Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing
Abstract
A system defines at least one key event to be monitored by at least one agent, and creates a graphical model for the at least one key event. The system observes the at least one key event. The system infers a degree of attack on the computer system based on an observation of the at least one key event in conjunction with a result of an effect the at least one key event has on the graphical model. The system then adjusts a security policy based on an output of the graphical model.
92 Citations
35 Claims
1-20. (canceled)
21. A computerized method, comprising:
at a client security agent:
initializing probability settings, based on information about known types of security attacks and representing an initial level of a security policy;
detecting an occurrence of a key event from a plurality of key events and collecting event data that represent effects caused by the occurrence of the key event;
selecting one or more first rules that take into consideration the effects caused by the occurrence of the key event, and applying the one or more first rules to the collected event data to compute one or more event result values;
in response to determining that the one or more event result values exceeded one or more corresponding threshold values, modifying the probability settings to increase the level of the security policy, applying one or more second rules to the modified probability settings and determining whether a new type of security attack has occurred;
wherein the method is performed by one or more processors.
Dependent claims: 22, 23, 24, 25.
26. An apparatus, comprising:
one or more processors;
a memory, encoded with one or more sequences of instructions, which when executed by the one or more processors, cause the one or more processors to perform:
initializing probability settings, based on information about known types of security attacks and representing an initial level of a security policy;
detecting an occurrence of a key event from a plurality of key events and collecting event data that represent effects caused by the occurrence of the key event;
selecting one or more first rules that take into consideration the effects caused by the occurrence of the key event, and applying the one or more first rules to the collected event data to compute one or more event result values;
in response to determining that the one or more event result values exceeded one or more corresponding threshold values, modifying the probability settings to increase the level of the security policy, applying one or more second rules to the modified probability settings and determining whether a new type of security attack has occurred.
Dependent claims: 27, 28, 29, 30.
31. A computer readable storage medium storing one or more sequences of instructions, which when executed by one or more processors, cause the one or more processors to perform:
initializing probability settings, based on information about known types of security attacks and representing an initial level of a security policy;
detecting an occurrence of a key event from a plurality of key events and collecting event data that represent effects caused by the occurrence of the key event;
selecting one or more first rules that take into consideration the effects caused by the occurrence of the key event, and applying the one or more first rules to the collected event data to compute one or more event result values;
in response to determining that the one or more event result values exceeded one or more corresponding threshold values, modifying the probability settings to increase the level of the security policy, applying one or more second rules to the modified probability settings and determining whether a new type of security attack has occurred.
Dependent claims: 32, 33, 34, 35.
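The agent loop that the abstract and independent claims 21, 26 and 31 describe (initial probability settings, key event detection, first rules against thresholds, reposturing of the policy, second rules over the modified settings), as an added Python sketch that is not code from the patent or its assignee. The attack types, rules, thresholds and both "second rules" (policy level from the highest probability; two elevated types taken as a new attack type) are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class KeyEvent:
    """A detected key event plus the event data collected with it."""
    name: str
    data: Dict[str, float]

@dataclass
class FirstRule:
    """First rule: event data -> event result value, compared to a threshold."""
    event: str
    result: Callable[[Dict[str, float]], float]
    threshold: float
    attack_type: str   # probability setting raised when the threshold is exceeded
    increment: float

@dataclass
class Agent:
    """Client security agent; probability settings per known attack type (constructed)."""
    probabilities: Dict[str, float]
    first_rules: List[FirstRule]

    def policy_level(self) -> str:
        """Second rule (assumed): map the highest attack probability to a policy level."""
        p = max(self.probabilities.values())
        return "restrictive" if p >= 0.6 else "elevated" if p >= 0.3 else "permissive"

    def new_attack_suspected(self) -> bool:
        """Second rule (assumed): two known types elevated at once suggests a new attack type."""
        return sum(p >= 0.3 for p in self.probabilities.values()) >= 2

    def handle(self, event: KeyEvent) -> Tuple[str, bool]:
        """Apply first rules; on a breach raise the setting, then apply second rules."""
        for rule in self.first_rules:
            if rule.event == event.name and rule.result(event.data) > rule.threshold:
                p = self.probabilities.get(rule.attack_type, 0.0)
                self.probabilities[rule.attack_type] = min(1.0, p + rule.increment)
        return self.policy_level(), self.new_attack_suspected()

def run_scenario() -> List[Tuple[str, bool]]:
    """Constructed event stream: a benign burst, then two threshold breaches."""
    agent = Agent(
        probabilities={"port_scan": 0.05, "brute_force": 0.05},
        first_rules=[FirstRule("connection_burst", lambda d: d["distinct_ports"], 50, "port_scan", 0.4),
                     FirstRule("auth_failure", lambda d: d["failures_per_min"], 20, "brute_force", 0.4)])
    events = [KeyEvent("connection_burst", {"distinct_ports": 12}),
              KeyEvent("connection_burst", {"distinct_ports": 120}),
              KeyEvent("auth_failure", {"failures_per_min": 35})]
    return [agent.handle(e) for e in events]
```

The first event stays below its threshold and leaves the policy permissive; the second raises the port-scan setting and reposts the policy to elevated; the third elevates a second type, which the assumed second rule reports as a suspected new attack type.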
Specification