Probabilistic cyber threat recognition and prediction

US 9,367,694 B2
Filed: 05/16/2014
Issued: 06/14/2016
Est. Priority Date: 05/16/2014
Status: Active Grant

First Claim

Patent Images

1. A method for recognizing a cyber threat comprising:

determining, using a processor, a network layout of a network based on received network layout data, the network layout data indicating connections between a plurality of nodes of the network;

receiving cyber sensor data indicating actions performed on the plurality of nodes of the network;

determining that the cyber sensor data does not sufficiently match known cyber threat profiles;

determining, using an Interacting Multiple Model (IMM), one or more hybrid cyber threat profiles, the hybrid cyber threat profiles including a combination of portions of two or more of the known cyber threat profiles, each of the hybrid cyber threat profiles and the known cyber threat profiles indicating evidence left behind by an associated cyber threat and hybrid cyber threat, respectively, wherein the evidence includes two or more of a security or application log being created, a login attempt, a file or program being accessed, a program being run, determining a layout of at least a portion of the network, scanning, enumeration, gaining access to the network, escalating a user'"'"'s privilege status;

calculating, using the processor, a first score associated with the cyber sensor data indicating that the hybrid cyber threat is present in the network by comparing the cyber threat profile of the hybrid cyber threat to actions performed on the network as indicated by the cyber sensor data; and

determining that the hybrid cyber threat is present in response to determining the calculated first score is greater than a specified threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Generally discussed herein are systems, apparatuses, or processes to recognize that a cyber threat exists or predict a future track of a cyber threat in a network. According to an example, a process for recognizing a cyber threat can include (1) determining a network layout of a network based on received network layout data, (2) receiving cyber sensor data indicating actions performed on the network, (3) calculating a first score associated with the cyber sensor data indicating that a cyber threat is present in the network by comparing a cyber threat profile of the cyber threat that details actions performed by the cyber threat to actions indicated by the cyber sensor data, (4) determining whether the calculated first score is greater than a specified threshold, or (5) determining that the cyber threat is present in response to determining the calculated first score is greater than the specified threshold.

28 Citations

View as Search Results

17 Claims

1. A method for recognizing a cyber threat comprising:
- determining, using a processor, a network layout of a network based on received network layout data, the network layout data indicating connections between a plurality of nodes of the network;
  
  receiving cyber sensor data indicating actions performed on the plurality of nodes of the network;
  
  determining that the cyber sensor data does not sufficiently match known cyber threat profiles;
  
  determining, using an Interacting Multiple Model (IMM), one or more hybrid cyber threat profiles, the hybrid cyber threat profiles including a combination of portions of two or more of the known cyber threat profiles, each of the hybrid cyber threat profiles and the known cyber threat profiles indicating evidence left behind by an associated cyber threat and hybrid cyber threat, respectively, wherein the evidence includes two or more of a security or application log being created, a login attempt, a file or program being accessed, a program being run, determining a layout of at least a portion of the network, scanning, enumeration, gaining access to the network, escalating a user'"'"'s privilege status;
  
  calculating, using the processor, a first score associated with the cyber sensor data indicating that the hybrid cyber threat is present in the network by comparing the cyber threat profile of the hybrid cyber threat to actions performed on the network as indicated by the cyber sensor data; and
  
  determining that the hybrid cyber threat is present in response to determining the calculated first score is greater than a specified threshold.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - determining a vulnerability of a node of the plurality of nodes of the network and modifying the first score based on the proximity of the cyber threat to the vulnerability and based on the cyber threat being known to exploit the determined vulnerability.
  - 3. The method of claim 2, further comprising:
    - probabilistically determining, using Multiple Hypothesis Tracking (MHT) and a Kalman filtering, a future track of the cyber threat based on the network layout, the hybrid cyber threat profile despite missing evidence as indicated in the hybrid cyber threat profile, and the determined vulnerability, wherein a second score of a given future track is weighted based on the cyber threat profile, the network layout, and an importance of the node to the performance of the network, the future track indicating a next node and action to be taken on the next node by the cyber threat.
  - 4. The method of claim 3, wherein calculating the first score associated with the cyber sensor data indicating that a cyber threat is present in the network includes calculating, using a Kalman filter, the first score despite missing cyber sensor data that is expected to be detected from the cyber threat as detailed in the cyber threat profile.
  - 5. The method of claim 4, further comprising determining a fourth score indicating that multiple cyber threats are present in the network based on the cyber sensor data using a multiple hypothesis management process.
  - 6. The method of claim 5, wherein the cyber threat profile includes information detailing relative timing of when the evidence is left behind, and time between pieces of evidence being left behind, and the first score is further determined by comparing the time between cyber threat actions indicated by the cyber sensor data to the time range between corresponding actions detailed in the cyber threat profile.

7. A system for recognizing a cyber threat is present in a device network comprising:
- a network layout and vulnerability ingest module executable by one or more processors and configured to determine a network layout of the network based on received network layout data, the network layout data indicating connections between a plurality of nodes of the network;
  
  a cyber sensor data module executable by the one or more processors and configured to receive cyber sensor data indicating actions performed on the plurality of nodes of the network; and
  
  a prediction engine configured to;
  
  determine that the cyber sensor data does not sufficiently match known cyber threat profiles;
  
  determine, using an Interacting Multiple Model (IMM), one or more hybrid cyber threat profiles, the hybrid cyber threat profiles including a combination of portions of two or more of the known cyber threat profiles, each of the hybrid cyber threat profiles and the known cyber threat profiles indicating evidence left behind by an associated cyber threat and hybrid cyber threat, respectively, wherein the evidence includes two or more of a security or application log being created, a login attempt, a file or program being accessed, a program being run, determining a layout of at least a portion of the network, scanning, enumeration, gaining access to the network, and escalating a user'"'"'s privilege status;
  
