Graph-based approach to deterring persistent security threats

US 8,813,234 B1
Filed: 06/29/2011
Issued: 08/19/2014
Est. Priority Date: 06/29/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising the steps of:

assigning attack-escalation states of a persistent security threat to respective nodes in a graph, wherein assigning attack-escalation states of the persistent security threat to respective nodes in the graph comprises assigning initial and final attack-escalation states to respective source and target nodes in the graph;

assigning defensive costs to respective edges in the graph for preventing transitions between pairs of the nodes, wherein the defensive costs represent costs for preventing respective attack actions;

computing a minimum cut of the graph to identify a set of one or more edges that if removed from the graph will prevent the persistent security threat from proceeding from the source node to the target node; and

determining a defensive strategy based on the minimum cut;

wherein a system comprising information technology infrastructure subject to the persistent security threat is configured in accordance with the defensive strategy in order to deter the persistent security threat; and

wherein the steps are performed by a processing device comprising a processor coupled to a memory.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processing device comprises a processor coupled to a memory and implements a graph-based approach to protection of a system comprising information technology infrastructure from a persistent security threat. Attack-escalation states of the persistent security threat are assigned to respective nodes in a graph, and defensive costs for preventing transitions between pairs of the nodes are assigned to respective edges in the graph. A minimum cut of the graph is computed, and a defensive strategy is determined based on the minimum cut. The system comprising information technology infrastructure subject to the persistent security threat is configured in accordance with the defensive strategy in order to deter the persistent security threat.

49 Citations

View as Search Results

20 Claims

1. A method comprising the steps of:
- assigning attack-escalation states of a persistent security threat to respective nodes in a graph, wherein assigning attack-escalation states of the persistent security threat to respective nodes in the graph comprises assigning initial and final attack-escalation states to respective source and target nodes in the graph;
  
  assigning defensive costs to respective edges in the graph for preventing transitions between pairs of the nodes, wherein the defensive costs represent costs for preventing respective attack actions;
  
  computing a minimum cut of the graph to identify a set of one or more edges that if removed from the graph will prevent the persistent security threat from proceeding from the source node to the target node; and
  
  determining a defensive strategy based on the minimum cut;
  
  wherein a system comprising information technology infrastructure subject to the persistent security threat is configured in accordance with the defensive strategy in order to deter the persistent security threat; and
  
  wherein the steps are performed by a processing device comprising a processor coupled to a memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 wherein the step of assigning attack-escalation states of the persistent security threat to respective nodes of a graph further comprisesassigning additional attack-escalation states to respective additional nodes of the graph between the source and target nodes.
  - 3. The method of claim 1 wherein the initial attack-escalation state comprises a state in which there is no compromise of the system.
  - 4. The method of claim 1 wherein the final attack-escalation state comprises a state in which a specified system resource is compromised.
  - 5. The method of claim 4 wherein the final attack-escalation state comprises a state in which designated sensitive information is extracted from the system.
  - 6. The method of claim 2 wherein the additional attack-escalation states comprise an infect virtual machine state and a compromise client machine state.
  - 7. The method of claim 6 wherein the nodes of the graph to which the respective infect virtual machine state and compromise client machine state are assigned are connected by at least one edge associated with opening an infected file at a particular time relative to a designated time after entry into the infect virtual machine state.
  - 8. The method of claim 7 wherein the nodes of the graph to which the respective infect virtual machine state and compromise client machine state are assigned are connected by a first edge associated with opening an infected file at a time that is less than the designated time after entry into the infect virtual machine state and by a second edge associated with opening an infected file at a time that is greater than the designated time after entry into the infect virtual machine state.
  - 9. The method of claim 8 wherein the defensive costs assigned to the first and second edges comprise costs of providing a log analysis defense and a re-hosting defense, respectively.
  - 10. The method of claim 6 wherein the nodes of the graph to which the respective initial attack-escalation state and the infect virtual machine state are assigned are connected by at least one edge associated with exploitation of a server.
  - 11. The method of claim 6 wherein the nodes of the graph to which the compromise client machine state and final attack-escalation state are assigned are connected by at least one edge associated with logging into a sensitive repository.
  - 12. The method of claim 11 wherein the defensive costs assigned to the edge associated with logging into a sensitive repository includes costs of providing an adaptive authentication defense.
  - 13. The method of claim 1 wherein the defensive costs assigned to respective edges of the graph are indicative of relative difficulties associated with preventing an attacker from advancing along the respective edges between pairs of nodes in the graph.
  - 14. The method of claim 1 wherein the processing device is implemented within the information technology infrastructure of the system.
  - 15. A computer program product comprising a non-transitory processor-readable storage medium having encoded therein executable code of one or more software programs, wherein the one or more software programs when executed by the processing device implement the steps of the method of claim 1.

16. An apparatus comprising:
- at least one processing device comprising a processor coupled to a memory;
  
  wherein the memory is configured to store information characterizing a graph in which attack-escalation states of a persistent security threat are assigned to respective nodes in the graph and defensive costs are assigned to respective edges in the graph for preventing transitions between pairs of the nodes;
  
  wherein the attack-escalation states of the persistent security threat that are assigned to respective nodes in the graph comprise initial and final attack-escalation states assigned to respective source and target nodes in the graph;
  
  wherein the defensive costs represent costs for preventing respective attack actions;
  
  wherein the processing device under control of the processor is operative;
  
  to compute a minimum cut of the graph to identify a set of one or more edges that if removed from the graph will prevent the persistent security threat from proceeding from the source node to the target node; and
  
  to determine a defensive strategy based on the minimum cut; and
  
  wherein a system comprising information technology infrastructure subject to the persistent security threat is configured in accordance with the defensive strategy in order to deter the persistent security threat.
- View Dependent Claims (17, 18)
- - 17. The apparatus of claim 16 wherein the processing device is implemented within the information technology infrastructure of the system.
  - 18. The apparatus of claim 16 wherein the information technology infrastructure comprises distributed virtual infrastructure of a cloud service provider.

19. An information processing system comprising:
- information technology infrastructure subject to a persistent security threat; and
  
  at least one processing device;
  
  wherein the processing device is configured;
  
  to assign attack-escalation states of the persistent security threat to respective nodes in a graph, the assigned attack-escalations states comprising initial and final attack-escalation states assigned to respective source and target nodes in the graph;
  
  to assign defensive costs to respective edges in the graph for preventing transitions between pairs of the nodes, the defensive costs representing costs for preventing respective attack actions;
  
  to compute a minimum cut of the graph to identify a set of one or more edges that if removed from the graph will prevent the persistent security threat from proceeding from the source node to the target node; and
  
  to determine a defensive strategy based on the minimum cut; and
  
  wherein the information technology infrastructure is configured in accordance with the defensive strategy in order to deter the persistent security threat.
- View Dependent Claims (20)
- - 20. The information processing system of claim 19 wherein the information technology infrastructure comprises at least one processing platform comprising a plurality of processing devices with each such processing device of the processing platform comprising a processor coupled to a memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Bowers, Kevin D., Juels, Ari, Oprea, Alina M., Rivest, Ronald L., Triandopoulos, Nikolaos, van Dijk, Marten E.
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
PARSONS, THEODORE C

Application Number

US13/171,759
Time in Patent Office

1,147 Days
Field of Search

726/25, 726/26
US Class Current

726/25
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Graph-based approach to deterring persistent security threats

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Graph-based approach to deterring persistent security threats

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others