Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing

US 7,882,560 B2
Filed: 05/01/2006
Issued: 02/01/2011
Est. Priority Date: 12/16/2005
Status: Active Grant

First Claim

Patent Images

1. A computerized method, comprising:

controlling a computer to define at least one key event to be monitored by at least one agent;

controlling the computer to create a graphical model for the at least one key event;

controlling the computer to observe the at least one key event;

controlling the computer to infer a degree of attack on the computer system based on an automated observation of the at least one key event in conjunction with a result of an effect the at least one key event has on the graphical mode, where controlling the computer to infer the degree of attack on the computer system comprises modifying a probability of attack on the computer system based on the observation of the at least one key event in conjunction with the result of the effect the at least one key event has on the graphical model;

controlling the computer to monitor the output of the graphical model, the output indicating whether the probability of attack is greater than a threshold value; and

controlling the computer to automatically adjust a security policy based on an output of the graphical model, where adjusting the security policy is performed automatically without user intervention, and where adjusting the security policy includes re-posturing a probabilistic security policy to correspond to the degree of attack;

where the graphical model includes a plurality of nodes,where controlling the computer to create the graphical model for the at least one key event comprises controlling the computer to create at least one initial probability for nodes in the plurality of nodes in the graphical model and controlling the computer to adjust the at least one initial probability of at least one node in the plurality of nodes as a function of at least one statistical datum associated with a previous security attack,where the at least one initial probability is defined according to the probability security policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system defines at least one key event to be monitored by at least one agent, and creates a graphical model for the at least one key event. The system observes the at least one key event. The system infers a degree of attack on the computer system based on an observation of the at least one key event in conjunction with a result of an effect the at least one key event has on the graphical model. The system then adjusts a security policy based on an output of the graphical model.

121 Citations

29 Claims

1. A computerized method, comprising:
- controlling a computer to define at least one key event to be monitored by at least one agent;
  
  controlling the computer to create a graphical model for the at least one key event;
  
  controlling the computer to observe the at least one key event;
  
  controlling the computer to infer a degree of attack on the computer system based on an automated observation of the at least one key event in conjunction with a result of an effect the at least one key event has on the graphical mode, where controlling the computer to infer the degree of attack on the computer system comprises modifying a probability of attack on the computer system based on the observation of the at least one key event in conjunction with the result of the effect the at least one key event has on the graphical model;
  
  controlling the computer to monitor the output of the graphical model, the output indicating whether the probability of attack is greater than a threshold value; and
  
  controlling the computer to automatically adjust a security policy based on an output of the graphical model, where adjusting the security policy is performed automatically without user intervention, and where adjusting the security policy includes re-posturing a probabilistic security policy to correspond to the degree of attack;
  
  where the graphical model includes a plurality of nodes,where controlling the computer to create the graphical model for the at least one key event comprises controlling the computer to create at least one initial probability for nodes in the plurality of nodes in the graphical model and controlling the computer to adjust the at least one initial probability of at least one node in the plurality of nodes as a function of at least one statistical datum associated with a previous security attack,where the at least one initial probability is defined according to the probability security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, where the at least one key event comprises at least one of:
    - a system call, a buffer overflow, an instance of downloaded content, an instance of CPU utilization, at least one network connection, a process exception, a system configuration modification, an instance of a new software program installation, an instance of a new service installation, a first time instance of a application invocation, an instance of mobile code execution, an instance of at least one root-kit detection, an instance of memory utilization, at least one transaction failure, and at least one loss of service.
  - 3. The method of claim 1, where controlling the computer to create the graphical model comprises:
    - assigning a weight to the at least one key event the graphical model, and identifying a step in a process at which the at least one key event occurred.
  - 4. The method of claim 1, where controlling the computer to create the graphical model for the at least one key event comprises:
    - creating a Bayesian network configured to detect the degree of attack on the computer system.
  - 5. The method of claim 1, comprising controlling the computer to selectively deny operation of at least one operation in the computer based, at least in part, on the adjusted initial probability.
  - 6. The method of claim 1, where controlling the computer to observe the at least one key event comprises:
    - detecting that the at least one key event is associated with a set of key events.
  - 7. The method of claim 1, where controlling the computer to infer a degree of attack on the computer system based on an observation of the at least one key event in conjunction with a result of an effect the at least one key event has on the graphical model comprises:
    - controlling the computer to correlate the degree of attack to a configurable limit.
  - 8. The method of claim 1, where automatically adjusting the security policy based on the output of the graphical model comprises:
    - in response to the computer monitoring the output of the graphical model and the computer identifying that a likelihood of attack on the computer system is above the threshold value, controlling the computer to re-posture the probabilistic security policy.
  - 9. The method of claim 4, where controlling the computer to infer a degree of attack on the computer system based on an observation of the at least one key event in conjunction with a result of an effect the at least one key event has on the graphical model comprises:
    - inferring the degree of attack on the computer system based on the Bayesian network.
  - 10. The method of claim 6, where detecting that the at least one event is associated with a set of key events comprises:
    - identifying that the at least one key event is related to the set of key events.
  - 11. The method of claim 6, where detecting that the at least one event is associated with a set of key events comprises:
    - identifying that the at least one key event is not related to the set of key events.
  - 12. The method of claim 6, where detecting that the at least one event is associated with a set of key events comprises:
    - observing an order of the set of key events, the order including a placement of the at least one key event in the order of the set of key events.
  - 13. The method of claim 7, where controlling the computer to correlate the degree of attack to a configurable limit comprises:
    - initializing the configurable limit of the degree of attack.
  - 14. The method of claim 7, where controlling the computer to correlate the degree of attack to a configurable limit comprises:
    - defining the configurable limit of the degree of attack as a range of configurable limits.

