Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing

US 8,255,995 B2
Filed: 05/27/2010
Issued: 08/28/2012
Est. Priority Date: 12/16/2005
Status: Active Grant

First Claim

Patent Images

1. A computerized method, comprising:

at a client security agent;

initializing probability settings, based on information about known types of security attacks and representing an initial level of a security policy;

detecting an occurrence of a key event from a plurality of key events and collecting event data that represent effects caused by the occurrence of the key event;

selecting one or more first rules that take into consideration the effects caused by the occurrence of the key event, and applying the one or more first rules to the collected event data to compute one or more event result values;

in response to determining that the one or more event result values exceeded one or more corresponding threshold values, modifying the probability settings to increase the level of the security policy above the initial level, applying one or more second rules to the modified probability settings and determining whether a new type of security attack has occurred;

wherein the one or more corresponding threshold values represent respective percentages of probabilities that the new type of security attack is occurring;

wherein the method is performed by one or more computing devices.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system defines at least one key event to be monitored by at least one agent, and creates a graphical model for the at least one key event. The system observes the at least one key event. The system infers a degree of attack on the computer system based on an observation of the at least one key event in conjunction with a result of an effect the at least one key event has on the graphical model. The system then adjusts a security policy based on an output of the graphical model.

90 Citations

View as Search Results

15 Claims

1. A computerized method, comprising:
- at a client security agent;
  
  initializing probability settings, based on information about known types of security attacks and representing an initial level of a security policy;
  
  detecting an occurrence of a key event from a plurality of key events and collecting event data that represent effects caused by the occurrence of the key event;
  
  selecting one or more first rules that take into consideration the effects caused by the occurrence of the key event, and applying the one or more first rules to the collected event data to compute one or more event result values;
  
  in response to determining that the one or more event result values exceeded one or more corresponding threshold values, modifying the probability settings to increase the level of the security policy above the initial level, applying one or more second rules to the modified probability settings and determining whether a new type of security attack has occurred;
  
  wherein the one or more corresponding threshold values represent respective percentages of probabilities that the new type of security attack is occurring;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the plurality of key events comprises any of:
    - a system call, a buffer overflow, an instance of downloaded content, an instance of CPU utilization, at least one network connection, a process exception, a system configuration modification, an instance of a new software program installation, an instance of a new service installation, a first time instance of a application invocation, an instance of mobile code execution, an instance of at least one root-kit detection, an instance of memory utilization, at least one transaction failure, and at least one loss of service.
  - 3. The method of claim 1, wherein applying the one or more first rules comprises assigning a weight to the key event.
  - 4. The method of claim 1, wherein modifying the probability settings comprises creating a Bayesian network model configured to detect a degree of attack, and denying an operation of a plurality of operations based, at least in part, on the modified probability settings.
  - 5. The method of claim 1, wherein detecting the occurrence of the key event comprises observing an order in which the key event occurred with respect to other events in the plurality of key events.

6. A apparatus, comprising:
- one or more processors;
  
  a memory, encoded with one or more sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform;
  
  initializing probability settings, based on information about known types of security attacks and representing an initial level of a security policy;
  
  detecting an occurrence of a key event from a plurality of key events and collecting event data that represent effects caused by the occurrence of the key event;
  
  selecting one or more first rules that take into consideration the effects caused by the occurrence of the key event, and applying the one or more first rules to the collected event data to compute one or more event result values;
  
  in response to determining that the one or more event result values exceeded one or more corresponding threshold values, modifying the probability settings to increase the level of the security policy above the initial level, applying one or more second rules to the modified probability settings and determining whether a new type of security attack has occurred;
  
  wherein the one or more corresponding threshold values represent respective percentages of probabilities that the new type of security attack is occurring.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus of claim 6, wherein the plurality of key events comprises any of:
    - a system call, a buffer overflow, an instance of downloaded content, an instance of CPU utilization, at least one network connection, a process exception, a system configuration modification, an instance of a new software program installation, an instance of a new service installation, a first time instance of a application invocation, an instance of mobile code execution, an instance of at least one root-kit detection, an instance of memory utilization, at least one transaction failure, and at least one loss of service.
  - 8. The apparatus of claim 6, wherein the memory is further encoded with instructions, which when executed, cause the one or more processors to perform assigning a weight to the key event.
  - 9. The apparatus of claim 6, wherein the memory is further encoded with instructions, which when executed, cause the one or more processors to perform creating a Bayesian network model configured to detect a degree of attack, and denying an operation of a plurality of operations based, at least in part, on the modified probability settings.
  - 10. The apparatus of claim 6, wherein the memory is further encoded with instructions, which when executed, cause the one or more processors to perform observing an order in which the key event occurred with respect to other events in the plurality of key events.

11. A non-transitory computer readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, cause the one or more processors to perform:
- initializing probability settings, based on information about known types of security attacks and representing an initial level of a security policy;
  
  detecting an occurrence of a key event from a plurality of key events and collecting event data that represent effects caused by the occurrence of the key event;
  
  selecting one or more first rules that take into consideration the effects caused by the occurrence of the key event, and applying the one or more first rules to the collected event data to compute one or more event result values;
  
  in response to determining that the one or more event result values exceeded one or more corresponding threshold values, modifying the probability settings to increase the level of the security policy above the initial level, applying one or more second rules to the modified probability settings and determining whether a new type of security attack has occurred;
  
  wherein the one or more corresponding threshold values represent percentages of probabilities that the new type of security attack is occurring.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory computer readable storage medium of claim 11, wherein the plurality of key events comprises any of:
    - a system call, a buffer overflow, an instance of downloaded content, an instance of CPU utilization, at least one network connection, a process exception, a system configuration modification, an instance of a new software program installation, an instance of a new service installation, a first time instance of a application invocation, an instance of mobile code execution, an instance of at least one root-kit detection, an instance of memory utilization, at least one transaction failure, and at least one loss of service.
  - 13. The non-transitory computer readable storage medium of claim 11, further comprising instructions, which when executed, cause assigning a weight to the key event.
  - 14. The non-transitory computer readable storage medium of claim 11, further comprising instructions, which when executed, cause creating a Bayesian network model configured to detect a degree of attack, and denying an operation of a plurality of operations based, at least in part, on the modified probability settings.
  - 15. The non-transitory computer readable storage medium of claim 11, further comprising instructions, which when executed, cause observing an order in which the key event occurred with respect to other events in the plurality of key events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kraemer, Jeffrey A., Zawadowskiy, Andrew
Primary Examiner(s)
ZIA, SYED

Application Number

US12/789,339
Publication Number

US 20100242111A1
Time in Patent Office

824 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links