Method and system for addressing intrusion attacks on a computer system
First Claim
1. A computerized method for addressing intrusion attacks directed at a computer, the method comprising:
receiving at least one packet corresponding to a potential attack on the computer;
calculating a risk rating for the potential attack by:
determining an attack severity rating indicative of the potential severity of the potential attack by comparing the type of potential attack to stored information having a plurality of attacks with corresponding predetermined numerical attack severity ratings;
determining a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer by comparing the type of potential attack to stored information having a plurality of attacks with corresponding predetermined numerical signature fidelity ratings;
determining an attack relevance rating indicative of the relevance of the potential attack to the computer based on an operating system of the computer, a service availability of the computer, an application running at a service port of the computer, and the version of the application;
determining a target value rating indicative of the perceived value of the computer;
calculating the risk rating as a function of the attack severity rating, the signature fidelity rating, the attack relevance rating, and the target value rating, wherein the function is:
ERR=floor(((ASR)*(SFR)*(ARR)*(TVR))/1000000,100) where:
ERR=the risk rating;
ASR=the attack severity rating;
SFR=the signature fidelity rating;
ARR=the attack relevance rating; and
TVR=the target value rating; and
responding to the attack based on the risk rating.
Abstract
According to one embodiment of the invention, a computerized method for addressing intrusion attacks directed at a computer includes receiving a data stream corresponding to a potential attack on the computer and calculating an event risk rating for the data stream. Calculating the event risk rating includes determining at least one component risk rating. In one embodiment, the component risk ratings are: a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer, an attack relevance rating indicative of the relevance of the potential attack to the computer, and a target value rating indicative of the perceived value of the computer. The method also includes responding to the potential attack based on the calculated risk rating.
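The following is an added worked example of the risk-rating computation in claim 1; it is not part of the patent text and does not reproduce any vendor implementation. It assumes that the four component ratings are integers on a 0-100 scale, that the claim's two-argument floor(x, 100) means "truncate to an integer and cap at 100", and that the signature table, the ARR penalty weights, the hosts and the response thresholds are constructed for illustration (the claim names the four relevance factors but not how they are weighted).

```python
"""Worked example of the event risk rating (ERR) from claim 1.
All tables, hosts, weights and thresholds below are constructed for
illustration; ratings are assumed to be integers on a 0-100 scale, and
the claim's floor(x, 100) is read as "truncate to an integer, cap at 100".
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed per-signature table, as in the claim: attack type ->
# (attack severity rating ASR, signature fidelity rating SFR).
SIGNATURE_TABLE: Dict[str, Tuple[int, int]] = {
    "smb-rce-sig": (100, 90),        # high severity, tight signature
    "http-dir-traversal": (75, 60),  # medium severity, looser signature
    "icmp-sweep": (25, 95),          # recon only, but rarely a false positive
}


@dataclass(frozen=True)
class Signature:
    """What the signature needs on the target to be relevant (constructed)."""
    name: str
    target_os: Optional[str] = None
    port: Optional[int] = None
    app: Optional[str] = None
    vulnerable_versions: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Host:
    """Profile of the protected computer (constructed sample data)."""
    name: str
    os: str
    open_ports: FrozenSet[int]
    apps: Dict[int, Tuple[str, str]]   # port -> (application, version)
    target_value: int                  # TVR: perceived value of the host


def attack_relevance(sig: Signature, host: Host) -> int:
    """ARR from the four factors named in claim 1: OS, service availability,
    application at the port, and application version.  The penalty values
    are an assumption; the claim names the factors, not the weights."""
    arr = 100
    if sig.target_os is not None and host.os != sig.target_os:
        arr = min(arr, 10)                 # wrong OS: almost certainly irrelevant
    if sig.port is not None:
        if sig.port not in host.open_ports:
            arr = min(arr, 20)             # service not available on the host
        else:
            app, version = host.apps.get(sig.port, ("", ""))
            if sig.app is not None and app != sig.app:
                arr = min(arr, 30)         # different application at that port
            elif sig.vulnerable_versions and version not in sig.vulnerable_versions:
                arr = min(arr, 50)         # right app, but a non-vulnerable version
    return arr


def event_risk_rating(asr: int, sfr: int, arr: int, tvr: int) -> int:
    """ERR = floor(ASR*SFR*ARR*TVR / 1,000,000), capped at 100.
    With every factor <= 100 the product never exceeds 100, so the cap only
    bites if a deployment assigns a TVR above 100 to a critical asset."""
    for v in (asr, sfr, arr, tvr):
        if v < 0:
            raise ValueError("component ratings must be non-negative")
    return min((asr * sfr * arr * tvr) // 1_000_000, 100)


def respond(err: int) -> str:
    """Map the rating to an action; thresholds are constructed, not the claim's."""
    if err >= 90:
        return "deny-attacker-inline"
    if err >= 70:
        return "deny-packet-inline"
    if err >= 40:
        return "alert"
    return "log"


def score_event(sig: Signature, host: Host) -> Tuple[int, str]:
    """One event end to end: look up ASR/SFR, derive ARR, take TVR from the
    host profile, compute ERR, choose the response."""
    asr, sfr = SIGNATURE_TABLE[sig.name]
    arr = attack_relevance(sig, host)
    err = event_risk_rating(asr, sfr, arr, host.target_value)
    return err, respond(err)


# Constructed sample signatures and hosts.
SMB_RCE = Signature("smb-rce-sig", target_os="windows", port=445,
                    app="smb", vulnerable_versions=frozenset({"1.0"}))
HTTP_TRAV = Signature("http-dir-traversal", port=80, app="nginx",
                      vulnerable_versions=frozenset({"1.20", "1.22"}))
FILESERVER = Host("fileserver", "windows", frozenset({445, 3389}),
                  {445: ("smb", "1.0")}, target_value=100)
WEBSERVER = Host("webserver", "linux", frozenset({80, 443}),
                 {80: ("nginx", "1.24")}, target_value=60)
PORTAL = Host("portal", "linux", frozenset({80}),
              {80: ("nginx", "1.22")}, target_value=100)

if __name__ == "__main__":
    for sig, host in [(SMB_RCE, FILESERVER), (SMB_RCE, WEBSERVER),
                      (HTTP_TRAV, WEBSERVER), (HTTP_TRAV, PORTAL)]:
        err, action = score_event(sig, host)
        print(f"{sig.name:20s} -> {host.name:10s} ERR={err:3d} action={action}")
```

The point the example makes is the one the claim turns on: the same signature firing with the same severity and fidelity produces an ERR of 90 against a Windows file server exposing the vulnerable service and an ERR of 5 against a Linux web server that does not run it, so the inline block is reserved for the host that is actually at risk. Because the factors multiply, a single mismatched relevance factor dominates the result; a deployment that sets a conservative ARR fallback for unprofiled hosts avoids silently downgrading events for assets the sensor knows nothing about.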
25 Claims
1. A computerized method for addressing intrusion attacks directed at a computer, the method comprising:
receiving at least one packet corresponding to a potential attack on the computer;
calculating a risk rating for the potential attack by:
determining an attack severity rating indicative of the potential severity of the potential attack by comparing the type of potential attack to stored information having a plurality of attacks with corresponding predetermined numerical attack severity ratings;
determining a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer by comparing the type of potential attack to stored information having a plurality of attacks with corresponding predetermined numerical signature fidelity ratings;
determining an attack relevance rating indicative of the relevance of the potential attack to the computer based on an operating system of the computer, a service availability of the computer, an application running at a service port of the computer, and the version of the application;
determining a target value rating indicative of the perceived value of the computer;
calculating the risk rating as a function of the attack severity rating, the signature fidelity rating, the attack relevance rating, and the target value rating, wherein the function is:
ERR=floor(((ASR)*(SFR)*(ARR)*(TVR))/1000000,100) where:
ERR=the risk rating;
ASR=the attack severity rating;
SFR=the signature fidelity rating;
ARR=the attack relevance rating; and
TVR=the target value rating; and
responding to the attack based on the risk rating.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A computerized method for addressing intrusion attacks directed at a computer, the method comprising:
receiving at least one packet corresponding to a potential attack on the computer;
calculating a risk rating for the potential attack by:
determining an attack severity rating indicative of the potential severity of the potential attack;
determining a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer;
determining an attack relevance rating indicative of the relevance of the potential attack to the computer;
determining a target value rating indicative of the perceived value of the computer; and
calculating the risk rating as a function of the attack severity rating, the signature fidelity rating, the attack relevance rating, and the target value rating; and
responding to the potential attack based on the calculated risk rating.
Dependent claims: 9, 10, 11, 12, 13
14. A computerized method for addressing intrusion attacks directed at a computer, the method comprising:
receiving a data stream corresponding to a potential attack on the computer;
calculating a risk rating for the potential attack by:
determining a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer,
determining at least one component risk rating selected from the group consisting of:
an attack relevance rating indicative of the relevance of the potential attack to the computer, and
a target value rating indicative of the perceived value of the computer; and
calculating the risk rating based on the signature fidelity rating and at least one of the component risk ratings; and
responding to the potential attack based on the calculated risk rating.
Dependent claims: 15, 16, 17, 18, 19
20. A system for addressing intrusion attacks directed at a computer, the system comprising:
a software program embodied in a computer readable storage medium, the software program, when executed by a processor, operable to:
calculate a risk rating for a data stream received by the system embodying a potential attack by:
determining a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer,
determining at least one component risk rating selected from the group consisting of:
an attack relevance rating indicative of the relevance of the potential attack to the computer, and
a target value rating indicative of the perceived value of the computer; and
calculate the risk rating based on the signature fidelity rating and at least one of the component risk ratings; and
initiate a response to the potential attack based on the risk rating.
Dependent claims: 21, 22, 23, 24
25. A system for addressing intrusion attacks directed at a computer, the system comprising:
means for receiving at least one packet corresponding to a potential attack on the computer;
means for calculating a risk rating for the at least one packet by:
determining an attack severity rating indicative of the potential severity of the potential attack;
determining a signature fidelity rating indicative of the likelihood the potential attack will affect the computer in the absence of knowledge regarding the computer;
determining an attack relevance rating indicative of the relevance of the potential attack to the computer;
determining a target value rating indicative of the perceived value of the computer; and
calculating the risk rating as a function of the attack severity rating, the signature fidelity rating, the attack relevance rating, and the target value rating; and
means for responding to the potential attack based on the calculated risk rating;
wherein the means for calculating a risk comprises software embodied in a computer readable storage medium and an associated processor for executing the software.
Specification