of the at least one hypothesis that characterize the particular activities by matching predictions of the at least one model with the collection of data; and
automatically evaluating the probabilistic assessments of the at least one hypothesis;
automatically providing requirements to the step of managing for updating the collection of data if additional data is required to determine whether the occurrence of the particular activity is an attack associated with the computer network;
automatically generating at least one response to counter the particular activity if the particular activity is an attack associated with the computer network.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9 (not reproduced here).
10. A system for processing data from a computer network to determine an occurrence of and characterize a particular activity associated with the computer network, comprising:
at least one data source for supplying data corresponding to events associated with the computer network;
a memory that stores steps of a computer program to:
manage a collection of data corresponding to events associated with the computer network, establish at least one model to correlate an occurrence of a predetermined set of events, form at least one hypothesis, using the at least one model, that characterizes the particular activity associated with the computer network;
evaluate the at least one hypothesis using the at least one model, wherein the steps of forming and evaluating are performed interactively with the step of managing to iteratively update the collection of data;
automatically evaluate the collection of data using the at least one model to generate probabilistic assessments of the at least one hypothesis that characterize the particular activities by matching predictions of the at least one model with the collection of data;
automatically evaluate the probabilistic assessments of the at least one hypothesis;
automatically provide requirements to the step of managing for updating the collection of data if additional data is required to determine whether the occurrence of the particular activity is an attack associated with the computer network; and
automatically generate at least one response to counter the particular activity if the particular activity is an attack associated with the computer network; and
a processor for accessing the memory to execute the computer program.
Dependent claims: 11, 12, 13, 14, 15, 16, 17 (not reproduced here).
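As an added example (not code from the patent or its assignee), the loop of claims 1 and 10 in miniature: a constructed star-shaped Bayesian network over four hypothetical event types, a posterior for the "attack" hypothesis, an expected-information-gain rule that turns an inconclusive assessment into a requirement for more data, and a placeholder response once the posterior clears a threshold. The event names, probabilities, thresholds and the "isolate_host" response are all assumptions.

```python
import math

# Constructed toy model (not from the patent): a star-shaped Bayesian network with one
# hypothesis node H in {attack, benign} and conditionally independent event nodes.
# Each event maps to (P(event seen | attack), P(event seen | benign)).
MODEL = {
    "prior_attack": 0.02,
    "events": {
        "port_scan":         (0.70, 0.05),
        "failed_logins":     (0.80, 0.10),
        "new_admin_account": (0.60, 0.01),
        "outbound_transfer": (0.50, 0.02),
    },
}

def posterior(model, observations):
    """P(attack | observed events). Events absent from `observations` contribute no evidence."""
    log_attack = math.log(model["prior_attack"])
    log_benign = math.log(1 - model["prior_attack"])
    for event, seen in observations.items():
        p_a, p_b = model["events"][event]
        log_attack += math.log(p_a if seen else 1 - p_a)
        log_benign += math.log(p_b if seen else 1 - p_b)
    return 1 / (1 + math.exp(log_benign - log_attack))

def _entropy(p):
    return 0.0 if p in (0.0, 1.0) else -(p * math.log2(p) + (1 - p) * math.log2(1 - p))

def next_requirement(model, observations):
    """Unobserved event whose outcome is expected to reduce uncertainty about H the most."""
    p_now, best, best_gain = posterior(model, observations), None, -1.0
    for event, (p_a, p_b) in model["events"].items():
        if event in observations:
            continue
        p_seen = p_now * p_a + (1 - p_now) * p_b          # marginal P(event seen)
        expected = sum(w * _entropy(posterior(model, {**observations, event: s}))
                       for s, w in ((True, p_seen), (False, 1 - p_seen)))
        if _entropy(p_now) - expected > best_gain:
            best, best_gain = event, _entropy(p_now) - expected
    return best

def assess(model, observations, lo=0.05, hi=0.90):
    """One pass of the claimed loop: evaluate the hypothesis, then request data or respond."""
    p = posterior(model, observations)
    if p >= hi:   # "isolate_host" stands in for whatever countermeasure the deployment supports
        return {"posterior": p, "verdict": "attack", "response": "isolate_host"}
    if p <= lo:
        return {"posterior": p, "verdict": "benign"}
    need = next_requirement(model, observations)
    if need is None:   # every modelled event already observed: nothing more to request
        return {"posterior": p, "verdict": "inconclusive"}
    return {"posterior": p, "verdict": "need_more_data", "requirement": need}
```

Calling assess repeatedly, feeding back each requested observation, reproduces the interactive update between the managing and evaluating steps that the claims describe.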
Specification