Techniques for detecting exploitation of medical device vulnerabilities
Abstract
A system and method for determining device attributes using a classifier hierarchy. The method includes: determining at least one exploitation condition for a medical device based on at least one first device attribute of the medical device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the medical device, wherein the exploitable vulnerability is a behavior or configuration of the medical device which meets the at least one exploitation condition; and performing at least one mitigation action based on the exploitable vulnerability.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for detecting medical device exploitable vulnerabilities, comprising:
determining at least one exploitation condition for a medical device based on at least one first device attribute of the medical device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the medical device, wherein the exploitable vulnerability is a behavior or configuration of the medical device which meets the at least one exploitation condition; and performing at least one mitigation action based on the exploitable vulnerability.
2 . The method of claim 1 , wherein the at least one first device attribute includes use of an unencrypted communications protocol, wherein the behavior of the medical device includes a connection to the Internet, wherein the plurality of known exploits includes connecting to the Internet while using the unencrypted communications protocol.
3 . The method of claim 1 , wherein the medical device is any of a medical imaging device, a diagnostic device, life support equipment, a pump, a defibrillator, and a pacemaker.
4 . The method of claim 1 , further comprising:
querying a vulnerability scanner based on the analyzed behavior and configuration of the medical device, wherein the currently exploitable vulnerability is detected based further on a response of the vulnerability scanner to the query.
5 . The method of claim 1 , further comprising:
sequentially applying a plurality of sub-models of a hierarchy to a plurality of features extracted from device activity data, wherein each sub-model includes a plurality of classifiers, wherein the at least one first device attribute is determined based on the sequential application of the plurality of sub-models of the hierarchy.
6 . The method of claim 5 , wherein the sequential application ends with applying a last sub-model of the plurality of sub-models, wherein the at least one first device attribute is determined based on the output of the last sub-model of the plurality of sub-models.
7 . The method of claim 6 , wherein each sub-model outputs a class representing a device attribute when applied to at least a portion of the plurality of features extracted from the device activity data, wherein the at least one first device attribute is determined based on the class output by the last sub-model of the plurality of sub-models.
8 . The method of claim 5 , wherein applying the plurality of sub-models further comprises iteratively determining a next sub-model to apply based on the class output by a most recently applied sub-model and the hierarchy.
9 . The method of claim 5 , wherein each classifier is trained to output a class and a confidence score, wherein the class output by each sub-model is determined based on the class and the confidence score output by each classifier of the sub-model.
10 . A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising:
determining at least one exploitation condition for a medical device based on at least one first device attribute of the medical device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the medical device, wherein the exploitable vulnerability is a behavior or configuration of the medical device which meets the at least one exploitation condition; and performing at least one mitigation action based on the exploitable vulnerability.
11 . A system for determining device attributes using a classifier hierarchy, comprising:
a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: determine at least one exploitation condition for a medical device based on at least one first device attribute of the medical device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyze behavior and configuration of the medical device to detect an exploitable vulnerability for the medical device, wherein the exploitable vulnerability is a behavior or configuration of the medical device which meets the at least one exploitation condition; and perform at least one mitigation action based on the exploitable vulnerability.
12 . The system of claim 11 , wherein the at least one first device attribute includes use of an unencrypted communications protocol, wherein the behavior of the medical device includes a connection to the Internet, wherein the plurality of known exploits includes connecting to the Internet while using the unencrypted communications protocol.
13 . The system of claim 11 , wherein the medical device is any of a medical imaging device, a diagnostic device, life support equipment, a pump, a defibrillator, and a pacemaker.
14 . The system of claim 11 , wherein the system is further configured to:
query a vulnerability scanner based on the analyzed behavior and configuration of the medical device, wherein the currently exploitable vulnerability is detected based further on a response of the vulnerability scanner to the query.
15 . The system of claim 11 , wherein the system is further configured to:
sequentially apply a plurality of sub-models of a hierarchy to a plurality of features extracted from device activity data, wherein each sub-model includes a plurality of classifiers, wherein the at least one first device attribute is determined based on the sequential application of the plurality of sub-models of the hierarchy.
16 . The system of claim 15 , wherein the sequential application ends with applying a last sub-model of the plurality of sub-models, wherein the at least one first device attribute is determined based on the output of the last sub-model of the plurality of sub-models.
17 . The system of claim 16 , wherein each sub-model outputs a class representing a device attribute when applied to at least a portion of the plurality of features extracted from the device activity data, wherein the at least one first device attribute is determined based on the class output by the last sub-model of the plurality of sub-models.
18 . The system of claim 15 , wherein applying the plurality of sub-models further comprises iteratively determining a next sub-model to apply based on the class output by a most recently applied sub-model and the hierarchy.
19 . The system of claim 15 , wherein each classifier is trained to output a class and a confidence score, wherein the class output by each sub-model is determined based on the class and the confidence score output by each classifier of the sub-model.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.