US2018041533A1PendingUtilityA1

Scoring the performance of security products

50
Assignee: EMPOW CYBER SECURITY LTDPriority: Aug 3, 2016Filed: Aug 3, 2016Published: Feb 8, 2018
Est. expiryAug 3, 2036(~10.1 yrs left)· nominal 20-yr term from priority
Inventors:Avi Chesla
G06F 16/24578H04L 63/1433H04L 63/20G06F 17/3053
50
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A method and system for scoring performance of a security product are provided. The method includes receiving security product performance data of the security product configured to handle a specific cyber threat; classifying the performance data into a product profile associated with the security product; computing at least one security product performance score for the product profile based on the classified product security performance data; and associating the at least one security performance score with the product profile. In an embodiment, the method also includes selecting the at least one security product from a plurality of security products based on their respective performance scores for the respective cyber threat.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method for scoring performance of a security product, comprising:
 receiving security product performance data of the security product configured to handle a specific cyber threat;   classifying the performance data into a product profile associated with the security product;   computing at least one security product performance score for the product profile based on the classified product security performance data; and   associating the at least one security performance score with the product profile.   
     
     
         2 . The method of  claim 1 , further comprising:
 computing at least one security performance score for each of a plurality of security products; and   selecting the at least one security product from the plurality of security products based on their respective performance scores for the respective cyber threat.   
     
     
         3 . The method of  claim 1 , wherein the security product performance data includes any of: security rules saved in an attack database and application logs produced by the at least one security product. 
     
     
         4 . The method of  claim 3 , wherein the at least one security performance score includes at least one of: an offline score, a runtime score, and a unified score. 
     
     
         5 . The method of  claim 4 , wherein the offline score is computed based on the security rules in the attack database. 
     
     
         6 . The method of  claim 5 , further comprising:
 for each security rule in the attack database computing at least one of: a coverage parameter, a risk parameter, and accuracy parameter; and   computing the offline score is a function of the at least one of: the coverage parameter, the risk parameter, and the accuracy parameter.   
     
     
         7 . The method of  claim 4 , wherein the runtime score is computed based on the attack logs. 
     
     
         8 . The method of  claim 4 , wherein the unified score is at least a function of the runtime score and the offline score. 
     
     
         9 . The method of  claim 8 , wherein the function is any one of: a weight function, a threshold-based function, and a fuzzy logic function. 
     
     
         10 . The method of  claim 9 , wherein weights utilized by any of the weight function and the fuzzy logic function are adaptively changed based on the previously computed performance scores. 
     
     
         11 . The method of  claim 1 , wherein classifying the security product performance data further comprising:
 normalizing each security rule or attack log;   generating a vector for each security rule or attach log, wherein each vector is generated based on a set of terms indicative of a cyber-solution;   mapping each of the generated vectors to a security engine with in a security service, wherein the security service is configured per a cyber-solution category and the security engine is configured per a specific cyber threat; and   associating each of the respective security rule or attack log with a product profile maintained by the security engine, when an evaluation threshold is met.   
     
     
         12 . The method of  claim 11 , wherein the security service includes any of: an intrusion detection system (IDS), Network behavior analysis system, an anti-malware system, a reputation security system, an anti-virus (AV), and a Web application (WAF). 
     
     
         13 . A non-transitory computer readable medium having stored thereon instructions for causing processing circuitry to perform the method of  claim 1 . 
     
     
         14 . A method for selecting a security product among a plurality of security products for protecting a protected entity, comprising:
 for each of the plurality of security products:
 receiving security product performance data of the security product configured to handle a specific cyber threat;
 classifying the product performance data into a product profile associated with the security product; 
 computing at least one security performance score for the product profile based on the classified security product performance data; 
 
   associating the at least one security performance score with the product profile; and   selecting at least one security product from the plurality of security products based on their respective performance scores.   
     
     
         15 . The method of  claim 14 , wherein the security product performance data includes any of: security rules saved in an attack database and application logs produced by the security product. 
     
     
         16 . The method of  claim 15 , wherein the at least one security performance score includes at least one of: an offline score, a runtime score, and a unified score. 
     
     
         17 . The method of  claim 16 , wherein the offline score is computed based on the security rules in the attack database. 
     
     
         18 . The method of  claim 16 , wherein the runtime score is computed based on the attack logs. 
     
     
         19 . The method of  claim 16 , wherein the unified score is at least a function of the runtime score and the offline score. 
     
     
         20 . The method of  claim 19 , wherein the function is any one of: a weight function, a threshold-based function, and a fuzzy logic function. 
     
     
         21 . The method of  claim 20 , wherein weights utilized by any of the weight function and the fuzzy logic function are adaptively changed based on the previously computed performance scores. 
     
     
         22 . The method  claim 14 , further comprising:
 benchmarking the plurality of security products based on the security performance score computed for each of the plurality of security products.   
     
     
         23 . A non-transitory computer readable medium having stored thereon instructions for causing processing circuitry to perform the method of  claim 14 . 
     
     
         24 . A system for selecting a security product among a plurality of security products for protecting a protected entity, comprising:
 a processing circuitry; and   a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to:   receive security product performance data of the security product configured to handle a specific cyber threat;   classify the performance data into a product profile associated with the security product;   compute at least one security product performance score for the product profile based on the classified product security performance data; and   associate the at least one security performance score with the product profile.   
     
     
         25 . The system of  claim 24 , wherein the at least one security performance score includes at least one of: an offline score, a runtime score, and a unified score. 
     
     
         26 . A system for scoring performance of a security product, comprising:
 a processing circuitry; and   a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to:
 receive security product performance data of the security product configured to handle a specific cyber threat; 
 classify the product performance data into a product profile associated with the security product; 
 compute at least one security performance score for the product profile based on the classified security product performance data; 
 associate the at least one security performance score with the product profile; and 
 select at least one security product of the plurality of security products based on their respective performance scores. 
   
     
     
         27 . The system of  claim 26 , wherein the at least one security performance score includes at least one of: an offline score, a runtime score, and a unified score.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.