US2022327221A1PendingUtilityA1

Techniques for detecting exploitation of medical device vulnerabilities

59
Assignee: ARMIS SECURITY LTDPriority: Feb 26, 2020Filed: Jun 29, 2022Published: Oct 13, 2022
Est. expiryFeb 26, 2040(~13.6 yrs left)· nominal 20-yr term from priority
G06F 2221/034G06F 16/245G06N 5/04G06F 21/554G06N 20/00G06F 21/577G06N 20/20G06F 21/57H04L 63/1433G06F 2221/2115
59
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A system and method for determining device attributes using a classifier hierarchy. The method includes: determining at least one exploitation condition for a medical device based on at least one first device attribute of the medical device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the medical device, wherein the exploitable vulnerability is a behavior or configuration of the medical device which meets the at least one exploitation condition; and performing at least one mitigation action based on the exploitable vulnerability.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method for detecting medical device exploitable vulnerabilities, comprising:
 determining at least one exploitation condition for a medical device based on at least one first device attribute of the medical device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes;   analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the medical device, wherein the exploitable vulnerability is a behavior or configuration of the medical device which meets the at least one exploitation condition; and   performing at least one mitigation action based on the exploitable vulnerability.   
     
     
         2 . The method of  claim 1 , wherein the at least one first device attribute includes use of an unencrypted communications protocol, wherein the behavior of the medical device includes a connection to the Internet, wherein the plurality of known exploits includes connecting to the Internet while using the unencrypted communications protocol. 
     
     
         3 . The method of  claim 1 , wherein the medical device is any of a medical imaging device, a diagnostic device, life support equipment, a pump, a defibrillator, and a pacemaker. 
     
     
         4 . The method of  claim 1 , further comprising:
 querying a vulnerability scanner based on the analyzed behavior and configuration of the medical device, wherein the currently exploitable vulnerability is detected based further on a response of the vulnerability scanner to the query.   
     
     
         5 . The method of  claim 1 , further comprising:
 sequentially applying a plurality of sub-models of a hierarchy to a plurality of features extracted from device activity data, wherein each sub-model includes a plurality of classifiers, wherein the at least one first device attribute is determined based on the sequential application of the plurality of sub-models of the hierarchy.   
     
     
         6 . The method of  claim 5 , wherein the sequential application ends with applying a last sub-model of the plurality of sub-models, wherein the at least one first device attribute is determined based on the output of the last sub-model of the plurality of sub-models. 
     
     
         7 . The method of  claim 6 , wherein each sub-model outputs a class representing a device attribute when applied to at least a portion of the plurality of features extracted from the device activity data, wherein the at least one first device attribute is determined based on the class output by the last sub-model of the plurality of sub-models. 
     
     
         8 . The method of  claim 5 , wherein applying the plurality of sub-models further comprises iteratively determining a next sub-model to apply based on the class output by a most recently applied sub-model and the hierarchy. 
     
     
         9 . The method of  claim 5 , wherein each classifier is trained to output a class and a confidence score, wherein the class output by each sub-model is determined based on the class and the confidence score output by each classifier of the sub-model. 
     
     
         10 . A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising:
 determining at least one exploitation condition for a medical device based on at least one first device attribute of the medical device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes;   analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the medical device, wherein the exploitable vulnerability is a behavior or configuration of the medical device which meets the at least one exploitation condition; and   performing at least one mitigation action based on the exploitable vulnerability.   
     
     
         11 . A system for determining device attributes using a classifier hierarchy, comprising:
 a processing circuitry; and   a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to:   determine at least one exploitation condition for a medical device based on at least one first device attribute of the medical device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes;   analyze behavior and configuration of the medical device to detect an exploitable vulnerability for the medical device, wherein the exploitable vulnerability is a behavior or configuration of the medical device which meets the at least one exploitation condition; and   perform at least one mitigation action based on the exploitable vulnerability.   
     
     
         12 . The system of  claim 11 , wherein the at least one first device attribute includes use of an unencrypted communications protocol, wherein the behavior of the medical device includes a connection to the Internet, wherein the plurality of known exploits includes connecting to the Internet while using the unencrypted communications protocol. 
     
     
         13 . The system of  claim 11 , wherein the medical device is any of a medical imaging device, a diagnostic device, life support equipment, a pump, a defibrillator, and a pacemaker. 
     
     
         14 . The system of  claim 11 , wherein the system is further configured to:
 query a vulnerability scanner based on the analyzed behavior and configuration of the medical device, wherein the currently exploitable vulnerability is detected based further on a response of the vulnerability scanner to the query.   
     
     
         15 . The system of  claim 11 , wherein the system is further configured to:
 sequentially apply a plurality of sub-models of a hierarchy to a plurality of features extracted from device activity data, wherein each sub-model includes a plurality of classifiers, wherein the at least one first device attribute is determined based on the sequential application of the plurality of sub-models of the hierarchy.   
     
     
         16 . The system of  claim 15 , wherein the sequential application ends with applying a last sub-model of the plurality of sub-models, wherein the at least one first device attribute is determined based on the output of the last sub-model of the plurality of sub-models. 
     
     
         17 . The system of  claim 16 , wherein each sub-model outputs a class representing a device attribute when applied to at least a portion of the plurality of features extracted from the device activity data, wherein the at least one first device attribute is determined based on the class output by the last sub-model of the plurality of sub-models. 
     
     
         18 . The system of  claim 15 , wherein applying the plurality of sub-models further comprises iteratively determining a next sub-model to apply based on the class output by a most recently applied sub-model and the hierarchy. 
     
     
         19 . The system of  claim 15 , wherein each classifier is trained to output a class and a confidence score, wherein the class output by each sub-model is determined based on the class and the confidence score output by each classifier of the sub-model.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.