IPC classification information
Country / type | United States (US) Patent, Granted
International Patent Classification (IPC, 7th edition) |
Application number | US-0909526 (2010-10-21)
Registration number | US-8150783 (2012-04-03)
Inventors / address |
- Gonsalves, Paul G.
- Call, Catherine Dudley
- Ho, Stephen
- Lapsley, David
Applicant / address |
- Charles River Analytics, Inc.
Agent / address | McDermott Will & Emery LLP
Citation information | Cited by: 12; Patents cited: 0
Abstract
An improved security system for and method of detecting and responding to cyber attacks on a network or network element. The system comprises: (a) an intelligent agent-based information retrieval subsystem configured so as to automatically search for and retrieve relevant data from distributed sources; (b) a rule-based inferencing mechanism configured so as to interpret retrieved data within the situational context to support event and alert generation for cyber threat assessment and prediction; and (c) a threat assessment and prediction mechanism configured so as to capture data relating to the interrelationship between cyber sensor outputs and cyber attacks.
Representative claims
1. A security system for detecting and responding to cyber attacks on a network or network element, the system comprising: (a) an intelligent agent-based information retrieval subsystem configured so as to automatically search for and retrieve relevant data from distributed sources; (b) a rule-based inferencing mechanism configured so as to interpret retrieved data within the situational context to support event and alert generation for cyber threat assessment and prediction; and (c) a threat assessment and prediction mechanism configured to capture data relating to the interrelationship between cyber sensor outputs and cyber attacks.
2. The system of claim 1, further including a user interface configured so as to support on-site network assessment including visualization of a current situation state, threat assessment information and alerts.
3. The system of claim 2, wherein alerts are differentiated from events solely based on criticality and timeliness.
4. The system of claim 1, wherein the retrieval subsystem is configured so that computations are performed at sites of the distributed resources where the relevant data is available.
5. The system of claim 1, wherein the retrieval subsystem is configured to query distributed heterogeneous data sources in accordance with an on-demand approach.
6. The system of claim 1, wherein the retrieval subsystem is configured to query distributed heterogeneous data sources in accordance with an in-advance approach.
7. The system of claim 1, wherein the threat assessment and prediction mechanism includes dynamic time Bayesian belief networks.
8. The system of claim 1, further including a user interface configured to interface with system components including network resources and dynamic time Bayesian belief networks.
9. The system of claim 1, wherein the intelligent agent-based information retrieval subsystem is configured so as to automatically search for relevant data from distributed sources in accordance with at least two modes of information retrieval.
10. The system of claim 9, wherein the intelligent agent-based information retrieval subsystem includes sensor agents that detect and retrieve data from selected sources as information becomes available, and retrieval agents that react to a system query for additional information and translate diverse data sources into consistent data objects.
11. The system of claim 1, further including a manager configured for implementing the intelligent agent-based information retrieval subsystem.
12. The system of claim 11, wherein the manager is configured so as to manage one or more of the following: vulnerability assessment; network attack detection; network attack prediction; impact assessment; and remediation/mitigation.
13. The system of claim 1, wherein the intelligent agent-based information retrieval subsystem includes a data fusion architecture.
14. The system of claim 13, wherein the data fusion architecture includes: a signal/feature assessment level, an entity assessment level, a situation assessment level and an impact assessment level.
15. The system of claim 14, wherein the signal/feature assessment level includes flow-based analysis, IDS alerts and application alerts; the entity assessment level includes security incident detection using dynamic time Bayesian belief networks and multi-target tracking; the situation assessment level includes belief networks and collusion discovery; and the impact assessment level includes belief networks.
16. The system of claim 1, wherein the rule-based inferencing mechanism includes a homogeneous event fusion sub-component and a heterogeneous event fusion sub-component.
17. The system of claim 1, wherein the rule-based inferencing mechanism includes rule engines.
18. The system of claim 17, wherein the rule engines are configured to implement one or more of the following: a. instantaneous reaction mechanisms in response to changes in the environment; b. support virtual parallelism of event processing; c. trace and elicit information filtering and response recommendations knowledge; d. rule-based truth maintenance supporting the continuous maintenance of paced information consistently across operational scenarios and context; e. high-level interfaces for rule editing in terms specific to the application domain; f. tying in information representations that include objects, relational database systems, and procedural components; and g. adding supplementary processing and reasoning capabilities for information filtering.
19. The system of claim 1, wherein the threat assessment and prediction mechanism includes dynamic time Bayesian belief networks.
20. The system of claim 19, wherein the dynamic time Bayesian belief network includes a Rate Matrix and an Observation Matrix.
21. The system of claim 19, wherein the dynamic time Bayesian belief networks include a network assessment Bayesian belief network.
22. The system of claim 21, wherein the network assessment Bayesian belief network includes one or more of the following: a vulnerability sub-net; attack attractiveness sub-net; attack prevention sub-net; and network physical health sub-net.
