Risk analysis engine

US 9,652,813 B2
Filed: 02/22/2013
Issued: 05/16/2017
Est. Priority Date: 08/08/2012
Status: Active Grant

First Claim

Patent Images

1. A method for risk analysis, comprising:

analyzing, by a processor coupled to a memory, at least one of incident information and activity information;

identifying, by the processor, behavioral patterns by the analyzing of the one of incident information and the activity information;

producing, by the processor, observations of patterns and anomalies based on matches of the behavioral patterns to behavior specifications;

correlating, by the processor, the observations to asset vulnerability data to determine whether and how the observations affect a plurality of assets;

calculating, by the processor, a risk score for each of the plurality of assets based upon a threat component, a vulnerability component, and a consequence component;

deriving, by the processor, a per-asset risk for each of the plurality of assets based upon the correlation of the observations to the asset vulnerability data and by applying each risk score to each per-asset risk based on a common asset of the plurality of assets;

applying a distance filter to the calculation of each risk score to adjust that risk score based on a location of critical infrastructure with respect to the common asset; and

propagating a vulnerability risk and a threat from the common asset represented in the asset vulnerability data to each remaining asset of the plurality of assets,wherein the propagating of the vulnerability risk and the threat from the common asset is performed on each remaining asset in accordance with a weighted contribution of the vulnerability risk and the threat to that remaining asset.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a risk analysis system, a risk analysis engine and a related method, incident information or activity information, which may be of a spatiotemporal nature, is analyzed. Behavioral patterns are identified in or derived from the incident information or the activity information. Observations are produced from matches of the behavioral patterns to behavior specifications. Based upon the observations, and asset vulnerability data, per-asset risks are derived.

108 Citations

View as Search Results

17 Claims

1. A method for risk analysis, comprising:
- analyzing, by a processor coupled to a memory, at least one of incident information and activity information;
  
  identifying, by the processor, behavioral patterns by the analyzing of the one of incident information and the activity information;
  
  producing, by the processor, observations of patterns and anomalies based on matches of the behavioral patterns to behavior specifications;
  
  correlating, by the processor, the observations to asset vulnerability data to determine whether and how the observations affect a plurality of assets;
  
  calculating, by the processor, a risk score for each of the plurality of assets based upon a threat component, a vulnerability component, and a consequence component;
  
  deriving, by the processor, a per-asset risk for each of the plurality of assets based upon the correlation of the observations to the asset vulnerability data and by applying each risk score to each per-asset risk based on a common asset of the plurality of assets;
  
  applying a distance filter to the calculation of each risk score to adjust that risk score based on a location of critical infrastructure with respect to the common asset; and
  
  propagating a vulnerability risk and a threat from the common asset represented in the asset vulnerability data to each remaining asset of the plurality of assets,wherein the propagating of the vulnerability risk and the threat from the common asset is performed on each remaining asset in accordance with a weighted contribution of the vulnerability risk and the threat to that remaining asset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the behavioral patterns include time information and physical location information, from the incident information or the activity information.
  - 3. The method of claim 1, wherein the behavior specifications act as templates for matches from the incident information or the activity information, with each behavior specification pertaining to one of:
    - an incident, an activity, a pattern of incidents, and a pattern of activities.
  - 4. The method of claim 1, further comprising:
    - tracking contributing observations for one of the per-asset risks, under an identifier.
  - 5. The method of claim 1, further comprising:
    - applying the risk score to a special event represented in the plurality of assets of the asset vulnerability data.
  - 6. The method of claim 1, wherein representation of a special event in the asset vulnerability data includes a time influence of the special event and a distance influence of the special event.
  - 7. The method of claim 1, further comprising:
    - decreasing the risk score as a function of time, for an asset represented in the plurality of assets of the asset vulnerability data.
  - 8. The method of claim 1, wherein analyzing the incident or activity information includes:
    - applying fuzzy logic;
      
      applying association rules;
      
      determining a pattern;
      
      determining a pattern tree;
      
      determining a temporal spike;
      
      determining a periodic temporal pattern;
      
      ordetermining an anomaly in a temporal pattern.
  - 9. The method of claim 1, wherein the propagating of the vulnerability risk and the threat from the common asset is further performed on each remaining asset in accordance with a number of relationships that that remaining asset is away from the common asset.

