Threat scoring system and method for intrusion detection security networks

US 7,594,270 B2
Filed: 12/29/2005
Issued: 09/22/2009
Est. Priority Date: 12/29/2004
Status: Active Grant

First Claim

Patent Images

1. A method of analyzing an event detected in a distributed computer system, comprising:

at a receiving server machine in a security expert system, receiving information from said distributed computer system over a network, wherein said information comprises said event and wherein said event is detected by a device in said distributed computer system;

storing said event in a database in said security expert system;

at an expert system server machine in said security expert system;

retrieving said event from said database;

determining an attack validation value associated with said event;

determining a target exposure value associated with a host targeted by said event;

determining an attacker rating value associated with an attacker originating said event; and

determining a threat rating for said event utilizing said attack validation value, said target exposure value, and said attacker rating value; and

displaying said threat rating on a user interface for said security expert system.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention provide a security expert system (SES) that automates intrusion detection analysis and threat discovery that can use fuzzy logic and forward-chaining inference engines to approximate human reasoning process. Embodiments of the SES can analyze incoming security events and generate a threat rating that indicates the likelihood of an event or a series of events being a threat. In one embodiment, the threat rating is determined based on an attacker rating, a target rating, a valid rating, and, optionally, a negative rating. In one embodiment, the threat rating may be affected by a validation flag. The SES can analyze the criticality of assets and calibrate/recalibrate the severity of an attack accordingly to allow for triage. The asset criticality can have a user-defined value. This ability allows the SES to protect and defend critical network resources in a discriminating and selective manner if necessary (e.g., many attacks).

90 Citations

View as Search Results

26 Claims

1. A method of analyzing an event detected in a distributed computer system, comprising:
- at a receiving server machine in a security expert system, receiving information from said distributed computer system over a network, wherein said information comprises said event and wherein said event is detected by a device in said distributed computer system;
  
  storing said event in a database in said security expert system;
  
  at an expert system server machine in said security expert system;
  
  retrieving said event from said database;
  
  determining an attack validation value associated with said event;
  
  determining a target exposure value associated with a host targeted by said event;
  
  determining an attacker rating value associated with an attacker originating said event; and
  
  determining a threat rating for said event utilizing said attack validation value, said target exposure value, and said attacker rating value; and
  
  displaying said threat rating on a user interface for said security expert system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method according to claim 1, wherein the step of determining a threat rating for said event further comprises utilizing a negation value.
  - 3. The method according to claim 1, further comprising performing user-defined pre-processing checks, user-defined post-processing checks, or a combination thereof.
  - 4. The method according to claim 1, further comprising creating an incident based on said event and said threat rating.
  - 5. The method according to claim 1, further comprising taking a defensive action, a corrective action, or a combination thereof, based on said threat rating.
  - 6. The method according to claim 1, wherein the step of determining an attack validation value further comprises determining whether an attack associated with said event was successful.
  - 7. The method according to claim 6, in which said attack associated with said event was successful, further comprises setting a validated flag.
  - 8. The method according to claim 1, wherein the step of determining an attack validation value further comprises:
    - determining a class rating value;
      
      determining a vulnerability to attack value for said host; and
      
      utilizing said class rating value and said vulnerability to attack value to calculate said attack validation value.
  - 9. The method according to claim 8, wherein the step of determining a class rating value further comprises:
    - determining whether said event is from said attacker or from said host; and
      
      applying attacker-specific rules if said event is from said attacker or target-specific rules if said event is from said host.
  - 10. The method according to claim 9, wherein the step of determining a class rating value further comprises determining an event signature and applying validation rules associated with said event signature to calculate said class rating value.
  - 11. The method according to claim 8, wherein the step of determining a vulnerability to attack value for said host further comprises:
    - determining a plurality of factors associated with said host, said plurality of factors including whether said host is known to be vulnerable, whether a vulnerability associated with an event signature can be found on said host, whether said host is running an operating system known to be vulnerable, whether said operating system matches that associated with said event signature, and whether a port is open on said host.
  - 12. The method according to claim 8, further comprising:
    - applying a first weight factor to said class rating value; and
      
      applying a second weight factor to vulnerability to attack value for said host.
  - 13. The method according to claim 1, wherein the step of determining a target exposure value associated with a host targeted by said event further comprises:
    - determining an interim host exposure value;
      
