Managing security configuration through machine learning, combinatorial optimization and attack graphs

US 8,683,546 B2
Filed: 01/26/2009
Issued: 03/25/2014
Est. Priority Date: 01/26/2009
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors; and

memory, communicatively coupled to the one or more processors, storing an analysis component configured to;

present a first plurality of security configuration changes to an administrator;

receive feedback from the administrator on each of the first plurality of security configuration changes, wherein the feedback received from the administrator includes an approval or a disapproval of each of the first plurality of security configuration changes;

analyze the feedback;

store the feedback received from the administrator including the approval or the disapproval of each of the first plurality of security configuration changes; and

generate a second plurality of security configuration changes based at least in part on the feedback received from the administrator and previously stored feedback received from the administrator, wherein the second plurality of security configuration changes are different from the first plurality of security configuration changes.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The claimed subject matter provides systems and/or methods that combat identity follow-on attacks. The system can include components for receiving a plurality of security configuration changes, selecting which of the changes included in the plurality of security changes to approve or disapprove, and based on which of the changes are approved or disapproved by an administrator, generating a further plurality of security configuration changes that the administrator can once again approve or disapprove until the administrator is satisfied with the security configuration changes.

Citations

20 Claims

1. A system comprising:
- one or more processors; and
  
  memory, communicatively coupled to the one or more processors, storing an analysis component configured to;
  
  present a first plurality of security configuration changes to an administrator;
  
  receive feedback from the administrator on each of the first plurality of security configuration changes, wherein the feedback received from the administrator includes an approval or a disapproval of each of the first plurality of security configuration changes;
  
  analyze the feedback;
  
  store the feedback received from the administrator including the approval or the disapproval of each of the first plurality of security configuration changes; and
  
  generate a second plurality of security configuration changes based at least in part on the feedback received from the administrator and previously stored feedback received from the administrator, wherein the second plurality of security configuration changes are different from the first plurality of security configuration changes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, the analysis component further configured to utilize the feedback received from the administrator to simulate approved changes of the first plurality of security configuration changes prior to generating the second plurality of security configuration changes.
  - 3. The system of claim 1, the analysis component constructs an attack graph that includes one or more of accounts, machines, or security groups, the one or more of accounts, machines, or security groups employed as a plurality of nodes in the attack graph, each of the plurality of nodes connected by one or more edges, the one or more edges created by directing the one or more edges from one or more machines to at least one of the one or more accounts or the one or more security groups.
  - 4. The system of claim 3, the analysis component performs a cut of the attack graph based at least in part on at least one of a relative edge distance assigned to each of the one or more edges or a density of the one or more edges that interconnect the one or more machines to the one or more accounts or to the one or more security groups.
  - 5. The system of claim 4, the analysis component associates a cost to each of the one or more edges, the cost associated with each of the one or more edges based at least in part on the feedback supplied by the administrator, the cost learned via a machine learning algorithm.
  - 6. The system of claim 1, the analysis component constructs an attack graph that includes one or more security groups nested hierarchically.
  - 7. The system of claim 1, the analysis component further configured to present the second plurality of security configuration changes to the administrator for additional feedback.
  - 8. The system of claim 1, the analysis component further configured to simulate the second plurality of security configuration changes.

9. A method comprising:
- executing an analysis component by a processor of a machine to generate a plurality of security configuration changes;
  
  receiving feedback in the form of an approval or a disapproval from an administrator of each change included in the plurality of security configuration changes;
  
  employing machine learning to learn new security configuration changes based on the received feedback and previously stored feedback from the administrator; and
  
  generating a further plurality of security configuration changes based at least in part on the machine learning, wherein the further plurality of security configuration changes includes the new security configuration changes learned from employing the machine learning.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, further comprising simulating the approved security configuration changes.
  - 11. The method of claim 9, the further plurality of security configuration changes determined based on an attack graph.
  - 12. The method of claim 11, the attack graph includes an account, a machine, or a security group, wherein the account, the machine, or the security group forms a node in the attack graph.
  - 13. The method of claim 12, the nodes in the attack graph connected by one or more edge that points from at least one of the account or the security group to the machine.
  - 14. The method of claim 13, wherein the one or more edge is associated with a cost, wherein the cost is assigned a value based at least in part on the feedback received from the administrator.
  - 15. The method of claim 12, the nodes in the attack graph connected by one or more edge from the account to the security group.
  - 16. The method of claim 12, wherein the security group forms a nested hierarchy with an additional security group.
  - 17. The method of claim 9, further comprising:
    - receiving additional feedback in the form of an approval or a disapproval from the administrator of each change included in the further plurality of security configuration changes;
      
      simulating each of the further plurality of security configuration changes on an attack graph based on the additional feedback received; and
      
      employing the machine learning method to learn additional security configuration changes based on the feedback and the additional feedback from the administrator.

18. A system comprising:
- one or more processors; and
  
  memory, communicatively coupled to the one or more processors, storing an analysis component configured to;
  
  construct an attack graph with nodes made from accounts, machines, or security groups, the nodes connected by an edge, wherein the edge represents a control relationship;
  
  estimate an edge cost, the edge cost being used at least in part to determine removal of the edge from the attack graph;
  
  receive feedback from an administrator on a willingness to implement a security configuration change;
  
  re-estimate the edge cost based on the feedback received from the administrator;
  
  compare the estimated edge cost to the re-estimated edge cost;
  
  employ machine learning to learn, based on the comparison, new security configuration changes the administrator is likely to select next; and
  
  produce a plurality of cut proposals of the attack graph based at least in part on the re-estimated edge cost.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the re-estimated edge cost is further based on the machine learning.
  - 20. The system of claim 18, wherein the plurality of cut proposals of the attack graph is determined by a sparsest cut algorithm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dunagan, John D., Zheng, Alice Xiao-Zhou
Primary Examiner(s)
Smithers, Matthew

Application Number

US12/359,422
Publication Number

US 20100192195A1
Time in Patent Office

1,884 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

Managing security configuration through machine learning, combinatorial optimization and attack graphs

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Managing security configuration through machine learning, combinatorial optimization and attack graphs

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links