NETWORK SECURITY SYSTEM WITH REMEDIATION BASED ON VALUE OF ATTACKED ASSETS

US 20160248805A1
Filed: 05/04/2016
Published: 08/25/2016
Est. Priority Date: 03/05/2014
Status: Active Grant

First Claim

Patent Images

1. A computer system for detecting and remediating attacks on a computer network comprising:

a memory persistently storing a set of instructions and a set of data that identifies a plurality of host computers in the computer network;

one or more processors coupled to the memory, wherein the one or more processors execute the set of instructions, which cause the one or more processors to;

determine an attack on a particular host computer in the computer network;

determine a first attribute score that corresponds to a first attribute, wherein the first attribute is associated with a first category of attack monitors;

determine a second attribute score that corresponds to a second attribute, wherein the second attribute is associated with the first category of attack monitors;

determine a third attribute score that corresponds to a third attribute, wherein the third attribute is associated with a second category of attack monitors;

determine a fourth attribute score that corresponds to a fourth attribute, wherein the fourth attribute is associated with the second category of attack monitors;

determine a first category score for the first category of attack monitors based on the first attribute score, the second attribute score, and a first set of weights;

determine a second category score for the first category of attack monitors based on the third attribute score, the fourth attribute score, and a second set of weights;

determine a threat score for the attack on the particular host computer based on the first category score, the second category score, and a set of category weights;

select a remediation action from a plurality of remediation actions based on the threat score for the attack;

perform the remediation action.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data processing method comprising obtaining a plurality of computer network security threat feeds from two or more computer threat detection systems; based upon computer network attack information in the computer network security threat feeds, determining a threat score that represents a severity of an actual or suspected attack on a particular host in a computer network; obtaining an asset value for the particular host that indicates a worth of the particular host, and updating the threat score based upon the asset value; mapping the updated threat score to one of a plurality of remediation actions, wherein a first remediation action is mapped when the updated threat score is low and a second, different remediation action is mapped when the updated threat score is high; based upon the updated threat score and the mapping, selecting and automatically performing one of the plurality of remediation actions on the particular host; wherein the method is performed by one or more special-purpose computing devices.

35 Citations

View as Search Results

17 Claims

1. A computer system for detecting and remediating attacks on a computer network comprising:
- a memory persistently storing a set of instructions and a set of data that identifies a plurality of host computers in the computer network;
  
  one or more processors coupled to the memory, wherein the one or more processors execute the set of instructions, which cause the one or more processors to;
  
  determine an attack on a particular host computer in the computer network;
  
  determine a first attribute score that corresponds to a first attribute, wherein the first attribute is associated with a first category of attack monitors;
  
  determine a second attribute score that corresponds to a second attribute, wherein the second attribute is associated with the first category of attack monitors;
  
  determine a third attribute score that corresponds to a third attribute, wherein the third attribute is associated with a second category of attack monitors;
  
  determine a fourth attribute score that corresponds to a fourth attribute, wherein the fourth attribute is associated with the second category of attack monitors;
  
  determine a first category score for the first category of attack monitors based on the first attribute score, the second attribute score, and a first set of weights;
  
  determine a second category score for the first category of attack monitors based on the third attribute score, the fourth attribute score, and a second set of weights;
  
  determine a threat score for the attack on the particular host computer based on the first category score, the second category score, and a set of category weights;
  
  select a remediation action from a plurality of remediation actions based on the threat score for the attack;
  
  perform the remediation action.
- View Dependent Claims (2, 3, 4)
- - 2. The computer system of claim 1, wherein the first attribute score is based on a machine posture of the particular host computer, wherein the machine posture is based on a number of installed patches;
    - wherein the second attribute score is based on a user posture, wherein the user posture is based on a position associated with a user that is associated with the particular host computer;
      
      wherein the first category of attack monitors is an internal risk category.
  - 3. The computer system of claim 2, wherein the third attribute score is based on results from a first detector;
    - wherein the fourth attribute score is based on results from a second detector;
      
      wherein the second category of attack monitors is a detector category.
  - 4. The computer system of claim 1, wherein the set of instructions causes the one or more processors to determine a third category score based on a history between the attack and the particular host computer, wherein the threat score for the attack is based on the third category score.