15. A computer apparatus, comprising:
- a memory;
  
  a processor;
  
  a communications interface; and
  
  an interconnection mechanism coupling the memory, the processor and the communications interface;
  
  the memory being encoded with an application providing probabilistic security policy re-posturing that, when performed on the processor, controls the processor to;
  
  provide an event correlation engine in communication with an application file interceptor;
  
  where the event correlation engine defines at least one key event to be monitored by at least one agent,where the event correlation engine creates a graphical model for the at least one key event,where the event correlation engine observes the at least one key event,where the event correlation engine infers a degree of attack on the computer system based on an observation of the at least one key event in conjunction with a result of an effect the at least one key event has on the graphical model, andwhere the event correlation engine adjusts a security policy based on an output of the graphical model, where adjusting the security policy includes re-posturing a probabilistic security policy to correspond to the degree of attack.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The computer apparatus of claim 15, wherein the memory is further encoded with instructions that when performed cause the event correlation engine to create a graphical model for the at least one key event by assigning a weight to the at least one key event of the graphical model, and identifying a step in a process at which the at least one key event occurred.
  - 19. The computer apparatus of claim 15, wherein the memory is further encoded with instructions that when performed cause the event correlation engine to further selectively deny operation of at least one operation in the computer based, at least in part, on an adjusted initial probability.
  - 20. The computer apparatus of claim 15, wherein the memory is further encoded with instructions that when performed cause the event correlation engine to observe the at least one key event by detect that the at least one key event is associated with a set of key events.
  - 21. The computer apparatus of claim 20, wherein the memory is further encoded with instructions that when performed cause the event correlation engine to detect that the at least one event is associated with a set of key events by identifying that the at least one key event is related to the set of key events.

16. A computer readable medium storing computer executable instructions that when executed by a computer cause the computer to perform:
- instructions for defining at least one key event to be monitored by at least one agent;
  
  instructions for creating a Bayesian network model for the at least one key event;
  
  instructions for observing the at least one key event;
  
  instructions for inferring a degree of attack on the computer system based on an observation of the at least one key event in conjunction with a result of an effect the at least one key event has on the Bayesian model; and
  
  instructions for adjusting a security policy based on an output of the graphical model, where adjusting the security policy includes re-posturing a probabilistic security policy to correspond to the degree of attack.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The computer-readable medium of claim 16, further storing instructions, which when executed by the computer, perform assigning a weight to the at least one key event of the graphical model, identifying a step in a process at which the at least one key event occurred.
  - 23. The computer-readable medium of claim 16, further storing instructions, which when executed by the computer, perform selectively denying operation of at least one operation in the computer based, at least in part, on an adjusted initial probability.
  - 24. The computer-readable medium of claim 16, further storing instructions, which when executed by the computer, perform detecting that the at least one key event is associated with a set of key events.
  - 25. The computer-readable medium of claim 24, further storing instructions, which when executed cause detecting that the at least one key event is associated with a set of key events by identifying that the at least one key event is related to the set of key events.

17. A computerized device, comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface;
  
  the memory being encoded with a probabilistic security policy reposturing application that when executed on the processor configures the computerized device with a means for re-posturing a security policy, the means for re-posturing comprising;
  
  means for defining at least one key event to be monitored by at least one agent;
  
  means for inferring a degree of attack on the computer system based on an observation of the at least one key event in conjunction with a result of an effect the at least one key event has on the graphical model; and
  
  means for adjusting a security policy based on an output of the graphical model, where adjusting the security policy includes re-posturing a probabilistic security policy to correspond to the degree of attack.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The computerized device of claim 17, where the means for creating a graphical model of the at least one key event comprises means for assigning a weight to the at least one key event of the graphical model, means for identifying a step in a process at which the at least one key event occurred.
  - 27. The computerized device of claim 17, where the means for inferring a degree of attack on the computer system further comprises means for selectively denying operation of at least one operation in the computer based, at least in part, on an adjusted initial probability.
  - 28. The computerized device of claim 17, where the means for inferring a degree of attack one the computer system further comprises means for detecting that the at least one key event is associated with a set of key events.
  - 29. The computerized device of claim 28, where the means for detecting that the at least one key event is associated with a set of key events comprises means for identifying that the at least one key event is related to the set of key events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Zawadowskiy, Andrew, Kraemer, Jeffrey A.
Primary Examiner(s)
ZIA, SYED

Application Number

US11/415,022
Publication Number

US 20070143850A1
Time in Patent Office

1,737 Days
Field of Search

709/223, 709/224
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

121 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others