Method for simulation aided security event management

US 9,507,944 B2
Filed: 03/20/2013
Issued: 11/29/2016
Est. Priority Date: 10/01/2002
Status: Active Grant

First Claim

Patent Images

1. A method for simulation aided security event management, the method comprises:

generating and storing attack simulation information that comprises multiple simulation data items of at least one data item type out of vulnerability instances data items, attack step data items and attack simulation scope data items;

wherein the generating of the attack simulation information is responsive to a network model, at least one attack starting point and attack action information;

identifying security events in response to a correlation between simulation data items and event data;

determining a confidence level for each of the identified security events;

prioritizing the identified security events that have a confidence level that is above a confidence threshold while ignoring the identified security events that have a confidence level that is below the confidence threshold.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for simulation aided security event management, the method comprises: generating attack simulation information that comprises multiple simulation data items of at least one data item type out of vulnerability instances data items, attack step data items and attack simulation scope data items; wherein the generating of attack simulation information is responsive to a network model, at least one attack starting point and attack action information; identifying security events in response to a correlation between simulation data items and event data; and prioritizing identified security events.

143 Citations

18 Claims

1. A method for simulation aided security event management, the method comprises:
- generating and storing attack simulation information that comprises multiple simulation data items of at least one data item type out of vulnerability instances data items, attack step data items and attack simulation scope data items;
  
  wherein the generating of the attack simulation information is responsive to a network model, at least one attack starting point and attack action information;
  
  identifying security events in response to a correlation between simulation data items and event data;
  
  determining a confidence level for each of the identified security events;
  
  prioritizing the identified security events that have a confidence level that is above a confidence threshold while ignoring the identified security events that have a confidence level that is below the confidence threshold.
- View Dependent Claims (2, 3, 4)
- - 2. The method according to claim 1 comprising generating, by a first computer, attack simulation information;
    - and identifying security events, by a second computer, in response to the attack simulation information and to actual network event information.
  - 3. The method according to claim 1 comprising determining a correlation between a simulation data item and event data by comparing between key fields of the simulation data item and corresponding key fields of the event data.
  - 4. The method according to claim 1 comprising defining field based correlation rules and specific simulated event correlation rules;
    - and applying the correlation rules and specific simulated event correlation rules during the identifying of the security events.

5. A method for simulation aided security event management, the method comprises:
- generating a new attack starting point or updating an existing attack starting point in response to an identified security event that has a priority that exceeds a priority threshold;
  
  wherein security events are identified in response to a correlation between simulation data items and event data;
  
  determining a priority level for each of the identified security events;
  
  ignoring the identified security events that have a priority level below the priority threshold, while prioritizing the identified security events that have a priority level exceeds the priority threshold;
  
  running an attack simulation which is based on a network model using the new attack starting point;
  
  storing attack simulation results; and
  
  analyzing risk and extracting contextual information.

6. A non-transitory computer readable medium that stores instructions for generating attack simulation information that comprises multiple simulation data items of at least one data item type out of vulnerability instances data items, attack step data items and attack simulation scope data items;
- wherein the generating of attack simulation information is responsive to a network model, at least one attack starting point and attack action information;
  
  identifying security events in response to a correlation between simulation data items and event data;
  
  determining a confidence level for each of the identified security events;
  
  prioritizing the identified security events that have a confidence level that is above a confidence threshold while ignoring the identified security events that have a confidence level that is below the confidence threshold.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The non-transitory computer readable medium according to claim 6, storing instructions for assigning a first confidence level to an identified event that is associated with a directly exposed vulnerability;
    - assigning a second confidence level to an identified event that is associated with an indirectly exposed vulnerability; and
      
      assigning a third confidence level to an identified event that is associated with an inaccessible vulnerability;
      
      wherein the second confidence level is lower than the first confidence level and higher than the third confidence level.
  - 8. The non-transitory computer readable medium according to claim 6, storing instructions for obtaining network address translation information and applying the network translation information during correlating between IP addresses appear in simulation data items and events.
  - 9. The non-transitory computer readable medium according to claim 6, storing instructions for automatically generating rules for the security event management (SEM), where the rules represent attack simulation knowledge.
  - 10. The non-transitory computer readable medium according to claim 9, wherein the rules for the SEM comprise rules for identifying exploitation of vulnerabilities that were found by the attack simulation knowledge to be risky.
  - 11. The non-transitory computer readable medium according to claim 10, wherein the rules for the SEM comprise an IP address of a target node, a target port, and a source of attack steps.
  - 12. The non-transitory computer readable medium according to claim 6, storing instructions for generating, by a first computer, attack simulation information;
    - and identifying security events, by a second computer, in response to the attack simulation information and to actual network event information.
  - 13. The non-transitory computer readable medium according to claim 6, storing instructions for determining a correlation between a simulation data item and event data by comparing between key fields of the simulation data item and corresponding key fields of the event data.
  - 14. The non-transitory computer readable medium according to claim 6, storing instructions for defining field based correlation rules and specific simulated event correlation rules;
    - and applying the correlation rules and specific simulated event correlation rules during the identifying of the security events.

15. A non-transitory computer readable medium that stores instructions for generating a new attack starting point or updating an existing attack starting point in response to an identified security event that has a priority that exceeds a priority threshold;
- wherein security events are identified in response to a correlation between simulation data items and event data;
  
  determining a priority level for each of the identified security events;
  
  ignoring the identified security events that have a priority level below the priority threshold, while prioritizing the identified security events that have a priority level exceeds the priority threshold;
  
  running an attack simulation which is based on a network model using the new attack starting point; and
  
  analyzing risk and extracting contextual information.
- View Dependent Claims (16, 17, 18)
- - 16. The non-transitory computer readable medium according to claim 15, storing instructions for extracting contextual information that relates to a next possible attack steps of an attacker from an event target node.
  - 17. The non-transitory computer readable medium according to claim 15, storing instructions for extracting contextual information that relates to a next possible attack steps of an attacker from an event source node.
  - 18. The non-transitory computer readable medium according to claim 15, storing instructions for extracting contextual information that relates to security counter-measures that can be used for blocking possible next attack steps.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Skybox Security, Inc.
Original Assignee
Skybox Security, Inc.
Inventors
Ben Naon, Lior, Lotem, Amnon, Cohen, Gideon
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
VU, PHY ANH TRAN

Application Number

US13/847,533
Publication Number

US 20130312101A1
Time in Patent Office

1,350 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

Method for simulation aided security event management

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

143 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method for simulation aided security event management

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

143 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links