Graphical models for cyber security analysis in enterprise networks

US 8,881,288 B1
Filed: 10/28/2009
Issued: 11/04/2014
Est. Priority Date: 10/28/2008
Status: Active Grant

First Claim

Patent Images

1. A method of generating graphical models for providing security analysis in computer networks including the steps of:

providing an enterprise computer network;

generating a type abstract graph independent of said particular network that models abstract dependency relationships among attributes and exploits using a software tool;

generating a network-specific attack graph by combining said type abstract graph with specific information regarding said network using the software tool;

monitoring an intruder alert; and

generating a real-time attack graph of the network by correlating the intruder alert with said network-specific attack graph using the software tool.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of generating graphical models for providing security analysis in computer networks that in one embodiment includes the steps of generating a type abstract graph independent of particular networks that models abstract dependency relationships among attributes and exploits; generating network-specific attack graphs by combining the type abstract graph with specific network information; monitoring an intruder alert; and generating a real-time attack graph by correlating the intruder alert with the network-specific attack graph. The real-time attack graph can be generated using reachability checking, bridging, and exploit prediction based on consequence alerts and may further include the step of calculating the likelihood of queries using a Bayesian network model. The method may also include the steps of inferring unobserved attacks that may have been missed by intrusion detection sensors, and projecting on which hosts and using what exploits additional intruder attacks may occur. The method may further include the step of comparing alternate actions by computation, wherein the alternate actions include the step of patching some vulnerabilities, and wherein the specific network information includes network topology. The specific network information may also include firewall rules.

Citations

44 Claims

1. A method of generating graphical models for providing security analysis in computer networks including the steps of:
- providing an enterprise computer network;
  
  generating a type abstract graph independent of said particular network that models abstract dependency relationships among attributes and exploits using a software tool;
  
  generating a network-specific attack graph by combining said type abstract graph with specific information regarding said network using the software tool;
  
  monitoring an intruder alert; and
  
  generating a real-time attack graph of the network by correlating the intruder alert with said network-specific attack graph using the software tool.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 2. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 1, wherein said real-time attack graph is generated using reachability checking, bridging, and exploit prediction based on consequence of alerts and wherein a new attack graph is not regenerated when new information is collected, but is changed locally.
  - 3. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 2, including the step of calculating the likelihood of queries.
  - 4. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 2, wherein the likelihood of queries is calculated using a Bayesian network model.
  - 5. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 4, further including the step of inferring unobserved attacks that may have been missed by intrusion detection sensors.
  - 6. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 1, wherein the network includes hosts and further including the step of projecting on which hosts and using what exploits additional intruder attacks may occur.
  - 7. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 6, further including the step of comparing alternate actions by computation.
  - 8. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 7, wherein the alternate actions include the step of patching some vulnerabilities.
  - 9. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 1, wherein said specific network information includes network topology.
  - 10. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 1, wherein said specific network information includes firewall rules.
  - 11. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 1, wherein said graphs enable static analysis.
  - 12. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 1, wherein said graphs enable situational awareness.
  - 13. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 1, wherein said graphs enable prediction of attacks.
  - 14. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 1, wherein said graphs enable action planning to subvert intruder attacks.
  - 15. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 1, wherein said graphs include sufficient semantics to provide real-time analysis, yet are scalable for network implementation.
  - 16. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 1, further including the step of mining attack data sets to provide information for said type abstract graph.
  - 17. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 1, including the step of providing views, awareness reports and recommendations.
  - 18. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 17, wherein one view is network topology.
  - 19. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 18, further including a future view which provides predictions of what might happen next and which hosts are likely targets.
  - 20. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 17, wherein the recommendations include static suggestions such as, which hosts are more vulnerable and dynamic recommendations such as given a particular situation, what is the best action to take.
  - 21. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 1, including the step of adding two state nodes and an edge to an empty graph when a first alert being a local exploit is raised.
  - 22. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 21, wherein the resulting graph will only show one host on the screen.
  - 23. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 1, including the step of adding three state nodes and two edges to the graph when a first alert is raised being a remote exploit.
  - 24. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 23, wherein the resulting graph will show two hosts on the screen.
  - 25. The method for generating graphical models for providing security analysis in computer networks as set forth in either claim 21 or claim 23, including the step of growing the graph when another alert is raised by reusing the existing state.
  - 26. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 25, wherein if the alert is a remote exploit, a reachability table is checked to determine if the exploit violates any reachability constraint, and if so, a low confidence level is assigned to the exploit indicating that the alert may be a false alert.
  - 27. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 25, wherein if a new alert is identified as an isolated island on the resulting graph, the network-specific attack graph is searched to determine if there is a potential bridge from the island to the mainland or to other islands.
  - 28. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 25, wherein if the alert is a consequence alert, new state nodes are added and the network-specific attack graph is searched to connect the new nodes to some existing nodes.
  - 29. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 28, further including the step of identifying bridges to connect the existing nodes with new states and after identifying the bridges, longer paths within the current graph are identified as a suspicious path.
  - 30. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 29, wherein longer paths are more likely to be a multiple-step attack, and further including the step of matching suspicious paths against the network-specific attack graph.
  - 31. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 30, wherein when a matched path is found, a graph is shown on both the suffix and prefix of the matched path wherein a suffix identifies what could happen next and a prefix identifies what has probably happened.
  - 32. The method for generating graphical models for providing security analysis in computer networks as set forth in claim 1, including the steps of an operator typing in a specific what-if question and the graph automatically changing to the real-time attack graph to show the answer.

