Probabilistic model for cyber risk forecasting

US 9,680,855 B2
Filed: 06/30/2014
Issued: 06/13/2017
Est. Priority Date: 06/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method in a computing system having a processor, the method comprising:

receiving target organization information, asset information, system information, threat information, and known and modeled threat agent information descriptive of a networked system of at least one target organization;

calculating, by the processor, threat characteristics for the networked system of the at least one target organization, based on the target organization information, the asset information, the system information, the threat information, and the known and modeled threat agent information descriptive of the at least one target organization;

determining, by the processor, a time-dependent interactive model involving one or more likely future pathways for at least one or more threats based on the calculated threat characteristics for the networked system of the at least one target organization,wherein at least one of the one or more likely future pathways includes a plurality of path segments,wherein at least one of the plurality of path segments is based on an unobserved event,wherein at least one of the one or more likely future pathways includes a path segment based on an observed event, andwherein at least one of the one or more likely future pathways includes known and modeled attack agent objectives, attacker attributes, attack tactics and techniques, and time-related interactions of one or more attackers or attack behaviors and one or more sets of response actions of the targeted organization,wherein the one or more sets of response actions of the targeted organization includes;

effects of automatic security control measures within the networked system; and

human responses modeled by computing probabilities as a function of reward-cost from an attacker'"'"'s perspective and from a targeted organization'"'"'s perspective;

estimating, by the processor, for the one or more likely future pathways;

probabilities that the unobserved event will occur, andprobability distributions of times of occurrence of the unobserved event;

determining, by the processor, a probability distribution of damage to assets of the at least one target organization and a probability distribution of one or more incidents of such damage to the assets based on the estimated probabilities that the unobserved event will occur and based on the estimated probability distributions of times of occurrence of the unobserved event; and

dynamically reconfiguring or deploying operation of one or more hardware components of the networked system at the one or more likely future pathways based on the determined probability distribution of damage to the assets and the probability distribution of one or more incidents of such damage to the assets,wherein reconfiguring or deploying operation of one or more components of the networked system includes reconfiguring or deploying a firewall, security device, or sensor with respect to the one or more likely future pathways.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are presented for forecasting the risk of cyber-attacks on targeted networks. The described technology quantifies linear and non-linear damages to network-dependent assets by propagating probabilistic distributions of events in sequence and time in order to forecast damages over specified periods. Damage-forecasts are used to estimate probabilistically time-varying financial losses for cyber-attacks. The described technology incorporates quantities and dependencies for pricing insurance, re-insurance, and self-insurance, assessing cost-benefit tradeoffs for sequenced implementation of security control measures, and detecting attacks in the targeted network.

Citations

30 Claims

1. A method in a computing system having a processor, the method comprising:
- receiving target organization information, asset information, system information, threat information, and known and modeled threat agent information descriptive of a networked system of at least one target organization;
  
  calculating, by the processor, threat characteristics for the networked system of the at least one target organization, based on the target organization information, the asset information, the system information, the threat information, and the known and modeled threat agent information descriptive of the at least one target organization;
  
  determining, by the processor, a time-dependent interactive model involving one or more likely future pathways for at least one or more threats based on the calculated threat characteristics for the networked system of the at least one target organization,wherein at least one of the one or more likely future pathways includes a plurality of path segments,wherein at least one of the plurality of path segments is based on an unobserved event,wherein at least one of the one or more likely future pathways includes a path segment based on an observed event, andwherein at least one of the one or more likely future pathways includes known and modeled attack agent objectives, attacker attributes, attack tactics and techniques, and time-related interactions of one or more attackers or attack behaviors and one or more sets of response actions of the targeted organization,wherein the one or more sets of response actions of the targeted organization includes;
  
  effects of automatic security control measures within the networked system; and
  
  human responses modeled by computing probabilities as a function of reward-cost from an attacker'"'"'s perspective and from a targeted organization'"'"'s perspective;
  
  estimating, by the processor, for the one or more likely future pathways;
  
  probabilities that the unobserved event will occur, andprobability distributions of times of occurrence of the unobserved event;
  
  determining, by the processor, a probability distribution of damage to assets of the at least one target organization and a probability distribution of one or more incidents of such damage to the assets based on the estimated probabilities that the unobserved event will occur and based on the estimated probability distributions of times of occurrence of the unobserved event; and
  
