CN110999249A - Similarity search for discovering multiple vector attacks - Google Patents

Similarity search for discovering multiple vector attacks

Info

Publication number
CN110999249A
Authority
CN
China
Prior art keywords
attack
vector
threat
asset
additional
Prior art date
Legal status
Pending
Application number
CN201880050589.2A
Other languages
Chinese (zh)
Inventor
B·C·佩佩
G·R·里思
Current Assignee
T Mobile USA Inc
Original Assignee
T Mobile USA Inc
Priority date
Filing date
Publication date
Priority claimed from US15/668,580 external-priority patent/US10574675B2/en
Application filed by T Mobile USA Inc filed Critical T Mobile USA Inc
Publication of CN110999249A publication Critical patent/CN110999249A/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/034 Test or assess a computer or a system


Abstract

In response to detecting an attack on an initial attack vector, a similarity search can be performed on a directed graph to identify additional attack vectors that are potentially under attack. Security event data, including an attack history of an asset, and threat actor data for threat actors are received. A directed graph that maps threat actors to attack vectors of assets is generated based on the attack history. An attack risk probability may be calculated for an attack vector of an asset based on the directed graph, such that the attack vector may be determined to be under attack in response to the risk probability exceeding a predetermined probability threshold. Subsequently, in view of the attack vector determined to be under attack, a similarity search can be performed on the directed graph to identify additional attack vectors, of the same asset or of another asset, that are potentially under attack.

Description

Similarity search for discovering multiple vector attacks
Cross Reference to Related Applications
This patent application claims priority to U.S. patent application 15/668,580, entitled "Similarity Search for Discovering Multiple Vector Attacks," filed on August 3, 2017, which is a continuation-in-part of U.S. patent application 14/958,792, entitled "Recombinant Threat Modeling," filed on December 3, 2015, which in turn claims priority to U.S. provisional patent application 62/088,479, entitled "Threat Model," filed on December 5, 2014, the entire contents of which are incorporated herein by reference.
Background
Enterprises are constantly under attack, over the Internet or by other electronic means, against their computing resources and data (hereinafter, all of an enterprise's computing resources and data, not just its connectivity resources, are referred to as the "network"). From 2011 to 2015, at least seven hundred (700) major network attacks were documented against enterprise and government networks inside and outside the United States. Some attacks stole data, others stole money or diverted funds electronically. Still others maliciously corrupted data or caused denial of service. These attacks degrade not only the integrity of the particular network under attack, but also users' confidence in all networks. Network security personnel and others responsible for computer security are therefore continually challenged to protect their networks from network attacks.
Network security personnel are thus responsible for developing and maintaining threat models for the networks in their charge. A threat model identifies flaws in those networks, and may further identify, or help identify, techniques that mitigate each identified computer security risk. The application of those techniques is called remediation.
However, attacks against enterprise and government computing resources are increasing in scale, sophistication, and variety. For example, a sophisticated attacker may use a multi-vector attack to exploit multiple flaws in an enterprise's computing resources simultaneously. Conventional security applications may fail to detect one or more aspects of a multi-vector attack, leaving some attack vectors of a computing resource exposed even as other attack vectors are successfully protected by newly developed safeguards.
Drawings
The detailed description is set forth with reference to the accompanying drawings. In the drawings, the left-most digit or digits of a reference number identify the drawing in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items or features.
FIG. 1 illustrates an exemplary architecture for discovering multi-vector attacks on enterprise assets using similarity searches.
Fig. 2 is a diagram showing the intersection of two threat models within the same threat matrix.
FIG. 3 illustrates threat models as a series of attack surfaces, with their respective attack vectors, relative to one or more assets.
Fig. 4 shows the relationship between a threat model, a threat scenario and a threat matrix.
FIG. 5 is an exemplary environment for applying a similarity search to discover multi-vector attacks and implement a recombinant threat model and threat matrix.
FIG. 6 is a block diagram illustrating various components of an exemplary environment for applying a similarity search to discover multi-vector attacks and implement a recombinant threat model and threat matrix.
FIG. 7 is an example graph structure supporting a recombinant threat model and a threat matrix.
FIG. 8 is a flow diagram of an exemplary process for performing a similarity search on a directed graph to detect additional attack vectors under attack, after detecting an attack on an attack vector of an asset.
FIG. 9 is a flow diagram of an exemplary process for using attribute values of an attack vector to determine whether additional attack vectors for an asset are at risk of attack.
Detailed Description
The present disclosure is directed to techniques for discovering multi-vector attacks on enterprise assets using similarity searches. Assets are entities that provide benefits to an enterprise and may be compromised by an attacker. For example, an asset may be a computing or network resource of an enterprise, or, alternatively, an individual working for the enterprise. A multi-vector attack is an attack that simultaneously targets multiple attack vectors (flaws) of one or more assets of an enterprise.
The threat environment faced by businesses and government entities has changed tremendously over the past few years, from simple service outages ("hacks") to theft of significant economic value in money, intellectual property, and data. The risk control policies adopted by companies have been forced to shift from policy- and control-based approaches to approaches built around sophisticated security applications (appliances) that evaluate, measure, and track flaws. Most security applications monitor Security Information and Event Management (SIEM) logs, score the problems discovered, and then complement the scoring with mitigation responses. However, even as sophisticated corporate risk data collection strategies evolve, those strategies remain defensive and reactive toward an increasingly dangerous set of adversaries.
Currently, businesses and governments rely heavily on information infrastructure to promote their products and services, communicate with customers, and facilitate communication among geographically distributed work sites, employees, and data centers. Each of these access points has an attack surface defined by its configuration and known flaws. Successful attacks are characterized in Common Vulnerabilities and Exposures (CVE) entries, Computer Emergency Response Team (CERT) advisories, and other reports by security researchers. However, identifying these attacks depends on the attack signatures themselves having already been identified.
Economic incentives drive and subsidize the development of more sophisticated attacks, such as multi-vector attacks, which has produced a widening differentiation of the threat space. Organizing and directing risk mitigation and remediation after detection is insufficient, because detection is based on attack signatures that have already appeared on the attack surface. For example, conventional risk management tools cope reasonably well with Tier I and Tier II threats through security policies, data governance, and security applications. Flaw scanning tools are essentially blind to Tier IV attacks, because such attacks exploit custom-developed flaws that did not previously exist and therefore have no signatures to detect. Tier V attacks are similar in that they are difficult to detect and remediate.
A threat may be understood as a specific entity having the capability and willingness to exploit a flaw using different attack procedures. For example, older versions of Windows NT™ servers were susceptible to crashing when a vulnerable port was pinged (the so-called "Ping of Death"). The NT Ping of Death threat is thus the correlation of a vulnerable port with a known ping against that port. A flaw, then, is a weakness in network defenses, commonly referred to as an attack vector. An attack is the exploitation of a flaw. A threat, also referred to as a threat actor, is a party or entity that may perform, or is performing, a particular attack. The set of flaws, or attack vectors, of a particular portion of a network is referred to as the attack surface of that portion of the network. Importantly, a threat need not exploit a flaw that is technical in nature; the flaw may be non-technical (e.g., a threat from a compromised or disgruntled employee).
Detection of a multi-vector attack initially involves generating a graph, i.e., a directed graph, that maps the relationships between threat actors and the attack vectors of one or more assets of the enterprise. The directed graph may be generated using multiple data sources, for example, data from a security event data store, a threat actor data store, and/or attack data describing historical and new attacks on enterprise assets. The directed graph is used to calculate a risk probability of an attack on an attack vector of an asset, where a risk probability above a threshold may indicate that an attack on the attack vector is occurring. A similarity search is then performed on the directed graph to identify one or more additional attack vectors, of the same asset or of another asset, that have attributes similar to the attack vector under attack. The identified additional attack vectors may accordingly be designated as potentially under attack. In various embodiments, the similarity search may be a topological similarity search, a semantic-based similarity search, a statistical similarity search, or another computer-implemented search of the directed graph.
In this way, the attack vector currently under attack and the one or more additional vectors determined by the similarity search to be potentially under attack may be identified as targets of the same multi-vector attack. By contrast, conventional security applications may fail to detect such multi-vector attacks, leaving some attack vectors of an asset vulnerable even as others are successfully protected by remedial measures. The techniques described herein may be implemented in a variety of ways. Exemplary embodiments are provided below with reference to the following figures.
Exemplary Architecture
FIG. 1 illustrates an exemplary architecture for discovering multi-vector attacks on enterprise assets using similarity searches. Architecture 100 may include a directed graph generation module 102, an attack detection module 104, a multi-vector detection module 106, and a threat model module 108. The modules 102-108 may be implemented on one or more computing devices 110. Computing device 110 may be a general purpose computer, such as a desktop computer, tablet computer, laptop computer, or server, or another electronic device capable of receiving input, processing input, and generating output data. In other embodiments, computing device 110 may be a virtual computing device in the form of a virtual machine or a software container hosted in a cloud.
The directed graph generation module 102 may generate a directed graph (e.g., directed graph 112) for storage in a directed graph data store 114. In various embodiments, the directed graph generation module 102 may generate the directed graph 112 using data from multiple data sources, such as a security event data store 116, a threat actor data store 118, and attack data 120. The security event data store 116 may include security event data from a SIEM application, an intrusion detection system (IDS), and/or a flaw scanner that monitors enterprise assets. Data feeds of security event data may include system logs, event monitor logs, scan logs, and so forth. Security data feeds may also come from external sources, such as privately operated third-party network security event monitoring applications, network event detection systems operated by government agencies, and so forth. Accordingly, the data feeds may provide attack data 120 regarding historical attacks that occurred on enterprise assets or attacks currently occurring on the assets. The attack data for an attack may indicate the nature of the attack, the attack vector that was compromised, detectable indicators associated with the attack, the response used to remediate the attack, and so forth.
The threat actor data store 118 may include data profiles of various threat actors that attack, or may potentially attack, enterprise assets. For example, Tier 1 and Tier 2 actors are often intent-based actors who target assets for theft, as an outlet for expressing anger, or in an attempt to damage the enterprise's reputation. Tier 3 and Tier 4 actors, on the other hand, tend to be opportunity-based actors who target assets for personal motives, financial gain, or disruption of the enterprise's command and control (C&C) systems. In another example, Tier 5 and Tier 6 actors may target assets for strategic reasons, such as disrupting control of critical infrastructure, conducting espionage to obtain information of economic or industrial value, or compromising critical systems, personnel, and business knowledge. Higher-tier attacks may develop over longer timescales, and an asset may be a potential target for such an attack if a threat actor: (1) has the appropriate motivation; (2) is active in the threat space; (3) has the attack capability; and (4) has access to the asset.
Accordingly, the directed graph 112 generated by the directed graph generation module 102 may map threat actors to attack vectors of enterprise assets based on historical attack information. In various embodiments, the directed graph 112 may include nodes corresponding to enterprise assets, and edges connecting the nodes may indicate relationships between the assets. For example, a pair of nodes may represent two computing devices of an enterprise, and an edge between the nodes may correspond to data exchanges between the computing devices, where the edge may be unidirectional or bidirectional. In one scenario, when the first computing device is capable of receiving data from the second device but not vice versa, i.e., a unidirectional data flow, the edge may be a unidirectional edge from the first node to the second node. In another scenario, a bidirectional edge may connect the first and second nodes when the two computing devices can exchange data with each other. In another example, a pair of nodes may represent people of an enterprise rather than computing devices. In this case, an edge between the nodes may indicate a working relationship, e.g., supervisor and subordinate, provider and customer, co-workers, and so forth. These nodes may also be connected to other nodes that represent attack vectors (flaws) of assets and/or threat actors.
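The following is a minimal sketch of how such a directed graph might be assembled, using the open-source networkx library. The node names, attribute fields, and edge labels are illustrative assumptions rather than the actual schema of directed graph 112:

```python
# Illustrative sketch only; networkx is assumed as the graph library, and all
# node/edge names below are hypothetical.
import networkx as nx

graph = nx.DiGraph()

# Asset nodes, e.g., two computing devices of the enterprise.
graph.add_node("device_a", kind="asset")
graph.add_node("device_b", kind="asset")

# A one-way data flow is a single directed edge; a bidirectional exchange
# would be modeled as a pair of opposing edges.
graph.add_edge("device_a", "device_b", relation="data_flow")

# Attack-vector (flaw) nodes attached to the asset they belong to.
graph.add_node("weak_tls_config", kind="attack_vector", software_version="1.0")
graph.add_edge("device_a", "weak_tls_config", relation="has_flaw")

# Threat-actor nodes mapped to the attack vectors they have historically hit.
graph.add_node("actor_42", kind="threat_actor", tier=4)
graph.add_edge("actor_42", "weak_tls_config", relation="attacked")
```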
The attack detection module 104 can use the mapping data in the directed graph 112 to calculate the risk probability of an attack on an attack vector associated with an asset. The risk probability may be calculated using a probabilistic inference algorithm that performs inference and approximation functions on the directed graph 112. The attack detection module 104 may then compare the calculated risk probability to a predetermined probability threshold. If the risk probability exceeds the threshold, the attack detection module 104 may determine that an attack on the asset's associated attack vector is occurring; otherwise, it may determine that no attack is occurring on that attack vector. In various embodiments, the attack detection module 104 may perform such risk probability calculations and attack analyses for multiple attack vectors of multiple assets captured in the directed graph 112.
In some embodiments, after the risk probability of an attack has been calculated for an attack vector of an asset, the directed graph generation module 102 may receive new attack data indicating one or more previously unknown historical attacks on the asset, or new attacks on the asset. The new attacks may include real-time attacks on the asset and/or imminent attacks. New attack data may be received from internal and/or external resources. Internal resources may include one or more security applications that monitor the enterprise assets. External resources may include privately operated third-party network security event monitoring applications, network event detection systems operated by government agencies, and so forth. Attack data from external resources may relate to attack vectors of assets belonging to the enterprise and/or to similar attack vectors of comparable assets belonging to other enterprises. The directed graph generation module 102 may treat an attack on a similar attack vector of such a comparable asset as an indication that an attack on the corresponding attack vector of an asset belonging to the enterprise is imminent. The new attack data for an attack may indicate the nature of the attack, the compromised attack vector, detectable indicators associated with the attack, the response used to remediate the attack, and so forth. The directed graph generation module 102 may then update the directed graph 112 based on the new data. In various embodiments, the update may be accomplished by generating a new version of the directed graph 112 that takes the new attack data into account. The directed graph generation module 102 may then trigger the attack detection module 104 to repeat the risk probability calculation. Repeating the calculation on the updated directed graph 112 may yield different risk probabilities for the attack vectors of the assets. For example, the attack detection module 104 may initially calculate the risk probability of an attack on a Policy and Charging Rules Function (PCRF) software node of a wireless operator network to be about 75%. Subsequently, the directed graph generation module 102 may generate a new directed graph 112 after receiving additional attack data indicating that a PCRF software node of another wireless operator network has been attacked. As a result, recalculating the risk probability for the PCRF software node of the wireless operator network may indicate a risk probability of 95%.
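A minimal sketch of this threshold test and recomputation flow is shown below. The disclosure does not specify the probabilistic inference algorithm, so compute_risk() simply reads an assumed precomputed node attribute, and the threshold and PCRF values mirror the hypothetical numbers above:

```python
import networkx as nx

PROBABILITY_THRESHOLD = 0.80  # assumed predetermined probability threshold

def compute_risk(graph: nx.DiGraph, attack_vector: str) -> float:
    # Stand-in for the probabilistic inference algorithm; here the inferred
    # risk is assumed to be stored as a node attribute.
    return graph.nodes[attack_vector].get("risk", 0.0)

def is_under_attack(graph: nx.DiGraph, attack_vector: str) -> bool:
    # An attack is inferred when the risk probability exceeds the threshold.
    return compute_risk(graph, attack_vector) > PROBABILITY_THRESHOLD

graph = nx.DiGraph()
graph.add_node("pcrf_node", kind="attack_vector", risk=0.75)
print(is_under_attack(graph, "pcrf_node"))   # False: 75% is below threshold

# New attack data arrives (a peer network's PCRF node was hit), the graph is
# regenerated, and the recomputed risk rises.
graph.nodes["pcrf_node"]["risk"] = 0.95
print(is_under_attack(graph, "pcrf_node"))   # True: 95% exceeds threshold
```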
Once the attack detection module 104 determines that a particular attack vector 122 of an asset is under attack, the multi-vector detection module 106 may perform a similarity search on the directed graph 112 to identify an additional attack vector 124, of the same asset or of another asset, that is also potentially under attack. Similarity between the particular attack vector 122 and the additional attack vector 124 may indicate that the additional attack vector 124 is also being targeted, e.g., as part of a multi-vector attack. The similarity search may be a topological similarity search, a semantic-based similarity search, a statistical similarity search, or another computer-implemented search of the directed graph.
In some embodiments, the multi-vector detection module 106 may determine the attribute value of a particular attribute of an attack vector (e.g., attack vector 122) belonging to an asset determined to be under attack. The multi-vector detection module 106 may also determine the attribute value of the same attribute for each of the remaining attack vectors of the asset, or for attack vectors of other assets in the enterprise. An attribute is a parameter of an attack vector of an asset, and the corresponding attribute value quantifies or qualifies the attribute. For example, an attribute of an attack vector may be the model name of the attack vector, the software version number of the attack vector, the number of data exchange events the attack vector's underlying asset has with another asset, the protocol standard used to perform the data exchange events, the relationship of the attack vector to other attack vectors, and so forth.
Subsequently, the multi-vector detection module 106 may compare the attribute value of the attack vector found to be under attack (i.e., the baseline attribute value) to target attribute values, where a target attribute value is the corresponding attribute value of a remaining attack vector of the asset, or of an attack vector of another asset in the enterprise. The comparison is performed by generating a similarity score between the baseline attribute value and the target attribute value. In some embodiments, the similarity between two attribute values may be a normalized sum of the constituent pairwise attribute similarities. In this manner, the similarity score quantifies the similarity between the baseline attribute value and the target attribute value. For example, comparing a baseline attribute value of 0.9 with a target attribute value of 0.85 may result in a similarity score of 94. Accordingly, when the similarity score exceeds a predetermined similarity score threshold (e.g., a threshold of 70), the multi-vector detection module 106 may determine that the attack vector having the target attribute value is at risk of being attacked; otherwise, it may determine that the attack vector is not at risk. The multi-vector detection module 106 may perform this similarity scoring for each target attribute value of interest against the baseline attribute value, to determine whether the attack vector associated with each target attribute value is at risk of being attacked.
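A minimal sketch of this pairwise value scoring is shown below. The normalization scheme is an assumption (the disclosure says only that the similarity is a normalized sum of pairwise similarities), chosen so that the 0.9/0.85 example above scores about 94:

```python
SIMILARITY_THRESHOLD = 70  # assumed predetermined similarity score threshold

def value_similarity(baseline: float, target: float) -> float:
    """Score two attribute values on a 0-100 scale (100 = identical)."""
    if baseline == target:
        return 100.0
    return 100.0 * (1.0 - abs(baseline - target) / max(abs(baseline), abs(target)))

def at_risk(baseline: float, target: float) -> bool:
    # The target attack vector is flagged when the score exceeds the threshold.
    return value_similarity(baseline, target) > SIMILARITY_THRESHOLD

# Mirrors the example in the text: 0.9 vs. 0.85 scores roughly 94,
# which exceeds the threshold of 70.
print(value_similarity(0.9, 0.85))  # ~94.4
print(at_risk(0.9, 0.85))           # True
```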
In some embodiments, prior to performing the comparison, the multi-vector detection module 106 may modify the baseline attribute value and/or the target attribute value with corresponding weight values. The weighting may be performed based on one or more characteristics common to the attack vector associated with the baseline attribute value and the attack vector associated with the target attribute value, where the characteristics affect the enterprise. Characteristics of an attack vector may include the frequency with which the attack vector exchanges data with another attack vector or asset, the importance of the attack vector to enterprise operations, the cost associated with failure or malfunction of the attack vector, the susceptibility of the attack vector to attack, and so forth. For example, an attack vector that performs 100 data communication processes with another attack vector or asset within a predetermined period may be assigned a weight value of 1.0, while another attack vector that performs 80 such processes within the same period may be assigned a weight value of 0.8. In another example, a first attack vector that is twice as important to the operation of the enterprise as a second attack vector may be assigned a weight value twice that of the second attack vector. Accordingly, for each attribute value, the multi-vector detection module 106 may multiply the weight factor by the relevant attribute value of the attack vector to adjust that attribute value.
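The sketch below illustrates the frequency-based weighting described above; the linear mapping and the cap at 1.0 are assumptions that reproduce the 100-exchange/80-exchange example:

```python
REFERENCE_EXCHANGES = 100  # assumed exchange count that maps to weight 1.0

def frequency_weight(exchanges: int) -> float:
    return min(exchanges / REFERENCE_EXCHANGES, 1.0)

def weighted_value(attribute_value: float, exchanges: int) -> float:
    # The weight factor is multiplied into the attribute value before the
    # similarity comparison is performed.
    return attribute_value * frequency_weight(exchanges)

print(weighted_value(0.9, 100))  # 0.9  (weight 1.0)
print(weighted_value(0.9, 80))   # 0.72 (weight 0.8)
```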
In some embodiments, the weight values for the attribute values of the attack vectors may be assigned automatically by a weighting component of the multi-vector detection module 106 that evaluates the characteristics of the attack vectors. For example, the weighting component may track the number of data communication events for multiple attack vectors and then convert each attack vector's event count into a weight value. In another example, the weighting component can use a machine learning algorithm to analyze the importance of an attack vector relative to other attack vectors based on one or more factors. These factors may include: the amount of input data received and output data generated by each attack vector or its associated assets, the data processing delays caused by a failure of each attack vector, the amount of computational resources consumed by each attack vector, dependencies between attack vectors, and so forth. The machine learning algorithm may use supervised learning, unsupervised learning, and/or semi-supervised learning to analyze this information and generate the weight values. The machine learning algorithm may include various classifiers; for example, various classification schemes (explicitly and/or implicitly trained) and/or systems (e.g., support vector machines, neural networks, expert systems, Bayesian belief networks, fuzzy logic, data fusion modules, etc.) may be employed. Other directed and undirected model classification approaches that may be employed include naïve Bayes, Bayesian networks, decision trees, neural networks, and/or probabilistic classification models.
In some embodiments, the multi-vector detection module 106 may generate data reports in real time. A data report may identify the attack vector under attack and the one or more additional attack vectors determined, via the similarity search, to be potentially under attack. The multi-vector detection module 106 may provide the data report for display via a user interface of a display device, or may provide it to the threat model module 108. In alternative embodiments, the multi-vector detection module 106 may perform the similarity searches and/or generate the data reports on a periodic basis rather than in real time.
The threat model module 108 may generate a threat model 126 that includes the additional attack vectors considered potentially under attack because of their similarity to the attack vector determined to be under attack. The threat model 126 identifies flaws in the enterprise and may also identify, or help identify, techniques for mitigating the identified computer security risks. The threat model 126 may model multiple attack surfaces, where attack surfaces are typically represented by attack trees. An attack tree is a computer security structure used to store the preconditions and prerequisites of flaws in a computer network. In general, a tree is composed of parent nodes, each having a set of child nodes. Child nodes in the interior of the tree have their own children (grandchildren of the parent node); a child node without children of its own is a leaf node. Each parent node stores a potential network flaw, and the children of a parent node are potential vectors for exploiting the flaw stored in the parent. For example, a parent node may store the concept that a virus may infect files. That parent node may have a first child node storing the vector of the virus executing with an administrator identity and a second child node storing the vector of the virus executing with non-administrative privileges. The child node storing the administrator-identity vector may in turn have its own children storing the concept of the virus using a rootkit and the concept of the virus running under a compromised administrative account.
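A minimal sketch of this attack-tree structure, populated with the virus example above, might look as follows; the class shape is an assumption:

```python
from dataclasses import dataclass, field

@dataclass
class AttackNode:
    flaw: str                                   # the potential network flaw
    children: list["AttackNode"] = field(default_factory=list)

    def is_leaf(self) -> bool:
        # A node with no children of its own is a leaf node.
        return not self.children

# Parent node: a virus may infect files.
tree = AttackNode("virus may infect files", children=[
    AttackNode("virus executes with administrator identity", children=[
        AttackNode("virus uses a rootkit"),
        AttackNode("virus runs under a compromised administrative account"),
    ]),
    AttackNode("virus executes with non-administrative privileges"),
])
```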
Because an attack tree stores attack vectors, attack trees can be used to develop a threat matrix. A threat matrix is a master list of all threats to a network, cross-referenced with potential remedial responses. However, because attack trees do not store explicit responses, they do not by themselves provide the remediation information needed to develop a complete threat matrix. Furthermore, conventional techniques for developing attack trees are fundamentally manual in nature; developing and maintaining an attack tree is therefore complex and time consuming. In particular, conventional attack tree techniques have no ability to generate attack trees dynamically.
An attack tree may be developed for a particular class of flaws. For example, a first attack tree may store flaws exposed to technical attacks and a second attack tree may store flaws exposed to social attacks. Those two attack trees may then be combined into a threat matrix. Using conventional techniques, however, the attack prerequisites stored in the two attack trees are not correlated, even though they reside in the same threat matrix. In particular, the prior art does not consider child nodes in one attack tree as potential prerequisites of, and therefore as potential child nodes of, nodes in the second attack tree.
More generally, conventional threat modeling techniques suffer from assuming a single threat actor goal. The conventional process of developing a threat model is likewise linear in nature, even though real-world attacks may be lateral, i.e., an attack initially stored in one attack tree may eventually evolve into an attack stored in another attack tree. For example, indicators of attack under a social model (i.e., stored in an attack tree composed of social and/or human-factor data) are not used as indicators of an expected technical threat (i.e., stored in an attack tree composed of technical attack data). Thus, knowing that an employee was passed over in the last three performance reviews may not trigger a check of whether that employee is an IT worker who might attempt a technical attack on a server.
Attack trees are in fact well suited to integrating data from many sources, both internal and external to an organization. In practice, however, a threat matrix is typically used only as an input to an internally developed threat model. The threat matrix is often not updated with events concerning other installations that are not the responsibility of the corporate security personnel. This is frequently a result not only of the inability to access third-party data, but also of the time the prior art already requires to develop attack trees from internal data alone.
Accordingly, in some embodiments, the threat model 126 may be a recombinant threat model that accounts for the differentiation of the threat space. Recombinant threat models map threats and their respective attack vectors. Recombinant threat models may be combined into a series of overlapping "threat scenarios," and the threat scenarios may in turn be combined into a final "threat matrix" for an installation. Because of the capabilities described herein, recombinant threat models may be cross-correlated and may be extended using third-party data.
As shown in FIG. 3, a recombinant threat model may be constructed as an array of attack surfaces having their respective attack vectors relative to one or more assets. An attack surface consists of flaws, each associated with one or more attributes describing the flaw. An attack surface is typically presented in the context of a family of potential threats, referred to as a threat model. For example, one attack surface may contain threats from weak encryption. Another may contain threats from inadvertently exposed points in a server. Yet another may contain threats from human factors (e.g., disgruntled employees, compromised employees, human error).
A surface area may have one or more "attack vectors," and threats access the attack surface by employing those attack vectors. The attack surface may be modeled by various attributes; for example, an attack surface may be a set of technical vectors or of non-technical vectors. This is illustrated in FIG. 2, where the threat model includes an external attack surface containing a technical attack vector (e.g., the NT Ping of Death) and an internal attack surface (e.g., a disgruntled employee). Attributes may be automatic (derived or inferred via computer automation), ingested (imported into the threat model), or observed. For example, where an asset has an attack history, the attack history may be imported (ingested) and the asset then marked as part of an attack surface with higher risk (automatic/derived). Alternatively, a security team may observe an ongoing attack.
As shown in FIG. 4, a threat matrix includes a set of threat scenarios, and a threat scenario includes a set of recombinant threat models. The recombinant threat models may exist independently within a threat scenario; alternatively, multiple recombinant threat models may be interconnected. A threat scenario represents the computer security threats to a logical grouping of assets, e.g., a set of servers and/or end-user computers that provide some functionality. Examples of asset groupings covered by a threat scenario include a retail center, a data center, a set of similar server types, an executive management group, and so forth. The set of threat scenarios, in turn, makes up a threat matrix representing all the threats an enterprise, government, or organization typically faces.
A recombinant threat model may identify not only potential attack vectors and associated responses, but also threat indicators. A threat indicator is a detectable event, subtle or significant, indicating that a flaw may be being exploited by a threat. A threat indicator therefore triggers a response to prevent, counter, or eliminate an ongoing attack. Remediation is accomplished by executing one or more responses to the threat.
For each attack vector, a corporate security officer or other responsible party would ideally have identified a response. Ideally, the response is proactive, preventing the attack or eliminating the flaw. For example, where the threat comes from a disgruntled employee, firing or replacing the employee may prevent the attack. Likewise, the NT Ping of Death can be eliminated by upgrading all NT servers to a newer version or by closing the vulnerable ports. Sometimes the response is reactive, limiting and containing the damage until the attack is stopped. Reactive responses are generally dynamic in nature and are triggered when a threat indicator is detected.
Accordingly, a threat matrix composed of recombinant threat models may be populated not only with attack vectors grouped into attack surfaces, but may also cross-reference the responses corresponding to the respective attack vectors, and may cross-reference the threat indicators whose detection signals the likelihood that an attack on the corresponding attack vector is imminent.
In some cases, the attack vectors indicated on an attack surface are not actual attacks in progress but potential attacks; not every attack vector indicated on the attack surface will be exploited by a threat. Ideally, no attack vector is ever exploited in the first place and all responses are proactive. In reality, however, organizations do come under attack. The threat matrix may store not only the responses; it may also store which threats exploited which attack vectors, and the effectiveness of the responses. In this way, the threat matrix can track response effectiveness: in practice, some responses are effective and, unfortunately, some are not. A corporate security officer or other responsible party may then update the threat matrix with improved responses to eliminate previously exploited threats as risks.
Exemplary Environment
FIG. 5 is an exemplary environment 500 for applying a similarity search to discover multi-vector attacks and to implement a recombinant threat model and threat matrix. A request to initiate generation of the threat model 126 may be made from a client 502. The client 502 may be any device having a processor 504, a storage device 506, and a network interface 508 sufficient to connect to a cloud server, either directly or via the Internet. Typically, an operating system 510 and one or more application programs 512 will reside on the storage device 506. A typical configuration is a central processor, RAM, and a Wi-Fi or Ethernet connection. The storage device 506 will be a computer-readable medium and/or will have access to other computer-readable media, and will run a client application 512 comprising computer-executable code resident in the storage device and/or other computer-readable media. The client 502 may access remote storage 514, such as network-attached storage (NAS) 516, on a local network.
Similarly, a server 516 or cloud service 518 hosting the server side of the recombinant threat model infrastructure may be a device with a processor 520, a storage device 522, and a network interface 524 sufficient to connect to clients directly or via the Internet. As with the client, there will typically be an operating system; a typical configuration is a central processing unit, RAM, and a Wi-Fi or Ethernet connection. The storage device will be a computer-readable medium and/or will have access to other computer-readable media, and will run an application 526 and operating system 528 comprising computer-executable code resident in the storage device and/or other computer-readable media. The server may have access to a database or data store 530, either local or on its local network.
Cloud server 532 may typically run a virtualization environment 534, and virtualization environment 534 may create virtual machines. In each virtual machine, there may be an operating system or system level environment. Each virtual machine may spawn a process, and each process may spawn a thread. An execution environment (e.g., a Java virtual machine or. NET runtime) may execute in a virtual machine and manage processes and threads. The server 532 may also take the form of a database server 536. Computer-readable media includes at least two types of computer-readable media, namely computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information for access by a computing device. In contrast, communication media may embody computer readable instructions, data structures, program modules, or other data in a modulated data signal (e.g., carrier wave) or other transport mechanism. As defined herein, computer storage media does not include communication media.
FIG. 6 is a block diagram illustrating various components of an exemplary environment for applying a similarity search to discover multi-vector attacks and implement a recombinant threat model and threat matrix. The configuration includes a computer host system 602 having a processor 604, computer-readable storage 606, and a computer-readable medium 608. The storage 606 may be RAM, and the computer-readable medium 608 may be persistent, e.g., disk storage. The computer-readable medium 608 may store a data structure store 610 for the recombinant threat models and threat matrices. The data structure store 610 is a software data structure (e.g., a directed graph or a set of tables) for storing recombinant threat model data. The computer-readable medium 608 may be separate from the processor 604 and the storage 606, and may reside on network-attached storage or a database server on a network, the Internet, or a cloud service. The storage 606 may store the directed graph generation module 102, the attack detection module 104, the multi-vector detection module 106, and the threat model module 108. The storage 606 may also store a software query component 612, a software similarity component 614, a software data feed component 616, and a software audit component 618. Each module and component may include routines, program instructions, objects, and/or data structures that perform particular tasks or implement particular abstract data types.
The software query component 612 is configured to receive query data. Typical query data takes the form of an observed event, which may be described by one or more attributes. The software query component may also receive filter indicators. When a query is executed, the software query component 612 communicates with the software similarity component 614, which provides similarity scores between entities. An entity is composed of a set of attributes and is described further in the discussion of the data structure store 610 below.
The software similarity component 614 may compute a similarity score between two entities. In one embodiment, the software similarity component 614 enumerates at least some attributes (sometimes referred to as fields) of the first entity and at least some attributes of the second entity. First, the field names and types are aligned by their similarity; then the field values are scored for similarity. The similarity between the two entities may be the normalized sum of the constituent pairwise attribute similarities. In this way, similarity scores can be produced even for entities having different attributes. Note that the software similarity component 614 does not actually declare that two entities are similar; it only generates a score. The similarity score is used in conjunction with a predetermined threshold: if the score exceeds the threshold, the entities are considered sufficiently similar. The multi-vector detection module 106 may thus use the software similarity component 614 to generate similarity scores for the attribute values of attack vectors.
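A minimal sketch of such entity scoring is shown below. The field alignment rule (best name match above a cutoff) and the individual scoring functions are assumptions; the disclosure specifies only the align-score-normalize structure:

```python
from difflib import SequenceMatcher

def name_similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def value_score(a, b) -> float:
    if isinstance(a, (int, float)) and isinstance(b, (int, float)):
        span = max(abs(a), abs(b)) or 1.0
        return 1.0 - abs(a - b) / span
    return SequenceMatcher(None, str(a), str(b)).ratio()

def entity_similarity(first: dict, second: dict, name_cutoff: float = 0.5) -> float:
    """Align fields of two entities by name similarity, score the aligned
    values pairwise, and return the normalized sum of the pair scores."""
    pair_scores = []
    for name, value in first.items():
        best = max(second, key=lambda other: name_similarity(name, other))
        if name_similarity(name, best) >= name_cutoff:
            pair_scores.append(value_score(value, second[best]))
    return sum(pair_scores) / len(pair_scores) if pair_scores else 0.0
```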
The software similarity component 614 may also be used in conjunction with the software data feed component 616. The software data feed component 616 is a loader that receives attack vector, attack surface, and threat model data and loads it into the respective instances. In addition, the software data feed component 616 can use the software similarity component 614 to create or infer associations between threat models and attack surfaces; this is possible because the software similarity component 614 performs pairwise attribute comparisons.
Associations inferred by the software query component 612 at query time, or by the software data feed component 616 at load time, may not be correct. Accordingly, any use or creation of an inferred association is recorded by the software audit component 618.
The data structure store 610 stores entities having different attributes. The entities include attack vectors 620, attack surfaces 622, threat models 624, and associations 626 between attack surfaces and threat models. A record of an entity is called an instance. Note that the data structure store need not be implemented as a relational database. Each entity may be defined as an abstract base class, so that instances derived from the abstract base class may have different attributes; for example, one attack surface instance may have different attributes than a second attack surface instance.
Attack vector entities 620 and attack surface entities 622 are not only associated with flaws and attack surfaces, respectively, but may also be associated with indicator data 628 and response data 630. The indicator data 628 describes events that, if observed, alter the likelihood that the respective attack vector or attack surface will be exploited. Typically, an indicator signals that the likelihood is increasing and that a remedial response should be taken proactively.
The associated response data 630 stores recommended remediation procedures for the respective attack vector or attack surface. The response data 630 may also store an indicator, such as a field or flag, marking a response as ineffective. This effectiveness data can be used to alter the priority of the responses returned during a query.
Exemplary Threat Model Method
A recombinant threat model may store information about: (a) attack surfaces and their associated attack vectors, (b) the network assets to which those attack vectors are directed, (c) threat profiles in the form of indicators, (d) attack histories, and (e) historical responses to attacks. Recombinant threat models may be combined into a unified threat matrix. The stored information is not limited to a particular company or installation, but may also include publicly available information. The threat matrix may be used to correlate threats across different recombinant threat models and to update the responses stored in the threat matrix quickly and automatically. Developing a recombinant threat model may involve an initial population of the threat model, determination of responses to attack indicators, and updating of the threat model.
In the initial population of a threat model, attack vectors collected into one or more attack surfaces, attack histories, and historical responses are entered into the proposed threat matrix. Sources of attack surface data may include internal data organized into existing attack trees. Other sources may include third-party resources, such as data provided by the federal government via the U.S. National Institute of Standards and Technology.
The attack vectors may also be correlated with indicators from threat profiles and other sources. Indicators may be collected by reviewing attack histories (e.g., from SIEMs) and historical responses. The collection of historical responses may be automated via RSS feeds, external feeds, or crawling spiders programmed to search the Internet for reports of network attacks.
In this way, a threat matrix comprising recombinant threat models will be more complete and will exploit cross-correlation information from different threat models, resulting in a more robust method for detecting attacks and selecting responses. By analyzing the threat matrix using machine learning and pattern matching functions, a corporate security officer will be able to process threat intelligence from a lateral perspective, giving the security officer a much more accurate picture of the threats relative to the threat scenario and thus a more accurate assessment of organizational risk.
The underlying data structures of the threat matrix and the recombinant threat models may take the form of a directed graph data structure (hereinafter a "directed graph"); an exemplary directed graph data structure is illustrated in FIG. 7. Data representing technical and non-technical data points is ingested into the graph data structure as a series of directed graph nodes. Each node represents an entity within the threat matrix and may represent a threat actor, a threat profile, a flaw, an attack history, a response, and so forth. A node may have multiple properties and labels. A node has relationships (edges) with other nodes, and those relationships may also carry properties. The nodes and relationships are used to develop a threat model.
The relationships in the directed graph determine how the surface-area or model nodes are developed. A relationship in a threat model represents a vector from one surface area to another. Note that because all nodes are in the same directed graph, nodes from one threat model may be connected, and thus related, to nodes from a different threat model. Note also that because the historical responses include input from the spider programs, the method may automatically add third-party threat information from outside the organization.
The structure of a node itself may take the form of an abstract class, with records represented as object instances. One proposed model is an abstract class for each attack vector and an abstract class for the recombinant threat model, with the threat model instances stored in a threat matrix consisting of a directed graph of threat model and attack vector instances. Attack vector instances may be grouped together to form an attack surface.
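A minimal sketch of this abstract-class scheme might look as follows; the class names and attributes are illustrative assumptions:

```python
from abc import ABC

class AttackVector(ABC):
    """Abstract base class: each instance may carry its own set of attributes."""
    def __init__(self, **attributes):
        self.attributes = dict(attributes)

class ThreatModel(ABC):
    """Abstract base class for recombinant threat models."""
    def __init__(self, **attributes):
        self.attributes = dict(attributes)
        self.attack_surface: list[AttackVector] = []  # grouped vector instances

class PingOfDeath(AttackVector):
    pass

# Instances with differing attributes can coexist in the same threat matrix.
nt_ping = PingOfDeath(port=7, os="Windows NT")
model = ThreatModel(name="external technical threats")
model.attack_surface.append(nt_ping)
```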
The threat matrix may be implemented as a directed graph over the threat model abstract class. In effect, the threat matrix becomes a graph of threat model instances, which allows a threat model instance with any set of attributes to be part of the threat matrix's directed graph.
An attack surface (referred to as S) may be directed to specific attributes of the human-factor vulnerability of a compromised employee, for example:
In notice period: no;
Last review: poor;
Salary: managerial range.
A recombinant threat model (M) may likewise be directed to specific attributes of the human-factor vulnerability, for example:
Tenure: 1 year;
Work performance: 2/5;
Compensation: $30,000.
To determine whether the threat model should be associated with the attack surface, a matching/similarity algorithm may match the surface S against the model M. Note that the attributes may have different names and different value types. First, the matching/similarity algorithm may determine that the "last review" attribute in S maps to the "work performance" attribute in M. The algorithm may then determine that the binary poor/good "last review" value in S is similar to the 2/5 scalar "work performance" value in M, so that the two match. Various known similarity scoring and fuzzy-logic scoring algorithms may be applied.
A predetermined similarity threshold may be applied by the matching/similarity algorithm. Specifically, the algorithm takes a threat model instance and enumerates its attributes. It then selects a candidate attack surface instance to associate with the threat model and enumerates the attributes of that attack surface. The algorithm computes pairwise similarities between the attributes of the threat model instance and the attributes of the attack surface instance, and then computes a relevance score for the pair. If the relevance score exceeds a predetermined threshold, the threat model instance and the attack surface instance are associated.
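A minimal sketch of this matching step, using the S and M examples above, is shown below. The attribute alignment, the binary-to-scalar encoding of the review value, and the threshold are all assumptions:

```python
RELEVANCE_THRESHOLD = 0.6  # assumed predetermined threshold

surface_s = {"in_notice_period": "no", "last_review": "poor", "salary": "managerial"}
model_m = {"tenure": 1.0, "work_performance": 2 / 5, "compensation": 30_000}

# Encode the binary poor/good review as a scalar so it can be compared with
# the 2/5 "work_performance" value (poor -> 0.25, good -> 0.75, assumed).
review = 0.25 if surface_s["last_review"] == "poor" else 0.75

# Pairwise similarity of the one aligned attribute pair; the relevance score
# is the normalized sum over all aligned pairs (a single pair here).
relevance = 1.0 - abs(review - model_m["work_performance"])  # 0.85

if relevance > RELEVANCE_THRESHOLD:
    print(f"associate threat model M with attack surface S ({relevance:.2f})")
```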
In populating the threat matrix, responses to attack indicators may be determined. Initially, the system receives an observed event, where the observed event is composed of a set of attributes comparable to the indicator data associated with attack vector and attack surface instances. The system then searches the directed graph for indicators similar to the observed event. If the attributes of the observed event differ from those of the indicators being analyzed, the software similarity component may perform an attribute comparison. Where an indicator is found whose similarity exceeds a predetermined threshold, the associated attack vector instance and attack surface instance are retrieved.
Note that any entity in the data structure store may be associated with an indicator (e.g., a flag or field) that serves as a filter. If the software query component is configured to run queries using filters (i.e., in fast query mode), the software query component performs similarity searches only on nodes with the appropriate set of filter indicators. Because comparing fields is faster than performing a similarity search, the fast query mode is typically faster than a query that performs the similarity search alone. The system reports the responses associated with the retrieved attack vector and attack surface instances, and at least some of the responses are executed as remediation.
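A minimal sketch of this indicator lookup, including the fast-query pre-filter, is shown below; it reuses the entity_similarity() sketch given earlier, and the field names and threshold are assumptions:

```python
INDICATOR_THRESHOLD = 0.7  # assumed predetermined similarity threshold

def respond_to_event(indicators, observed_event):
    """Return the remediation responses of every instance whose indicator is
    sufficiently similar to the observed event."""
    responses = []
    for indicator in indicators:
        if entity_similarity(observed_event, indicator["attributes"]) > INDICATOR_THRESHOLD:
            responses.extend(indicator["responses"])
    return responses

def fast_query(indicators, observed_event, filter_flags):
    # Fast query mode: a cheap flag comparison prunes the candidates before
    # the expensive similarity search runs on the survivors.
    candidates = [i for i in indicators if filter_flags <= i.get("flags", set())]
    return respond_to_event(candidates, observed_event)
```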
Recall that one feature of recombinant threat models is that they provide data from more than one model. The system may identify a first set of threat models associated with the returned attack surface instances. The software similarity component may then, at the user's direction, create a second set of threat models and attack surfaces similar to the threat models in the first set. Note that the software similarity component may compare not only threat models to threat models, but also threat models to attack surfaces.
The second set then provides the user with another group of potential remediations. In particular, the attack surfaces, and the attack vectors associated with the returned attack surfaces, are associated with response data, and the user may execute at least some of the remediation procedures described in that response data. Another feature of the recombinant threat model is that it reduces the likelihood of false positives in remedial action: the user should be presented with the remedial responses most likely to address the attack, without being overwhelmed by the sheer volume of potential responses.
In the event that a response is found to be invalid or irrelevant, the directed graph may be used to determine which responses would not have been retrieved under a different predetermined similarity threshold. Specifically, invalid or irrelevant responses (false positives) are collected and their respective attack surfaces and threat models are reviewed. If the majority of the errors come from the second set of retrieved threat models and attack surfaces, a higher predetermined threshold is recommended.
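As a brief sketch under assumed data shapes, this recalibration might tally false positives by the retrieval set they came from and recommend a higher threshold when the second set accounts for the majority:

    def recommend_threshold(false_positives, current_threshold, step=0.05):
        # Each false positive is assumed to record which retrieval set
        # ("set" 1 or 2) produced it; the majority test and step size
        # are illustrative choices, not specified by the disclosure.
        from_second_set = sum(1 for fp in false_positives if fp["set"] == 2)
        if false_positives and from_second_set / len(false_positives) > 0.5:
            return min(1.0, current_threshold + step)
        return current_threshold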
Ideally, the threat matrix and the underlying threat models are updated from time to time. Some threats or attacks may become outdated, new response techniques may be developed, and automatically generated correlations may prove incorrect. As the threat matrix grows in size, performance optimizations may also be added.
One optimization is to remove outdated threats and attacks from the underlying directed graph. In the case of a threat, an event may occur indicating that a party is no longer a threat; for example, a long-term hacker is caught. In that case, the directed graph may be searched for all attacks associated with that threat. Data relevant only to that threat may then be removed from the directed graph and archived. It is important not to remove data for attacks associated with other threat entities, as those attacks may still be initiated, albeit by another threat entity.
In the case of an expired attack, an event occurs indicating that the attack vector is no longer a flaw. For example, an attack may have targeted a router that has since been removed from the network. Because the router is no longer in the network, the flaw no longer exists, and attacks specific to that router may be removed.
As an alternative to removal, data associated with an outdated threat or attack may simply be marked as low priority so that it can be skipped during fast directed-graph traversal. Specifically, if a user or machine so indicates when searching the directed graph, the traversal will skip nodes marked as low priority, thereby saving the processing time that would be spent on lower-priority nodes.
In general, the directed graph may be subject to different filters. Since the directed graph will become very large over time, nodes belonging to a commonly traversed subset may store a flag or field value indicating that they belong to that particular subset. A subset-filtered traversal then examines only nodes with the corresponding flag or field values. Commonly accessed nodes may also be cached. In particular, some directed graph queries are performed frequently; where the underlying data is expected to be static, the corresponding nodes may be cached to speed up retrieval.
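The low-priority skipping, subset screening, and caching described in the preceding paragraphs might be sketched as follows; the node fields and the tiny example graph are assumptions for illustration.

    from functools import lru_cache

    # Hypothetical adjacency-dict graph; "priority" and "subsets" are
    # the per-node flag/field values discussed above.
    GRAPH = {
        "asset:web": {"priority": "high", "subsets": {"web"}, "edges": ["vector:tls"]},
        "vector:tls": {"priority": "low", "subsets": {"web"}, "edges": []},
    }

    def traverse(graph, start, subset_flag=None, skip_low_priority=True):
        # Depth-first walk that honors the priority and subset filters.
        seen, stack, visited = set(), [start], []
        while stack:
            node_id = stack.pop()
            if node_id in seen:
                continue
            seen.add(node_id)
            node = graph[node_id]
            if skip_low_priority and node.get("priority") == "low":
                continue  # outdated threat/attack data is skipped
            if subset_flag and subset_flag not in node.get("subsets", set()):
                continue  # not in the screened subset
            visited.append(node_id)
            stack.extend(node.get("edges", []))
        return visited

    @lru_cache(maxsize=1024)
    def cached_traversal(start, subset_flag=None):
        # Frequently run queries over static portions of the graph can
        # be cached; the cache must be cleared if the graph changes.
        return tuple(traverse(GRAPH, start, subset_flag))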
Exemplary Attack Vector Discovery Processes
FIGS. 8 and 9 illustrate exemplary processes 800 and 900 for discovering multiple vector attacks on enterprise assets using similarity searches. Each of processes 800 and 900 is illustrated as a collection of blocks in a logical flow graph, which represent a sequence of operations that can be implemented in hardware, software, or a combination thereof. In the context of software, the blocks represent computer-executable instructions that, when executed by one or more processors, perform the recited operations. Generally, computer-executable instructions include routines, programs, objects, components, data structures, and so forth that perform particular functions or implement particular abstract data types. The order in which the operations are described is not intended to be construed as a limitation, and any number of the described operations can be combined in any order and/or in parallel to implement a process. For discussion purposes, processes 800 and 900 are described with reference to the exemplary architecture 100 of FIG. 1.
FIG. 8 is a flow diagram of an exemplary process 800 for performing a similarity search on a directed graph to detect additional attack vectors that are potentially under attack, after an attack on an attack vector of an asset is detected.
At block 802, the directed graph generation module 102 may receive security event data from a security event data store, the security event data including attack histories for one or more assets belonging to an enterprise. In various embodiments, the security event data store 116 may include security event data from SIEM applications, IDSs, and/or defect scanners that monitor the enterprise assets. The data feeds of security event data may include system logs, event monitor logs, scan logs, and the like. The security data feeds may also come from external sources, such as third-party privately operated network security event monitoring applications, network event detection systems operated by government agencies, and the like.
At block 804, the directed graph generation module 102 may receive threat participant data from the threat participant data store regarding one or more threat participants that are capable of attacking one or more assets of the enterprise. In various embodiments, the threat participant data store may include data profiles for various threat participants that have attacked or may potentially attack the enterprise asset.
At block 806, the directed graph generation module 102 may generate, for storage in a directed graph data store, a directed graph that maps threat participants to attack vectors of one or more assets of the enterprise based on the attack history. An attack vector is a flaw in asset defense, and an attack is the exploitation of the flaw. In various embodiments, the directed graph may include nodes corresponding to enterprise assets, and edges connecting the nodes may indicate relationships between the assets. These nodes may also be connected to other nodes representing attack vectors for the assets and/or threat participants.
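As one possible illustration, the directed graph of block 806 could be assembled with the networkx library; the asset, attack vector, and threat participant names below are assumptions, not data from this disclosure.

    import networkx as nx

    g = nx.DiGraph()

    # Asset nodes, with edges indicating relationships between assets.
    g.add_edge("web server", "customer database", relation="queries")

    # An attack vector node connected to the asset whose defense it flaws.
    g.add_edge("unpatched TLS library", "web server", relation="attack_vector")

    # A threat participant mapped, via attack history, to the attack vector.
    g.add_edge("threat participant A", "unpatched TLS library", relation="attacked")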
At block 808, attack detection module 104 may calculate an attack risk probability for the asset's associated attack vector based on the directed graph. The attack risk probability may be computed using a probabilistic inference algorithm that performs inference and approximation functions on the directed graph 112.
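The disclosure does not fix a particular inference algorithm; as one hedged example, a simple noisy-OR combination could estimate the probability that an attack vector is exploited, assuming independent per-threat-participant attack probabilities read from the directed graph.

    def noisy_or(threat_probabilities):
        # P(attack) = 1 - product(1 - p_i), assuming independence across
        # the threat participants connected to the attack vector.
        risk = 1.0
        for p in threat_probabilities:
            risk *= 1.0 - p
        return 1.0 - risk

    # Two participants with historical attack rates of 0.3 and 0.5:
    print(noisy_or([0.3, 0.5]))  # 0.65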
At block 810, attack detection module 104 may receive new attack data from one or more security applications indicating one or more previously unknown historical attacks or one or more new attacks against at least one asset of the enterprise. The new attacks may include real-time attacks on the asset and/or imminent attacks. The new attack data may be received from internal or external resources. The internal resources may include one or more security applications that monitor the enterprise assets. The external resources may include third-party privately operated network security event monitoring applications, network event detection systems operated by government agencies, and the like.
At block 812, the directed graph generation module 102 may update the directed graph to account for the new attack data received from the one or more security applications. In various embodiments, updating the directed graph may be accomplished by generating a new version of the directed graph. At block 814, attack detection module 104 may recalculate the attack risk probability for the associated attack vector of the asset based on the updated directed graph.
At decision block 816, attack detection module 104 may determine whether the attack risk probability computed for the attack vector exceeds a predetermined probability threshold. Thus, if the attack risk probability exceeds the predetermined probability threshold ("yes" at decision block 816), process 800 may proceed to block 818. At block 818, attack detection module 104 may determine that an attack on the asset's attack vector is occurring.
At block 820, the multi-vector detection module 106 may perform a similarity search on the directed graph in view of the attack vector to identify one or more additional attack vectors of the asset, or of at least one other asset, that are potentially under attack. In various embodiments, the similarity search may be a topological similarity search, a semantic-based similarity search, a statistical similarity search, or another computer-implemented search of the directed graph.
Returning to decision block 816, if the attack risk probability does not exceed (i.e., is equal to or less than) the predetermined probability threshold ("no" at decision block 816), the process 800 may loop back to block 802. In some alternative embodiments, the operations described in blocks 810-814 may be skipped. Accordingly, the operations described in blocks 816 and 820 may be performed directly after block 808. In other alternative embodiments, the operations described in block 808 may be skipped during execution of process 800.
FIG. 9 is a flow diagram of an exemplary process 900 for using attribute values of an attack vector to determine whether additional attack vectors of an asset are at risk of attack. Process 900 may further illustrate block 820 of process 800. At block 902, the multi-vector detection module 106 may determine a baseline attribute value for the attack vector of the asset under attack in the directed graph. In various embodiments, attribute values measure attributes of attack vectors. In other words, an attribute of an attack vector may be a parameter of the attack vector, and the corresponding attribute value may quantify or qualify the attribute.
At block 904, multi-vector detection module 106 may determine a target attribute value for an additional attack vector of the asset or of another asset. The target attribute value is for an attribute of the additional attack vector that is the same as the attribute of the attack vector. At block 906, the multi-vector detection module 106 may modify at least one of the baseline attribute value or the target attribute value with a corresponding weight value. The multi-vector detection module 106 may assign each weight value based on one or more characteristics common to the attack vector associated with the baseline attribute value and the attack vector associated with the target attribute value, where such characteristics affect the enterprise. However, in some cases, multi-vector detection module 106 may omit the modification of attribute values with weight values.
At block 908, the multi-vector detection module 106 may generate a similarity score for the baseline attribute value and the target attribute value. In various embodiments, the similarity between two sets of attribute values may be a normalized sum of the constituent pairwise attribute similarities. In this way, the similarity score may indicate the similarity between the baseline attribute value and the target attribute value.
At block 910, the multi-vector detection module 106 may compare the similarity score to a predetermined similarity score threshold. At decision block 912, if the multi-vector detection module 106 determines that the similarity score exceeds the similarity score threshold ("yes" at decision block 912), the process 900 may proceed to block 914. At block 914, the multi-vector detection module 106 may determine that the additional attack vector is at risk of attack. Process 900 may then loop back to block 904, where another attribute value of a subsequent attack vector may be compared for the purpose of identifying whether the subsequent attack vector is at risk of attack.
Returning to decision block 912, if the multi-vector detection module 106 determines that the similarity score does not exceed (i.e., is equal to or less than) the similarity score threshold ("no" at decision block 912), the process 900 may proceed to block 916. At block 916, multi-vector detection module 106 may determine that the additional attack vector is not at risk of attack. Process 900 may then loop back to block 904, where another attribute value of a subsequent attack vector may be compared for the purpose of identifying whether the subsequent attack vector is at risk of attack.
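As a hedged illustration of blocks 902 through 916, the following sketch weights the attribute values, forms the normalized sum of pairwise attribute similarities, and compares the result against a threshold; the attribute names, weights, threshold, and 0-1 value range are assumptions for the example.

    def pairwise_similarity(baseline, target):
        # Assumes attribute values already normalized to the 0-1 range.
        return 1.0 - abs(baseline - target)

    def similarity_score(baseline_attrs, target_attrs, weights=None):
        weights = weights or {}
        shared = set(baseline_attrs) & set(target_attrs)
        if not shared:
            return 0.0
        total = sum(weights.get(name, 1.0)
                    * pairwise_similarity(baseline_attrs[name], target_attrs[name])
                    for name in shared)
        # Normalized sum of the constituent pairwise similarities.
        return total / sum(weights.get(name, 1.0) for name in shared)

    SIMILARITY_THRESHOLD = 0.75  # assumed predetermined threshold
    baseline = {"exposure": 0.9, "patch_age": 0.8}   # attack vector under attack
    target = {"exposure": 0.85, "patch_age": 0.7}    # candidate additional vector
    if similarity_score(baseline, target) > SIMILARITY_THRESHOLD:
        print("additional attack vector is at risk of attack")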
The techniques described herein are capable of identifying an attack vector currently under attack, as well as one or more additional attack vectors determined by a similarity search to be potentially under attack by the same multi-vector attack. Attacks on multiple attack vectors may be carried out by the same threat participant or by different threat participants acting in concert on behalf of an organization. In contrast, conventional security applications may be unable to detect such multi-vector attacks, leaving some attack vectors of an asset vulnerable to attack even as others are successfully protected by remedial measures.
Conclusion
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described. Rather, the specific features and acts are disclosed as example forms of implementing the claims.

Claims (15)

1. One or more non-transitory computer-readable media of a user device storing computer-executable instructions that, when executed, cause one or more processors to perform acts comprising:
receiving security event data comprising attack history of one or more assets of an enterprise and threat participant data of one or more threat participants capable of attacking the one or more assets of the enterprise;
generating a directed graph that maps threat participants to attack vectors for the one or more assets of the enterprise based on the attack history;
determining that an attack vector of an asset is under attack in response to an attack risk probability computed for the attack vector based on the directed graph exceeding a predetermined probability threshold; and
performing, in view of the attack vector determined to be under attack, a similarity search on the directed graph to identify one or more additional attack vectors of the asset or of at least one other asset that are potentially under attack.
2. The one or more non-transitory computer-readable media of claim 1, wherein the actions further comprise generating a threat model that includes the additional attack vectors that are potentially under attack.
3. The one or more non-transitory computer-readable media of claim 2, wherein the threat model is a recombinant threat model that identifies a plurality of threat vectors and responses that at least one of prevent, contain, or eliminate attacks on the plurality of threat vectors.
4. The one or more non-transitory computer-readable media of claim 1, wherein the actions further comprise generating, in real time or periodically, a data report that identifies the attack vector that is under attack and the one or more additional attack vectors that are potentially under attack.
5. The one or more non-transitory computer-readable media of claim 1, wherein the acts further comprise:
receiving new attack data from one or more security applications indicating one or more previously unknown historical attacks or new attacks on additional assets;
generating an updated directed graph to account for the new attack data received from the one or more security applications;
determining that the additional attack vector of the asset is under attack in response to an additional attack risk probability computed for the additional attack vector based on the updated directed graph exceeding the predetermined probability threshold; and
in view of the additional attack vectors determined to be under attack, performing a similarity search on the directed graph to identify one or more other attack vectors for the asset or at least one other asset that is potentially under attack.
6. The one or more non-transitory computer-readable media of claim 1, wherein the performing the similarity search comprises performing a topological similarity search, a semantic-based similarity search, or a statistical similarity search of the directed graph.
7. The one or more non-transitory computer-readable media of claim 1, wherein the performing the similarity search comprises:
determining a baseline attribute value of the attack vector for the asset under attack, the baseline attribute value quantifying or defining an attribute of the attack vector;
determining a target attribute value of an additional attack vector for the asset or another asset of the enterprise, the target attribute value quantifying or defining an additional attribute of the additional attack vector that is the same as the attribute of the attack vector;
generating a similarity score for the baseline attribute value and the target attribute value based on a normalized sum of pairwise attribute similarities between the baseline attribute value and the target attribute value;
in response to the similarity score exceeding a similarity score threshold, determining that the additional attack vector is at risk of attack; and
determining that the additional attack vector is not at risk of attack in response to the similarity score being less than or equal to the similarity score threshold.
8. The one or more non-transitory computer-readable media of claim 1, wherein the directed graph comprises nodes representing assets and edges connecting the nodes and representing relationships between the nodes, the edges comprising bidirectional edges or unidirectional edges.
9. The one or more non-transitory computer-readable media of claim 8, wherein the bidirectional edge represents a reciprocal data exchange between a pair of nodes, and wherein the unidirectional edge represents a unidirectional data flow between another pair of nodes.
10. A computing device, comprising:
one or more processors; and
a memory comprising a plurality of computer-executable components executable by the one or more processors to perform a plurality of acts, the plurality of acts comprising:
receiving security event data comprising attack history of one or more assets of an enterprise and threat participant data of one or more threat participants capable of attacking the one or more assets of the enterprise;
generating a directed graph that maps threat participants to attack vectors for the one or more assets of the enterprise based on the attack history;
receiving new attack data from one or more security applications indicating one or more previously unknown historical attacks or new attacks on at least one asset;
generating an updated directed graph to account for the new attack data received from the one or more security applications;
determining that an attack vector of an asset is under attack in response to an attack risk probability computed for the attack vector based on the updated directed graph exceeding a predetermined probability threshold; and
in view of the attack vector determined to be under attack, performing a similarity search on the updated directed graph to identify one or more additional attack vectors for the asset or at least one other asset potentially under attack.
11. The computing device of claim 10, wherein the plurality of actions further comprise generating a threat model comprising the additional attack vectors that are potentially under attack.
12. The computing device of claim 10, wherein the performing the similarity search comprises:
determining a baseline attribute value of the attack vector for the asset under attack, the baseline attribute value quantifying or defining an attribute of the attack vector;
determining a target attribute value of an additional attack vector for the asset or another asset of the enterprise, the target attribute value quantifying or defining an additional attribute of the additional attack vector that is the same as the attribute of the attack vector;
generating a similarity score for the baseline attribute value and the target attribute value based on a normalized sum of pairwise attribute similarities between the baseline attribute value and the target attribute value;
in response to the similarity score exceeding a similarity score threshold, determining that the additional attack vector is at risk of attack; and
determining that the additional attack vector is not at risk of attack in response to the similarity score being less than or equal to the similarity score threshold.
13. The computing device of claim 10, wherein the directed graph includes nodes representing assets and edges connecting the nodes and representing relationships between the nodes, the edges including bidirectional edges representing reciprocal data exchange between one pair of nodes or unidirectional edges representing unidirectional data flow between another pair of nodes.
14. A computer-implemented method, comprising:
receiving, at one or more computing devices, security event data comprising attack history of one or more assets of an enterprise and threat participant data of one or more threat participants capable of attacking the one or more assets of the enterprise;
generating, at the one or more computing devices, a directed graph that maps threat participants to attack vectors for the one or more assets of the enterprise based on the attack history;
determining, at the one or more computing devices, that an attack vector of an asset is under attack in response to an attack risk probability computed for the attack vector based on the directed graph exceeding a predetermined probability threshold;
determining, at the one or more computing devices, a baseline attribute value of the attack vector for the asset under attack, the baseline attribute value quantifying or defining an attribute of the attack vector;
determining, at the one or more computing devices, a target attribute value of an additional attack vector for the asset or another asset of the enterprise, the target attribute value quantifying or defining an additional attribute of the additional attack vector that is the same as the attribute of the attack vector;
generating, at the one or more computing devices, a similarity score for the baseline attribute value and the target attribute value based on a normalized sum of pairwise attribute similarities between the baseline attribute value and the target attribute value;
determining, at the one or more computing devices, that the additional attack vector is at risk of attack in response to the similarity score exceeding a similarity score threshold; and
determining, at the one or more computing devices, that the additional attack vector is not at risk of attack in response to the similarity score being less than or equal to the similarity score threshold.
15. The method of claim 14, wherein the security event data comprises data from at least one of a Security Information and Event Management (SIEM) application, an Intrusion Detection System (IDS), or a defect scanner operated by the enterprise or a third party external to the enterprise.
CN201880050589.2A 2017-08-03 2018-08-03 Similarity search for discovering multiple vector attacks Pending CN110999249A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US15/668,580 2017-08-03
US15/668,580 US10574675B2 (en) 2014-12-05 2017-08-03 Similarity search for discovering multiple vector attacks
PCT/US2018/045153 WO2019028341A1 (en) 2017-08-03 2018-08-03 Similarity search for discovering multiple vector attacks

Publications (1)

Publication Number Publication Date
CN110999249A true CN110999249A (en) 2020-04-10

Family

ID=65234133

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201880050589.2A Pending CN110999249A (en) 2017-08-03 2018-08-03 Similarity search for discovering multiple vector attacks

Country Status (2)

Country Link
CN (1) CN110999249A (en)
WO (1) WO2019028341A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190318085A1 (en) * 2019-06-27 2019-10-17 Intel Corporation Methods and apparatus to analyze computer system attack mechanisms
CN113872959B (en) * 2021-09-24 2023-05-16 绿盟科技集团股份有限公司 Method, device and equipment for judging risk asset level and dynamically degrading risk asset level
CN113591134B (en) * 2021-09-28 2021-12-14 广东机电职业技术学院 Threat intelligence big data sharing method and system
CN115150052B (en) * 2022-06-08 2023-04-07 北京天融信网络安全技术有限公司 Method, device, equipment and storage medium for tracking and identifying attack group
CN115277124A (en) * 2022-07-12 2022-11-01 清华大学 Online system and server for searching and matching attack mode based on system tracing graph
EP4328773A1 (en) * 2022-08-25 2024-02-28 DGC Switzerland AG Method for analysing the hazards facing a computer system
CN115632888B (en) * 2022-12-22 2023-04-07 国家工业信息安全发展研究中心 Attack path restoration method and system based on graph algorithm
CN117792801B (en) * 2024-02-28 2024-05-14 贵州华谊联盛科技有限公司 Network security threat identification method and system based on multivariate event analysis

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101075917A (en) * 2007-07-16 2007-11-21 华为技术有限公司 Method and apparatus for predicting network attack behaviour
US20150381649A1 (en) * 2014-06-30 2015-12-31 Neo Prime, LLC Probabilistic Model For Cyber Risk Forecasting
US20160248805A1 (en) * 2014-03-05 2016-08-25 Netflix, Inc. Network security system with remediation based on value of attacked assets
US20170063910A1 (en) * 2015-08-31 2017-03-02 Splunk Inc. Enterprise security graph

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8863293B2 (en) * 2012-05-23 2014-10-14 International Business Machines Corporation Predicting attacks based on probabilistic game-theory
AU2013388938A1 (en) * 2012-09-18 2015-04-09 The George Washington University Emergent network defense system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101075917A (en) * 2007-07-16 2007-11-21 华为技术有限公司 Method and apparatus for predicting network attack behaviour
US20160248805A1 (en) * 2014-03-05 2016-08-25 Netflix, Inc. Network security system with remediation based on value of attacked assets
US20150381649A1 (en) * 2014-06-30 2015-12-31 Neo Prime, LLC Probabilistic Model For Cyber Risk Forecasting
US20170063910A1 (en) * 2015-08-31 2017-03-02 Splunk Inc. Enterprise security graph

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
谢鸿波 et al.: "Directed graph model of authentication protocols and its security analysis", 《小型微型计算机系统》 (Journal of Chinese Computer Systems) *

Also Published As

Publication number Publication date
WO2019028341A1 (en) 2019-02-07

Similar Documents

Publication Publication Date Title
US10574675B2 (en) Similarity search for discovering multiple vector attacks
EP3216193B1 (en) Recombinant threat modeling
CN110999249A (en) Similarity search for discovering multiple vector attacks
US11785104B2 (en) Learning from similar cloud deployments
Hassan et al. Nodoze: Combatting threat alert fatigue with automated provenance triage
US20210352099A1 (en) System for automatically discovering, enriching and remediating entities interacting in a computer network
US20220329616A1 (en) Using static analysis for vulnerability detection
US11849000B2 (en) Using real-time monitoring to inform static analysis
US20220311794A1 (en) Monitoring a software development pipeline
US11741238B2 (en) Dynamically generating monitoring tools for software applications
US11894984B2 (en) Configuring cloud deployments based on learnings obtained by monitoring other cloud deployments
US11770398B1 (en) Guided anomaly detection framework
US11765249B2 (en) Facilitating developer efficiency and application quality
US20230075355A1 (en) Monitoring a Cloud Environment
US10282426B1 (en) Asset inventory reconciliation services for use in asset management architectures
US20230275917A1 (en) Identifying An Attack Surface Of A Cloud Deployment
Santos et al. Approaches and challenges in database intrusion detection
Esfahani et al. Inferring software component interaction dependencies for adaptation support
Merah et al. Ontology-based cyber risk monitoring using cyber threat intelligence
US20230319092A1 (en) Offline Workflows In An Edge-Based Data Platform
Forain et al. Towards system security: What a comparison of national vulnerability databases reveals
US20230259657A1 (en) Data inspection system and method
US11818156B1 (en) Data lake-enabled security platform
EP4213042A1 (en) Merging and unmerging entity representations via resolver trees
Najafi et al. SIEMA: bringing advanced analytics to legacy security information and event management

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20200410