System and method for predicting cyber threat

US 8,191,149 B2
Filed: 11/12/2007
Issued: 05/29/2012
Est. Priority Date: 11/13/2006
Status: Active Grant

First Claim

Patent Images

1. An intrusion detection system for quantifying a value within a low to a high range of values, which allows a user to take appropriate counter measures before a cyber threat occurs, the system comprising:

a processor and a memory, the memory having stored thereon;

an information collection-processing module for collecting and processing at least one of information on an intrusion detection event, statistical information on network traffic, cyber threat information of an Internet bulletin board, information from at least one to a plurality of first persons in response to predetermined questions asked related to at least one or more cyber threats,wherein the cyber threat information of the internet bulletin board is configured to be automatically collect information from predetermined articles on each of the at least one or more cyber threats from at least two or more predetermined Internet bulletin boards at predetermined time intervals prior to generating the predetermined questions for each of the respective cyber threats;

a engine sub-system for allowing the user to take the appropriate counter measures before the cyber threat actually occurs by using at least one of a time-series analysis method and a Delphi method according to the collected and processed information;

a database (DB) management module for storing and managing the collected and processed information of the engine sub-system,wherein each of the at least one to the plurality of first persons provide the respective information in response to the questions asked about the cyber threats is represented by a statistical value,wherein the statistical value is configured based on quantifying quantitative answers to at least one or more questions received from each of the at least one to the plurality of first persons respective information to generate a degree of the predicted occurrence of the cyber threat before the cyber threat occurs,wherein the degree of the quantified quantitative answer ranges from a most selected answer to a least selected answer,wherein the engine sub-system applies the time-series analysis of information on the intrusion detection event and the statistical information on network traffic with the generated degree of the quantified quantitative answers ranging from the most selected answer to the least selected answer to generate a value within the range of values for allowing the user to take the appropriate counter measures before the cyber threat occurs,wherein a low value indicates a low probability that the cyber threat will occur and a high value indicates a high probability that the cyber threat will occur; and

a result display graphic user interface (GUI)-management module for displaying the generated value within the range of values for allowing the user to determine whether take the appropriate counter measures before the cyber threat occurs of the engine sub-system on a screen.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are a system and method for predicting a cyber threat. The system and method collect various variables and synthetically predict the frequency, dangerousness, possibility, and time of the occurrence of a cyber threat including hacking, a worm/virus, a Denial of Service (DoS) attack, illegal system access, a malicious code, a social engineering attack, system/data falsification, cyber terror/war, weakness exploitation, etc., using a time-series analysis method and a Delphi method, and inform a user in advance of the prediction result, thereby enabling the user to prepare against the cyber threat.

Citations

20 Claims

1. An intrusion detection system for quantifying a value within a low to a high range of values, which allows a user to take appropriate counter measures before a cyber threat occurs, the system comprising:
- a processor and a memory, the memory having stored thereon;
  
  an information collection-processing module for collecting and processing at least one of information on an intrusion detection event, statistical information on network traffic, cyber threat information of an Internet bulletin board, information from at least one to a plurality of first persons in response to predetermined questions asked related to at least one or more cyber threats,wherein the cyber threat information of the internet bulletin board is configured to be automatically collect information from predetermined articles on each of the at least one or more cyber threats from at least two or more predetermined Internet bulletin boards at predetermined time intervals prior to generating the predetermined questions for each of the respective cyber threats;
  
  a engine sub-system for allowing the user to take the appropriate counter measures before the cyber threat actually occurs by using at least one of a time-series analysis method and a Delphi method according to the collected and processed information;
  
  a database (DB) management module for storing and managing the collected and processed information of the engine sub-system,wherein each of the at least one to the plurality of first persons provide the respective information in response to the questions asked about the cyber threats is represented by a statistical value,wherein the statistical value is configured based on quantifying quantitative answers to at least one or more questions received from each of the at least one to the plurality of first persons respective information to generate a degree of the predicted occurrence of the cyber threat before the cyber threat occurs,wherein the degree of the quantified quantitative answer ranges from a most selected answer to a least selected answer,wherein the engine sub-system applies the time-series analysis of information on the intrusion detection event and the statistical information on network traffic with the generated degree of the quantified quantitative answers ranging from the most selected answer to the least selected answer to generate a value within the range of values for allowing the user to take the appropriate counter measures before the cyber threat occurs,wherein a low value indicates a low probability that the cyber threat will occur and a high value indicates a high probability that the cyber threat will occur; and
  