  dynamically reconfiguring or deploying operation of one or more hardware components of the networked system at the one or more likely future pathways based on the determined probability distribution of damage to the assets and the probability distribution of one or more incidents of such damage to the assets,wherein reconfiguring or deploying operation of one or more components of the networked system includes reconfiguring or deploying a firewall, security device, or sensor with respect to the one or more likely future pathways.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising generating a report based on the modeling, wherein the report includes information for increasing the likelihood of detection of a threat at the at least one target organization, wherein the threat information characterizes exploits, vulnerabilities, or cyber threats to the networked system, wherein the cyber threats include intentional attacks, accidents, and system failures.
  - 3. The method of claim 1, wherein receiving the asset information characterizing assets of the at least one target organization includes obtaining information describing tangible or intangible assets that are available through the networked system, wherein existing and future cyber-related behaviors are modeled in hierarchical levels of cyber threat information, wherein partially known cyber threat information at a first level is dynamically aggregated with other known or partially known threat information as the other known or partially known cyber threat information is discovered, wherein the aggregated threat information is represented as a second level of cyber threat information, wherein the second level of cyber threat information is metadata for improving resolution of the modeling, and wherein portions of the results of the modeling are indicated in a report.
  - 4. The method of claim 1, further comprising establishing a probability distribution of financial values based on a determination of loss of one or more assets of at the least one target organization based on occurrence time, types and amounts of damage to the one or more assets.
  - 5. The method of claim 1, wherein receiving the system information characterizing the networked system includes obtaining information about a location, type, and configuration of one or more assets associated with the networked system and wherein the attacker characteristics includes one or more of a number of threat types based on asset attractiveness, attack campaign tactics, and time available to execute an attack on the target organization.
  - 6. The method of claim 1, wherein the probability distribution of damage to assets is a probability distribution of the occurrence time, the types, and amounts of assets of the least one target organization, wherein the probability distribution of damages to assets includes a probability of loss of access to services, assets, or data associated with the networked system.
  - 7. The method of claim 1, wherein the probability of damage to assets of at the least one target organization includes a probability of loss of goodwill, reputation, or business, including the time of such loss.
  - 8. The method of claim 1, further comprising calculating a financial loss from the damage, based on the determining of the probability of damage to the assets, including the time of such loss.
  - 9. The method of claim 1, further comprising modeling and estimating:
    - probabilities of one or more pathways for responding to the threats,threat remediation actions of security personnel or software, andprobability distributions of times for responding to the threats with at least one of the remediation actions.
  - 10. The method of claim 1, further comprising calculating the one or more threat characteristics based on a resource limitation of an attacker, wherein the resource limitation is one or more of time available to execute an attack on the target organization, capital, number of personnel and attacker skill level.
  - 11. The method of claim 1, wherein the resource limitation of the one or more attackers associated with the threats is based on expert opinion, historical data attacker behavior or attacker group behavior, wherein the resource limitation of the one or more attackers associated with the threats is manually obtained, wherein the resource limitation of the one or more attackers associated with the threats is automatically obtained and wherein receiving the system information characterizing the networked system includes obtaining information about one or more security policies or procedures.
  - 12. The method of claim 1, wherein the modeling is used to validate likely future pathways associated with a past cyber threat which resulted in an attack that was completed in the past.
  - 13. The method of claim 1, wherein the modeling is used to forecast financial losses from one or more cyber attacks over time windows looking forward from past, present, and future times.

14. A non-transitory storage medium storing instructions that, if executed by a processor of a computing system, cause the computing system to perform a method, the method comprising:
- determining threat information relating to a networked system of the target organization, wherein the threat information is descriptive of one or more attacker characteristics and attack characteristics;
  
  determining a model that at least includes one or more likely future pathways of the cyber threat within the networked system, wherein at least one of the one or more likely future pathways includes a path segment based on an unobserved event, and wherein at least one of the one or more likely future pathways includes a path segment based on a known event;
  
  propagating probabilistic distributions of at least the unobserved event over time through the model;
  
  determining probabilistic damages to network-dependent assets of the target organization over a period of time based on the probabilistic distributions,wherein the probabilistic damages are determined to result from attacks on one or more likely future pathways successfully compromising or damaging assets following time-related interactions of one or more attackers and one or more response actions of the targeted organization;
  
