Network risk analysis

US 7,409,721 B2
Filed: 01/21/2003
Issued: 08/05/2008
Est. Priority Date: 01/21/2003
Status: Active Grant

First Claim

Patent Images

1. A method of analyzing security risk in a computer network comprising:

constructing asset relationships among a plurality of objects in the computer network;

receiving an event associated with a selected object;

wherein the event has an event risk level;

dynamically updating the asset relationships, the update being based at least in part on an analysis of source or destination information associated with the event; and

propagating the event to objects related to the selected object, if the event risk level exceeds a propagation threshold.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are disclosed for analyzing security risks in a computer network. The system constructs asset relationships among a plurality of objects in the computer network and receives an event associated with a selected object, where the event has an event risk level. The system also propagates the event to objects related to the selected object if the event risk level exceeds a propagation threshold.

43 Citations

View as Search Results

39 Claims

1. A method of analyzing security risk in a computer network comprising:
- constructing asset relationships among a plurality of objects in the computer network;
  
  receiving an event associated with a selected object;
  
  wherein the event has an event risk level;
  
  dynamically updating the asset relationships, the update being based at least in part on an analysis of source or destination information associated with the event; and
  
  propagating the event to objects related to the selected object, if the event risk level exceeds a propagation threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A method of analyzing security risk in a computer network as recited in claim 1 wherein constructing asset relationships includes creating an asset graph.
  - 3. A method of analyzing security risk in a computer network as recited in claim 1 wherein the selected object has a plurality of associated attributes.
  - 4. A method of analyzing security risk in a computer network as recited in claim 1 further comprising determining an object risk level for the selected object.
  - 5. A method of analyzing security risk in a computer network as recited in claim 1 further comprising determining an object risk level for the selected object based on the event received and a time function that changes the object risk level over time.
  - 6. A method of analyzing security risk in a computer network as recited in claim 1 further comprising determining an object risk level for the selected object based on the event received and a time function;
    - wherein the time function is a decay function that decreases the object risk level over time.
  - 7. A method of analyzing security risk in a computer network as recited in claim 1 further comprising determining an object risk level for the selected object based on the event received and a time function;
    - wherein the time function is an exponential decay function that decreases the event risk level over time.
  - 8. A method of analyzing security risk in a computer network as recited in claim 1 further comprising determining an object risk level for the selected object and triggering a reaction once the object risk level reaches a triggering level.
  - 9. A method of analyzing security risk in a computer network as recited in claim 1 further comprising:
    - determining an object risk level for the selected object; and
      
      triggering a reaction once the object risk level reaches a triggering level;
      
      wherein the reaction includes notifying a user.
  - 10. A method of analyzing security risk in a computer network as recited in claim 1 further comprising:
    - determining an object risk level for the selected object; and
      
      triggering a reaction once the object risk level reaches a triggering level;
      
      wherein the reaction includes logging the event.
  - 11. A method of analyzing security risk in a computer network as recited in claim 1 further comprising:
    - determining an object risk level for the selected object; and
      
      triggering a reaction once the object risk level reaches a triggering level;
      
      wherein the reaction includes producing an analysis trail.
  - 12. A method of analyzing security risk in a computer network as recited in claim 1 further comprising:
    - determining an object risk level for the selected object; and
      
      triggering a reaction once the object risk level reaches a triggering level;
      
      wherein the reaction includes producing an analysis trail comprising information for tracing event effects.
  - 13. A method of analyzing security risk in a computer network as recited in claim 1 further comprising:
    - determining an object risk level for the selected object; and
      
      triggering a reaction once the object risk level reaches a triggering level;
      
      wherein the reaction includes producing an analysis trail comprising information for tracing event effects and reconstructing a chain of events that occurred previously using the analysis trail.
  - 14. A method of analyzing security risk in a computer network as recited in claim 1 further comprising propagating the event to dependent objects that have a dependency on the selected object;
    - wherein propagating the event to the dependent objects includes determining whether the event has an event risk level that exceeds a propagation threshold.
  - 15. A method of analyzing security risk in a computer network as recited in claim 1 further comprising normalizing the event risk level based on a canonical scale.
  - 16. A method of analyzing security risk in a computer network as recited in claim 1 wherein the selected object is a target object of the event.
  - 17. A method of analyzing security risk in a computer network as recited in claim 1 wherein the event received is real time input or stored data.