      determining a target criticality value associated with said host; and
      
      utilizing said interim host exposure value and said target criticality value associated with said host to calculate said target exposure value associated with said host.
  - 14. The method according to claim 13, further comprising:
    - applying a third weight factor to said interim host exposure value; and
      
      applying a fourth weight factor to said target criticality value associated with said host.
  - 15. The method according to claim 13, wherein the step of determining an interim host exposure value further comprises dividing a total number of exposures associated with said host by a number of average exposures exhibited by one or more hosts in a host group to which said host belongs.
  - 16. The method according to claim 15, wherein the step of determining a target criticality value associated with said host further comprises searching an asset criticality table having user-specified assets and corresponding user-defined asset criticality values.
  - 17. The method according to claim 1, wherein the step of determining an attacker rating value associated with an attacker originating said event further comprises:
    - determining at least two factors from a plurality of actors, said plurality of factors including a signature severity value, an aggressive attacker value, and a returning attacker value; and
      
      utilizing said at least two factors to calculate said attacker rating value.
  - 18. The method according to claim 17, further comprising:
    - applying a fifth weight factor to said signature severity value;
      
      applying a sixth weight factor to said aggressive attacker value; and
      
      applying a seventh weight factor to said returning attacker value.
  - 19. The method according to claim 18, further comprising:
    - obtaining said signature severity value from a table of severity values for signatures stored in a database.
  - 20. The method according to claim 19, the step of determining said aggressive attacker value further comprises:
    - applying aggressive attacker rules to a window of time and number of events within the window; and
      
      applying an eighth weight factor to said signature severity value and said aggressive attacker value.
  - 21. The method according to claim 20, wherein the step of determining said returning attacker value further comprises:
    - determining whether said attacker has attacked before within a predetermined time period; and
      
      applying a ninth weight factor to said returning attacker value.
  - 22. The method according to claim 1, further comprising:
    - applying one or more weighting factors to one or more of said attack validation value associated with said event, said target exposure value associated with said host targeted by said event, and said attacker rating value associated with said attacker.
  - 23. The method according to claim 22, in which if a validated flag is set, a weighting factor is applied to said attack validation value associated with said event such that said attack validation value has majority over said target exposure value and said attacker rating value.
  - 24. The method according to claim 22, in which if a validated flag is set, said threat rating=(said attacker rating value*0.15)+(said target exposure value*0.25)+(said attack validation value*0.6)−
    - (a negation value); and
      
      , if a validated flag is not set, said threat rating=(said attacker rating value*0.2)+(said target exposure value*0.4)+(said attack validation value*0.4)−
      
      (a negation value).

25. A computer program product comprising a computer-readable storage medium carrying program instructions executable on a security expert system, wherein said program instructions comprise:
- code for receiving information from a distributed computer system over a network, wherein said information comprises an event detected by a device in said distributed computer system;
  
  code for storing said event in a database;
  
  code for retrieving said event from said database;
  
  code for determining an attack validation value associated with said event;
  
  code for determining a target exposure value associated with a host targeted by said event;
  
  code for determining an attacker rating value associated with an attacker originating said event;
  
  code for determining a threat rating for said event utilizing said attack validation value, said target exposure value, and said attacker rating value; and
  
  code for displaying said threat rating on a user interface for said security expert system.

26. A computer system, comprising:
- a receiving server machine for receiving information from a distributed computer system over a network, wherein said information comprises an event detected by a device in said distributed computer system;
  
  a database for storing said event; and
  
  an expert system server machine forretrieving said event from said database;
  
  determining an attack validation value associated with said event;
  
  determining a target exposure value associated with a host targeted by said event;
  
  determining an attacker rating value associated with an attacker originating said event; and
  
  determining a threat rating for said event utilizing said attack validation value, said target exposure value, and said attacker rating value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alert Logic Incorporated
Original Assignee
Alert Logic Incorporated
Inventors
Baker, Christopher D., Holm, Christopher D., Govshteyn, Mikhail, Church, Christopher A.
Primary Examiner(s)
Hoffman; Brandon S

Application Number

US11/321,620
Publication Number

US 20070169194A1
Time in Patent Office

1,363 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

H04L 63/1416   Event detection, e.g. attac...

Threat scoring system and method for intrusion detection security networks

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Threat scoring system and method for intrusion detection security networks

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links