Assessment of cyber threats

US 9,537,884 B1
Filed: 06/01/2016
Issued: 01/03/2017
Est. Priority Date: 06/01/2016
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more computers comprising one or more hardware processors;

one or more computer-readable media storing instructions that, when executed by the one or more computers, cause the one or more computers to perform operations comprising;

receiving, by the one or more computers, data indicating a time window having a beginning and an end;

accessing, by the one or more computers, data indicating at least one dynamic Bayesian network (DBN) that specifies relationships among (i) infrastructure nodes representing computing devices of an organization and a network connecting the computing devices, (ii) asset nodes indicating characteristics of assets of the organization, (iii) threat nodes representing computer-based threats including at least one selected from the group consisting of a virus, malware, a network intrusion, and a denial of service attack, and (iv) mitigation nodes representing threat mitigation measures of the organization;

performing, by the one or more computers, a plurality of simulations using the DBN, each simulation involving propagating data through the DBN for various time steps within the time window;

sampling, by the one or more computers, outcomes of the plurality of simulations according to the state of the DBN representing the end of the time window;

based on the sampled outcomes of the simulations, determining, by the one or more computers, a measure of impact of the computer-based threats to the organization over the time window; and

providing, by the one or more computers and for output to a user, a graphical representation of the determined measure of impact of the computer-based threats to the organization over the time window in a graphical user interface.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for assessing cyber threats. In some implementations, data indicating a time window is received. Data indicating at least one dynamic Bayesian network (DBN) is accessed. A plurality of simulations are performed using the DBN, and outcomes of the plurality of simulations are sampled according to the state of the DBN representing the end of the time window. Based on the sampled outcomes of the simulations, a measure of impact of the computer-based threats to the organization over the time window is determined. The determined measure is provided for output to a user.

Citations

20 Claims

1. A system comprising:
- one or more computers comprising one or more hardware processors;
  
  one or more computer-readable media storing instructions that, when executed by the one or more computers, cause the one or more computers to perform operations comprising;
  
  receiving, by the one or more computers, data indicating a time window having a beginning and an end;
  
  accessing, by the one or more computers, data indicating at least one dynamic Bayesian network (DBN) that specifies relationships among (i) infrastructure nodes representing computing devices of an organization and a network connecting the computing devices, (ii) asset nodes indicating characteristics of assets of the organization, (iii) threat nodes representing computer-based threats including at least one selected from the group consisting of a virus, malware, a network intrusion, and a denial of service attack, and (iv) mitigation nodes representing threat mitigation measures of the organization;
  
  performing, by the one or more computers, a plurality of simulations using the DBN, each simulation involving propagating data through the DBN for various time steps within the time window;
  
  sampling, by the one or more computers, outcomes of the plurality of simulations according to the state of the DBN representing the end of the time window;
  
  based on the sampled outcomes of the simulations, determining, by the one or more computers, a measure of impact of the computer-based threats to the organization over the time window; and
  
  providing, by the one or more computers and for output to a user, a graphical representation of the determined measure of impact of the computer-based threats to the organization over the time window in a graphical user interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein determining the measure of impact of the computer-based threats comprises determining a confidence interval for losses of the organization due to the computer-based threats.
  - 3. The system of claim 1, wherein each asset node has an amount of value assigned;
    - wherein performing the plurality of simulations comprises, for each of the plurality of the simulations, determining, based on parameters assigned to the threat nodes and the mitigation nodes, whether at least one of the computer-based threats is successful in accessing the asset nodes;
      
      wherein sampling outcomes of the plurality of simulations comprises, for each simulation, determining a combined amount of value for the asset nodes that were determined to be accessed by the computer-based threats during the simulation.
  - 4. The system of claim 1, wherein performing the plurality of simulations and sampling the outcomes comprise performing Monte Carlo simulations and sampling of the DBN.
  - 5. The system of claim 4, wherein the Monte Carlo simulations are conducted to determine a distribution of a total value that may be lost to the threats represented by the threat nodes, over the time window.
  - 6. The system of claim 1, wherein the operations further comprise:
    - determining a threshold value indicating a minimum level of accuracy; and
      
      determining a number of simulations needed to reach the minimum level of accuracy indicated by the threshold value; and
      
      wherein performing the plurality of simulations comprises performing at least the determined number of simulations.
  - 7. The system of claim 1, wherein a particular computer-based threat of the computer-based threats is represented in the DBN as a set of multiple threat nodes, each of the multiple threat nodes representing characteristics of a different stage.
  - 8. The system of claim 1, wherein the DBN represents a conditional probability distribution of each random variables is time-dependent for a discrete time index, and values determined for at least some of the nodes are conditioned on (i) the values of the node'"'"'s parents at a current time index, and (ii) values determined for the node for one or more prior time indexes.

