Identifying relationships between security metrics

US 8,806,645 B2
Filed: 04/01/2011
Issued: 08/12/2014
Est. Priority Date: 04/01/2011
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory, machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:

receive security information data from each of a plurality of data sources for a network system of computers, the security information data from each data source comprising values of one or more security signals for the network system at each of a plurality of times in a period of time;

receive a plurality of metric definitions from each of a plurality of metric sources, wherein each metric definition defines a heuristic for calculating a score for the network system from one or more security signal values at a time in the plurality of times, wherein the score quantifies a security metric for the network system;

calculate, for each metric definition, a respective score for the system for each time in the plurality of times, the calculating comprising, for each time, applying the metric definition to the security signal values at the time to calculate the respective score for the network system;

compare the scores for each metric over the period of time to identify one or more relationships between the plurality of metric definitions;

select a set of metric definitions from the plurality of metric definitions as candidates to be key performance indicators for security of the network system based on the one or more relationships between the plurality of metric definitions, wherein each key performance indicator is to represent a state of the network system and is to be indicative of one or more other metric definitions;

cause the set of metric definitions to be presented at a user interface as suggested candidates for selection as key performance indicators for the network system;

identify user selection, through the user interface, of one or more of the set of metric definitions as key performance indicators for the network system; and

define the selected one or more of the set of metric definitions as new key performance indicators for the network system based on the user selection.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security metrics system receives security information data for a network system of computers and metric definitions from metric sources. Each metric definition defines a heuristic for calculating a score for the network system from one or more security signal values at a time in the plurality of times, wherein the score quantifies a security metric for the network system. The system calculates each metric definition for a plurality of times and selecting metric definitions that are related to the performance of and are indicative of one or more other metric definitions as candidates to be key performance indicators.

12 Citations

21 Claims

1. At least one non-transitory, machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- receive security information data from each of a plurality of data sources for a network system of computers, the security information data from each data source comprising values of one or more security signals for the network system at each of a plurality of times in a period of time;
  
  receive a plurality of metric definitions from each of a plurality of metric sources, wherein each metric definition defines a heuristic for calculating a score for the network system from one or more security signal values at a time in the plurality of times, wherein the score quantifies a security metric for the network system;
  
  calculate, for each metric definition, a respective score for the system for each time in the plurality of times, the calculating comprising, for each time, applying the metric definition to the security signal values at the time to calculate the respective score for the network system;
  
  compare the scores for each metric over the period of time to identify one or more relationships between the plurality of metric definitions;
  
  select a set of metric definitions from the plurality of metric definitions as candidates to be key performance indicators for security of the network system based on the one or more relationships between the plurality of metric definitions, wherein each key performance indicator is to represent a state of the network system and is to be indicative of one or more other metric definitions;
  
  cause the set of metric definitions to be presented at a user interface as suggested candidates for selection as key performance indicators for the network system;
  
  identify user selection, through the user interface, of one or more of the set of metric definitions as key performance indicators for the network system; and
  
  define the selected one or more of the set of metric definitions as new key performance indicators for the network system based on the user selection.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The storage medium of claim 1, wherein the plurality of metric definitions include one or more user-defined metric definitions and one or more system-defined metric definitions.
  - 3. The storage medium of claim 1, wherein the instructions, when executed on a machine, further cause the machine to:
    - generate a graphical representation of the scores for each of the set of metric definitions over time;
      
      present the graphical representations to a user.
  - 4. The storage medium of claim 1, wherein the one or more relationships include a correlation relationship.
  - 5. The storage medium of claim 4, wherein the set of metric definitions are positively or negatively correlated to one or more other metric definitions, and wherein each metric definition is not explicitly dependent on the one or more other metric definitions with which it is positively correlated.
  - 6. The storage medium of claim 1, further comprising receiving input from a user identifying one or more metric definitions of interest, wherein the set of metric definitions is to be selected according to identified relationships between-the set of metric definitions and the one or more metric definitions of interest, wherein the new key performance indicators comprise key performance indicators corresponding to the metric definitions of interest.

7. At least one non-transitory, machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- receive security information data from each of a plurality of data sources for a network system of computers, the security information data from each data source comprising values of one or more security signals for the network system at each of a plurality of times in a period of time;
  
  receive a plurality of metric definitions from each of a plurality of metric sources, wherein each metric definition defines a heuristic for calculating a score for the network system from one or more security signal values at a time in the plurality of times, wherein the score quantifies a security metric for the network system;
  
  calculate, for each metric definition, a respective score for the system for each time in the plurality of times, the calculating comprising, for each time, applying the metric definition to the security signal values at the time to calculate the respective score for the network system;
  
  compare the scores for the metrics over the period of time to identify one or more relationships between the plurality of metric definitions;
  
  present a graphical representation of one or more of the identified relationships between two or more of the metric definitions to a user; and
  
  receive a selection of at least one of the two or more metric definitions as a key performance indicator for the network system, wherein key performance indicators are to represent a corresponding state of the network system and are to be indicative of one or more other metric definitions; and
  
