US2013318616A1PendingUtilityA1

Predicting attacks based on probabilistic game-theory

57
Assignee: CHRISTODORESCU MIHAIPriority: May 23, 2012Filed: Jun 4, 2012Published: Nov 28, 2013
Est. expiryMay 23, 2032(~5.9 yrs left)· nominal 20-yr term from priority
G06Q 10/06375H04L 63/1408G06F 21/00H04L 63/20G06F 21/552
57
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Systems for determining cyber-attack target include a network monitor module configured to collect network event information from sensors in one or more network nodes; a processor configured to extract information regarding an attacker from the network event information, to form an attack scenario tree that encodes network topology and vulnerability information including a plurality of paths from known compromised nodes to a set of potential targets, to calculate a likelihood for each of the paths, to calculate a probability distribution for the set of potential targets to determine which potential targets are most likely pursued by the attacker, to calculate a probability distribution over a set of nodes and node vulnerability types already accessed by the attacker, and to determine a network graph edge to remove that minimizes a defender's expected uncertainty over the potential targets; and a network management module configured to remove the determined network graph edge.

Claims

exact text as granted — not AI-modified
1 . A system for determining cyber-attack target, comprising:
 a network monitor module configured to collect network event information from sensors in one or more network nodes;   a processor configured to extract information regarding an attacker from the network event information, to form an attack scenario tree that encodes network topology and vulnerability information including a plurality of paths from known compromised nodes to a set of potential targets, to calculate a likelihood for each of the plurality of paths, and to calculate a probability distribution for the set of potential targets to determine which potential targets are most likely pursued by the attacker.   
     
     
         2 . The system of  claim 1 , wherein the network event information comprises network traffic information. 
     
     
         3 . The system of  claim 1 , wherein the network event information comprises node system calls. 
     
     
         4 . The system of  claim 1 , wherein the network event information comprises activity logs. 
     
     
         5 . The system of  claim 1 , wherein the processor is configured to compute likelihood l for each of the plurality of paths π as 
       
         
           
             
               
                 
                   l 
                    
                   
                     ( 
                     π 
                     ) 
                   
                 
                 = 
                 
                   
                     max 
                     
                       
                         
                           
                             q 
                              
                             
                                 
                             
                           
                           1 
                         
                         < 
                         
                             
                         
                          
                         … 
                          
                         
                             
                         
                         < 
                         
                           q 
                           m 
                         
                       
                       , 
                       
                         
                           r 
                           1 
                         
                         < 
                         
                             
                         
                          
                         … 
                          
                         
                             
                         
                         < 
                         
                           r 
                           m 
                         
                       
                     
                   
                    
                   
                     
                       ∏ 
                       i 
                     
                      
                     
                         
                     
                      
                     
                       
                         p 
                          
                         
                           ( 
                           
                             
                               o 
                               
                                 q 
                                 i 
                               
                             
                              
                             
                               π 
                               
                                 r 
                                 i 
                               
                             
                           
                           ) 
                         
                       
                        
                       
                         
                           ∏ 
                           
                             
                               j 
                               ≠ 
                               
                                 r 
                                 1 
                               
                             
                             , 
                             
                                 
                             
                              
                             … 
                              
                             
                                 
                             
                             , 
                             
                               r 
                               m 
                             
                           
                         
                          
                         
                             
                         
                          
                         
                           
                             p 
                             _ 
                           
                            
                           
                             ( 
                             
                               π 
                               j 
                             
                             ) 
                           
                         
                       
                     
                   
                 
               
               , 
             
           
         
       
       where p(o q     i   |π r     i   ) is a probability of making an observation o q     i    when a node π r     i    is attacked and  p (π j ) is the probability of the node π j  being attacked without triggering any observations. 
     
     
         6 . The system of  claim 1 , wherein processor is configured to compute the probability distribution for the set of potential targets using a Monte Carlo simulation. 
     
     
         7 . The system of  claim 1 , wherein the processor is configured to compute the probability distribution for the set of potential targets as 
       
         
           
             
               
                 
                   P 
                    
                   
                     [ 
                     
                       t 
                        
                       ℋ 
                     
                     ] 
                   
                 
                 = 
                 
                   
                     ∑ 
                     A 
                   
                    
                   
                       
                   
                    
                   
                     
                       l 
                        
                       
                         ( 
                         A 
                         ) 
                       
                     
                      
                     
                       P 
                        
                       
                         [ 
                         
                           t 
                            
                           A 
                         
                         ] 
                       
                     
                   
                 
               
               , 
             
           
         
       
       where P]t|A] is a probability of an attacker pursuing a target node t given a set of occupied nodes A, and l(A) is a likelihood of the set of nodes A being occupied. 
     
     
         8 . A system for determining cyber-attack targets, comprising:
 a network monitor module configured to collect network event information from sensors in one or more network nodes;   a processor configured to extract information regarding an attacker from the network event information, to form an attack scenario tree that encodes network topology and vulnerability information including a plurality of paths from known compromised nodes to a set of potential targets, to calculate a probability distribution over a set of nodes and node vulnerability types already accessed by the attacker, and to determine a network graph edge to remove that minimizes a defender's expected uncertainty over the potential targets; and   a network management module configured to remove the determined network graph edge.   
     
     
         9 . The system of  claim 8 , wherein the network event information comprises network traffic information. 
     
     
         10 . The system of  claim 8 , wherein the network event information comprises node system calls. 
     
     
         11 . The system of  claim 8 , wherein the network event information comprises activity logs. 
     
     
         12 . The system of  claim 8 , wherein the processor is configured to determine the defender's expected uncertainty over the potential targets as a Shannon entropy. 
     
     
         13 . The system of  claim 8 , wherein the network management module is configured to remove the determined network graph edge by disconnecting a corresponding network communication link. 
     
     
         14 . The system of  claim 8 , wherein the network management module is configured to remove the determined network graph edge by adapting a corresponding network communication link to block the attacker's use of the determined network graph edge. 
     
     
         15 . A system for determining cyber-attack target, comprising:
 a network monitor module configured to collect network event information from sensors in one or more network nodes;   a processor configured to extract information regarding an attacker from the network event information, to form an attack scenario tree that encodes network topology and vulnerability information including a plurality of paths from known compromised nodes to a set of potential targets, to calculate a likelihood for each of the plurality of paths, to calculate a probability distribution for the set of potential targets to determine which potential targets are most likely pursued by the attacker, to calculate a probability distribution over a set of nodes and node vulnerability types already accessed by the attacker, and to determine a network graph edge to remove that minimizes a defender's expected uncertainty over the potential targets; and   a network management module configured to remove the determined network graph edge.   
     
     
         16 . The system of  claim 15 , wherein the network event information comprises network traffic information. 
     
     
         17 . The system of  claim 15 , wherein the network event information comprises node system calls. 
     
     
         18 . The system of  claim 15 , wherein the network event information comprises activity logs. 
     
     
         19 . The system of  claim 15 , wherein the network management module is configured to remove the determined network graph edge by disconnecting a corresponding network communication link. 
     
     
         20 . The system of  claim 15 , wherein the network management module is configured to remove the determined network graph edge by adapting a corresponding network communication link to block the attacker's use of the determined network graph edge.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.