  a result display graphic user interface (GUI)-management module for displaying the generated value within the range of values for allowing the user to determine whether take the appropriate counter measures before the cyber threat occurs of the engine sub-system on a screen.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the cyber threat includes at least one of hacking, a worm/virus, a Denial of Service (DoS) attack, illegal system access, a malicious code, a social engineering attack, system/data falsification, cyber terror-war, and exploitation.
  - 3. The system of claim 1, wherein the information collection-processing module comprises:
    - a monitoring system DB for storing the intrusion detection event information and the statistical network traffic information;
      
      an intrusion detection event information processing module for processing and storing time-series data according to day-specific numbers of occurrence of hacking, worm-virus infection, occurrence of a malicious code attack, occurrence of a social engineering attack, occurrence of a system-data falsification attack using the stored intrusion detection event information; and
      
      a traffic information processing module for storing the time-series data classified according to network flows using the stored statistical network traffic information.
  - 4. The system of claim 3, wherein the information collection-processing module further comprises:
    - a statistical network packet information collection module for collecting statistical network packet information on an illegal access and a DoS attack; and
      
      a network flow information processing module for processing the collected statistical network packet information into network traffic flow information and storing the network traffic flow information.
  - 5. The system of claim 3, wherein the information collection-processing module further comprises:
    - an Internet cyber threat information collection module for automatically collecting the respective articles on the cyber threats from the respective predetermined Internet bulletin boards at predetermined time intervals; and
      
      a non-quantitative information processing module for processing the collected article on the cyber threat into period-specific time-series data and storing the period-specific time-series data.
  - 6. The system of claim 5, wherein the information collection-processing module further comprises:
    - an information collection module for collecting each of the at least one to the plurality of first persons respective information obtained as the answers to the at least one or more questions with respect to the cyber threat; and
      
      an information processing module for quantifying each of the at least one to the plurality of first persons collected respective information, and then calculating and storing a statistically representative value.
  - 7. The system of claim 1, wherein the engine sub-system determines a time-series prediction model corresponding to a minimum error using the time-series analysis method on time-series data stored in the DB management module for allowing the user to determine whether to take the appropriate counter measures before the cyber threat occurs.
  - 8. The system of claim 7, wherein the engine sub-system system comprises at least one of a hacking prediction module, a worm-virus prediction module, a Denial of Service (DoS) attack prediction module, an illegal system access prediction module, a malicious code prediction module, a social engineering attack prediction module, and a system-data falsification prediction module for allowing the user to determine whether to take the appropriate counter measures before the cyber threat occurs.
  - 9. The system of claim 8, wherein the DoS attack prediction module calculates a network traffic flow entropy similarity of a DoS attack using network traffic flow information stored in the DB management module, stores the network traffic flow entropy similarity as time-series data, and predicts occurrence of a DoS attack using the stored time-series data for allowing the user to determine whether to take the appropriate counter measures before the cyber threat from the Dos attack occurs.
  - 10. The system of claim 1, wherein the engine sub-system synthesizes the information of each of the at least one to the plurality of first persons using a Delphi method on the information stored in the DB management module for allowing the user to determine whether to take the appropriate counter measures before the cyber threat occurs.
  - 11. The system of claim 10, wherein the engine sub-system comprises:
    - a cyber terror-war module and a weakness exploitation module for respectively predicting occurrence of cyber terror-war and exploitation on the basis of the most selected answer using information obtained by quantifying and storing each of the at least one to the plurality of first persons collected information as the answers to the at least one or more questions for allowing the user to determine whether to take the appropriate counter measures before the cyber threat from the cyber terror-war and exploitation occurring.
  - 12. The system of claim 1, wherein the result display GUI-management module provides the stored value result for allowing the user to determine whether to take the appropriate counter measures before the cyber threat occurs, which is done in a form of a GUI using a graph and text.

