NETWORK SECURITY SYSTEM WITH REMEDIATION BASED ON VALUE OF ATTACKED ASSETS
First Claim
1. A computer system for detecting and remediating attacks on a computer network comprising:
a memory persistently storing a set of instructions and a set of data that identifies a plurality of host computers in the computer network;
one or more processors coupled to the memory, wherein the one or more processors execute the set of instructions, which cause the one or more processors to:
determine an attack on a particular host computer in the computer network;
determine a first attribute score that corresponds to a first attribute, wherein the first attribute is associated with a first category of attack monitors;
determine a second attribute score that corresponds to a second attribute, wherein the second attribute is associated with the first category of attack monitors;
determine a third attribute score that corresponds to a third attribute, wherein the third attribute is associated with a second category of attack monitors;
determine a fourth attribute score that corresponds to a fourth attribute, wherein the fourth attribute is associated with the second category of attack monitors;
determine a first category score for the first category of attack monitors based on the first attribute score, the second attribute score, and a first set of weights;
determine a second category score for the first category of attack monitors based on the third attribute score, the fourth attribute score, and a second set of weights;
determine a threat score for the attack on the particular host computer based on the first category score, the second category score, and a set of category weights;
select a remediation action from a plurality of remediation actions based on the threat score for the attack;
perform the remediation action.
Abstract
A data processing method comprising obtaining a plurality of computer network security threat feeds from two or more computer threat detection systems; based upon computer network attack information in the computer network security threat feeds, determining a threat score that represents a severity of an actual or suspected attack on a particular host in a computer network; obtaining an asset value for the particular host that indicates a worth of the particular host, and updating the threat score based upon the asset value; mapping the updated threat score to one of a plurality of remediation actions, wherein a first remediation action is mapped when the updated threat score is low and a second, different remediation action is mapped when the updated threat score is high; based upon the updated threat score and the mapping, selecting and automatically performing one of the plurality of remediation actions on the particular host; wherein the method is performed by one or more special-purpose computing devices.
17 Claims
1. (Set out in full above under First Claim.) Dependent claims: 2, 3, 4.
5. A method comprising:
determining an attack on a particular host computer in a computer network;
determining a first attribute score that corresponds to a first attribute, wherein the first attribute is associated with a first category of attack monitors;
determining a second attribute score that corresponds to a second attribute, wherein the second attribute is associated with the first category of attack monitors;
determining a third attribute score that corresponds to a third attribute, wherein the third attribute is associated with a second category of attack monitors;
determining a fourth attribute score that corresponds to a fourth attribute, wherein the fourth attribute is associated with the second category of attack monitors;
determining a first category score for the first category of attack monitors based on the first attribute score, the second attribute score, and a first set of weights;
determining a second category score for the first category of attack monitors based on the third attribute score, the fourth attribute score, and a second set of weights;
determining a threat score for the attack on the particular host computer based on the first category score, the second category score, and a set of category weights;
selecting a remediation action from a plurality of remediation actions based on the threat score for the attack;
performing the remediation action;
wherein the method is performed by one or more special-purpose computing devices.
Dependent claims: 6, 7, 8.
9. A method comprising:
determining an attack on a particular host computer in a computer network;
determining a first score associated with the attack;
determining a second score associated with the particular host computer, wherein the first score is different than the second score;
determining a third score based on a user associated with the particular host computer, wherein the first score and the second score are different than the third score;
determining a total threat score based on the first score, the second score, and the third score;
causing to present, on a display, the first score, the second score, the third score, the total threat score, and a recommended remediation action based on the total threat score;
wherein the method is performed by one or more special-purpose computing devices.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17.
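An added illustration of the scoring pipeline that claim 1 and the abstract describe (attribute scores weighted into category scores, category scores weighted into a threat score, the score updated by the host's asset value, then mapped to a remediation action); this is example code, not the patent's or its assignee's, and the monitor names, weights, thresholds and the asset-value adjustment are assumptions made for the example.

```python
# Added example of the scoring pipeline in claim 1 and the abstract; all names,
# weights, thresholds and the asset-value adjustment are constructed assumptions.
ATTRIBUTE_WEIGHTS = {                        # claim 1: first and second set of weights
    "network":  {"ids_alert_severity": 0.6, "c2_beacon_confidence": 0.4},
    "endpoint": {"av_detection_severity": 0.7, "process_anomaly": 0.3},
}
CATEGORY_WEIGHTS = {"network": 0.5, "endpoint": 0.5}   # claim 1: category weights
# Abstract: a low updated score maps to one action, a high one to a different
# action. Bands are (lower bound, action), least to most disruptive.
REMEDIATION_BANDS = [(0.0, "log_and_monitor"), (0.4, "alert_analyst"),
                     (0.7, "rate_limit_host"), (0.9, "isolate_host")]

def category_score(category, attribute_scores):
    """Weighted mean of one category's attribute scores (each in [0, 1])."""
    weights = ATTRIBUTE_WEIGHTS[category]
    if set(weights) != set(attribute_scores):
        raise ValueError(f"attributes for {category!r} do not match configured weights")
    return sum(weights[a] * attribute_scores[a] for a in weights) / sum(weights.values())

def threat_score(scores_by_category):
    """Weighted mean of the category scores using the category weights."""
    cats = {c: category_score(c, scores_by_category[c]) for c in CATEGORY_WEIGHTS}
    return sum(CATEGORY_WEIGHTS[c] * cats[c] for c in cats) / sum(CATEGORY_WEIGHTS.values())

def update_for_asset_value(score, asset_value):
    """Constructed adjustment: asset_value in [0, 1]; a worthless host halves the
    score, the most valuable host raises it by half; result clamped to [0, 1]."""
    if not 0.0 <= asset_value <= 1.0:
        raise ValueError("asset_value must be in [0, 1]")
    return min(1.0, score * (0.5 + asset_value))

def select_remediation(updated_score):
    """Pick the highest band whose lower bound the updated score reaches."""
    return max(b for b in REMEDIATION_BANDS if updated_score >= b[0])[1]

def triage(scores_by_category, asset_value):
    """Run the full pipeline; keep intermediate values so the decision is auditable."""
    raw = threat_score(scores_by_category)
    updated = update_for_asset_value(raw, asset_value)
    return {"threat_score": raw, "updated_score": updated,
            "action": select_remediation(updated)}

# Constructed sample: identical alerts seen on a low-value kiosk and on a domain controller.
SAMPLE = {"network":  {"ids_alert_severity": 0.8, "c2_beacon_confidence": 0.5},
          "endpoint": {"av_detection_severity": 0.9, "process_anomaly": 0.2}}
```

With the same alerts, `triage(SAMPLE, 0.1)` (kiosk) lands in the "alert_analyst" band while `triage(SAMPLE, 1.0)` (domain controller) is pushed to "isolate_host", which is the asset-value effect the abstract claims.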
Specification