Probabilistic model for cyber risk forecasting
First Claim
1. A method in a computing system having a processor, the method comprising:
receiving target organization information, asset information, system information, threat information, and known and modeled threat agent information descriptive of a networked system of at least one target organization;
calculating, by the processor, threat characteristics for the networked system of the at least one target organization, based on the target organization information, the asset information, the system information, the threat information, and the known and modeled threat agent information descriptive of the at least one target organization;
determining, by the processor, a time-dependent interactive model involving one or more likely future pathways for at least one or more threats based on the calculated threat characteristics for the networked system of the at least one target organization, wherein at least one of the one or more likely future pathways includes a plurality of path segments, wherein at least one of the plurality of path segments is based on an unobserved event, wherein at least one of the one or more likely future pathways includes a path segment based on an observed event, and wherein at least one of the one or more likely future pathways includes known and modeled attack agent objectives, attacker attributes, attack tactics and techniques, and time-related interactions of one or more attackers or attack behaviors and one or more sets of response actions of the targeted organization, wherein the one or more sets of response actions of the targeted organization includes:
effects of automatic security control measures within the networked system; and
human responses modeled by computing probabilities as a function of reward-cost from an attacker's perspective and from a targeted organization's perspective;
estimating, by the processor, for the one or more likely future pathways:
probabilities that the unobserved event will occur, and probability distributions of times of occurrence of the unobserved event;
determining, by the processor, a probability distribution of damage to assets of the at least one target organization and a probability distribution of one or more incidents of such damage to the assets based on the estimated probabilities that the unobserved event will occur and based on the estimated probability distributions of times of occurrence of the unobserved event; and
dynamically reconfiguring or deploying operation of one or more hardware components of the networked system at the one or more likely future pathways based on the determined probability distribution of damage to the assets and the probability distribution of one or more incidents of such damage to the assets, wherein reconfiguring or deploying operation of one or more components of the networked system includes reconfiguring or deploying a firewall, security device, or sensor with respect to the one or more likely future pathways.
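Claim 1 describes a pipeline: pathways made of segments, some already observed and some not, each unobserved segment carrying a probability of occurring and a distribution of when; these are propagated into a distribution of damage and of incident counts over a horizon, and the result drives where a firewall or sensor is redeployed. The Python below is an added illustration written for this page, not code from the patent or its assignee, showing one way to carry that propagation out by Monte Carlo. Every number in it is a constructed assumption (segment success probabilities, mean completion times, asset values, the 90-day horizon), as is the choice of exponential completion times and the rule that an observed segment costs no further time. It generalizes the claim's single unobserved event to any number of unobserved segments per pathway.

```python
"""Pathway propagation illustration (added example for this page; not the patent's code).
Assumptions (all constructed): segment success probabilities, exponential completion times,
asset damage values and the forecast horizon."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    name: str
    p_success: float        # probability the attacker gets through this segment
    mean_days: float        # mean time to get through it (exponential assumption)
    observed: bool = False  # already seen in telemetry: treated as certain and already elapsed


@dataclass(frozen=True)
class Pathway:
    name: str
    segments: tuple
    damage: float           # asset loss if every segment of the pathway completes


def simulate_pathway(path, horizon_days, rng):
    """One Monte Carlo draw: loss from this pathway inside the horizon, else 0.0."""
    elapsed = 0.0
    for seg in path.segments:
        if seg.observed:
            continue                      # observed event: no uncertainty, no added delay
        if rng.random() >= seg.p_success:
            return 0.0                    # attacker does not get through this segment
        elapsed += rng.expovariate(1.0 / seg.mean_days)
        if elapsed > horizon_days:
            return 0.0                    # would complete only after the forecast window
    return path.damage


def forecast(pathways, horizon_days, n=20000, seed=7):
    """Monte Carlo damage distribution across all pathways over the horizon."""
    rng = random.Random(seed)
    totals = []
    hits = {p.name: 0 for p in pathways}
    for _ in range(n):
        total = 0.0
        for p in pathways:
            loss = simulate_pathway(p, horizon_days, rng)
            if loss > 0.0:
                hits[p.name] += 1
            total += loss
        totals.append(total)
    totals.sort()
    return {
        "expected_loss": sum(totals) / n,
        "p_any_incident": sum(1 for t in totals if t > 0.0) / n,
        "loss_95th_pct": totals[int(0.95 * n) - 1],
        "incident_prob": {name: c / n for name, c in hits.items()},
    }


def sensor_priority(result):
    """Pathways ordered by incident probability: where a sensor or firewall change buys most."""
    return sorted(result["incident_prob"], key=result["incident_prob"].get, reverse=True)


# Constructed scenario: two pathways to the same database asset. The phishing foothold
# has already been observed by the mail gateway; everything else is unobserved.
PATHWAYS = (
    Pathway("phish-to-db", (
        Segment("phishing foothold", 0.6, 5.0, observed=True),
        Segment("privilege escalation", 0.5, 7.0),
        Segment("lateral move to db host", 0.7, 10.0),
        Segment("exfiltration", 0.8, 3.0),
    ), damage=2_000_000),
    Pathway("vpn-to-db", (
        Segment("credential stuffing on VPN", 0.2, 14.0),
        Segment("lateral move to db host", 0.7, 10.0),
        Segment("exfiltration", 0.8, 3.0),
    ), damage=2_000_000),
)

if __name__ == "__main__":
    result = forecast(PATHWAYS, horizon_days=90)
    print(result)
    print("sensor priority:", sensor_priority(result))
```

The 95th-percentile loss is the quantity an insurer or a self-insuring organization would price against, while `incident_prob` per pathway is the quantity that decides where a sensor or firewall rule is worth moving; both come out of the same propagation, which is the point the abstract makes.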
Abstract
A system and method are presented for forecasting the risk of cyber-attacks on targeted networks. The described technology quantifies linear and non-linear damages to network-dependent assets by propagating probabilistic distributions of events in sequence and time in order to forecast damages over specified periods. Damage forecasts are used to estimate, probabilistically, time-varying financial losses from cyber-attacks. The described technology incorporates quantities and dependencies for pricing insurance, re-insurance, and self-insurance, assessing cost-benefit tradeoffs for sequenced implementation of security control measures, and detecting attacks in the targeted network.
30 Claims
1. Claim 1 is set out in full under First Claim above; claims 2 through 13 depend from it.
14. A non-transitory storage medium storing instructions that, if executed by a processor of a computing system, cause the computing system to perform a method, the method comprising:
determining threat information relating to a networked system of the target organization, wherein the threat information is descriptive of one or more attacker characteristics and attack characteristics;
determining a model that at least includes one or more likely future pathways of the cyber threat within the networked system, wherein at least one of the one or more likely future pathways includes a path segment based on an unobserved event, and wherein at least one of the one or more likely future pathways includes a path segment based on a known event;
propagating probabilistic distributions of at least the unobserved event over time through the model;
determining probabilistic damages to network-dependent assets of the target organization over a period of time based on the probabilistic distributions, wherein the probabilistic damages are determined to result from attacks on one or more likely future pathways successfully compromising or damaging assets following time-related interactions of one or more attackers and one or more response actions of the targeted organization;
identifying a likelihood of a forecasted attack to the networked system at a point in time and at a pathway based on the determined probabilistic damages to the network-dependent assets of the target organization over a period of time based on the probabilistic distributions; and
dynamically modifying operation of the networked system at the point in time and at the pathway of the forecasted attack to the networked system, wherein modifying operation of the networked system includes modifying placement of security devices of the networked system with respect to the pathway or deploying an active deception approach using a honeypot with respect to the pathway.
Dependent claims: 15 through 22.
23. A computing system for mitigating an attack to a target site, the system comprising:
a processor;
a computer-readable storage medium;
an input component configured to receive, for a target site, site-specific data and site-independent data;
a threat estimating component configured to estimate threat data for the target site based on the received site-specific data and site-independent data;
a pathway probability component configured to calculate probability distributions of cost and time for identifying one or more potential attack pathways for the target site based on the estimated threat data for the target site, wherein at least one of the one or more potential attack pathways includes a plurality of path segments, wherein at least one of the plurality of path segments is based on an unobserved event, wherein at least one of the one or more potential attack pathways includes a path segment based on an observed event, and wherein at least one of the one or more potential pathways includes: known and modeled attack agent objectives, attacker attributes, attack tactics and techniques, and time-related interactions of one or more attackers or attack behaviors and one or more sets of response actions of the targeted organization, including effects of automatic security control measures in the networked systems and human responses modeled by computing probabilities as a function of reward-cost from an attacker's perspective and from a targeted organization's perspective;
a detection component configured to model a probability of attack along the one or more potential attack pathways based at least on the site-specific data; and
a response component configured to cause modifications to placement of detection and monitoring systems at the target site based on a determination of at least one of the one or more potential attack pathways within the model as a likely attack pathway,
wherein components comprise computer-executable instructions stored in the computer-readable storage medium for execution by the processor.
Dependent claims: 24 through 29.
30. A system, comprising:
an input component for receiving a first set of data and a second set of data relating to a networked system, wherein the first set of data includes a first level of information and the second set of data includes information that refines the first level of information;
one or more model components for: constructing a time-dependent interactive model of the networked system, based on the first set of data, and calibrating the time-dependent interactive model based on the first set of data and the second set of data, wherein the time-dependent interactive model includes one or more potential future attack pathways, wherein at least one of the potential future attack pathways includes a plurality of path segments, wherein at least one of the plurality of path segments is based on an unobserved event, wherein at least one of the one or more potential future attack pathways includes a path segment based on an observed event, and wherein at least one of the one or more potential future attack pathways includes: known and modeled attack agent objectives, attacker attributes, attack tactics and techniques, and time-related interactions of one or more attackers or attack behaviors and one or more sets of response actions of the targeted organization, including effects of automatic security control measures in the networked systems and human responses modeled by computing probabilities as a function of reward-cost from an attacker's perspective and from a targeted organization's perspective;
one or more forecasting components for: determining probabilistic distributions of at least the unobserved event over time through the time-dependent interactive model, determining probabilistic damages to network-dependent assets of the target organization over a period of time based on the probabilistic distributions, in response to receiving the second set of data relating to the networked system, aggregating one or more threats, systems, vulnerabilities, assets, and observations from the first data set and the second data set, and determining a probability distribution of detection to reduce false alarm rates over the false alarm rates associated with respective individual detectors; and
a response component for: determining responses to attacks of the networked system based at least in part on the reduced false alarm rates obtained from the determined probability distribution of detection, and causing modifications to operation of the networked system at the one or more potential future attack pathways to the networked system, wherein modified operation of the networked system includes redeployment of security devices or sensors of the networked system at the one or more potential future attack pathways or deploying an active deception approach using a honeypot with respect to the one or more potential future attack pathways.
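Claim 30's forecasting component derives a probability distribution of detection whose false alarm rate is lower than that of the individual detectors, and the response component acts on that reduced rate. The block below is an added example written for this page, not the patent's code, of one standard way such a distribution is computed: it enumerates every alert pattern over a set of detectors assumed to fire independently given the true state, applies a "declare attack if at least k detectors alert" rule, and reports the fused detection and false alarm probabilities together with the posterior probability of attack for an observed pattern. The detector names, their rates and the prior are constructed assumptions.

```python
"""Detector fusion illustration (added example for this page; not the patent's code).
Assumption: detectors alert independently of one another given the true state
(attack or no attack); all rates and the prior below are constructed."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Detector:
    name: str
    p_detect: float        # P(alert | attack in progress)
    p_false_alarm: float   # P(alert | no attack)


def pattern_likelihood(detectors, pattern, attack):
    """P(this alert pattern | attack / no attack) under conditional independence."""
    lik = 1.0
    for det, fired in zip(detectors, pattern):
        p = det.p_detect if attack else det.p_false_alarm
        lik *= p if fired else (1.0 - p)
    return lik


def fused_rates(detectors, k):
    """(P_detect, P_false_alarm) of the rule: declare attack if at least k detectors alert."""
    p_d = p_fa = 0.0
    for pattern in product((False, True), repeat=len(detectors)):
        if sum(pattern) >= k:
            p_d += pattern_likelihood(detectors, pattern, True)
            p_fa += pattern_likelihood(detectors, pattern, False)
    return p_d, p_fa


def posterior_attack(detectors, pattern, prior):
    """P(attack | observed alert pattern) by Bayes' rule; this is the distribution the
    response component consumes instead of any single detector's verdict."""
    num = prior * pattern_likelihood(detectors, pattern, True)
    den = num + (1.0 - prior) * pattern_likelihood(detectors, pattern, False)
    return num / den


def best_threshold(detectors, max_false_alarm):
    """Smallest k whose fused false alarm rate fits the budget, with its rates; None if none does."""
    for k in range(1, len(detectors) + 1):
        p_d, p_fa = fused_rates(detectors, k)
        if p_fa <= max_false_alarm:
            return k, p_d, p_fa
    return None


# Constructed sensor set along one pathway: network IDS, endpoint agent, flow analytics.
SENSORS = (
    Detector("ids", 0.85, 0.08),
    Detector("edr", 0.92, 0.03),
    Detector("netflow", 0.70, 0.10),
)

if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"at least {k} alerts: P_detect, P_false_alarm =", fused_rates(SENSORS, k))
    print("posterior given ids+edr alert, prior 1%:", posterior_attack(SENSORS, (True, True, False), 0.01))
    print("threshold meeting a 1% false alarm budget:", best_threshold(SENSORS, 0.01))
```

With three identical detectors at 0.90 detection and 0.05 false alarm, the 2-of-3 rule yields 0.972 detection at a 0.00725 false alarm rate, which is the sense in which the fused distribution lowers the false alarm rate below each individual detector's.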
Specification