33. A system for generating graphical models for providing security analysis in computer networks comprising:
- an enterprise computer network;
  
  a type abstract graph independent of said particular network that models abstract dependency relationships among attributes and exploits generated by a software tool; and
  
  a network-specific attack graph of said network based on said type abstract graph generated by a software tool, wherein the network-specific graph is at least partly defined by a reachability clause, a state clause of one or more hosts and a vulnerability clause.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 34. The system for generating graphical models for providing security analysis in computer networks as set forth in claim 33, wherein specific information about said network is combined with said type abstract graph to generate said network-specific attack graph.
  - 35. The system for generating graphical models for providing security analysis in computer networks as set forth in claim 33, wherein the system monitors for an intruder alert.
  - 36. The system for generating graphical models for providing security analysis in computer networks as set forth in claim 35, wherein the system generates a real-time attack graph by correlating the intruder alert with said network-specific attack graph.
  - 37. The system for generating graphical models for providing security analysis in computer networks as set forth in claim 33, wherein said specific network information includes network topology.
  - 38. The system for generating graphical models for providing security analysis in computer networks as set forth in claim 33, wherein said specific network information includes firewall rules.
  - 39. The system for generating graphical models for providing security analysis in computer networks as set forth in claim 33, wherein said graphs enable static analysis.
  - 40. The system for generating graphical models for providing security analysis in computer networks as set forth in claim 33, wherein said graphs enable situational awareness.
  - 41. The system for generating graphical models for providing security analysis in computer networks as set forth in claim 33, wherein said graphs enable prediction of attacks.
  - 42. The system for generating graphical models for providing security analysis in computer networks as set forth in claim 33, wherein said graphs also enable action planning to subvert intruder attacks.
  - 43. The system for generating graphical models for providing security analysis in computer networks as set forth in claim 35, wherein the software tool process includes:
  - 44. The system for generating graphical models for providing security analysis in computer networks as set forth in claim 35, wherein the software tool process includes:

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bluehalo Labs LLC
Original Assignee
Intelligent Automation, Inc.
Inventors
Liu, Peng, Levy, Renato, Li, Hongjun, Lyell, Margaret
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
VICTORIA, NARCISO F

Application Number

US12/589,738
Time in Patent Office

1,833 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

Graphical models for cyber security analysis in enterprise networks

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Graphical models for cyber security analysis in enterprise networks

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links