9. A method performed by one or more computers, the method comprising:
- receiving, by the one or more computers, data indicating a time window having a beginning and an end;
  
  accessing, by the one or more computers, data indicating at least one dynamic Bayesian network (DBN) that specifies relationships among (i) infrastructure nodes representing computing devices of an organization and a network connecting the computing devices, (ii) asset nodes indicating characteristics of assets of the organization, (iii) threat nodes representing computer-based threats including at least one selected from the group consisting of a virus, malware, a network intrusion, and a denial of service attack, and (iv) mitigation nodes representing threat mitigation measures of the organization;
  
  performing, by the one or more computers, a plurality of simulations using the DBN, each simulation involving propagating data through the DBN for various time steps within the time window;
  
  sampling, by the one or more computers, outcomes of the plurality of simulations according to the state of the DBN representing the end of the time window;
  
  based on the sampled outcomes of the simulations, determining, by the one or more computers, a measure of impact of the computer-based threats to the organization over the time window; and
  
  providing, by the one or more computers and for output to a user, a graphical representation of the determined measure of impact of the computer-based threats to the organization over the time window in a graphical user interface.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein determining the measure of impact of the computer-based threats comprises determining a confidence interval for losses of the organization due to the computer-based threats.
  - 11. The method of claim 9, wherein each asset node has an amount of value assigned;
    - wherein performing the plurality of simulations comprises, for each of the plurality of the simulations, determining, based on parameters assigned to the threat nodes and the mitigation nodes, whether at least one of the computer-based threats is successful in accessing the asset nodes;
      
      wherein sampling outcomes of the plurality of simulations comprises, for each simulation, determining a combined amount of value for the asset nodes that were determined to be accessed by the computer-based threats during the simulation.
  - 12. The method of claim 9, wherein performing the plurality of simulations and sampling the outcomes comprise performing Monte Carlo simulations and sampling of the DBN.
  - 13. The method of claim 12, wherein the Monte Carlo simulations are conducted to determine a distribution of a total value that may be lost to the threats represented by the threat nodes, over the time window.
  - 14. The method of claim 9, wherein the operations further comprise:
    - determining a threshold value indicating a minimum level of accuracy; and
      
      determining a number of simulations needed to reach the minimum level of accuracy indicated by the threshold value; and
      
      wherein performing the plurality of simulations comprises performing at least the determined number of simulations.
  - 15. The method of claim 9, wherein a particular computer-based threat of the computer-based threats is represented in the DBN as a set of multiple threat nodes, each of the multiple threat nodes representing characteristics of a different stage.
  - 16. The method of claim 9, wherein the DBN represents a conditional probability distribution of each random variables is time-dependent for a discrete time index, and values determined for at least some of the nodes are conditioned on (i) the values of the node'"'"'s parents at a current time index, and (ii) values determined for the node for one or more prior time indexes.

17. A non-transitory computer-readable medium storing instructions that, when executed by one or more computers, cause the one or more computers to perform operations comprising:
- receiving, by the one or more computers, data indicating a time window having a beginning and an end;
  
  accessing, by the one or more computers, data indicating at least one dynamic Bayesian network (DBN) that specifies relationships among (i) infrastructure nodes representing computing devices of an organization and a network connecting the computing devices, (ii) asset nodes indicating characteristics of assets of the organization, (iii) threat nodes representing computer-based threats including at least one selected from the group consisting of a virus, malware, a network intrusion, and a denial of service attack, and (iv) mitigation nodes representing threat mitigation measures of the organization;
  
  performing, by the one or more computers, a plurality of simulations using the DBN, each simulation involving propagating data through the DBN for various time steps within the time window;
  
  sampling, by the one or more computers, outcomes of the plurality of simulations according to the state of the DBN representing the end of the time window;
  
  based on the sampled outcomes of the simulations, determining, by the one or more computers, a measure of impact of the computer-based threats to the organization over the time window; and
  
  providing, by the one or more computers and for output to a user, a graphical representation of the determined measure of impact of the computer-based threats to the organization over the time window in a graphical user interface.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable medium of claim 17, wherein determining the measure of impact of the computer-based threats comprises determining a confidence interval for losses of the organization due to the computer-based threats.
  - 19. The non-transitory computer-readable medium of claim 17, wherein each asset node has an amount of value assigned;
    - wherein performing the plurality of simulations comprises, for each of the plurality of the simulations, determining, based on parameters assigned to the threat nodes and the mitigation nodes, whether at least one of the computer-based threats is successful in accessing the asset nodes;
      
      wherein sampling outcomes of the plurality of simulations comprises, for each simulation, determining a combined amount of value for the asset nodes that were determined to be accessed by the computer-based threats during the simulation.
  - 20. The non-transitory computer-readable medium of claim 17, wherein performing the plurality of simulations and sampling the outcomes comprise performing Monte Carlo simulations and sampling of the DBN.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CyberPoint International, LLC
Original Assignee
CyberPoint International, LLC
Inventors
Raugas, Mark V., Ulrich, James L.
Primary Examiner(s)
Schwartz, Darren B

Application Number

US15/170,369
Time in Patent Office

216 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1433 Vulnerability analysis

H04L 63/1441 Countermeasures against mal...

Assessment of cyber threats

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Assessment of cyber threats

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links