Method for simulation aided security event management

US 8,407,798 B1
Filed: 09/08/2008
Issued: 03/26/2013
Est. Priority Date: 10/01/2002
Status: Active Grant

First Claim

Patent Images

1. A method for simulation aided security event management, the method comprises:

obtaining event data indicative of a security event identified by a computerized security event manager;

searching for a simulated attack step that resembles the security event; and

generating contextual information indicative of next attack steps and risk associated with the next attack steps in response to an attack simulation;

wherein the generating of the contextual information comprises extracting the contextual information from an attack simulation that determines possible multi-step attacks from start points to nodes and business assets within the network.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for simulation aided security event management, the method includes: generating attack simulation information that comprises multiple simulation data items of at least one data item type out of vulnerability instances data items, attack step data items and attack simulation scope data items; wherein the generating of attack simulation information is responsive to a network model, at least one attack starting point and attack action information; identifying security events in response to a correlation between simulation data items and event data; and prioritizing identified security events.

Citations

6 Claims

1. A method for simulation aided security event management, the method comprises:
- obtaining event data indicative of a security event identified by a computerized security event manager;
  
  searching for a simulated attack step that resembles the security event; and
  
  generating contextual information indicative of next attack steps and risk associated with the next attack steps in response to an attack simulation;
  
  wherein the generating of the contextual information comprises extracting the contextual information from an attack simulation that determines possible multi-step attacks from start points to nodes and business assets within the network.

2. A method for simulation aided security event management, the method comprises:
- obtaining event data indicative of a security event identified by a computerized security event manager;
  
  searching for a simulated attack step that resembles the security event; and
  
  generating contextual information indicative of next attack steps and risk associated with the next attack steps in response to an attack simulation;
  
  wherein the generating of the contextual information comprises extracting the contextual information from an attack graph that comprises graph nodes that represent attacker achievement, wherein transitions between the graph nodes represent attack steps or actions that enabled the attacker achievements.

3. A method for simulation aided security event management, the method comprises:
- obtaining event data indicative of a security event identified by a computerized security event manager;
  
  searching for a simulated attack step that resembles the security event;
  
  generating contextual information indicative of next attack steps and risk associated with the next attack steps in response to an attack simulation; and
  
  generating attack simulation information that comprises multiple simulation data items of at least one data item type out of vulnerability instances data items, attack step data items and attack simulation scope data items;
  
  wherein the generating of attack simulation information is responsive to a network model, at least one attack starting point and attack action information.

4. A computer program product that comprises a non-transitory computer readable medium that stores instructions for:
- obtaining event data indicative of a security event identified by a security event manager;
  
  searching for a simulated attack step that resembles the security event; and
  
  generating contextual information indicative of next attack steps and risk associated with the next attack steps in response to an attack simulation;
  
  wherein the computer readable medium stores instructions for extracting the contextual information from an attack simulation that determines possible multi-step attacks from start points to nodes and business assets within the network.

5. A computer program product that comprises a non-transitory computer readable medium that stores instructions for:
- obtaining event data indicative of a security event identified by a security event manager;
  
  searching for a simulated attack step that resembles the security event; and
  
  generating contextual information indicative of next attack steps and risk associated with the next attack steps in response to an attack simulation;
  
  wherein the computer readable medium stores instructions for extracting the contextual information from an attack graph that comprises graph nodes that represent attacker achievement, wherein transitions between the graph nodes represent attack steps or actions that enabled the attacker achievements.

6. A computer program product that comprises a non-transitory computer readable medium that stores instructions for:
- obtaining event data indicative of a security event identified by a security event manager;
  
  searching for a simulated attack step that resembles the security event; and
  
  generating contextual information indicative of next attack steps and risk associated with the next attack steps in response to an attack simulation;
  
  wherein the computer readable medium stores instructions for generating attack simulation information that comprises multiple simulation data items of at least one data item type out of vulnerability instances data items, attack step data items and attack simulation scope data items;
  
  wherein the generating of attack simulation information is responsive to a network model, at least one attack starting point and attack action information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Skybox Security, Inc.
Original Assignee
Skybox Security, Inc.
Inventors
Cohen, Gideon, Lotem, Amnon, Ban Naon, Lior
Primary Examiner(s)
Shan, April

Application Number

US12/206,076
Time in Patent Office

1,660 Days
Field of Search

726/4, 726/22, 726/25, 726/18, 726/21, 726/23, 726/24, 705 51- 54, 713189-194, 717174-178
US Class Current

726/25
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

Method for simulation aided security event management

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

6 Claims

Specification

Solutions

Use Cases

Quick Links

Method for simulation aided security event management

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

6 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links