13. A method of providing information on a cyber threat comprising at least one of hacking, a worm/virus, a Denial of Service (DoS) attack, illegal system access, a malicious code, a social engineering attack, system/data falsification, cyber terror/war, and exploitation for quantifying a value within a low to a high range of values, which allows a user to take appropriate counter measures before the cyber threat occurs, the method comprising the steps of:
- providing a processor and a memory, the memory having stored thereon;
  
  (a) collecting cyber threat information,wherein the cyber threat information comprises at least one of information on an intrusion detection event, statistical information on network traffic, statistical information on a network packet, cyber threat information of an Internet bulletin board, and information from each of at least one to a plurality of first persons that predicts occurrence of the cyber threat;
  
  (b) processing the collected cyber threat information into time-series data and quantitative data, and storing the time-series data and the quantitative data;
  
  (c) providing information for predicting occurrence of the cyber threat before the cyber threat actually occurs by using at least one of a time-series models and a Delphi method according to a type of the cyber threat,wherein each of at least one to a plurality of first persons provide the respective information for predicting occurrence of the cyber threat before the cyber threat occurs,wherein each of the at least one to the plurality of first persons respective information for predicting occurrence of the cyber threat before the cyber threat occurs is represented by a statistical value,wherein the statistical value is based on quantifying quantitative answers to at least one or more questions received from each of the at least one to the plurality of first persons respective information to generate a degree of the occurrence of the cyber threat before the cyber threat actually occurs,wherein the questions are automatically generated from a user'"'"'s defined internet boards prior to generating the one or more questions,where the internet boards are selected based on the type of cyber threat,wherein the degree of the quantified quantitative answer ranges from a most selected answer to a least selected answer,wherein the providing information on the occurrence of the cyber threat applies the time-series analysis of information on the intrusion detection event and the statistical information on network traffic with the generated degree of the quantified quantitative answers ranging from the most selected answer to the least selected answer to generate a value within the range of values for allowing the user to take the appropriate counter measures before the cyber threat occurs,wherein a low value indicates a low probability that the cyber threat will actually occur and a high value indicates a high probability that the cyber threat will occur; and
  
  (d) storing the generated value within the range of values for allowing the user to determine whether take the appropriate counter measures before the cyber threat occurs and providing the generated value within the range of values for allowing the user to determine whether take the appropriate counter measures before the cyber threat occurs by using a graph or text according to the user'"'"'s request.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, wherein the cyber threat information of step (a) includes at least one of information on an intrusion detection event, statistical information on network traffic, statistical information on a network packet, cyber threat information of an Internet bulletin board, and information of information security experts.
  - 15. The method of claim 14, wherein in step (b), the statistical network traffic information and the statistical network packet information are processed in a form of a traffic flow (a source IP (Internet protocol) address, a destination IP address, a source port, a destination port, a number of packets, and an amount of the packets), worm-virus information of the Internet bulletin board is processed in a form of a worm/virus table, and the information of information security experts is processed in a form of a database (DB) expert information table.
  - 16. The method of claim 13, wherein step (c) comprises the steps of:
    - (c1) when the type of the cyber threat is hacking, a worm/virus, a DoS attack, illegal system access, a malicious code, a social engineering attack, or system/data falsification, performing the time-series analysis method using the stored time-series data and thereby obtaining time-series prediction models;
      
      (c2) analyzing the time-series prediction models and selecting a time-series prediction model corresponding to a minimum error; and
      