5. A method comprising:
- determining an attack on a particular host computer in a computer network;
  
  determining a first attribute score that corresponds to a first attribute, wherein the first attribute is associated with a first category of attack monitors;
  
  determining a second attribute score that corresponds to a second attribute, wherein the second attribute is associated with the first category of attack monitors;
  
  determining a third attribute score that corresponds to a third attribute, wherein the third attribute is associated with a second category of attack monitors;
  
  determining a fourth attribute score that corresponds to a fourth attribute, wherein the fourth attribute is associated with the second category of attack monitors;
  
  determining a first category score for the first category of attack monitors based on the first attribute score, the second attribute score, and a first set of weights;
  
  determining a second category score for the first category of attack monitors based on the third attribute score, the fourth attribute score, and a second set of weights;
  
  determining a threat score for the attack on the particular host computer based on the first category score, the second category score, and a set of category weights;
  
  selecting a remediation action from a plurality of remediation actions based on the threat score for the attack;
  
  performing the remediation action;
  
  wherein the method is performed by one or more special-purpose computing devices.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5, wherein the first attribute score is based on a machine posture of the particular host computer, wherein the machine posture is based on a number of installed patches;
    - wherein the second attribute score is based on a user posture, wherein the user posture is based on a position associated with a user that is associated with the particular host computer;
      
      wherein the first category of attack monitors is an internal risk category.
  - 7. The method of claim 6, wherein the third attribute score is based on results from a first detector;
    - wherein the fourth attribute score is based on results from a second detector;
      
      wherein the second category of attack monitors is a detector category.
  - 8. The method of claim 5 comprising determining a third category score based on a history between the attack and the particular host computer, wherein the threat score for the attack is based on the third category score.

9. A method comprising:
- determining an attack on a particular host computer in a computer network;
  
  determining a first score associated with the attack;
  
  determining a second score associated with the particular host computer, wherein the first score is different than the second score;
  
  determining a third score based on a user associated with the particular host computer, wherein the first score and the second score are different than the third score;
  
  determining a total threat score based on the first score, the second score, and the third score;
  
  causing to present, on a display, the first score, the second score, the third score, the total threat score, a recommended remediation action based on the total threat score;
  
  wherein the method is performed by one or more special-purpose computing devices.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, wherein one or more first factors were used to determine the first score, one or more second factors were used to determine the second score, and one or more third factors were used to determine the third score, and the method comprising:
    - causing to present, on the display, with the first score, a first listing identifying the one or more first factors;
      
      causing to present, on the display, with the second score, a second listing identifying the one or more second factors;
      
      causing to present, on the display, with the third score, a third listing identifying the one or more third factors.
  - 11. The method of claim 10, wherein each factor of the one or more first factors is associated with a value, and the method comprises, for each factor of the one or more first factors:
    - causing to present, on the display, the value associated with the factor.
  - 12. The method of claim 9, wherein the first score is based on a machine posture of the particular host computer.
  - 13. The method of claim 12, wherein the machine posture comprises a value indicating a number of installed patches.
  - 14. The method of claim 12, wherein the second score is based on one or more features associated with a user that corresponds to the particular host computer.
  - 15. The method of claim 14, wherein the third score is based on one or more features associated with the attack.
  - 16. The method of claim 9, wherein the attack is a suspected attack.
  - 17. The method of claim 9 comprising causing to present, on the display, a listing of one or more previously taken radiation actions to neutralize the attack on the particular host computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Netflix, Inc.
Original Assignee
Netflix, Inc.
Inventors
BURNS, WILLIAM D., FRY, ROB

Granted Patent

US 10,511,623 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

NETWORK SECURITY SYSTEM WITH REMEDIATION BASED ON VALUE OF ATTACKED ASSETS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

NETWORK SECURITY SYSTEM WITH REMEDIATION BASED ON VALUE OF ATTACKED ASSETS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others