Risk analysis engine
Abstract
In a risk analysis system, a risk analysis engine and a related method, incident information or activity information, which may be of a spatiotemporal nature, is analyzed. Behavioral patterns are identified in or derived from the incident information or the activity information. Observations are produced from matches of the behavioral patterns to behavior specifications. Based upon the observations, and asset vulnerability data, per-asset risks are derived.
17 Claims
1. A method for risk analysis, comprising:
- analyzing, by a processor coupled to a memory, at least one of incident information and activity information;
- identifying, by the processor, behavioral patterns by the analyzing of the one of incident information and the activity information;
- producing, by the processor, observations of patterns and anomalies based on matches of the behavioral patterns to behavior specifications;
- correlating, by the processor, the observations to asset vulnerability data to determine whether and how the observations affect a plurality of assets;
- calculating, by the processor, a risk score for each of the plurality of assets based upon a threat component, a vulnerability component, and a consequence component;
- deriving, by the processor, a per-asset risk for each of the plurality of assets based upon the correlation of the observations to the asset vulnerability data and by applying each risk score to each per-asset risk based on a common asset of the plurality of assets;
- applying a distance filter to the calculation of each risk score to adjust that risk score based on a location of critical infrastructure with respect to the common asset; and
- propagating a vulnerability risk and a threat from the common asset represented in the asset vulnerability data to each remaining asset of the plurality of assets, wherein the propagating of the vulnerability risk and the threat from the common asset is performed on each remaining asset in accordance with a weighted contribution of the vulnerability risk and the threat to that remaining asset.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A computer program product, the computer program product comprising a computer readable storage medium having program instructions for risk analysis embodied therewith, the program instructions executable by a processor to cause the processor to operate:
- a behavior discovery and suggestion subsystem, configured to recognize behavioral patterns based upon one of analysis of incident information and activity information, of a spatiotemporal nature;
- a predictive subsystem, configured to estimate one of a next occurrence and a probable activity, based upon the behavioral patterns;
- a behavior management subsystem, configured to produce observations of patterns and anomalies based on behavior specifications to which any of the behavioral patterns, the estimated next occurrences, and the estimated probable activities conform; and
- a threat evaluation subsystem, configured to:
  - correlate the observations to asset vulnerability data to determine whether and how the observations affect a plurality of assets,
  - calculate a risk score for each of the plurality of assets based upon a threat component, a vulnerability component, and a consequence component,
  - derive a per-asset risk for each of the plurality of assets on a spatiotemporal basis, based upon correlations between asset vulnerability data and the observations and by applying each risk score to each per-asset risk based on a common asset of the plurality of assets,
  - apply a distance filter to the calculation of each risk score to adjust that risk score based on a location of critical infrastructure with respect to the common asset, and
  - propagate a vulnerability risk and a threat from the common asset represented in the asset vulnerability data to each remaining asset of the plurality of assets, wherein the propagating of the vulnerability risk and the threat from the common asset is performed on each remaining asset in accordance with a weighted contribution of the vulnerability risk and the threat to that remaining asset.

Dependent claims: 11, 12, 13, 14
15. A risk analysis system, comprising:
- a gateway configured to route at least one of incident information and activity information and respond to at least one of queries requesting the one of incident and activity information and regarding the one of incident and activity information;
- a tangible, non-transitory storage device configured to store asset vulnerability data; and
- a processor configured to communicate with the gateway and the storage device, the processor coupled to a memory storing program instructions, the program instructions executable by the processor to cause the processor to:
  - receive the asset vulnerability data from the storage device;
  - receive the one incident information and the activity information through the gateway;
  - analyze the one of the incident information and the activity information;
  - derive behavioral patterns from the analysis of the one of the incident information and the activity information;
  - produce observations of patterns and anomalies based on the behavior specifications and the behavioral patterns;
  - correlate the observations to asset vulnerability data to determine whether and how the observations affect a plurality of assets;
  - calculate a risk score for each of the plurality of assets based upon a threat component, a vulnerability component, and a consequence component;
  - derive a per-asset risk for each of the plurality of assets based upon the correlation of the observations to the asset vulnerability data and by applying each risk score to each per-asset risk based on a common asset of the plurality of assets;
  - apply a distance filter to the calculation of each risk score to adjust that risk score based on a location of critical infrastructure with respect to the common asset; and
  - propagate a vulnerability risk and a threat from the common asset represented in the asset vulnerability data to each remaining asset of the plurality of assets, wherein the propagating of the vulnerability risk and the threat from the common asset is performed on each remaining asset in accordance with a weighted contribution of the vulnerability risk and the threat to that remaining asset.

Dependent claims: 16, 17
Specification