  identifying a likelihood of a forecasted attack to the networked system at a point in time and at a pathway based on the determined probabilistic damages to the network-dependent assets of the target organization over a period of time based on the probabilistic distributions; and
  
  dynamically modifying operation of the networked system at the point in time and at the pathway of the forecasted attack to the networked system,wherein modifying operation of the networked system includes modifying placement of security devices of the networked system with respect to the pathway or deploying an active deception approach using a honeypot with respect to the pathway.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The non-transitory storage medium of claim 14, wherein determining the model further includes determining risk probability distribution effects of cyber threats to the networked system of the target organization, wherein the model is a hierarchical model, wherein the hierarchical model has different levels of detail and dynamically augmented in response to receiving new data relating to the networked system of the target organization, and wherein the risk probability distribution effects are based on target organization characteristics and attacker characteristics.
  - 16. The non-transitory storage medium of claim 15, wherein the target organization characteristics include:
    - targeted physical and virtual network configuration, devices, and software,security control mitigation measures, including one or more physical access and network based measures,the likelihood of detecting the unobserved event,insider threats, andtargeted tangible and intangible assets.
  - 17. The non-transitory storage medium of claim 15, wherein the attacker characteristics are based on one or more of:
    - attacker goals and sub-goals,threat types based on asset attractiveness,attacker techniques, attack rates, or attack campaign tactics, andresource limitations, including one or more of capital, number of personnel, expertise, and time available to execute an attack on the target organization.
  - 18. The non-transitory storage medium of claim 14, further comprising determining probabilities of one or more vulnerabilities of, security control measures of, or trust relationships with one or more other organizations.
  - 19. The non-transitory storage medium of claim 14, wherein the propagating of probabilistic distributions of the unobserved event over time through the model includes forecasting cumulative effects of threat characteristics via multiple attack pathways and wherein forecasting cumulative effects of threat characteristics within the one or more likely future pathways of the cyber threat includes computing accumulated rewards and costs to the attacker along multiple potential event pathways.
  - 20. The non-transitory storage medium of claim 14, further comprising pricing expected losses over fixed and varying periods of time, wherein the propagating of probabilistic distributions of the unobserved event over time through the model includes stochastic forecasting of loss-generating attack pathways.
  - 21. The non-transitory storage medium of claim 14, wherein the determining of probabilistic damages to network-dependent assets of the target organization over a period of time includes propagating event-time distributions to forecast losses varying as a function of time based on uncertain vulnerabilities, exploits, system components, or security control measures, and determining the tradeoff between forecasts of the cost and effectiveness of possible security control options.
  - 22. The non-transitory storage medium of claim 14, wherein the determining of probabilistic damages to network-dependent assets of the target organization over a period of time includes determining an exceedance probability curve to estimate a likelihood of loss of value over a period of time.

23. A computing system for mitigating an attack to a target site, the system comprising:
- a processor;
  
  a computer-readable storage medium;
  
  an input component configured to receive, for a target site, site-specific data and site-independent data;
  
  a threat estimating component configured to estimate threat data for the target site based on the received site-specific data and site-independent data;
  
  a pathway probability component configured to calculate probability distributions of cost and time for identifying one or more potential attack pathways for the target site based on the estimated threat data for the target site,wherein at least one of the one or more potential attack pathways includes a plurality of path segments,wherein at least one of the plurality of path segments is based on an unobserved event,wherein at least one of the one or more potential attack pathways includes a path segment based on an observed event, andwherein at least one of the one or more potential pathways includes;
  
  known and modeled attack agent objectives,attacker attributes,attack tactics and techniques, andtime-related interactions of one or more attackers or attack behaviors and one or more sets of response actions of the targeted organization, including;
  
  effects of automatic security control measures in the networked systems and human responses modeled by computing probabilities as a function of reward-cost from an attacker'"'"'s perspective and from a targeted organization'"'"'s perspective;
  
  a detection component configured to model a probability of attack along the one or more potential attack pathways based at least on the site-specific data; and
  
  a response component configured to cause modifications to placement of detection and monitoring systems at the target site based on a determination of at least one of the one or more potential attack pathways within the model as a likely attack pathway,wherein components comprise computer-executable instructions stored in the computer-readable storage medium for execution by the processor.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The system of claim 23, wherein the site-specific data includes, for a target site, one or more of:
    - site configuration data, asset location and valuation data, questionnaire data, evaluation data, penetration testing data, and monitoring data; and
      