  define the selected metric definitions as new key performance indicators for the network system based on the user selection.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The storage medium of claim 7, wherein the plurality of metric definitions include one or more user-defined metric definitions and one or more system-defined metric definitions.
  - 9. The storage medium of claim 7, wherein comparing the scores for the metrics over the period of time comprises comparing the score of each metric to each other metric.
  - 10. The storage medium of claim 7, wherein the instructions, when executed on a machine, further cause the machine to receive user input specifying two or more metric definitions of interest;
    - wherein comparing the scores for the metrics over the period of time comprises comparing the scores for the metric definitions of interest.
  - 11. The storage medium of claim 7, wherein the one or more relationships include correlation relationships.

12. A computer implemented method, comprising:
- receiving, by a data processing apparatus, security information data from each of a plurality of data sources for a network system of computers, the security information data from each data source comprising values of one or more security signals for the network system at each of a plurality of times in a period of time;
  
  receiving, by the data processing apparatus, a plurality of metric definitions from each of a plurality of metric sources, wherein each metric definition defines a heuristic for calculating a score for the network system from one or more security signal values at a time in the plurality of times, wherein the score quantifies a security metric for the network system;
  
  calculating, by the data processing apparatus, for each metric definition, a respective score for the system for each time in the plurality of times, the calculating comprising, for each time, applying the metric definition to the security signal values at the time to calculate the respective score for the network system;
  
  comparing, by the data processing apparatus, the scores for each metric over the period of time to identify one or more relationships between the plurality of metric definitions;
  
  selecting, by the data processing apparatus, a set of metric definitions from the plurality of metric definitions as candidates to be key performance indicators for security of the network system based on the one or more relationships between the plurality of metric definitions, and wherein each key performance indicator is to represent a state of the network system and is to be indicative of one or more other metric definitions;
  
  causing the set of metric definitions to be presented at a user interface as suggested candidates for selection as key performance indicators for the network system;
  
  identifying user selection, through the user interface, of one or more of the set of metric definitions as key performance indicators for the network system; and
  
  defining the selected one or more of the set of metric definitions as new key performance indicators for the network system based on the user selection.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, wherein the plurality of metric definitions include one or more user-defined metric definitions and one or more system-defined metric definitions.
  - 14. The method of claim 12, further comprising:
    - generating a graphical representation of the scores for each of the set of metric definitions over time;
      
      presenting the graphical representations to a user.
  - 15. The method of claim 12, wherein the one or more relationships include a correlation relationship.
  - 16. The method of claim 15, wherein the set of metric definitions are positively or negatively correlated to one or more other metric definitions, and wherein each metric definition is not explicitly dependent on the one or more other metric definitions with which it is positively correlated.

17. A method, comprising:
- receiving, by a data processing apparatus, security information data from each of a plurality of data sources for a network system of computers, the security information data from each data source comprising values of one or more security signals for the network system at each of a plurality of times in a period of time;
  
  receiving, by the data processing apparatus, a plurality of metric definitions from each of a plurality of metric sources, wherein each metric definition defines a heuristic for calculating a score for the network system from one or more security signal values at a time in the plurality of times, wherein the score quantifies a security metric for the network system;
  
  calculating, by the data processing apparatus, for each metric definition, a respective score for the system for each time in the plurality of times, the calculating comprising, for each time, applying the metric definition to the security signal values at the time to calculate the respective score for the network system;
  
  comparing, by the data processing apparatus, the scores for the metrics over the period of time to identify one or more relationships between the plurality of metric definitions;
  
  generating, by the data processing apparatus, data for a graphical representation of one or more of the identified relationships between two or more of the metric definitions to a user;
  
  receiving a selection of at least one of the two or more metric definitions as a key performance indicator for the network system, wherein key performance indicators are to represent a corresponding state of the network system and are to be indicative of one or more other metric definitions; and
  
  defining the selected metric definitions as new key performance indicators for the network system based on the user selection.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method of claim 17, wherein the plurality of metric definitions include one or more user-defined metric definitions and one or more system-defined metric definitions.
  - 19. The method of claim 17, wherein comparing the scores for the metrics over the period of time comprises comparing the score of each metric to each other metric.
  - 20. The method of claim 17, further comprising receiving user input specifying two or more metric definitions of interest;
    - wherein comparing the scores for the metrics over the period of time comprises comparing the scores for the metric definitions of interest.
  - 21. The method of claim 17, wherein the one or more relationships include correlation relationships.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Nakawatase, Ryan, Ritter, Stephen, Schrecker, Sven
Primary Examiner(s)
Zecher, Cordelia
Assistant Examiner(s)
Savenkov, Vadim

Application Number

US13/078,440
Publication Number

US 20130247203A1
Time in Patent Office

1,229 Days
Field of Search

726 22- 25, 705 711- 742
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/14   for detecting or protecting...

Identifying relationships between security metrics

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Identifying relationships between security metrics

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others