IPC Classification Information
Country / Type | United States (US) Patent, Granted
International Patent Classification (IPC, 7th ed.) |
Application number | US-0627706 (2009-11-30)
Registration number | US-8495745 (2013-07-23)
Inventors / Address |
- Schrecker, Sven
- Ritter, Stephen
- Nakawatase, Ryan
Applicant / Address |
Agent / Address |
Citation information | Cited by: 7; Patents cited: 19
Abstract
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for asset risk analysis. One method includes receiving threat definition data for threats, vulnerability detection data for assets, and countermeasure detection data for assets. The method further includes determining a respective risk metric for each of the assets for each of the threats. This includes analyzing the vulnerability detection data for an asset to determine whether the asset is vulnerable to a threat, determining from the threat definition data and the countermeasure detection data whether the asset is protected by one of the countermeasures identified for the threat, and determining the risk metric for the asset for the threat according to whether the asset is vulnerable to the threat and whether the asset is protected by one of the countermeasures identified for the threat.
Representative Claims
1. A computer-implemented method, comprising: receiving, at a data processing apparatus, threat definition data, the threat definition data including, for each of one or more threats, an identification of the threat and an identification of one or more countermeasures that reduce a risk that the threat will affect an asset; receiving, at the data processing apparatus, vulnerability detection data for each of one or more assets and countermeasure detection data for each of the one or more assets, wherein the vulnerability detection data for each asset identifies threats to which the asset is vulnerable and the countermeasure detection data for each asset identifies one or more countermeasures protecting the asset; and determining, with the data processing apparatus, a respective risk metric for each of the one or more assets for each of the one or more threats, the determining including, for a particular asset and a particular threat: analyzing the vulnerability detection data for the particular asset to determine whether the particular asset is vulnerable to the particular threat; determining from the threat definition data and the countermeasure detection data whether the particular asset is protected from the particular threat by one or more countermeasures, wherein determining whether the particular asset is protected includes: determining that the particular asset is protected by a set of countermeasures including a network-based countermeasure and an agent-based countermeasure; and determining a likelihood that the network-based countermeasure protects the particular asset; and determining a likelihood that the agent-based countermeasure protects the particular asset; and determining the risk metric for the particular asset for the particular threat according to whether the particular asset is vulnerable to the particular threat and whether the particular asset is protected by one of the countermeasures identified for the particular threat.

2. The method of claim 1, wherein the vulnerability detection data for an asset further identifies threats to which the asset is not vulnerable, and determining the risk metric for the particular asset and the particular threat is further based on whether the particular asset is not vulnerable to the particular threat.

3. The method of claim 1, wherein the threat definition data further includes, for each of the one or more threats, applicability data describing one or more configurations of assets that the threat applies to, the method further comprising: receiving configuration data for each asset, the configuration data describing a configuration of each asset.

4. The method of claim 3, wherein determining the risk metric for the particular asset for the particular threat further comprises determining from the applicability data for the particular threat and the configuration data for the particular asset whether the particular threat applies to the configuration of the particular asset, and then determining the risk metric according to whether the particular threat applies to the configuration of the particular asset.

5. The method of claim 4, wherein: analyzing the vulnerability detection data for the particular asset to determine whether the particular asset is vulnerable to the particular threat includes determining a predicate categorization for the particular asset for the particular threat of vulnerable, not vulnerable, or unknown vulnerability; determining from the threat definition data and the countermeasure detection data whether the particular asset is protected by one of the countermeasures identified for the particular threat includes determining a predicate categorization for the particular asset for the particular threat of protected, not protected, or unknown protection; and determining from the applicability data for the particular threat and the configuration data for the particular asset whether the particular threat applies to the configuration of the particular asset includes determining a predicate categorization for the particular asset for the particular threat of applicable, not applicable, or unknown applicability.

6. The method of claim 5, wherein: the risk metric for each of the assets for each of the threats is one of: vulnerable, protected, not protected, unknown, and not vulnerable; and for each asset and each threat: the risk metric is vulnerable when the asset has predicate categorizations for the threat of vulnerable and not-protected, and a predicate categorization for the threat of either applicable or unknown applicability; the risk metric is protected when the asset has a predicate categorization for the threat of protected, a predicate categorization for the threat of either vulnerable or unknown vulnerability, and a predicate categorization for the threat of either applicable or unknown applicability; the risk metric is not protected when the asset has predicate categorizations for the threat of protected and unknown vulnerability, and a predicate categorization for the threat of either applicable or unknown applicability; the risk metric is unknown when the asset has predicate categorizations for the threat of unknown protection and unknown vulnerability, and a predicate categorization for the threat of either applicable or unknown applicability; and otherwise, the risk metric is not vulnerable.

7. The method of claim 1, wherein receiving countermeasure detection data comprises: receiving protection data identifying one or more assets protected by a sensor; receiving sensor countermeasure data describing one or more countermeasures provided by the sensor; and generating countermeasure detection data for each of the one or more assets protected by the sensor, the countermeasure detection data describing the one or more countermeasures provided by the sensor.

8. The method of claim 7, wherein the sensor countermeasure data identifies one or more signatures blocked by the sensor, and associates each signature with an attack identifier for a particular threat corresponding to the signature.

9. The method of claim 1, wherein the protection data is received from one or more users.

10. The method of claim 1, wherein the identification of a countermeasure in the threat definition data includes a product identifier, a version identifier, and data describing one or more settings of the countermeasure.

11. The method of claim 1, further comprising: receiving the vulnerability detection data from multiple sources, wherein at least two of the multiple sources provide vulnerability detection data in different formats; and normalizing the received vulnerability detection data so that the data is in a common format.

12. The method of claim 1, further comprising: receiving the countermeasure detection data from multiple sources, wherein at least two of the multiple sources provide countermeasure detection data in different formats; and normalizing the countermeasure detection data so that the data is in a common format.

13. The method of claim 1, wherein: the threat definition data further includes a respective risk score for each of the one or more threats, the risk score for a threat measuring how likely the threat is to affect an asset; and the risk metric for the particular asset relative to the particular threat is further determined from the risk score for the particular threat.

14. The method of claim 1, wherein: the threat definition data further includes a respective confidence score for each countermeasure for each of the one or more threats, the confidence score for a countermeasure and a threat measuring how likely the countermeasure is to reduce a risk that the threat will affect an asset; and the risk metric for the particular asset relative to the particular threat is further determined from the confidence scores for one or more countermeasures determined to be protecting the particular asset from the particular threat.

15. The method of claim 1, further comprising generating a report summarizing the risk metric of each of the one or more assets.

16. A system comprising: a processor; and a computer storage medium coupled to the processor and including instructions, which, when executed by the processor, causes the processor to perform operations comprising: receiving threat definition data, the threat definition data including, for each of one or more threats, an identification of the threat and an identification of one or more countermeasures that reduce a risk that the threat will affect an asset; receiving vulnerability detection data for each of one or more assets and countermeasure detection data for each of the one or more assets, wherein the vulnerability detection data for each asset identifies threats to which the asset is vulnerable and the countermeasure detection data for each asset identifies one or more countermeasures protecting the asset; and determining a respective risk metric for each of the one or more assets for each of the one or more threats, the determining including, for a particular asset and a particular threat: analyzing the vulnerability detection data for the particular asset to determine whether the particular asset is vulnerable to the particular threat; determining from the threat definition data and the countermeasure detection data whether the particular asset is protected from the particular threat by one or more countermeasures, wherein determining whether the particular asset is protected includes: determining that the particular asset is protected by a set of countermeasures including a network-based countermeasure and a host-based countermeasure; and determining a likelihood that the network-based countermeasure protects the particular asset; and determining a likelihood that the host-based countermeasure protects the particular asset; and determining the risk metric for the particular asset for the particular threat according to whether the particular asset is vulnerable to the particular threat and whether the particular asset is protected by one of the countermeasures identified for the particular threat.

17. The system of claim 16, wherein the vulnerability detection data for an asset further identifies threats to which the asset is not vulnerable, and determining the risk metric for the particular asset and the particular threat is further based on whether the particular asset is not vulnerable to the particular threat.

18. The system of claim 16, wherein the threat definition data further includes, for each of the one or more threats, applicability data describing one or more configurations of assets that the threat applies to, the system further operable to perform operations comprising: receiving configuration data for each asset, the configuration data describing a configuration of each asset.

19. The system of claim 18, wherein determining the risk metric for the particular asset for the particular threat further comprises determining from the applicability data for the particular threat and the configuration data for the particular asset whether the particular threat applies to the configuration of the particular asset, and then determining the risk metric according to whether the particular threat applies to the configuration of the particular asset.

20. The system of claim 19, wherein: analyzing the vulnerability detection data for the particular asset to determine whether the particular asset is vulnerable to the particular threat includes determining a predicate categorization for the particular asset for the particular threat of vulnerable, not vulnerable, or unknown vulnerability; determining from the threat definition data and the countermeasure detection data whether the particular asset is protected by one of the countermeasures identified for the particular threat includes determining a predicate categorization for the particular asset for the particular threat of protected, not protected, or unknown protection; and determining from the applicability data for the particular threat and the configuration data for the particular asset whether the particular threat applies to the configuration of the particular asset includes determining a predicate categorization for the particular asset for the particular threat of applicable, not applicable, or unknown applicability.

21. The system of claim 20, wherein: the risk metric for each of the assets for each of the threats is one of: vulnerable, protected, not protected, unknown, and not vulnerable; and for each asset and each threat: the risk metric is vulnerable when the asset has predicate categorizations for the threat of vulnerable and not-protected, and a predicate categorization for the threat of either applicable or unknown applicability; the risk metric is protected when the asset has a predicate categorization for the threat of protected, a predicate categorization for the threat of either vulnerable or unknown vulnerability, and a predicate categorization for the threat of either applicable or unknown applicability; the risk metric is not protected when the asset has predicate categorizations for the threat of protected and unknown vulnerability, and a predicate categorization for the threat of either applicable or unknown applicability; the risk metric is unknown when the asset has predicate categorizations for the threat of unknown protection and unknown vulnerability, and a predicate categorization for the threat of either applicable or unknown applicability; and otherwise, the risk metric is not vulnerable.

22. The system of claim 16, wherein receiving countermeasure detection data comprises: receiving protection data identifying one or more assets protected by a sensor; receiving sensor countermeasure data describing one or more countermeasures provided by the sensor; and generating countermeasure detection data for each of the one or more assets protected by the sensor, the countermeasure detection data describing the one or more countermeasures provided by the sensor.

23. The system of claim 22, wherein the sensor countermeasure data identifies one or more signatures blocked by the sensor, and associates each signature with an attack identifier for a particular threat corresponding to the signature.

24. The system of claim 16, wherein the protection data is received from one or more users.

25. The system of claim 16, wherein the identification of a countermeasure in the threat definition data includes a product identifier, a version identifier, and data describing one or more settings of the countermeasure.

26. The system of claim 16, further operable to perform operations comprising: receiving the vulnerability detection data from multiple sources, wherein at least two of the multiple sources provide vulnerability detection data in different formats; and normalizing the received vulnerability detection data so that the data is in a common format.

27. The system of claim 16, further operable to perform operations comprising: receiving the countermeasure detection data from multiple sources, wherein at least two of the multiple sources provide countermeasure detection data in different formats; and normalizing the countermeasure detection data so that the data is in a common format.

28. The system of claim 16, wherein: the threat definition data further includes a respective risk score for each of the one or more threats, the risk score for a threat measuring how likely the threat is to affect an asset; and the risk metric for the particular asset relative to the particular threat is further determined from the risk score for the particular threat.

29. The system of claim 16, wherein: the threat definition data further includes a respective confidence score for each countermeasure for each of the one or more threats, the confidence score for a countermeasure and a threat measuring how likely the countermeasure is to reduce a risk that the threat will affect an asset; and the risk metric for the particular asset relative to the particular threat is further determined from the confidence scores for one or more countermeasures determined to be protecting the particular asset from the particular threat.

30. The system of claim 16, further operable to perform operations comprising generating a report summarizing the risk metric of each of the one or more assets.

31. A non-transitory computer-storage medium encoded with a computer program including instructions operable to cause data processing apparatus to perform operations comprising: receiving, at a data processing apparatus, threat definition data, the threat definition data including, for each of one or more threats, an identification of the threat and an identification of one or more countermeasures that reduce a risk that the threat will affect an asset; receiving, at the data processing apparatus, vulnerability detection data for each of one or more assets and countermeasure detection data for each of the one or more assets, wherein the vulnerability detection data for each asset identifies threats to which the asset is vulnerable and the countermeasure detection data for each asset identifies one or more countermeasures protecting the asset; and determining, with the data processing apparatus, a respective risk metric for each of the one or more assets for each of the one or more threats, the determining including, for a particular asset and a particular threat: analyzing the vulnerability detection data for the particular asset to determine whether the particular asset is vulnerable to the particular threat; determining from the threat definition data and the countermeasure detection data whether the particular asset is protected from the particular threat by one or more countermeasures, wherein determining whether the particular asset is protected includes: determining that the particular asset is protected by a set of countermeasures including a network-based countermeasure and a host-based countermeasure; and determining a likelihood that the network-based countermeasure protects the particular asset; and determining a likelihood that the host-based countermeasure protects the particular asset; and determining the risk metric for the particular asset for the particular threat according to whether the particular asset is vulnerable to the particular threat and whether the particular asset is protected by one of the countermeasures identified for the particular threat.

32. A computer-implemented method, comprising: receiving configuration data for each of one or more assets, the configuration data describing for each asset configuration of the asset; receiving threat definition data including, for each of one or more threats, applicability data and an identification of one or more countermeasures that reduce a risk that the threat will affect an asset, wherein the applicability data describes asset configurations applicable to the threat; receiving, for each of one or more assets, vulnerability detection data and countermeasure detection data, wherein the vulnerability detection data for each asset identifies threats to which the asset is vulnerable and the countermeasure detection data for each asset identifies one or more countermeasures protecting the asset; and determining, with a data processing apparatus, a respective risk metric for each of the one or more assets for each of the one or more threats, the determining including, for a particular asset and a particular threat: analyzing the vulnerability detection data for the particular asset to determine a predicate categorization for the particular asset for the particular threat from a group comprising: vulnerable, not vulnerable, and unknown vulnerability; determining, from the threat definition data and the countermeasure detection data, a predicate categorization for the particular asset for the particular threat from a group comprising: protected, not protected, or unknown protection; and determining, from the applicability data and configuration data a predicate categorization for the particular asset for the particular threat from a group comprising: applicable, not applicable, or unknown applicability; and wherein the risk metric for each of the assets for each of the threats is one of vulnerable, protected, not protected, unknown, and not vulnerable, and for each asset and each threat: the vulnerable risk metric corresponds to determining predicate categorizations for the particular asset and the particular threat of vulnerable and not-protected, the protected risk metric corresponds to determining predicate categorizations for the particular asset and the particular threat of protected and either applicable or unknown applicability, the not protected risk metric corresponds to determining predicate categorizations for the particular asset and the particular threat of not protected and unknown vulnerability, the unknown risk metric corresponds to determining predicate categorizations for the particular asset and the particular threat of unknown protection and unknown vulnerability, and the not vulnerable risk metric corresponds to determining predicate categorizations for the particular asset and the particular threat of either not vulnerable or not applicable.
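As an added illustration that is not part of the patent record, the following Python sketch implements the three predicate categorizations of claim 5 and the risk-metric decision table of claims 6 and 32; where the two claims word the "not protected" row differently, it follows claim 32 (not protected together with unknown vulnerability). The Threat and Asset structures, the treatment of absent detection data as "unknown", and the sample assets and countermeasure identifiers are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Predicate categorizations (claim 5) and risk metric values (claim 6) as plain strings.
VULNERABLE, NOT_VULNERABLE, UNKNOWN = "vulnerable", "not vulnerable", "unknown"
PROTECTED, NOT_PROTECTED = "protected", "not protected"
APPLICABLE, NOT_APPLICABLE = "applicable", "not applicable"


@dataclass
class Threat:
    """Threat definition data (claims 1 and 3); structure assumed for this example."""
    threat_id: str
    countermeasures: Set[str]                       # normalized ids of mitigating countermeasures
    applicable_configs: Optional[Set[str]] = None   # None: no applicability data for this threat


@dataclass
class Asset:
    """Per-asset detection data; None means no source reported anything (treated as unknown)."""
    name: str
    config: Optional[str] = None
    vuln_results: Optional[Dict[str, bool]] = None  # threat_id -> scanner reported vulnerable?
    countermeasures: Optional[Set[str]] = None      # normalized ids of detected countermeasures


def vuln_predicate(asset: Asset, threat: Threat) -> str:
    if asset.vuln_results is None or threat.threat_id not in asset.vuln_results:
        return UNKNOWN
    return VULNERABLE if asset.vuln_results[threat.threat_id] else NOT_VULNERABLE


def prot_predicate(asset: Asset, threat: Threat) -> str:
    # Protected when any detected countermeasure is one the threat definition lists.
    if asset.countermeasures is None:
        return UNKNOWN
    return PROTECTED if asset.countermeasures & threat.countermeasures else NOT_PROTECTED


def appl_predicate(asset: Asset, threat: Threat) -> str:
    if threat.applicable_configs is None or asset.config is None:
        return UNKNOWN
    return APPLICABLE if asset.config in threat.applicable_configs else NOT_APPLICABLE


def risk_metric(vuln: str, prot: str, appl: str) -> str:
    """Decision table of claims 6 and 32 (claim 32's reading of the 'not protected' row)."""
    if appl in (APPLICABLE, UNKNOWN):
        if vuln == VULNERABLE and prot == NOT_PROTECTED:
            return VULNERABLE
        if prot == PROTECTED and vuln in (VULNERABLE, UNKNOWN):
            return PROTECTED
        if prot == NOT_PROTECTED and vuln == UNKNOWN:
            return NOT_PROTECTED
        if prot == UNKNOWN and vuln == UNKNOWN:
            return UNKNOWN
    # The claimed table lists no row for vulnerable + unknown protection; as written that
    # combination, like every other unlisted one, falls to the default value.
    return NOT_VULNERABLE


def assess(asset: Asset, threat: Threat) -> str:
    return risk_metric(vuln_predicate(asset, threat), prot_predicate(asset, threat),
                       appl_predicate(asset, threat))


# Constructed sample data, not taken from the patent.
T1 = Threat("T-0001", {"hips/5.1", "nids/7.0"}, {"win2008"})
ASSETS = [
    Asset("web-01", "win2008", {"T-0001": True}, {"hips/5.1"}),   # -> protected
    Asset("db-02", "win2008", {"T-0001": True}, set()),           # -> vulnerable
    Asset("legacy-03"),                                           # -> unknown
    Asset("app-04", "linux", {"T-0001": True}, set()),            # -> not vulnerable
    Asset("file-05", "win2008", None, set()),                     # -> not protected
]
```

Running `assess(asset, T1)` over ASSETS yields the five distinct metric values in the order of the comments, which is what a per-asset report under claim 15 would summarize.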