      wherein the site-independent data includes one or more of attacker goal and resource data, asset valuation data, vulnerability and exploit data, attacker behavior data, and previous attack data, wherein the model is for determining recommendations for one or more security products by evaluating their effectiveness within the target site.
  - 25. The system of claim 23, wherein the threat data for the target site includes attacker attributes, attack rates, and exploits relevant to the target site, and wherein the site specific data includes data from user-defined collection configurations to determine one or more of a detection rate and asset loss for each configuration.
  - 26. The system of claim 23, wherein the threat estimating component is configured to determine likely attackers or attacker groups, and to compute, based on the determined likely attackers or attacker groups, a reward-cost for an attack on one or more sites or site categories associated with the target site, wherein the threat estimating component is further configured to determine a probabilistic ranking of sites possibly subject to attack.
  - 27. The system of claim 23, wherein, for security monitoring and alerting purposes at the target site, the pathway probability component is configured to determine:
    - a probability for each of one or more potential attack pathways based on at least one of reward-cost, detectability, or asset locations, anda likelihood that an attacker is executing, may execute, or has executed one or more actions along certain pathways in the network.
  - 28. The system of claim 23, wherein the detection component is configured to model a probability that attack activity is observed or not observed by sensors or software associated with the target site and wherein the analysis component is configured to determine plans in response to the modeled probability of attack detection, wherein the plans include site configuration or policy changes.
  - 29. The system of claim 23, further comprising a component configured to compute probabilistic asset damage or financial losses based on the probability of an attack succeeding without immediate detection at the target site.

30. A system, comprising:
- an input component for receiving a first set of data and a second set of data relating to a networked system, wherein the first set of data includes a first level of information and the second set of data includes information that refines the first level of information;
  
  one or more model components for;
  
  constructing a time-dependent interactive model of the networked system, based on the first set of data, andcalibrating the time-dependent interactive model based on the first set of data and the second set of data,wherein the time-dependent interactive model includes one or more potential future attack pathways,wherein at least one of the potential future attack pathways includes a plurality of path segments,wherein at least one of the plurality of path segments is based on an unobserved event,wherein at least one of the one or more potential future attack pathways includes a path segment based on an observed event, andwherein at least one of the one or more potential future attack pathways includes;
  
  known and modeled attack agent objectives,attacker attributes,attack tactics and techniques, andtime-related interactions of one or more attackers or attack behaviors and one or more sets of response actions of the targeted organization, including;
  
  effects of automatic security control measures in the networked systems and human responses modeled by computing probabilities as a function of reward-cost from an attacker'"'"'s perspective and from a targeted organization'"'"'s perspective;
  
  one or more forecasting components for;
  
  determining probabilistic distributions of at least the unobserved event over time through the time-dependent interactive model,determining probabilistic damages to network-dependent assets of the target organization over a period of time based on the probabilistic distributions,in response to receiving the second set of data relating to the networked system, aggregating one or more threats, systems, vulnerabilities, assets, and observations from the first data set and the second data set, anddetermining a probability distribution of detection to reduce false alarm rates over the false alarm rates associated with respective individual detectors; and
  
  a response component for;
  
  determining responses to attacks of the networked system based at least in part on the reduced false alarm rates obtained from the determined probability distribution of detection, andcausing modifications to operation of the networked system at the one or more potential future attack pathways to the networked system,wherein modified operation of the networked system includes redeployment of security devices or sensors of the networked system at the one or more potential future attack pathways or deploying an active deception approach using a honeypot with respect to the one or more potential future attack pathways.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Craig Schultz, Jeffrey Starr, John Compton
Original Assignee
Neo Prime, LLC
Inventors
Nitao, John J., Starr, Jeffrey M., Compton, John, Schultz, Craig A.
Primary Examiner(s)
Sterrett, Jonathan G
Assistant Examiner(s)
Yesildag, Mehmet

Application Number

US14/319,994
Publication Number

US 20150381649A1
Time in Patent Office

1,079 Days
Field of Search

726 22, 726 25, 725 25, 705 728
US Class Current
CPC Class Codes

G06Q 10/0635   Risk analysis of enterprise...

G06Q 40/08   Insurance

G09C 1/00   Apparatus or methods whereb...

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

Probabilistic model for cyber risk forecasting

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Probabilistic model for cyber risk forecasting

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links