23. A method of detecting and responding to cyber attacks on a network or network element, the method comprising: (a) automatically searching for and retrieving relevant data from distributed sources using an intelligent agent-based information retrieval subsystem; (b) interpreting retrieved data within the situational context with a rule-based inferencing mechanism configured so as to support event and alert generation for cyber threat assessment and prediction; and (c) capturing data relating to the interrelationship between cyber sensor outputs and cyber attacks with a threat assessment and prediction mechanism.
24. The method of claim 23, further including interfacing with the network system using a user interface configured so as to support on-site network assessment including visualization of a current situation state, threat assessment information and alerts.
25. The method of claim 24, further including differentiating between alerts and events solely based on criticality and timeliness.
26. The method of claim 25, wherein automatically searching for and retrieving relevant data from distributed sources includes performing computations at sites of the distributed resources where the relevant data is available.
27. The method of claim 23, wherein automatically searching for and retrieving relevant data from distributed sources using an intelligent agent-based information retrieval subsystem includes querying distributed heterogeneous data sources in accordance with an on-demand approach.
28. The method of claim 23, wherein automatically searching for and retrieving relevant data from distributed sources using an intelligent agent-based information retrieval subsystem includes querying distributed heterogeneous data sources in accordance with an in-advance approach.
29. The method of claim 23, wherein capturing the interrelationships between cyber sensor outputs and cyber attacks includes using dynamic time Bayesian belief networks.
30. The method of claim 23, further providing an interface with network resources and dynamic time Bayesian belief networks.
31. The method of claim 23, wherein automatically searching for and retrieving relevant data from distributed sources using an intelligent agent-based information retrieval subsystem includes automatically searching for relevant data from distributed sources in accordance with at least two modes of information retrieval.
32. The method of claim 23, wherein automatically searching for and retrieving relevant data from distributed sources using an intelligent agent-based information retrieval subsystem includes using sensor agents that detect and retrieve data from selected sources as information becomes available, and retrieval agents that react to a system query for additional information and translate diverse data sources into consistent data objects.
33. The method of claim 23, further including implementing the intelligent agent-based information retrieval subsystem using a manager.
34. The method of claim 23, wherein the manager is configured to perform one or more of the following: assess vulnerability; detect a network attack; predict a network attack; assess impact; and provide remediation/mitigation.
35. The method of claim 23, wherein automatically searching for and retrieving relevant data from distributed sources using an intelligent agent-based information retrieval subsystem includes using a data fusion architecture.
36. The method of claim 35, wherein using the data fusion architecture includes employing a signal/feature assessment level, an entity assessment level, a situation assessment level and an impact assessment level.
37. The method of claim 36, wherein employing the signal/feature assessment level includes employing flow-based analysis, IDS alerts and application alerts; employing the entity assessment level includes employing security incident detection using dynamic time Bayesian belief networks and multi-target tracking; employing the situation assessment level includes employing belief networks and collusion discovery; and employing the impact assessment level includes employing belief networks.
38. The method of claim 23, wherein interpreting retrieved data within the situational context with a rule-based inferencing mechanism includes using a homogeneous event fusion sub-component and a heterogeneous event fusion sub-component.
39. The method of claim 23, wherein interpreting retrieved data within the situational context with a rule-based inferencing mechanism includes using at least one rule engine.
40. A recording medium for storing a set of instructions for detecting and responding to cyber attacks on a network or network element, the instructions including: (a) automatically searching for and retrieving relevant data from distributed sources using an intelligent agent-based information retrieval subsystem; (b) interpreting retrieved data within the situational context with a rule-based inferencing mechanism configured so as to support event and alert generation for cyber threat assessment and prediction; and (c) capturing data relating to the interrelationship between cyber sensor outputs and cyber attacks with a threat assessment and prediction mechanism.
41. The method of claim 23, wherein capturing the interrelationships between cyber sensor outputs and cyber attacks with a threat assessment and prediction mechanism includes using dynamic time Bayesian belief networks.
42. The method of claim 41, wherein using the rules engine includes using the rule engine to implement one or more of the following: a. instantaneous reaction in response to changes in the environment; b. support virtual parallelism of event processing; c. trace and elicit information filtering and response recommendations knowledge; d. rule-based truth maintenance supporting the continuous maintenance of paced information consistently across operational scenarios and context; e. high-level interfaces for rule editing in terms specific to the application domain; f. tying in information representations that include objects, relational database systems, and procedural components; and g. adding supplementary processing and reasoning capabilities for information filtering.
43. The method of claim 41, wherein the dynamic time Bayesian belief network includes a Rate Matrix and an Observation Matrix.
44. The method of claim 41, wherein the dynamic time Bayesian belief networks include a network assessment Bayesian belief network.
45. The system of claim 44, wherein the network assessment Bayesian belief network includes one or more of the following: a vulnerability sub-net; attack attractiveness sub-net; attack prevention sub-net; and network physical health sub-net.