Predicting attacks based on probabilistic game-theory
Abstract
Systems for determining cyber-attack target include a network monitor module configured to collect network event information from sensors in one or more network nodes; a processor configured to extract information regarding an attacker from the network event information, to form an attack scenario tree that encodes network topology and vulnerability information including a plurality of paths from known compromised nodes to a set of potential targets, to calculate a likelihood for each of the paths, to calculate a probability distribution for the set of potential targets to determine which potential targets are most likely pursued by the attacker, to calculate a probability distribution over a set of nodes and node vulnerability types already accessed by the attacker, and to determine a network graph edge to remove that minimizes a defender's expected uncertainty over the potential targets; and a network management module configured to remove the determined network graph edge.
Claims
exact text as granted — not AI-modified1 . A system for determining cyber-attack target, comprising:
a network monitor module configured to collect network event information from sensors in one or more network nodes; a processor configured to extract information regarding an attacker from the network event information, to form an attack scenario tree that encodes network topology and vulnerability information including a plurality of paths from known compromised nodes to a set of potential targets, to calculate a likelihood for each of the plurality of paths, and to calculate a probability distribution for the set of potential targets to determine which potential targets are most likely pursued by the attacker.
2 . The system of claim 1 , wherein the network event information comprises network traffic information.
3 . The system of claim 1 , wherein the network event information comprises node system calls.
4 . The system of claim 1 , wherein the network event information comprises activity logs.
5 . The system of claim 1 , wherein the processor is configured to compute likelihood l for each of the plurality of paths π as
l
(
π
)
=
max
q
1
<
…
<
q
m
,
r
1
<
…
<
r
m
∏
i
p
(
o
q
i
π
r
i
)
∏
j
≠
r
1
,
…
,
r
m
p
_
(
π
j
)
,
where p(o q i |π r i ) is a probability of making an observation o q i when a node π r i is attacked and p (π j ) is the probability of the node π j being attacked without triggering any observations.
6 . The system of claim 1 , wherein processor is configured to compute the probability distribution for the set of potential targets using a Monte Carlo simulation.
7 . The system of claim 1 , wherein the processor is configured to compute the probability distribution for the set of potential targets as
P
[
t
ℋ
]
=
∑
A
l
(
A
)
P
[
t
A
]
,
where P]t|A] is a probability of an attacker pursuing a target node t given a set of occupied nodes A, and l(A) is a likelihood of the set of nodes A being occupied.
8 . A system for determining cyber-attack targets, comprising:
a network monitor module configured to collect network event information from sensors in one or more network nodes; a processor configured to extract information regarding an attacker from the network event information, to form an attack scenario tree that encodes network topology and vulnerability information including a plurality of paths from known compromised nodes to a set of potential targets, to calculate a probability distribution over a set of nodes and node vulnerability types already accessed by the attacker, and to determine a network graph edge to remove that minimizes a defender's expected uncertainty over the potential targets; and a network management module configured to remove the determined network graph edge.
9 . The system of claim 8 , wherein the network event information comprises network traffic information.
10 . The system of claim 8 , wherein the network event information comprises node system calls.
11 . The system of claim 8 , wherein the network event information comprises activity logs.
12 . The system of claim 8 , wherein the processor is configured to determine the defender's expected uncertainty over the potential targets as a Shannon entropy.
13 . The system of claim 8 , wherein the network management module is configured to remove the determined network graph edge by disconnecting a corresponding network communication link.
14 . The system of claim 8 , wherein the network management module is configured to remove the determined network graph edge by adapting a corresponding network communication link to block the attacker's use of the determined network graph edge.
15 . A system for determining cyber-attack target, comprising:
a network monitor module configured to collect network event information from sensors in one or more network nodes; a processor configured to extract information regarding an attacker from the network event information, to form an attack scenario tree that encodes network topology and vulnerability information including a plurality of paths from known compromised nodes to a set of potential targets, to calculate a likelihood for each of the plurality of paths, to calculate a probability distribution for the set of potential targets to determine which potential targets are most likely pursued by the attacker, to calculate a probability distribution over a set of nodes and node vulnerability types already accessed by the attacker, and to determine a network graph edge to remove that minimizes a defender's expected uncertainty over the potential targets; and a network management module configured to remove the determined network graph edge.
16 . The system of claim 15 , wherein the network event information comprises network traffic information.
17 . The system of claim 15 , wherein the network event information comprises node system calls.
18 . The system of claim 15 , wherein the network event information comprises activity logs.
19 . The system of claim 15 , wherein the network management module is configured to remove the determined network graph edge by disconnecting a corresponding network communication link.
20 . The system of claim 15 , wherein the network management module is configured to remove the determined network graph edge by adapting a corresponding network communication link to block the attacker's use of the determined network graph edge.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.