Method and apparatus for automating threat model generation and pattern identification

US 9,742,794 B2
Filed: 03/31/2016
Issued: 08/22/2017
Est. Priority Date: 05/27/2014
Status: Active Grant

First Claim

Patent Images

1. A computing system implemented method for automating threat model generation and pattern identification for an application of an asset of a service provider, comprising:

identifying, with a first computing environment, components of the application, wherein ones of the components perform at least one of receiving, transferring, and transmitting information for the application, wherein the asset includes a second computing environment provided by the service provider and configured to make the application publically available through one or more networks;

identifying, by at least one virtual asset of the first computing environment, one or more security threats and populating a threat model library with data regarding the identified security threats;

receiving security information, for at least some of the components, that identifies whether measures were taken within the application to secure the application against one or more of the security threats of the threat model library, the threat model library further including one or more patterns, the patterns representing one or more first operational characteristics of the first virtual asset, wherein patterns of the threat model library are associated with at least one external event;

determining that the measures sufficiently address security risks associated with the security threats of the threat model library, including;

transmitting first queries to a third computing environment that are related to the security information, wherein the third computing environment is a different computing environment than the first and second computing environments;

receiving responses from the third computing environment to the first queries related to the security information;

transmitting subsequent queries to the third computing environment in response to and based at least in part on content of the responses to the first queries;

receiving a second virtual asset pattern from a second virtual asset, the received second virtual asset pattern representing one or more second operational characteristics of the second virtual asset;

identifying, by comparing the second virtual asset pattern to one or more patterns of the threat model library, at least one external event; and

distributing data of the identified at least one external events to the one or more second virtual assets, if the second pattern is similar or equal to a compared pattern.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for automating threat model generation and pattern identification for an application includes identifying components of an application, and receiving security information that identifies whether security measures were implemented within the application to secure the application against security threats. The method further receives an identification of external events, and receiving first patterns from one or more first virtual assets. A database is populated with the first patterns and the external events and then second patterns are received and compared to the first patterns. The method and system include distributing the identification of the one of the external events to the one or more second virtual assets, if the second patterns are similar to the first patterns, according to one embodiment.

Citations

32 Claims

1. A computing system implemented method for automating threat model generation and pattern identification for an application of an asset of a service provider, comprising:
- identifying, with a first computing environment, components of the application, wherein ones of the components perform at least one of receiving, transferring, and transmitting information for the application, wherein the asset includes a second computing environment provided by the service provider and configured to make the application publically available through one or more networks;
  
  identifying, by at least one virtual asset of the first computing environment, one or more security threats and populating a threat model library with data regarding the identified security threats;
  
  receiving security information, for at least some of the components, that identifies whether measures were taken within the application to secure the application against one or more of the security threats of the threat model library, the threat model library further including one or more patterns, the patterns representing one or more first operational characteristics of the first virtual asset, wherein patterns of the threat model library are associated with at least one external event;
  
  determining that the measures sufficiently address security risks associated with the security threats of the threat model library, including;
  
  transmitting first queries to a third computing environment that are related to the security information, wherein the third computing environment is a different computing environment than the first and second computing environments;
  
  receiving responses from the third computing environment to the first queries related to the security information;
  
  transmitting subsequent queries to the third computing environment in response to and based at least in part on content of the responses to the first queries;
  
  receiving a second virtual asset pattern from a second virtual asset, the received second virtual asset pattern representing one or more second operational characteristics of the second virtual asset;
  
  identifying, by comparing the second virtual asset pattern to one or more patterns of the threat model library, at least one external event; and
  
  distributing data of the identified at least one external events to the one or more second virtual assets, if the second pattern is similar or equal to a compared pattern.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1 wherein determining whether the measures of the security information sufficiently address security risks associated with the list of security threats, further includes:
    - forwarding at least some of the responses from the third computing environment to the first queries to a subject matter expert or security expert to enable the subject matter expert or security expert to determine a sufficiency of the measures of the security information; and
      
      receiving an analysis from the subject matter or security expert regarding the sufficiency of the measures of the security information.
  - 3. The method of claim 1, further comprising:
    - providing a graphical user interface to receive input from the third computing environment,further wherein identifying the components of the application includes receiving information regarding the components of the application through the graphical user interface, wherein receiving the security information, for at least some of the components, includes receiving the security information through the graphical user interface.
  - 4. The method of claim 3 wherein providing the threat model to the third computing environment includes providing a graphical display of the threat model through the graphical user interface.
  - 5. The method of claim 1 wherein at least some of the components are application programming interfaces (APIs) for the application.
  - 6. The method of claim 1, further comprising:
    - receiving characteristics of the asset from the third computing environment through a graphical user interface;
      
      determining security weaknesses of the asset based on the characteristics of the asset; and
      
      providing the threat model to the third computing environment, at least partially, based on the characteristics of the asset.
  - 7. The method of claim 6, wherein determining the security weaknesses of the asset includes querying the threat model database with the characteristics of the asset.
  - 8. The method of claim 1 wherein determining whether the measures of the security information sufficiently address security risks associated with the list of security threats, further includes:
    - forwarding at least some of the responses from the third computing environment to the first queries to a programmable service; and
      