10. A computer program product, the computer program product comprising a computer readable storage medium having program instructions for risk analysis embodied therewith, the program instructions executable by a processor to cause the processor to operate:
- a behavior discovery and suggestion subsystem, configured to recognize behavioral patterns based upon one of analysis of incident information and activity information, of a spatiotemporal nature;
  
  a predictive subsystem, configured to estimate one of a next occurrence and a probable activity, based upon the behavioral patterns;
  
  a behavior management subsystem, configured to produce observations of patterns and anomalies based on behavior specifications to which any of the behavioral patterns, the estimated next occurrences, and the estimated probable activities conform; and
  
  a threat evaluation subsystem, configured to;
  
  correlate the observations to asset vulnerability data to determine whether and how the observations affect a plurality of assets,calculate a risk score for each of the plurality of assets based upon a threat component, a vulnerability component, and a consequence component,derive a per-asset risk for each of the plurality of assets on a spatiotemporal basis, based upon correlations between asset vulnerability data and the observations and by applying each risk score to each per-asset risk based on a common asset of the plurality of assets,apply a distance filter to the calculation of each risk score to adjust that risk score based on a location of critical infrastructure with respect to the common asset, andpropagate a vulnerability risk and a threat from the common asset represented in the asset vulnerability data to each remaining asset of the plurality of assets,wherein the propagating of the vulnerability risk and the threat from the common asset is performed on each remaining asset in accordance with a weighted contribution of the vulnerability risk and the threat to that remaining asset.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computer program product of claim 10, wherein the behavior specifications are further based upon at least one selected from a group consisting of:
    - precursor behaviors, indicator behaviors, asset-specific rules, and activity sequences.
  - 12. The computer program product of claim 10, wherein the behavior discovery and suggestion subsystem is further configured to apply human feedback to the behavioral patterns.
  - 13. The computer program product of claim 10, wherein the predictive subsystem is further configured to offer a completion estimate of behavioral indicators based upon partial sequence matches in the behavioral patterns.
  - 14. The computer program product of claim 10, wherein the subsystems are further configured to store one of the observations, the incident information, and the activity information that contribute to the per-asset risks, with an identifier.

15. A risk analysis system, comprising:
- a gateway configured to route at least one of incident information and activity information and respond to at least one of queries requesting the one of incident and activity information and regarding the one of incident and activity information;
  
  a tangible, non-transitory storage device configured to store asset vulnerability data; and
  
  a processor configured to communicate with the gateway and the storage device, the processor coupled to a memory storing program instructions, the program instructions executable by the processor to cause the processor to;
  
  receive the asset vulnerability data from the storage device;
  
  receive the one incident information and the activity information through the gateway;
  
  analyze the one of the incident information and the activity information;
  
  derive behavioral patterns from the analysis of the one of the incident information and the activity information;
  
  produce observations of patterns and anomalies based on the behavior specifications and the behavioral patterns;
  
  correlate the observations to asset vulnerability data to determine whether and how the observations affect a plurality of assets;
  
  calculate a risk score for each of the plurality of assets based upon a threat component, a vulnerability component, and a consequence component;
  
  derive a per-asset risk for each of the plurality of assets based upon the correlation of the observations to the asset vulnerability data and by applying each risk score to each per-asset risk based on a common asset of the plurality of assets;
  
  apply a distance filter to the calculation of each risk score to adjust that risk score based on a location of critical infrastructure with respect to the common asset; and
  
  propagate a vulnerability risk and a threat from the common asset represented in the asset vulnerability data to each remaining asset of the plurality of assets,wherein the propagating of the vulnerability risk and the threat from the common asset is performed on each remaining asset in accordance with a weighted contribution of the vulnerability risk and the threat to that remaining asset.
- View Dependent Claims (16, 17)
- - 16. The risk analysis system of claim 15, wherein the program instructions are further executable by the processor to cause the processor to lower a risk score over time, as applied to one of the per-asset risks.
  - 17. The risk analysis system of claim 15, wherein the program instructions are further executable by the processor to cause the processor to store identifiers associated with the one of the incident information and the activity information, the behavioral knowledge base, the observations, and the per-asset risks to support tracing causes to a subsequent event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Johns Hopkins University
Original Assignee
Johns Hopkins University
Inventors
Gifford, Christopher M., Brush, Jeffrey S., Gabriele, Mark B.
Primary Examiner(s)
Ouellette, Jonathan

Application Number

US13/774,293
Publication Number

US 20140046863A1
Time in Patent Office

1,544 Days
Field of Search

705 11-912
US Class Current
CPC Class Codes

G06Q 10/10 Office automation; Time man...

G06Q 50/265 Personal security, identity...

Risk analysis engine

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

108 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Risk analysis engine

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links