CN111316272A - Advanced cyber-security threat mitigation using behavioral and deep analytics - Google Patents

Info

Publication number: CN111316272A
Authority: CN (China)
Prior art keywords: network, data, processor, analysis, module
Legal status: Withdrawn
Application number: CN201880059195.3A
Other languages: Chinese (zh)
Inventors: 杰森·克拉布特里, 安德鲁·赛勒斯
Current assignee: Qomplx Inc
Original assignee: Qomplx Inc
Application filed by: Qomplx Inc
Priority claimed from: US15/655,113 (US10735456B2)
Publication: CN111316272A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A system for mitigating cyber attacks using an advanced cyber decision platform comprises a time series data store, a directed computational graph module, an action outcome simulation module, and an observation and state evaluation module. The state of the network is monitored and used to generate a cyber-physical graph representing network resources, to generate and monitor simulated network events, and to analyze those events and their effects in order to produce security recommendations.

Description

Advanced cyber-security threat mitigation using behavioral and deep analytics
Cross-reference to related application
This application is a PCT application claiming priority to U.S. patent application serial no. 15/655,113, titled ADVANCED CYBERSECURITY THREAT MITIGATION USING BEHAVIORAL AND DEEP ANALYTICS, filed on 20 July 2017, the entire specification of which is incorporated herein by reference in its entirety.
Technical Field
The present disclosure relates to the field of computer management, and more particularly to the field of network security and threat analysis.
Background
Over the past decade, the frequency and complexity of cyber attacks (i.e., illegal access to and modification of information technology assets) against companies and U.S. government departments and activities has escalated dramatically, and the discovery and exploitation of IT infrastructure vulnerabilities continues to accelerate. The pace of network intrusion has now reached the point where protection methods derived only from the public disclosure of prior attacks, and the advisories that follow them, provide no more than a moderate level of protection. Further, the sheer volume of cyber-security information and procedures has far exceeded the ability of those who most need it to follow it fully or use it reliably, overwhelming those charged with cyber-security responsibility and putting thousands of enterprises at risk. Over the past few years, the inability to identify important trends or to become aware of relevant information in a timely manner has resulted in highly visible, customer-facing security failures such as those at TARGET™, ANTHEM™, DOW JONES™ and SAMSUNG ELECTRONICS™, to name just a few that made the news. The conventional cyber-security solutions most likely to be in use at the time of these attacks require too much configuration to be effective, plus ongoing administrator interaction and support, while providing only limited protection from sophisticated adversaries, especially when user credentials are stolen or forged.
Several business software products have recently emerged with the goal of pipelining or automating business data analysis or business decision processing, and these could be developed to help optimize cyber security. PALANTIR™ provides software to isolate patterns in large amounts of data, DATABRICKS™ provides customized analytical services, and ANAPLAN™ provides financial impact calculation services. Other software sources address isolated aspects of identifying relationships in business data, but none of these address the entire range of cyber-security vulnerabilities across an enterprise; the analysis of data and the automation of business decisions remain outside their scope. Currently, none of these solutions deals with more than a single aspect of the overall task or can form predictive analytic data transformations, and they therefore have little utility in the field of cyber security, where the only available path is a complex process requiring complex integration of the above tools.
The use of web-based service companies that provide cyber-security consultation information has also grown greatly. This only adds to the information overload described above; to be used optimally, such information must be carefully analyzed by a business information management system that can credibly claim to provide reliable cyber-security protection.
What is needed is a fully integrated system for retrieving cyber-security-related information from many disparate sources using scalable, explicitly scriptable interfaces, identifying and analyzing high-volume data and transforming it into a useful format. It must then use data consistent with the enterprise's baseline network usage profile, together with a forward-looking view of the enterprise's systems, especially those holding sensitive information, to drive an integrated, highly scalable simulation engine that can combine system dynamics, discrete-event and agent-based paradigms within a simulation run, in order to obtain the most useful and accurate data transformations, and present the resulting information for rapid digestion by human analysts, who can readily comprehend any predictions or recommendations and then respond creatively to mitigate the reported situation. Such a multi-method information security information capture, analysis, transformation, outcome prediction and presentation system forms a 'business operating system'.
