Method for simulation aided security event management
Abstract
A method for simulation aided security event management, the method comprises: generating attack simulation information that comprises multiple simulation data items of at least one data item type out of vulnerability instances data items, attack step data items and attack simulation scope data items; wherein the generating of attack simulation information is responsive to a network model, at least one attack starting point and attack action information; identifying security events in response to a correlation between simulation data items and event data; and prioritizing identified security events.
18 Claims
1. A method for simulation aided security event management, the method comprises:
- generating and storing attack simulation information that comprises multiple simulation data items of at least one data item type out of vulnerability instances data items, attack step data items and attack simulation scope data items;
  wherein the generating of the attack simulation information is responsive to a network model, at least one attack starting point and attack action information;
- identifying security events in response to a correlation between simulation data items and event data;
- determining a confidence level for each of the identified security events;
- prioritizing the identified security events that have a confidence level that is above a confidence threshold while ignoring the identified security events that have a confidence level that is below the confidence threshold.
Dependent claims: 2, 3, 4.
5. A method for simulation aided security event management, the method comprises:
- generating a new attack starting point or updating an existing attack starting point in response to an identified security event that has a priority that exceeds a priority threshold;
  wherein security events are identified in response to a correlation between simulation data items and event data;
- determining a priority level for each of the identified security events;
- ignoring the identified security events that have a priority level below the priority threshold, while prioritizing the identified security events that have a priority level that exceeds the priority threshold;
- running an attack simulation which is based on a network model using the new attack starting point;
- storing attack simulation results; and
- analyzing risk and extracting contextual information.
6. A non-transitory computer readable medium that stores instructions for:
- generating attack simulation information that comprises multiple simulation data items of at least one data item type out of vulnerability instances data items, attack step data items and attack simulation scope data items;
  wherein the generating of attack simulation information is responsive to a network model, at least one attack starting point and attack action information;
- identifying security events in response to a correlation between simulation data items and event data;
- determining a confidence level for each of the identified security events;
- prioritizing the identified security events that have a confidence level that is above a confidence threshold while ignoring the identified security events that have a confidence level that is below the confidence threshold.
Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14.
15. A non-transitory computer readable medium that stores instructions for:
- generating a new attack starting point or updating an existing attack starting point in response to an identified security event that has a priority that exceeds a priority threshold;
  wherein security events are identified in response to a correlation between simulation data items and event data;
- determining a priority level for each of the identified security events;
- ignoring the identified security events that have a priority level below the priority threshold, while prioritizing the identified security events that have a priority level that exceeds the priority threshold;
- running an attack simulation which is based on a network model using the new attack starting point; and
- analyzing risk and extracting contextual information.
Dependent claims: 16, 17, 18.
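As an added illustration, not code from the patent or its assignee, the following toy Python sketches the procedure of claims 1 and 5: simulate attack steps and scope from a network model and a starting point, correlate each event with the simulation data items to obtain a confidence score, ignore events below the threshold, and turn the highest-priority events into new attack starting points for a re-run. The network model, vulnerability instances, weights, thresholds and sample events are constructed assumptions.

```python
# Constructed toy data (assumptions): network model as host -> reachable hosts,
# and vulnerability-instance data items as (host, placeholder vulnerability id).
NETWORK = {"web": {"app"}, "app": {"db"}, "db": set()}
VULNS = {("app", "VULN-A"), ("db", "VULN-B")}

# Correlation weights and thresholds are illustrative assumptions.
W_SCOPE, W_STEP, W_VULN = 3, 4, 3
CONFIDENCE_THRESHOLD = 5   # events at or below this score are ignored
PRIORITY_THRESHOLD = 8     # events above this score seed a new starting point


def simulate(network, start):
    """Attack simulation from one starting point: returns attack-step data items
    (src, dst) and the simulation scope (hosts the simulated attacker reaches)."""
    steps, scope, frontier = set(), {start}, [start]
    while frontier:
        src = frontier.pop()
        for dst in network[src]:
            steps.add((src, dst))
            if dst not in scope:
                scope.add(dst)
                frontier.append(dst)
    return steps, scope


def confidence(event, steps, scope, vulns):
    """Correlate one event with each simulation data item type; each match adds weight."""
    score = 0
    if event["dst"] in scope:                    # target lies inside the simulated scope
        score += W_SCOPE
    if (event["src"], event["dst"]) in steps:    # matches a simulated attack step
        score += W_STEP
    if (event["dst"], event["vuln"]) in vulns:   # matches a vulnerability instance
        score += W_VULN
    return score


def triage(events, network, start, vulns):
    """Score events, keep those above the confidence threshold (highest first),
    derive new starting points from high-priority ones and re-run the simulation."""
    steps, scope = simulate(network, start)
    scored = [(confidence(e, steps, scope, vulns), e) for e in events]
    prioritized = sorted((t for t in scored if t[0] > CONFIDENCE_THRESHOLD),
                         key=lambda t: t[0], reverse=True)
    new_starts = {e["dst"] for c, e in prioritized if c > PRIORITY_THRESHOLD}
    rerun = {s: simulate(network, s) for s in new_starts}   # claim 5 follow-up
    return prioritized, new_starts, rerun


# Constructed sample events: observed source, destination and vulnerability id.
EVENTS = [
    {"src": "web", "dst": "app", "vuln": "VULN-A"},  # scope+step+vuln -> 10
    {"src": "app", "dst": "db", "vuln": "VULN-X"},   # scope+step      -> 7
    {"src": "web", "dst": "db", "vuln": "VULN-B"},   # scope+vuln      -> 6
    {"src": "ext", "dst": "web", "vuln": "VULN-C"},  # scope only      -> 3, ignored
]
```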