Probabilistic cyber threat recognition and prediction
Abstract
Generally discussed herein are systems, apparatuses, or processes to recognize that a cyber threat exists or predict a future track of a cyber threat in a network. According to an example, a process for recognizing a cyber threat can include (1) determining a network layout of a network based on received network layout data, (2) receiving cyber sensor data indicating actions performed on the network, (3) calculating a first score associated with the cyber sensor data indicating that a cyber threat is present in the network by comparing a cyber threat profile of the cyber threat that details actions performed by the cyber threat to actions indicated by the cyber sensor data, (4) determining whether the calculated first score is greater than a specified threshold, or (5) determining that the cyber threat is present in response to determining the calculated first score is greater than the specified threshold.
Claims (17 claims in total; the three independent claims 1, 7 and 13 are shown)

1. A method for recognizing a cyber threat comprising:
determining, using a processor, a network layout of a network based on received network layout data, the network layout data indicating connections between a plurality of nodes of the network;
receiving cyber sensor data indicating actions performed on the plurality of nodes of the network;
determining that the cyber sensor data does not sufficiently match known cyber threat profiles;
determining, using an Interacting Multiple Model (IMM), one or more hybrid cyber threat profiles, the hybrid cyber threat profiles including a combination of portions of two or more of the known cyber threat profiles, each of the hybrid cyber threat profiles and the known cyber threat profiles indicating evidence left behind by an associated cyber threat and hybrid cyber threat, respectively, wherein the evidence includes two or more of a security or application log being created, a login attempt, a file or program being accessed, a program being run, determining a layout of at least a portion of the network, scanning, enumeration, gaining access to the network, escalating a user's privilege status;
calculating, using the processor, a first score associated with the cyber sensor data indicating that the hybrid cyber threat is present in the network by comparing the cyber threat profile of the hybrid cyber threat to actions performed on the network as indicated by the cyber sensor data; and
determining that the hybrid cyber threat is present in response to determining the calculated first score is greater than a specified threshold.
(Dependent claims 2, 3, 4, 5 and 6 are not shown.)

7. A system for recognizing a cyber threat is present in a device network comprising:
a network layout and vulnerability ingest module executable by one or more processors and configured to determine a network layout of the network based on received network layout data, the network layout data indicating connections between a plurality of nodes of the network;
a cyber sensor data module executable by the one or more processors and configured to receive cyber sensor data indicating actions performed on the plurality of nodes of the network; and
a prediction engine configured to:
determine that the cyber sensor data does not sufficiently match known cyber threat profiles;
determine, using an Interacting Multiple Model (IMM), one or more hybrid cyber threat profiles, the hybrid cyber threat profiles including a combination of portions of two or more of the known cyber threat profiles, each of the hybrid cyber threat profiles and the known cyber threat profiles indicating evidence left behind by an associated cyber threat and hybrid cyber threat, respectively, wherein the evidence includes two or more of a security or application log being created, a login attempt, a file or program being accessed, a program being run, determining a layout of at least a portion of the network, scanning, enumeration, gaining access to the network, and escalating a user's privilege status;
calculate a first score associated with the cyber sensor data indicating that the hybrid cyber threat is present in the network by comparing the cyber threat profile of the hybrid cyber threat to actions performed on the network as indicated by the cyber sensor data; and
determine that the hybrid cyber threat is present in response to determining the calculated first score is greater than a specified threshold.
(Dependent claims 8, 9, 10, 11 and 12 are not shown.)

13. A non-transitory computer readable storage device including instructions for determining whether a cyber threat is present in a device network stored thereon, the instructions, which when executed by a machine, cause the machine to perform operations comprising:
receiving data detailing a network layout of the network, the network layout data indicating connections between a plurality of nodes of the network;
receiving cyber sensor data indicating actions performed on the plurality of nodes of the network;
determining that the cyber sensor data does not sufficiently match known cyber threat profiles;
determining, using an Interacting Multiple Model (IMM), one or more hybrid cyber threat profiles, the hybrid cyber threat profiles including a combination of portions of two or more of the known cyber threat profiles, each of the hybrid cyber threat profiles and the known cyber threat profiles indicating evidence left behind by an associated cyber threat and hybrid cyber threat, respectively, wherein the evidence includes two or more of a security or application log being created, a login attempt, a file or program being accessed, a program being run, determining a layout of at least a portion of the network, scanning, enumeration, gaining access to the network, escalating a user's privilege status;
calculating, using the processor, a first score associated with the cyber sensor data indicating that the hybrid cyber threat is present in the network by comparing the cyber threat profile of the hybrid cyber threat to actions performed on the network as indicated by the cyber sensor data; and
determining that the hybrid cyber threat is present in response to determining the calculated first score is greater than a specified threshold.
(Dependent claims 14, 15, 16 and 17 are not shown.)
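The independent claims above describe one recognition flow: ingest a network layout, collect sensor evidence from its nodes, score that evidence against known threat profiles, fall back to hybrid profiles assembled from portions of two or more known profiles when nothing matches well enough, and declare a threat when the best score exceeds a threshold. The following Python is an added illustration of that flow written for this page; it is not code from the patent or its assignee. It assumes a set-overlap (Jaccard) score and builds hybrids as plain unions of the evidence each parent profile shares with the observation; the patent claims an Interacting Multiple Model (IMM) for the hybrid step, which is not reproduced here. The profile names, evidence labels, network layout and sensor events are all constructed sample data.

```python
"""Illustrative profile-matching detector for the claimed recognition flow.

Added example, not the patent's own implementation. Scoring metric, hybrid
construction and all data below are assumptions made for this illustration.
"""
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Tuple

Profile = FrozenSet[str]

# Constructed network layout data: node -> set of directly connected nodes.
# The claims use the layout to scope sensor data to "nodes of the network";
# here that means events from unknown nodes are ignored.
NETWORK_LAYOUT: Dict[str, FrozenSet[str]] = {
    "ws1": frozenset({"srv1"}),
    "srv1": frozenset({"ws1", "db1"}),
    "db1": frozenset({"srv1"}),
}

# Constructed known threat profiles: the evidence each threat leaves behind,
# using the evidence kinds enumerated in the claims.
KNOWN_PROFILES: Dict[str, Profile] = {
    "recon_scanner": frozenset({"scanning", "enumeration", "layout_discovery"}),
    "credential_abuser": frozenset({"login_attempt", "gaining_access", "privilege_escalation"}),
    "payload_runner": frozenset({"file_accessed", "program_run", "app_log_created"}),
}


def observed_evidence(events: Iterable[Tuple[str, str]],
                      layout: Dict[str, FrozenSet[str]] = NETWORK_LAYOUT) -> Profile:
    """Reduce (node, action) sensor events to the set of evidence seen on known nodes."""
    return frozenset(action for node, action in events if node in layout)


def score(profile: Profile, observed: Profile) -> float:
    """Jaccard overlap between a profile and the observed evidence (assumed metric)."""
    if not profile or not observed:
        return 0.0
    return len(profile & observed) / len(profile | observed)


def best_match(observed: Profile, profiles: Dict[str, Profile]) -> Tuple[str, float]:
    """Return the (name, score) of the profile that best explains the observation."""
    return max(((name, score(p, observed)) for name, p in profiles.items()),
               key=lambda pair: pair[1])


def hybrid_profiles(profiles: Dict[str, Profile], observed: Profile) -> Dict[str, Profile]:
    """Build hybrids from portions of two or more known profiles.

    Assumption: the 'portion' taken from each parent is the evidence that parent
    shares with the observation, and every parent must contribute at least one
    item, so a hybrid never contains evidence no known profile explains.
    """
    hybrids: Dict[str, Profile] = {}
    names = sorted(profiles)
    for k in range(2, len(names) + 1):
        for combo in combinations(names, k):
            portions = [profiles[n] & observed for n in combo]
            if any(not portion for portion in portions):
                continue
            hybrids["+".join(combo)] = frozenset().union(*portions)
    return hybrids


def recognize(events: List[Tuple[str, str]], threshold: float = 0.8) -> Tuple[str, float, bool]:
    """Apply the claimed decision flow; returns (profile_name, first_score, threat_present)."""
    observed = observed_evidence(events)
    name, first_score = best_match(observed, KNOWN_PROFILES)
    if first_score > threshold:
        return name, first_score, True
    # Known profiles do not sufficiently match: try hybrid profiles.
    hybrids = hybrid_profiles(KNOWN_PROFILES, observed)
    if hybrids:
        hybrid_name, hybrid_score = best_match(observed, hybrids)
        if hybrid_score > first_score:
            name, first_score = hybrid_name, hybrid_score
    return name, first_score, first_score > threshold


if __name__ == "__main__":
    # Constructed sensor events: recon on ws1 followed by credential abuse on srv1,
    # plus one event from a node outside the known layout.
    sample_events = [
        ("ws1", "scanning"), ("ws1", "enumeration"),
        ("srv1", "login_attempt"), ("srv1", "gaining_access"),
        ("srv1", "privilege_escalation"), ("rogue9", "program_run"),
    ]
    print(recognize(sample_events))
```

With the constructed events, no single known profile scores above 0.8 (the credential profile reaches 0.6), but the hybrid of the recon and credential profiles explains every observed item and scores 1.0, so the threat is reported under the hybrid name. A single lone scanning event scores below the threshold and produces no hybrid, so it is not reported.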
Specification