Disclosure of Invention
Accordingly, the inventors have developed a system for advanced cyber-security threat mitigation using behavioral and deep analytics.
According to one aspect, a system for detecting and mitigating cyber attacks using an advanced cyber decision platform is disclosed, comprising: a time series data store comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and executed on the processor, wherein upon execution of the software instructions, the processor is configured to monitor a plurality of network events and generate time series data comprising at least a record of the network events and the time at which each event occurred; an action outcome simulation module comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and executed on the processor, wherein upon execution of the software instructions, the processor is configured to generate simulated network events and to generate a recommendation based at least in part on the results of the analysis performed by the directed computational graph module; an observation and state evaluation module comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and executed on the processor, wherein upon execution of the software instructions, the processor is configured to monitor a plurality of connected resources on a network and generate a cyber-physical graph representing at least a portion of the plurality of connected resources; and a directed computational graph module comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and executed on the processor, wherein upon execution of the software instructions, the processor is configured to perform a plurality of analysis and transformation operations on at least a portion of the time series data and a plurality of analysis and transformation operations on at least a portion of the cyber-physical graph.
According to another aspect, a method for mitigating cyber attacks using an advanced cyber decision platform is disclosed, comprising the steps of: a) generating, using an observation and state evaluation module, a cyber-physical graph representing a plurality of connected resources on the network; b) analyzing at least a portion of the cyber-physical graph using a directed computational graph module; c) simulating a plurality of network events using an action outcome simulation module; d) monitoring at least a portion of the plurality of network events using a time series data store; e) generating time series data based at least in part on the network events; f) analyzing at least a portion of the time series data; and g) generating a security recommendation based at least in part on the analysis results.
Drawings
The drawings illustrate several characteristic aspects and together with the description serve to explain the principles of the invention in terms of the characteristic aspects. Those skilled in the art will appreciate that the particular arrangements shown in the drawings are merely examples and should not be viewed as limiting the scope of the invention or the claims therein in any way.
FIG. 1 is a diagram of an exemplary architecture of an advanced network decision platform in accordance with a feature aspect.
FIG. 2 is a flow diagram of exemplary functionality of a business operating system in predicting and mitigating the predisposing factors that lead to a cyber attack and in mitigating an ongoing cyber attack.
FIG. 3 is a process diagram illustrating the functionality of a business operating system for mitigating network attacks.
FIG. 4 is a process flow diagram of a method for segmenting cyber attack information into appropriate corporate communities.
FIG. 5 is an exemplary architecture diagram of a system for rapid predictive analysis of very large amounts of data using actor-driven distributed computation graphs, according to one aspect of the features.
FIG. 6 is an exemplary architecture diagram of a system for rapid predictive analysis of very large amounts of data using actor-driven distributed computation graphs, according to one aspect of a feature.
FIG. 7 is an exemplary architecture diagram of a system for rapid predictive analysis of very large amounts of data using actor-driven distributed computation graphs, according to one aspect of the features.
FIG. 8 is a flow diagram of an exemplary method for network security behavior analysis in accordance with a feature aspect.
FIG. 9 is a flow diagram of an exemplary method for measuring the effectiveness of network security attacks in accordance with a feature aspect.
FIG. 10 is a flow diagram of an exemplary method for continuous network security monitoring and exploration, according to a feature aspect.
FIG. 11 is a flow diagram of an example method for mapping a network-physical system diagram in accordance with a featured aspect.
FIG. 12 is a flow diagram of an exemplary method for continuous network resiliency scoring in accordance with a feature aspect.
FIG. 13 is a flow diagram of an exemplary method for network security privilege supervision in accordance with a feature aspect.
FIG. 14 is a flow diagram of an exemplary method for cyber-security risk management according to one feature aspect.
FIG. 15 is a flow diagram of an exemplary method for mitigating a compromised certificate threat, according to one feature aspect.
FIG. 16 is a block diagram illustrating an exemplary hardware architecture of a computing device.
FIG. 17 is a block diagram illustrating an exemplary logical architecture for a client device.
FIG. 18 is a block diagram illustrating an exemplary architectural arrangement of clients, servers, and external services.
