Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing
Abstract
A system defines at least one key event to be monitored by at least one agent, and creates a graphical model for the at least one key event. The system observes the at least one key event. The system infers a degree of attack on the computer system based on an observation of the at least one key event in conjunction with a result of an effect the at least one key event has on the graphical model. The system then adjusts a security policy based on an output of the graphical model.
15 Claims

1. A computerized method, comprising:
at a client security agent:
initializing probability settings, based on information about known types of security attacks and representing an initial level of a security policy;
detecting an occurrence of a key event from a plurality of key events and collecting event data that represent effects caused by the occurrence of the key event;
selecting one or more first rules that take into consideration the effects caused by the occurrence of the key event, and applying the one or more first rules to the collected event data to compute one or more event result values;
in response to determining that the one or more event result values exceeded one or more corresponding threshold values, modifying the probability settings to increase the level of the security policy above the initial level, applying one or more second rules to the modified probability settings and determining whether a new type of security attack has occurred;
wherein the one or more corresponding threshold values represent respective percentages of probabilities that the new type of security attack is occurring;
wherein the method is performed by one or more computing devices.
Dependent claims: 2, 3, 4, 5.

6. An apparatus, comprising:
one or more processors;
a memory, encoded with one or more sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform:
initializing probability settings, based on information about known types of security attacks and representing an initial level of a security policy;
detecting an occurrence of a key event from a plurality of key events and collecting event data that represent effects caused by the occurrence of the key event;
selecting one or more first rules that take into consideration the effects caused by the occurrence of the key event, and applying the one or more first rules to the collected event data to compute one or more event result values;
in response to determining that the one or more event result values exceeded one or more corresponding threshold values, modifying the probability settings to increase the level of the security policy above the initial level, applying one or more second rules to the modified probability settings and determining whether a new type of security attack has occurred;
wherein the one or more corresponding threshold values represent respective percentages of probabilities that the new type of security attack is occurring.
Dependent claims: 7, 8, 9, 10.

11. A non-transitory computer readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, cause the one or more processors to perform:
initializing probability settings, based on information about known types of security attacks and representing an initial level of a security policy;
detecting an occurrence of a key event from a plurality of key events and collecting event data that represent effects caused by the occurrence of the key event;
selecting one or more first rules that take into consideration the effects caused by the occurrence of the key event, and applying the one or more first rules to the collected event data to compute one or more event result values;
in response to determining that the one or more event result values exceeded one or more corresponding threshold values, modifying the probability settings to increase the level of the security policy above the initial level, applying one or more second rules to the modified probability settings and determining whether a new type of security attack has occurred;
wherein the one or more corresponding threshold values represent percentages of probabilities that the new type of security attack is occurring.
Dependent claims: 12, 13, 14, 15.
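The independent claims describe one control loop: initialise probability settings from known attack types, collect the data a key event produces, apply first rules to get event result values, compare those against thresholds expressed as percentage probabilities, raise the policy level and the probability settings when a threshold is exceeded, and then apply second rules to the modified settings to decide whether a new type of attack is present. The following is an added example written for this page, not code from the patent or its assignee. The attack types, key events, rule functions, threshold values, priors and the sample log are all constructed for illustration; the graphical model mentioned in the abstract is not modelled here.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed knowledge base: each known attack type and the key events it produces.
KNOWN_ATTACKS: Dict[str, Set[str]] = {
    "brute_force": {"auth_failure"},
    "port_scan": {"port_contact"},
    "beacon": {"outbound_connect"},
}
INITIAL_PRIOR = 0.05   # constructed 5 % prior for every known attack type
MAX_POLICY_LEVEL = 3

# Thresholds per key event, as percentage probabilities (constructed values).
THRESHOLDS: Dict[str, float] = {
    "auth_failure": 60.0,
    "port_contact": 50.0,
    "outbound_connect": 70.0,
}


@dataclass
class ProbabilitySettings:
    attack_prob: Dict[str, float]                           # current probability per known attack type
    policy_level: int = 0                                   # 0 = initial posture, higher = stricter
    elevated_events: Set[str] = field(default_factory=set)  # key events that exceeded their threshold


def initialize_probability_settings() -> ProbabilitySettings:
    """Priors derived from information about known attack types; policy at its initial level."""
    return ProbabilitySettings({a: INITIAL_PRIOR for a in KNOWN_ATTACKS})


def collect_event_data(log: List[dict], key_event: str) -> List[dict]:
    """Records that represent the effects of one key event."""
    return [r for r in log if r["event"] == key_event]


# First rules: each maps collected event data to an event result value in 0..100 %.
def rule_auth_failure(data: List[dict]) -> float:
    """Repeated failures from a single source: 10 % per failure, capped at 100 %."""
    worst = max(Counter(r["src"] for r in data).values(), default=0)
    return min(100.0, 10.0 * worst)


def rule_port_contact(data: List[dict]) -> float:
    """Many distinct (source, port) pairs: 5 % per pair, capped at 100 %."""
    return min(100.0, 5.0 * len({(r["src"], r["dport"]) for r in data}))


def rule_outbound_connect(data: List[dict]) -> float:
    """Evenly spaced connections (low jitter between timestamps) score high."""
    ts = sorted(r["ts"] for r in data)
    if len(ts) < 3:
        return 0.0
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return 90.0 if max(gaps) - min(gaps) <= 2 else 20.0


FIRST_RULES: Dict[str, Callable[[List[dict]], float]] = {
    "auth_failure": rule_auth_failure,
    "port_contact": rule_port_contact,
    "outbound_connect": rule_outbound_connect,
}


def apply_second_rules(settings: ProbabilitySettings) -> bool:
    """Second rule: elevated key events that fit no single known attack signature
    indicate a new type of attack (constructed rule)."""
    if not settings.elevated_events:
        return False
    return not any(settings.elevated_events <= sig for sig in KNOWN_ATTACKS.values())


def reposture(settings: ProbabilitySettings, log: List[dict], key_event: str) -> bool:
    """One pass of the loop for one key event; True if a new attack type is suspected."""
    result = FIRST_RULES[key_event](collect_event_data(log, key_event))
    if result <= THRESHOLDS[key_event]:
        return False                               # below threshold: posture unchanged
    for attack, events in KNOWN_ATTACKS.items():   # raise probabilities for attacks producing this event
        if key_event in events:
            settings.attack_prob[attack] = max(settings.attack_prob[attack], result / 100.0)
    settings.elevated_events.add(key_event)
    settings.policy_level = min(MAX_POLICY_LEVEL, settings.policy_level + 1)
    return apply_second_rules(settings)


# Constructed sample log: 7 failed logins from one host, two ordinary port contacts,
# and four outbound connections spaced about 60 s apart.
SAMPLE_LOG: List[dict] = (
    [{"event": "auth_failure", "src": "10.0.0.7", "ts": 100 + i} for i in range(7)]
    + [{"event": "port_contact", "src": "10.0.0.7", "dport": p, "ts": 110} for p in (22, 80)]
    + [{"event": "outbound_connect", "src": "10.0.0.7", "dst": "203.0.113.9", "ts": t}
       for t in (0, 60, 120, 181)]
)


def run(log: List[dict]) -> ProbabilitySettings:
    """Process every key event once and return the final settings."""
    settings = initialize_probability_settings()
    for key_event in FIRST_RULES:
        if reposture(settings, log, key_event):
            print(f"new attack type suspected; policy level {settings.policy_level}")
    return settings


if __name__ == "__main__":
    print(run(SAMPLE_LOG))
```

On the sample log the failed logins exceed the 60 % threshold, which raises the policy level and the brute-force probability but matches a known signature, so no new attack type is reported; the port contacts stay below threshold; the periodic outbound connections then trip the 70 % threshold, and because the combined set of elevated events matches no single known signature the second rule reports a new attack type at policy level 2. Thresholds here are percentages of probability, as the claims state, so the first rules must return values on that scale for the comparison to be meaningful.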