18. A computer program product for analyzing security risk in a computer network, the computer program product being embodied in a computer readable medium and comprising computer instructions for:
- constructing asset relationships among a plurality of objects in the computer network;
  
  receiving an event associated with a selected object;
  
  wherein the event has an event risk level;
  
  dynamically updating the asset relationships, the update being based at least in part on an analysis of source or destination information associated with the event; and
  
  propagating the event to objects related to the selected object, if the event risk level exceeds a propagation threshold.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 39)
- - 19. A computer program product for analyzing security risk in a computer network as recited in claim 18 wherein the selected object has a plurality of associated attributes.
  - 20. A computer program product for analyzing security risk in a computer network as recited in claim 18 further comprising computer instructions for determining an object risk level for the selected object.
  - 21. A computer program product for analyzing security risk in a computer network as recited in claim 20 wherein the object risk level for the selected object is determined based on the event received and one or more of the following:
    - a time function that changes the object risk level over time;
      
      a time function decreases the object risk level over time; and
      
      an exponential decay function that decreases the event risk level over time.
  - 22. A computer program product for analyzing security risk in a computer network as recited in claim 20 further comprising computer instructions for triggering a reaction once the object risk level reaches a triggering level.
  - 23. A computer program product for analyzing security risk in a computer network as recited in claim 22 wherein the reaction includes one or more of the following:
    - notifying a user;
      
      logging the event;
      
      producing an analysis trail;
      
      producing an analysis trail comprising information for tracing event effects;
      
      producing an analysis trail comprising information for tracing event effects and reconstructing a chain of events that occurred previously using the analysis trail.
  - 24. A computer program product for analyzing security risk in a computer network as recited in claim 18 further comprising computer instructions for propagating the event to dependent objects that have a dependency on the selected object;
    - wherein propagating the event to the dependent objects includes determining whether the event has an event risk level that exceeds a propagation threshold.
  - 25. A computer program product for analyzing security risk in a computer network as recited in claim 18 further comprising computer instructions for normalizing the event risk level based on a canonical scale.
  - 26. A computer program product for analyzing security risk in a computer network as recited in claim 18 wherein the selected object is a target object of the event.
  - 27. A computer program product for analyzing security risk in a computer network as recited in claim 18 wherein the event received is real time input or stored data.
  - 39. A computer program product for analyzing security risk in a computer network as recited in claim 18 wherein constructing asset relationships includes creating an asset graph.

28. A system for analyzing security risk in a computer network comprising:
- an input interface configured to receive an event associated with a selected object;
  
  a processor configured to;
  
  construct asset relationships among a plurality of objects in the computer network;
  
  dynamically update the asset relationships, the update being based at least in part on an analysis of source or destination information associated with the event; and
  
  propagate the event to objects related to the selected object, if the event risk level exceeds a propagation threshold.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 29. A system for analyzing security risk in a computer network as recited in claim 28 wherein the processor is configured to construct asset relationships at least in part by creating an asset graph.
  - 30. A system for analyzing security risk in a computer network as recited in claim 28 wherein the selected object has a plurality of associated attributes.
  - 31. A system for analyzing security risk in a computer network as recited in claim 28 wherein the processor is further configured to determine an object risk level for the selected object.
  - 32. A system for analyzing security risk in a computer network as recited in claim 31 wherein the processor is configured to determine the object risk level for the selected object based on the event received and one of more of the following:
    - a time function that changes the object risk level over time;
      
      a time function decreases the object risk level over time; and
      
      an exponential decay function that decreases the event risk level over time.
  - 33. A system for analyzing security risk in a computer network as recited in claim 31 wherein the processor is further configured to trigger a reaction once the object risk level reaches a triggering level.
  - 34. A system for analyzing security risk in a computer network as recited in claim 33 wherein the reaction includes one or more of the following:
    - notifying a user;
      
      logging the event;
      
      producing an analysis trail;
      
      producing an analysis trail comprising information for tracing event effects;
      
      producing an analysis trail comprising information for tracing event effects and reconstructing a chain of events that occurred previously using the analysis trail.
  - 35. A system for analyzing security risk in a computer network as recited in claim 28 wherein the processor is further configured to propagate the event to dependent objects that have a dependency on the selected object, including by determining whether the event has an event risk level that exceeds a propagation threshold.
  - 36. A system for analyzing security risk in a computer network as recited in claim 28 wherein the processor is further configured to normalize the event risk level based on a canonical scale.
  - 37. A system for analyzing security risk in a computer network as recited in claim 28 wherein the selected object is a target object of the event.
  - 38. A system for analyzing security risk in a computer network as recited in claim 28 wherein the event received is real time input or stored data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bennett, Jeremy, Hernacki, Brian
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Tran; Tongoc

Application Number

US10/349,155
Publication Number

US 20040143753A1
Time in Patent Office

2,023 Days
Field of Search

726 22- 25, 713/151, 713165-167, 709/223, 709/224
US Class Current

726/25
CPC Class Codes

H04L 63/02 for separating internal fro...

H04L 63/14 for detecting or protecting...

Network risk analysis

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Network risk analysis

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links