      receiving an analysis from the programmable service regarding the sufficiency of the measures of the security information.
  - 9. The method of claim 1 wherein determining whether the measures of the security information sufficiently address security risks associated with the list of security threats includes determining whether the security information conforms with requirements of a security policy for the asset, the security policy being managed by the service provider.
  - 10. The method of claim 1, wherein the external events include at least one of a natural disaster, a world event, and a malicious software attack.
  - 11. The method of claim 10, wherein the natural disaster includes one or more of a hurricane, a tornado, an earthquake, a tsunami, a typhoon, a volcano, and a flood.
  - 12. The method of claim 10, wherein the world event includes one or more of a sporting event, an election, an act of terrorism, and a war.
  - 13. The method of claim 10, wherein the malicious software attack includes one or more of a denial of service attack, a virus, a worm, a Trojans horse, spoofing, and pharming.
  - 14. The method of claim 1, wherein the first and second operational characteristics include one or more types of messages received, quantities of messages received, geographic origins of messages received, frequencies of messages received, size of messages received, failed user account login attempts, processor usage percentages, denied access to a third computing environment, memory usage percentages, and network bandwidth.
  - 15. The method of claim 1, wherein each of the one or more second virtual assets provides the one or more computing services to the one or more users,further wherein each of the one or more second virtual assets includes a second allocation of one or more second hardware and software resources from a third computing environment.
  - 16. The method of claim 1, wherein the first patterns are at least partially based on deviations from pre-determined operating parameters, by the one or more first virtual assets,further wherein the second patterns are at least partially based on deviations from the pre-determined operating parameters, by the one or more second virtual assets.
  - 17. The method of claim 1, wherein the second computing environment is a data center.
  - 18. The method of claim 1, wherein the first patterns are detected by the one or more first virtual assets during the one of the external events.

19. A system for automating threat model generation and pattern identification for an application of an asset of a service provider, the system comprising:
- at least one processor; and
  
  at least one memory coupled to the at least one processor, the at least one memory having stored therein instructions which when executed by the at least one processors, perform a process for automating threat model generation and pattern identification for an application of an asset of a service provider, the process including;
  
  identifying, with a first computing environment, components of the application, wherein ones of the components perform at least one of receiving, transferring, and transmitting information for the application, wherein the asset includes a second computing environment provided by the service provider and configured to make the application publically available through one or more networks;
  
  identifying, by a virtual asset of the first computing environment, one or more security threats and populating a threat model library with data regarding the identified security threats;
  
  receiving security information, for at least some of the components, that identifies whether measures were taken within the application to secure the application against one or more of the security threats of the threat model library, the threat model library further including one or more patterns, the patterns representing one or more first operational characteristics of the first virtual asset, wherein patterns of the threat model library are associated with at least one external event;
  
  determining whether the measures sufficiently address security risks associated with the security threats of the threat model library, including;
  
  transmitting first queries to a third computing environment that are related to the security information, wherein the third computing environment is a different computing environment than the first and second computing environments;
  
  receiving responses from the third computing environment to the first queries related to the security information;
  
  transmitting subsequent queries to the third computing environment in response to and based at least in part on content of the responses to the first queries;
  
  receiving a second virtual asset pattern from a second virtual asset, the received second virtual asset pattern representing one or more second operational characteristics of the second virtual asset;
  
  identifying, by comparing the second virtual asset pattern to one or more patterns of the threat model library, at least one external event; and
  
  distributing data of the identified at least one external events to the one or more second virtual assets, if the second pattern is similar or equal to a compared pattern.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 20. The system of claim 19 wherein determining whether the measures of the security information sufficiently address security risks associated with the list of security threats, further includes:
    - forwarding at least some of the responses from the third computing environment to the first queries to a subject matter expert or security expert to enable the subject matter expert or security expert to determine a sufficiency of the measures of the security information; and
      
      receiving an analysis from the subject matter or security expert regarding the sufficiency of the measures of the security information.
  - 21. The system of claim 19 wherein the process further comprises:
    - providing a graphical user interface to receive input from the third computing environment,further wherein identifying the components of the application includes receiving information regarding the components of the application through the graphical user interface, wherein receiving the security information, for at least some of the components, includes receiving the security information through the graphical user interface.
  - 22. The system of claim 21 wherein providing the threat model to the third computing environment includes providing a graphical display of the threat model through the graphical user interface.
  - 23. The system of claim 19 wherein at least some of the components are application programming interfaces for the application.
  - 24. The system of claim 19 wherein determining whether the measures of the security information sufficiently address security risks associated with the list of security threats includes determining whether the security information conforms with requirements of a security policy for the asset, the security policy being managed by the service provider.
  - 25. The system of claim 19, wherein the external events include at least one of a natural disaster, a world event, and a malicious software attack.
  - 26. The system of claim 25, wherein the natural disaster includes one or more of a hurricane, a tornado, an earthquake, a tsunami, a typhoon, a volcano, and a flood.
  - 27. The system of claim 25, wherein the world event includes one or more of a sporting event, an election, an act of terrorism, and a war.
  - 28. The system of claim 25, wherein the malicious software attack includes one or more of a denial of service attack, a virus, a worm, a Trojans horse, spoofing, and pharming.
  - 29. The system of claim 19, wherein the first and second operational characteristics include one or more types of messages received, quantities of messages received, geographic origins of messages received, frequencies of messages received, size of messages received, failed user account login attempts, processor usage percentages, denied access to a third computing environment, memory usage percentages, and network bandwidth.
  - 30. The system of claim 19, wherein the first patterns are at least partially based on deviations from pre-determined operating parameters, by the one or more first virtual assets,further wherein the second patterns are at least partially based on deviations from the pre-determined operating parameters, by the one or more second virtual assets.
  - 31. The system of claim 19, wherein the second computing environment is a data center.
  - 32. The system of claim 19, wherein the first patterns are detected by the one or more first virtual assets during the one of the external events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intuit, Inc.
Original Assignee
Intuit, Inc.
Inventors
Cabrera, Luis Felipe, Lietz, M. Shannon, Godinez, Javier
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
HOLMES, ANGELA R

Application Number

US15/086,330
Publication Number

US 20160248798A1
Time in Patent Office

509 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Method and apparatus for automating threat model generation and pattern identification

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for automating threat model generation and pattern identification

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links