System and method for cyber security analysis and human behavior prediction
First Claim
1. A method for analyzing computer network security, comprising:
- establishing multiple nodes, where each node represents an actor, an event, a condition, or an attribute related to the network security;
- creating an estimate for each node that estimates the ease of realizing the event, condition, or attribute of the node;
- identifying attack paths based on attack vectors that may be used by an actor, where the attack paths represent a linkage of nodes that reach a condition of compromise of network security;
- calculating edge probabilities for the attack paths based on the estimates for each node along the attack path, where the node estimates and edge probabilities are determined by calculating a probability of likelihood for the nodes based on Markov Monte Carlo simulations of paths from an attacker to the nodes;
- generating an attack graph that identifies the easiest conditions of compromise of network security and the attack paths to achieving those conditions of compromise based on combined estimates of the ease of the attack paths and the application of actor attributes;
- where events and conditions on the attack graph are connected to observable nodes associated with physical sensors on the network, where the physical sensors predict the events and conditions; and
- detecting attacks on the computer network through a correlation of the observable nodes with the physical sensors.
Abstract
A method for analyzing computer network security has been developed. The method first establishes multiple nodes, where each node represents an actor, an event, a condition, or an attribute related to the network security. Next, an estimate is created for each node that reflects the ease of realizing the event, condition, or attribute of the node. Attack paths are identified that represent a linkage of nodes that reach a condition of compromise of network security. Next, edge probabilities are calculated for the attack paths. The edge probabilities are based on the estimates for each node along the attack path. Finally, an attack graph is generated that identifies the easiest conditions of compromise of network security and the attack paths to achieving those conditions.
12 Claims
1. A method for analyzing computer network security (independent claim 1, reproduced in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A method for analyzing computer network security, comprising:
- establishing multiple nodes, where each node represents an actor, an event, a condition, or an attribute related to the network security;
- establishing multiple edges representing progression, predicate, and requirement relationships;
- establishing nodes that are observed using sensors installed in the computer network and connected to events and conditions in an attack graph;
- creating an estimate for each node that estimates the ease of realizing the event, conditions associated with risks, or attribute of the node;
- identifying events and conditions to mitigate to prevent risks;
- identifying attack paths, where the attack paths represent a linkage of nodes that reach a risk;
- assigning node probabilities for the attack graph;
- calculating edge probabilities for the attack paths; and
- generating an attack graph that identifies the easiest conditions of compromise of network security and the attack paths to achieving those conditions of compromise based on combined estimates of the ease of the attack paths and the application of actor attributes, where events and conditions on the attack graph are observed using physical sensors installed in the computer network, and where the physical sensors are connected to observable nodes with edge probabilities; and
- detecting attacks on the computer network through a correlation of the observable nodes with the physical sensors.
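The abstract and claims 1 and 12 describe one pipeline: nodes with ease-of-realization estimates, progression edges, attack paths ending in a condition of compromise, edge probabilities derived from the node estimates (with a Monte Carlo simulation of paths from the attacker), selection of the easiest compromise, and finally correlation of observable nodes with sensors for detection. The following is an added worked example written for this page; it is not code from the patent or its assignee. The network model (node names, ease values, edges, and the sensor names `mail_gateway`, `smb_auth_monitor`, `waf`) is constructed for illustration, and the simulation treats each node as realized with its ease estimate once any predecessor is reached, which is one reading of the "probability of likelihood" in the claims, not the patent's stated method.

```python
"""Attack-graph risk analysis and sensor correlation (constructed example)."""
import random
from typing import Dict, List, Tuple

# Constructed, hypothetical model: node -> (kind, ease-of-realization estimate in [0, 1])
NODES: Dict[str, Tuple[str, float]] = {
    "attacker": ("actor", 1.0),
    "phishing_email_opened": ("event", 0.6),
    "vpn_credential_guessed": ("event", 0.2),
    "workstation_foothold": ("condition", 0.7),
    "lateral_move_to_fileserver": ("event", 0.5),
    "fileserver_compromised": ("compromise", 0.8),
    "web_sql_injection": ("event", 0.3),
    "database_compromised": ("compromise", 0.9),
}

# Progression edges (predecessor -> successor); constructed
EDGES: List[Tuple[str, str]] = [
    ("attacker", "phishing_email_opened"),
    ("attacker", "vpn_credential_guessed"),
    ("phishing_email_opened", "workstation_foothold"),
    ("vpn_credential_guessed", "workstation_foothold"),
    ("workstation_foothold", "lateral_move_to_fileserver"),
    ("lateral_move_to_fileserver", "fileserver_compromised"),
    ("workstation_foothold", "web_sql_injection"),
    ("attacker", "web_sql_injection"),
    ("web_sql_injection", "database_compromised"),
]

# Observable nodes -> the hypothetical physical sensor that reports them
SENSORS: Dict[str, str] = {
    "phishing_email_opened": "mail_gateway",
    "lateral_move_to_fileserver": "smb_auth_monitor",
    "web_sql_injection": "waf",
}


def successors(node: str) -> List[str]:
    return [dst for src, dst in EDGES if src == node]


def attack_paths(start: str = "attacker") -> List[List[str]]:
    """Enumerate simple paths from the actor to every condition of compromise."""
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if NODES[node][0] == "compromise":
            paths.append(list(path))
            return
        for nxt in successors(node):
            if nxt not in path:          # no cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(start, [start])
    return paths


def path_ease(path: List[str]) -> float:
    """Edge probability of a path: product of the node estimates along it."""
    p = 1.0
    for n in path:
        p *= NODES[n][1]
    return p


def easiest_compromise() -> List[Tuple[str, Tuple[float, List[str]]]]:
    """Rank each compromise condition by its single easiest attack path."""
    best: Dict[str, Tuple[float, List[str]]] = {}
    for path in attack_paths():
        target, p = path[-1], path_ease(path)
        if target not in best or p > best[target][0]:
            best[target] = (p, path)
    return sorted(best.items(), key=lambda kv: kv[1][0], reverse=True)


def monte_carlo_reach(trials: int = 20000, seed: int = 1) -> Dict[str, float]:
    """Estimate per-node reach probability over many random trials of the memoryless
    process: a node is realized with its ease estimate once any predecessor is reached."""
    rng = random.Random(seed)
    hits = {n: 0 for n in NODES}
    for _ in range(trials):
        realized = {n: rng.random() < ease for n, (_, ease) in NODES.items()}
        reached, frontier = {"attacker"}, ["attacker"]
        while frontier:
            cur = frontier.pop()
            for nxt in successors(cur):
                if realized[nxt] and nxt not in reached:
                    reached.add(nxt)
                    frontier.append(nxt)
        for n in reached:
            hits[n] += 1
    return {n: hits[n] / trials for n in NODES}


def correlate_alerts(alerts: set) -> List[Tuple[float, float, List[str]]]:
    """Detection step: score each attack path by the fraction of its observable nodes
    whose sensor is firing, then by the path's ease. Paths with no firing sensor are dropped."""
    scored = []
    for path in attack_paths():
        observable = [n for n in path if n in SENSORS]
        confirmed = [n for n in observable if SENSORS[n] in alerts]
        if confirmed:
            scored.append((len(confirmed) / len(observable), path_ease(path), path))
    return sorted(scored, reverse=True)
```

On this constructed graph the easiest compromise is the database via the direct web injection path (ease 0.3 × 0.9 = 0.27), even though the phishing path has the highest individual node estimate; the Monte Carlo estimate for the same node converges to the same 0.27 because the direct path dominates. Feeding the alerts `{"mail_gateway", "smb_auth_monitor"}` into `correlate_alerts` ranks the phishing-to-fileserver path first, since every observable node on it is confirmed by a sensor.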