System and method for assessing whether a communication contains an attack

US 8,931,095 B2
Filed: 10/04/2013
Issued: 01/06/2015
Est. Priority Date: 02/07/2011
Status: Active Grant

First Claim

Patent Images

1. A method for assessing whether a communication contains an attack, the method comprising:

computing, at an attack detection device, a first probability that the communication contains an attack and a first confidence in the first probability in response to conducting a first counter-measure assessment on the communication;

computing a second probability that the communication contains an attack and a second confidence in the second probability in response to conducting a second countermeasure assessment on the communication; and

producing a third probability that the communication contains an attack and a third confidence in the third probability based on the first probability, the first confidence, the second probability, the second confidence, and hierarchical parameters aggregated from locations remote from the attack detection device, wherein the locations utilize an attack detection system of a common vendor, wherein the producing the third probability comprises computing the third probability from a weighted combination of the first and second probabilities, the weighted combination comprising using weights determined by reference to at least two characteristics of the communication to a database of historical attack characteristics.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Communications can be processed with multiple countermeasures to identify attacks. Each countermeasure can compute a probability of a communication containing an attack and an accompanying confidence score indicating confidence in the probability. Combining the probabilities can produce a composite probability and associated confidence of the communication containing an attack. The composite probability and confidence scores can be produced from a weighted combination of the individual countermeasure probabilities and confidence scores. Weighting factors can be generated or obtained from a database that stores profiles of confirmed attacks.

30 Citations

View as Search Results

15 Claims

1. A method for assessing whether a communication contains an attack, the method comprising:
- computing, at an attack detection device, a first probability that the communication contains an attack and a first confidence in the first probability in response to conducting a first counter-measure assessment on the communication;
  
  computing a second probability that the communication contains an attack and a second confidence in the second probability in response to conducting a second countermeasure assessment on the communication; and
  
  producing a third probability that the communication contains an attack and a third confidence in the third probability based on the first probability, the first confidence, the second probability, the second confidence, and hierarchical parameters aggregated from locations remote from the attack detection device, wherein the locations utilize an attack detection system of a common vendor, wherein the producing the third probability comprises computing the third probability from a weighted combination of the first and second probabilities, the weighted combination comprising using weights determined by reference to at least two characteristics of the communication to a database of historical attack characteristics.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the weighted combination of the first and second probabilities comprises weights based on at least one of industry, client, site, and device of the communication.
  - 3. The method of claim 1, wherein the communication comprises a network transmission.
  - 4. The method of claim 1, wherein the communication comprises a log message.
  - 5. The method of claim 1, further comprising:
    - determining whether the third probability and the third confidence meet a predetermined criterion; and
      
      adding attack profile data to a database in response to the determining.
  - 6. The method of claim 1, further comprising:
    - determining whether the third probability exceeds a first threshold and the third confidence exceeds a second threshold; and
      
      adding attack profile data to a database in response to determining that the third probability exceeds the first threshold and the third confidence exceeds the second threshold.
  - 7. The method of claim 6, further comprising:
    - determining whether the third probability exceeds a third threshold and the third confidence exceeds a fourth threshold; and
      
      transmitting an alert signal in response to determining that the third probability exceeds the third threshold and the third confidence exceeds the fourth threshold, wherein the third threshold is different than the first threshold, and the fourth threshold is different than the second threshold.

8. A non-transitory computer-readable medium including code for performing a method, the method comprising:
- computing a first probability that a communication contains an attack and a first confidence in the first probability in response to conducting a first counter-measure assessment on the communication;
  
  computing a second probability that the communication contains an attack and a second confidence in the second probability in response to conducting a second countermeasure assessment on the communication; and
  
  producing a third probability that the communication contains an attack and a third confidence in the third probability based on the first probability, the first confidence, the second probability, the second confidence, and hierarchical parameters aggregated from locations remote from the attack detection device, wherein the locations utilize an attack detection system of a common vendor, wherein the producing the third probability comprises computing the third probability from a weighted combination of the first and second probabilities, the weighted combination comprising using weights determined by reference to at least two characteristics of the communication to a database of historical attack characteristics.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer-readable medium of claim 8, wherein the weighted combination of the first and second probabilities comprises weights based on at least one of industry, client, site, and device of the communication.
  - 10. The computer-readable medium of claim 8, wherein the communication comprises a network transmission.
  - 11. The computer-readable medium of claim 8, wherein the communication comprises a log message.
  - 12. The computer-readable medium of claim 8, further comprising:
    - determining whether the third probability and the third confidence meet a predetermined criterion; and
      
      adding attack profile data to a database in response to the determining.
  - 13. The computer-readable medium of claim 8, further comprising:
    - determining whether the third probability exceeds a first threshold and the third confidence exceeds a second threshold;
      
      adding attack profile data to a database in response to determining that the third probability exceeds the first threshold and the third confidence exceeds the second threshold;
      
      determining whether the third probability exceeds a third threshold and the third confidence exceeds a fourth threshold; and
      
      transmitting an alert signal in response to determining that the third probability exceeds the third threshold and the third confidence exceeds the fourth threshold, wherein the third threshold is different than the first threshold, and the fourth threshold is different than the second threshold.

14. An attack detection device comprising:
- a memory for storing machine-executable code; and
  
  a processor operable to;
  
  conduct a first counter-measure assessment on a communication;
  
  compute a first probability that the communication contains an attack and a first confidence in the first probability in response to the first counter-measure assessment;
  
  conduct a second counter-measure assessment on a communication;
  
  compute a second probability that the communication contains an attack and a second confidence in the second probability in response to the second countermeasure assessment; and
  
  produce a third probability that the communication contains an attack and a third confidence in the third probability based on the first probability, the first confidence, the second probability, the second confidence, and hierarchical parameters aggregated from locations remote from the attack detection device, wherein the locations utilize an attack detection system of a common vendor, wherein in producing the third probability, the processor is further operable to compute the third probability from a weighted combination of the first and second probabilities, the weighted combination comprising using weights determined by reference to at least two characteristics of the communication to a database of historical attack characteristics.
- View Dependent Claims (15)
- - 15. The attack detection device of claim 14,wherein the weighted combination of the first and second probabilities further comprises weights based on at least one of industry, client, site, and device of the communication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureWorks Corp. (Dell Technologies Inc.)
Original Assignee
Dell Products LP (Dell Technologies Inc.)
Inventors
Ramsey, Jon R., Varma, Jyotish S., Thomas, Ashley, Schmidt, Kevin J., Stewart, Joseph Neal, Ristich, Rudy Alexander, Pepin, Joan
Primary Examiner(s)
Rahman, Mahfuzur

Application Number

US14/046,161
Publication Number

US 20140041028A1
Time in Patent Office

459 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

G06F 21/316   by observing the pattern of...

G06F 21/554   involving event detection a...

H04L 63/1408   by monitoring network traff...

System and method for assessing whether a communication contains an attack

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

System and method for assessing whether a communication contains an attack

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others