      (c3) predicting the frequency and the occurrence of the cyber threat using the time-series prediction model.
  - 17. The method of claim 16, wherein in step (c1), previously stored time-series data on a past frequency of the occurrence of the cyber threat is inserted into a time-series prediction model as a formula below, which is obtained by the time-series analysis method, to calculate coefficients a₁, a₂, . . . , a_nof the time-series prediction model, the calculated coefficients a₁, a₂, . . . , a_nare inserted into the formula below, and thereby the time-series prediction models are obtained,
    Y_t=a₁*Y_t-1+a₂*Y_{t-2+ . . . +}a_n*Y_t-n+z wherein Y_tdenotes a desired value at a point in time t, Y_t-1denotes time-series data at a point in time t-1, Y_t-2denotes time-series data at a point in time t-2, a_ndenotes a coefficient satisfying a₁+a₂+ . . . +a_n=1, and z denotes an error term.
  - 18. The method of claim 16, wherein step (c2) comprises the steps of:
    - predicting the frequency of the occurrence of the cyber threat using the obtained time-series prediction models;
      
      calculating an error between the predicted frequency and an actual frequency; and
      
      selecting the time-series prediction model corresponding to the minimum error.
  - 19. The method of claim 14, wherein in step (c), when the type of the cyber threat is cyber terror-war or exploitation, the Delphi method is performed on data obtained by quantifying the cyber threat from the at least one to the plurality of first persons respective information collected using the at least one to the plurality of questions and a time of at least one of the occurrence of the cyber terror-war and the exploitation before the cyber terror-war and the exploitation occurs are predicted on the basis of the most selected answer.

20. An intrusion detection system for quantifying a value within a low to a high range of values, which allows a user to take appropriate counter measures before a cyber threat occurs, the system comprising:
- a processor and a memory, the memory having stored thereon;
  
  an information collection-processing module for collecting and processing at least one of information on an intrusion detection event, statistical information on network traffic, cyber threat information of an Internet bulletin board, information from at least one to a plurality of first persons that predicts occurrence of the cyber threat before the cyber threat occurs;
  
  a engine sub-system for allowing the user to take the appropriate counter measures before the cyber threat occurs by using at least one of a time-series analysis method and a Delphi method according to the collected and processed information;
  
  a database (DB) management module for storing and managing the collected and processed information of the engine sub-system,wherein each of the at least one to the plurality of first persons provide the respective information that predicts occurrence of the cyber threat before the cyber threat occurs,wherein each of the at least one to the plurality of first persons respective information that predicts occurrence of the cyber threat before the cyber threat occurs is represented by a statistical value,wherein the statistical value is based on quantifying quantitative answers to at least one or more questions received from each of the at least one to the plurality of first persons respective opinion information on a degree of the occurrence of the cyber threat; and
  
  wherein the statistical value is configured based on quantifying quantitative answers to at least one or more questions received from each of the at least one to the plurality of first persons respective information to generate a degree of the predicted occurrence of the cyber threat before the cyber threat occurs,wherein the degree of the quantified quantitative answer ranges from a most selected answer to a least selected answer,wherein the questions are automatically generated from a user'"'"'s defined internet boards prior to generating the one or more questions,wherein each of the at least one to the plurality of first persons respective information that predicts occurrence of the cyber threat are pre-selected by the user in advance of receiving the questions,wherein the pre-selected first persons are selected by the user according the pre-selected first persons'"'"' expertise in the cyber threat, andwhere the internet boards are selected based on the cyber threat,a result display graphic user interface (GUI)-management module for displaying the prediction result of the prediction engine sub-system on a screen of the prediction of the frequency and time of the occurrence of the cyber threat at a future time in order for a user to prepare against the cyber threat to minimize damage from the cyber threat, and changing and managing configurations of the prediction engine sub-system and the information collection-processing module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nexway, Inc., Pizzlysoft Co., Ltd.
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
Yun, Joo Beom, Paek, Seung Hyun, Park, In Sung, Lee, Eun Young, Lee, Do Hoon, Oh, Hyung Geun
Primary Examiner(s)
Tran, Ellen

Application Number

US11/938,356
Publication Number

US 20080115221A1
Time in Patent Office

1,660 Days
Field of Search

726/22, 726/23, 726/25
US Class Current

726/25
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/145 the attack involving the pr...

System and method for predicting cyber threat

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for predicting cyber threat

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links