Tactical and strategic attack detection and prediction
Abstract
NETWAR provides a utility that enables detection of both tactical and strategic threats against an individual entity and against interrelated/affiliated networks of entities. A distributed network of sensors and evaluators is utilized to detect tactical attacks against one or more entities. Events on the general network are represented as an input graph, which is searched for matches of example pattern graphs that represent tactical attacks. The search is performed using a scalable graph matching engine and an ontology that is periodically updated by a subject matter expert or analyst. NETWAR determines the strategic significance of the detected tactical attacks by correlating the tactical attacks detected on the individual entities, so that the true motive behind those attacks can be identified as a strategic attack. NETWAR also provides a predictive capability: based on evaluation of the attack data, it predicts which entities and sub-entities may be targeted next.
Claims (46 claims; 207 citations)
1. A method comprising:
receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; and matching strategic attack graph patterns against an input graph representing the relationships and affiliations among the entities and the tactical attacks the entities have been victim to, in order to determine a strategic significance of detected tactical attacks.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A method comprising:
receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; and correlating events from multiple sensors throughout the network to understand tactical attacks, wherein said correlating is completed via one or more graph analysis engines (GAEs) and includes detecting ongoing tactical attacks, performing forensics on completed tactical attacks, and predicting likely conclusions to ongoing attacks.
Dependent claims: 11.

12. A method comprising:
receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; generating an input graph representing the input data; sampling and evaluating the input data using a graph-based search engine; performing graph matching, anomaly detection and social network analysis within the input graph to determine presence in the input graph of tactical and strategic attack patterns; dynamically determining a strategic motive, tactical means, and tactical opportunities (MMO) of an attacker; and automatically detecting and predicting strategic attacks by detecting strategic actions identified within the input graph and comprehending the MMO of the potential attacker.

13. A method comprising:
receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; enabling creation of an ontology of example attack patterns that represent known and potential attack patterns; and enabling updates of the ontology to include newly detected attack patterns and remove patterns that are no longer classified as attack patterns.
Dependent claims: 14.

15. A method comprising:
receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; establishing a sensitivity cutoff, which indicates a match percentage less than a complete match desired to determine when a detected pattern is a likely candidate as an attack pattern; performing an inexact matching search utilizing said sensitivity cutoff; when an inexact match is identified, evaluating if the inexact match is a match of one of a current attack, a future attack, and a failed attack; predicting a likely outcome of an ongoing attack by analyzing partial matches of attack patterns, wherein, if a predicted attack step in the attack pattern is not observed over a pre-established time, the attack is assumed to have failed; when the inexact match is identified as one of a current attack, a future attack and a failed attack, updating a history table of inexact matches and forwarding the inexact match along with corresponding context information for review; when the inexact match is confirmed by an analyst as an attack, updating the ontology of attack patterns to include the inexact match; and when the inexact match indicates a possible future predicted attack, generating an alert predicting the future attack.
Dependent claims: 16, 17.

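Claims 1 and 15 describe the two matching steps in plain words: an inexact (partial) match of a tactical attack pattern that is only a candidate once its match percentage reaches a sensitivity cutoff, a partial match that is assumed failed when the next predicted step is not observed within a pre-established time, a history table of inexact matches with alerts for predicted next steps, and a strategic check that asks whether the same tactical pattern has landed on several affiliated entities. The following Python sketch is an added example of that detection logic; it is not code from the patent or from NETWAR. The pattern, the action names, the entity names, the supplier edges, the timeout and the labelling scheme ("complete", "current", "failed", "none") are all constructed assumptions.

```python
"""Inexact attack-pattern matching with a sensitivity cutoff, plus a
strategic-significance check over an entity relationship graph.

Added example; not code from the patent or from NETWAR. Entity names,
action names, the pattern and the timeout below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    entity: str   # asset or organisation the sensor observed the action on
    action: str   # normalised action name produced by an ingest step
    t: int        # observation time in seconds (constructed values below)


@dataclass(frozen=True)
class Pattern:
    name: str
    steps: tuple          # ordered actions that make up the tactical pattern
    step_timeout: int     # pre-established time allowed before the next step


def longest_prefix(pattern, events):
    """Longest in-order prefix of pattern.steps seen in one entity's events.

    Returns (steps_matched, time_of_last_matched_step). Steps must appear
    in pattern order; later steps are only counted after earlier ones."""
    matched, last_t = 0, None
    for ev in sorted(events, key=lambda e: e.t):
        if matched < len(pattern.steps) and ev.action == pattern.steps[matched]:
            matched, last_t = matched + 1, ev.t
    return matched, last_t


def classify(pattern, events, cutoff, now):
    """Apply the sensitivity cutoff and label the match.

    cutoff is the minimum match fraction (0..1) that makes a partial match
    a candidate. Labels: "none" (below cutoff), "complete", "current"
    (partial, next step still expected) or "failed" (next step not seen
    within step_timeout of the last matched step)."""
    matched, last_t = longest_prefix(pattern, events)
    fraction = matched / len(pattern.steps)
    if fraction < cutoff:
        return {"label": "none", "fraction": fraction}
    if matched == len(pattern.steps):
        return {"label": "complete", "fraction": fraction}
    next_step = pattern.steps[matched]
    if now - last_t > pattern.step_timeout:
        return {"label": "failed", "fraction": fraction, "expected": next_step}
    return {"label": "current", "fraction": fraction, "predicted_next": next_step}


def analyse(pattern, events, cutoff, now):
    """Classify per entity, keep a history table of inexact matches and
    emit an alert for each ongoing match that predicts a next step."""
    by_entity = defaultdict(list)
    for ev in events:
        by_entity[ev.entity].append(ev)
    history, alerts = {}, []
    for entity, evs in by_entity.items():
        result = classify(pattern, evs, cutoff, now)
        if result["label"] == "none":
            continue
        history[entity] = result          # history table of inexact matches
        if result["label"] == "current":
            alerts.append((entity, result["predicted_next"]))
    return history, alerts


def strategic_significance(target, supplier_edges, history):
    """Suppliers of `target` whose tactical match is live or complete.

    The same tactical pattern landing on several affiliated entities is
    the strategic (supply chain) pattern the claims describe."""
    hit = [s for s, t in supplier_edges
           if t == target and history.get(s, {}).get("label") in ("current", "complete")]
    return sorted(hit)


# Constructed sample data (assumption, not real sensor output).
PATTERN = Pattern("staged-exfil", ("scan", "login", "archive", "transfer"), step_timeout=600)
EVENTS = [
    Event("acme", "scan", 0), Event("acme", "login", 120), Event("acme", "archive", 300),
    Event("acme", "transfer", 400),                         # complete match
    Event("beta", "scan", 0), Event("beta", "login", 200),  # ongoing; "archive" still expected
    Event("gamma", "scan", 0), Event("gamma", "login", 50), # next step overdue: failed
    Event("delta", "scan", 50),                             # 1 of 4 steps, below a 0.5 cutoff
]
SUPPLIERS = [("acme", "holdco"), ("beta", "holdco"), ("gamma", "holdco"), ("delta", "other")]
NOW = 700

if __name__ == "__main__":
    hist, al = analyse(PATTERN, EVENTS, 0.5, NOW)
    print(hist, al, strategic_significance("holdco", SUPPLIERS, hist))
```

The cutoff does the work the claim assigns to it: `delta` has matched only the first step and is never forwarded for review, while `gamma` is still recorded in the history table as a failed candidate, which is what a later forensic pass would want to see. The strategic check is deliberately separate from the tactical matcher, mirroring the separation of threat semantics and graph search that the later claims call for.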
18. A method comprising:
receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; storing the input data to a scalable database capable of managing a large amount of data at a time; monitoring the network in real time; updating the scalable database with new input data generated from the network; and performing the analysis of the input data for detection of strategic attacks via a database graph search functionality of a graph analysis tool capable of retrieving graph elements directly from the scalable database and providing direct queries to the input graph provided within the scalable database; wherein a clear separation of threat semantics and graph search functions for attack patterns is provided.
Dependent claims: 19.

20. A method comprising:
receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; sequencing input data points by time; and converting the sequenced input data points into textual descriptions of network activity.

21. A method comprising:
receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; providing fusion of data at a strategic level, wherein said fusion accounts for inputs from Internet sensors, open sources, and search engine statistics, wherein the strategic level fusion utilizes a business threat ontology and strategic level GAEs to understand strategic attacks; wherein the business threat ontology associated with strategic level GAEs contains one or more of:
(1) descriptions of specifically identified target entities;
(2) interdependencies between the individual target entities, including supply chain dependencies;
(3) business functions and services of the target entities;
(4) relationships between the network assets and business assets of the target entities, including strategic information, functions, and services; and
(5) information about strategic threats and the threat's likely motives;
wherein the strategic level fusion provides attack patterns for one or more of:
(1) supply chain availability attacks;
(2) industrial espionage focused on exfiltration of information about specific technologies; and
(3) strategic infiltration of an infrastructure to be leveraged in the future.

22. A computer program product comprising:
a computer readable medium; and program code on the computer readable medium that when executed by a processor provides the functions of: receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; matching strategic attack graph patterns against an input graph representing the relationships and affiliations among the entities and the tactical attacks the entities have been victim to, in order to determine a strategic significance of detected tactical attacks; and correlating events from multiple sensors throughout the network to understand tactical attacks, wherein said correlating is completed via one or more graph analysis engines (GAEs) and includes detecting ongoing tactical attacks, performing forensics on completed tactical attacks, and predicting likely conclusions to ongoing attacks.
Dependent claims: 23, 24, 25, 26, 27.

28. A computer program product comprising:
a computer readable medium; and program code on the computer readable medium that when executed by a processor provides the functions of: receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; establishing a sensitivity cutoff, which indicates a match percentage less than a complete match desired to determine when a detected pattern is a likely candidate as an attack pattern; performing an inexact matching search utilizing said sensitivity cutoff; when an inexact match is identified, evaluating if the inexact match is a match of one of a current attack, a future attack, and a failed attack; predicting a likely outcome of an ongoing attack by analyzing partial matches of attack patterns, wherein, if a predicted attack step in the attack pattern is not observed over a pre-established time, the attack is assumed to have failed; when the inexact match is identified as one of a current attack, a future attack and a failed attack, updating a history table of inexact matches and forwarding the inexact match along with corresponding context information for review; when the inexact match is confirmed by an analyst as an attack, updating the ontology of attack patterns to include the inexact match; and when the inexact match indicates a possible future predicted attack, generating an alert predicting the future attack.
Dependent claims: 29.

30. A computer program product comprising:
a computer readable medium; and program code on the computer readable medium that when executed by a processor provides the functions of: receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; storing the input data to a scalable database capable of managing a large amount of data at a time; monitoring the network in real time; updating the scalable database with new input data generated from the network; and performing the analysis of the input data for detection of strategic attacks via a database graph search functionality of a graph analysis tool capable of retrieving graph elements directly from the scalable database and providing direct queries to the input graph provided within the scalable database; wherein a clear separation of threat semantics and graph search functions for attack patterns is provided.

31. A computer program product comprising:
a computer readable medium; and program code on the computer readable medium that when executed by a processor provides the functions of: receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; converting ontology-based patterns into a precise pattern query language (PQL) supported by the graph analysis tool; and decomposing complete attack patterns stored in the strategic attack ontology into meaningful time-based sub-patterns that will match sequences of activity that are precursors to becoming a significant attack threat, wherein said decomposing enables a predictive capability for future attacks.

32. A computer program product comprising:
a computer readable medium; and program code on the computer readable medium that when executed by a processor provides the functions of: receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; providing fusion of data at a strategic level, wherein said fusion accounts for inputs from Internet sensors, open sources, and search engine statistics, wherein the strategic level fusion utilizes a business threat ontology and strategic level GAEs to understand strategic attacks; wherein the business threat ontology associated with strategic level GAEs contains one or more of:
(1) descriptions of specifically identified target entities;
(2) interdependencies between the individual target entities, including supply chain dependencies;
(3) business functions and services of the target entities;
(4) relationships between the network assets and business assets of the target entities, including strategic information, functions, and services; and
(5) information about strategic threats and the threat's likely motives;
wherein the strategic level fusion provides attack patterns for one or more of:
(1) supply chain availability attacks;
(2) industrial espionage focused on exfiltration of information about specific technologies; and
(3) strategic infiltration of an infrastructure to be leveraged in the future.

33. A system comprising:
a processor; a memory coupled to the processor; and a utility, which executes on the processor to provide the functions of: receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; matching strategic attack graph patterns against an input graph representing the relationships and affiliations among the entities and the tactical attacks the entities have been victim to, in order to determine a strategic significance of detected tactical attacks; and correlating events from multiple sensors throughout the network to understand tactical attacks, wherein said correlating is completed via one or more graph analysis engines (GAEs) and includes detecting ongoing tactical attacks, performing forensics on completed tactical attacks, and predicting likely conclusions to ongoing attacks.
Dependent claims: 34, 35, 36, 37, 38.

39. A system comprising:
a processor; a memory coupled to the processor; and a utility, which executes on the processor to provide the functions of: receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; and correlating events from multiple sensors throughout the network to understand tactical attacks, wherein said correlating is completed via one or more graph analysis engines (GAEs) and includes detecting ongoing tactical attacks, performing forensics on completed tactical attacks, and predicting likely conclusions to ongoing attacks; receiving, via the GAE, input data from data sources/sensors; and performing a data fusion on the input data utilizing a domain ontology to fuse the input data into an Attributed Relational Graph (ARG); wherein the GAE utilizes the domain ontology to (1) map sensor events to probable actions, (2) define threat patterns, and (3) provide ontological services to the pattern matcher.

40. A system comprising:
a processor; a memory coupled to the processor; and a utility, which executes on the processor to provide the functions of: receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; establishing a sensitivity cutoff, which indicates a match percentage less than a complete match desired to determine when a detected pattern is a likely candidate as an attack pattern; performing an inexact matching search utilizing said sensitivity cutoff; when an inexact match is identified, evaluating if the inexact match is a match of one of a current attack, a future attack, and a failed attack; predicting a likely outcome of an ongoing attack by analyzing partial matches of attack patterns, wherein, if a predicted attack step in the attack pattern is not observed over a pre-established time, the attack is assumed to have failed; when the inexact match is identified as one of a current attack, a future attack and a failed attack, updating a history table of inexact matches and forwarding the inexact match along with corresponding context information for review; when the inexact match is confirmed by an analyst as an attack, updating the ontology of attack patterns to include the inexact match; and when the inexact match indicates a possible future predicted attack, generating an alert predicting the future attack.
Dependent claims: 41.

42. A system comprising:
a processor; a memory coupled to the processor; and a utility, which executes on the processor to provide the functions of: receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; storing the input data to a scalable database capable of managing a large amount of data at a time; monitoring the network in real time; updating the scalable database with new input data generated from the network; and performing the analysis of the input data for detection of strategic attacks via a database graph search functionality of a graph analysis tool capable of retrieving graph elements directly from the scalable database and providing direct queries to the input graph provided within the scalable database; wherein a clear separation of threat semantics and graph search functions for attack patterns is provided.
Dependent claims: 43.

44. A system comprising:
a processor; a memory coupled to the processor; and a utility, which executes on the processor to provide the functions of: receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; providing fusion of data at a strategic level, wherein said fusion accounts for inputs from Internet sensors, open sources, and search engine statistics, wherein the strategic level fusion utilizes a business threat ontology and strategic level GAEs to understand strategic attacks; wherein the business threat ontology associated with strategic level GAEs contains one or more of:
(1) descriptions of specifically identified target entities;
(2) interdependencies between the individual target entities, including supply chain dependencies;
(3) business functions and services of the target entities;
(4) relationships between the network assets and business assets of the target entities, including strategic information, functions, and services; and
(5) information about strategic threats and the threat's likely motives;
wherein the strategic level fusion provides attack patterns for one or more of:
(1) supply chain availability attacks;
(2) industrial espionage focused on exfiltration of information about specific technologies; and
(3) strategic infiltration of an infrastructure to be leveraged in the future.

45. A system comprising:
a processor; a memory coupled to the processor; and a utility, which executes on the processor to provide the functions of: receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; a graph annotation engine that receives an input of strategic attack ontology and tactical attack ontology; a graph pattern compiler and a predictive graph pattern compiler, which both receive an input of said strategic attack ontology and tactical attack ontology, wherein said pattern compilers provide an output to the external match control function; an "events data"-specific ingest module, which operates to convert specific types of network events data in its standard form into the normalized graph form; a graph analysis tool which provides a graph search engine for searching through the normalized graph form; an external match control function; and an attack prediction engine.

46. A system comprising:
a processor; a memory coupled to the processor; and a utility, which executes on the processor to provide the functions of: receiving input data representing activities and events on a network; detecting tactical attacks against one or more entities by analyzing the input data; dynamically determining when the one or more tactical attacks are indicative of a strategic attack; and correlating events from multiple sensors throughout the network to understand tactical attacks, wherein said correlating is completed via one or more graph analysis engines (GAEs) and includes detecting ongoing tactical attacks, performing forensics on completed tactical attacks, and predicting likely conclusions to ongoing attacks; further comprising a distributed network of GAEs utilized to capture data utilized to detect tactical attacks against target entities and evaluate a context and strategic significance of the tactical attacks.

Specification