  calculate a first score associated with the cyber sensor data indicating that the hybrid cyber threat is present in the network by comparing the cyber threat profile of the hybrid cyber to actions performed on the network as indicated by the cyber sensor data;
  
  anddetermine that the hybrid cyber threat is present in response to determining the calculated first score is greater than a specified threshold.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the network layout and vulnerability ingest module is further configured to determine a vulnerability of a node of the plurality of nodes of the network, and wherein the prediction engine is further configured to modify the first score based on the proximity of the cyber threat to the vulnerability and based on the cyber threat being known to exploit the determined vulnerability.
  - 9. The system of claim 8, wherein the prediction engine is further configured to probabilistically determine, using Multiple Hypothesis Tracking (MHT) and a Kalman filtering process, a future track of the cyber threat based on the network layout, the hybrid cyber threat profile despite missing evidence as indicated in the hybrid cyber threat profile, and the determined vulnerability, wherein the prediction engine is further configured to weight a second score of a given future track based on the cyber threat profile, the network layout, and an importance of the node to the performance of the network, the future track indicating a next node and action to be taken on the next node by the cyber threat.
  - 10. The system of claim 9, wherein the prediction engine configured to calculate the first score associated with the cyber sensor data indicating that a cyber threat is present in the network includes the prediction engine configured to calculate, using a Kalman filter, the first score despite missing cyber sensor data that is expected to be detected from the cyber threat as detailed in the cyber threat profile.
  - 11. The system of claim 10, wherein the prediction engine is further configured to determine, using a multiple hypothesis management process, a fourth score indicating that multiple cyber threats are present in the network based on the cyber sensor data and a plurality of cyber threat profiles.
  - 12. The system of claim 7, wherein the cyber threat profile includes information detailing relative timing of when the evidence is left behind, and a time range between pieces of evidence being left behind, and the prediction engine is further configured to determine the first score by comparing the time between cyber threat actions indicated by the cyber sensor data to the time range between corresponding pieces of evidence detailed in the cyber threat profile.

13. A non-transitory computer readable storage device including instructions for determining whether a cyber threat is present in a device network stored thereon, the instructions, which when executed by a machine, cause the machine to perform operations comprising:
- receiving data detailing a network layout of the network, the network layout data indicating connections between a plurality of nodes of the network;
  
  receiving cyber sensor data indicating actions performed on the plurality of nodes of the network;
  
  determining that the cyber sensor data does not sufficiently match known cyber threat profiles;
  
  determining, using an Interacting Multiple Model (IMM), one or more hybrid cyber threat profiles, the hybrid cyber threat profiles including a combination of portions of two or more of the known cyber threat profiles, each of the hybrid cyber threat profiles and the known cyber threat profiles indicating evidence left behind by an associated cyber threat and hybrid cyber threat, respectively, wherein the evidence includes two or more of a security or application log being created, a login attempt, a file or program being accessed, a program being run, determining a layout of at least a portion of the network, scanning, enumeration, gaining access to the network, escalating a user'"'"'s privilege status;
  
  calculating, using the processor, a first score associated with the cyber sensor data indicating that the hybrid cyber threat is present in the network by comparing the cyber threat profile of the hybrid cyber threat to actions performed on the network as indicated by the cyber sensor data; and
  
  determining that the hybrid cyber threat is present in response to determining the calculated first score is greater than a specified threshold.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer readable storage device of claim 13, further comprising instructions stored thereon, which when executed by the machine, cause the machine to perform operations comprising:
    - receiving data detailing a vulnerability of a node of the plurality of nodes of the network and modifying the first score based on the proximity of the cyber threat to the vulnerability and based on the cyber threat being known to exploit the determined vulnerability.
  - 15. The computer readable storage device of claim 14, further comprising instructions stored thereon, which, when executed by the machine, cause the machine to perform operations comprising:
    - probabilistically determining, using Multiple Hypothesis Tracking (MHT) and a Kalman filtering process, a future track of the cyber threat based on the network layout, the hybrid cyber threat profile, and the determined vulnerability, wherein a second score of a given future track is weighted based on the cyber threat profile, the network layout, and an importance of the node to the performance of the network, the future track indicating a next node and action to be taken on the next node by the cyber threat.
  - 16. The computer readable storage device of claim 15, wherein the instructions for calculating the score associated with the cyber sensor data indicating that a cyber threat is present in the network include instructions, which when executed by the machine, cause the machine to perform operations comprising calculating, using a Kalman filter, the first score despite missing cyber sensor data that is expected to be detected from the cyber threat as detailed in the cyber threat profile.
  - 17. The computer readable storage device of claim 14, wherein the cyber threat profile includes information detailing relative timing of when the evidence is left behind, and time between pieces of evidence being left behind, and wherein the instructions for determining the first score further include instructions, which when executed by the machine, cause the machine to perform operations comprising determining the first score by comparing the time between cyber threat actions indicated by the cyber sensor data to the time range between corresponding evidence detailed in the cyber threat profile.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Raytheon BBN Technlogies Corp. (Rtx Corporation)
Original Assignee
Raytheon BBN Technlogies Corp. (Rtx Corporation)
Inventors
Eck, Christopher R., Hassell, Suzanne P., Mastropietro, Brian J., Beraud, Paul F. III
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US14/279,869
Publication Number

US 20150332054A1
Time in Patent Office

760 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Probabilistic cyber threat recognition and prediction

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Probabilistic cyber threat recognition and prediction

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links