FIG. 19 is another block diagram illustrating an exemplary hardware architecture of a computing device.
Detailed Description
The inventors have conceived and reduced to practice a system for advanced cyber-security threat mitigation using behavioral and deep analytics.
One or more different features aspects may be described in this application. Further, several alternative arrangements may be described for one or more of the feature aspects described herein; it should be understood that these are shown for illustrative purposes only and are not limiting in any way on the features included herein or the claims shown herein. One or more of the arrangements may be broadly applicable to the several features as will be readily apparent from the description. In general, the arrangements are described in sufficient detail to enable those skilled in the art to practice one or more of the characteristic aspects, and it is to be understood that other arrangements may be utilized and that structural, logical, software, electrical, and other changes may be made without departing from the scope of the specific characteristic aspects. Particular features of one or more of the featured aspects described herein may be described with reference to one or more featured aspects or drawings that form a part of this disclosure and which show, by way of illustration, a particular arrangement of one or more of the featured aspects. It should be understood, however, that the feature is not limited to the specific feature aspect or drawings described for reference. This disclosure is not intended to be a literal description of all arrangements of one or more features aspects, nor is it intended to be a listing of features of one or more features aspects that are necessarily present in all arrangements.
The section headings provided in this patent application and the title of the patent application are for convenience only and should not be construed as limiting the disclosure in any way.
Devices that are in communication with each other need not be in continuous communication with each other, unless expressly specified otherwise. Further, devices that are in communication with each other may communicate directly or through one or more logical or physical communication devices or intermediaries.
A description of a feature aspect having several components in communication with each other does not imply that all such components are required. Rather, various optional components may be described to illustrate a wide variety of possible characteristic aspects, and to facilitate a more complete description of one or more characteristic aspects. Similarly, although process steps, method steps, algorithms or the like may be described in a sequence, the processes, methods and algorithms may generally be configured to work in alternate sequences unless specifically stated to the contrary. In other words, any order of steps or sequence that may be described in this patent application does not by itself dictate a requirement that the steps be performed in that order. The steps of the processes may be performed in virtually any order. Further, some steps may be performed concurrently, although described or implied as occurring non-concurrently (e.g., because one step is described after another). Moreover, the depiction of a process by a figure does not imply that the process so depicted does not preclude other variations and modifications, that the process so depicted or any of its steps is essential to one or more features, or that the process so depicted is preferred. Further, steps are typically described once per feature aspect, but this does not imply that they must occur once, or that they may occur only once per run or execution of a process, method, or algorithm. Some steps may be omitted in some aspects or events or some steps may be performed more than once in a given aspect or event.
When a single device or article is described herein, it will be readily apparent that more than one device or article may be used in place of a single device or article. Similarly, where more than one device or article is described herein, it will be readily apparent that a single device or article may be used in place of the more than one device or article.
A function or feature of an apparatus may alternatively be embodied by one or more other apparatuses not expressly described as having the function or feature. Thus, other characterizing aspects need not include the device itself.
Techniques and mechanisms described or referenced herein will sometimes be described in the singular for clarity. However, it should be appreciated that a particular feature aspect may include multiple iterations of a technique or multiple installations of a mechanism, unless specified otherwise. The process descriptions or blocks in the figures should be understood as representing modules, segments of code, or portions of code which include one or more executable instructions for implementing specific logical functions or steps in the process. Alternate embodiments are included within the scope of various feature aspects in which functions may be executed out of order from that shown or described, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art.
Definitions
As used herein, a "swimlane" is a communication channel between a time series sensor data receiving and dispatching device and a data store designed to hold the dispatched time series sensor data. A swimlane is capable of moving a particular, limited amount of data between the two devices. For example, a single swimlane may reliably carry, and have incorporated into the data store, the equivalent of 5 seconds' worth of data from 10 sensors within 5 seconds; this is its capacity. Attempting to use one swimlane to place 5 seconds' worth of data from 6 sensors will result in data loss.
As used herein, a "meta-swimlane" is a logical combination of the transport capacity of two or more real swimlanes, created as needed and transparent to the requesting process. Sensor studies in which the amount of data received per unit time is expected to vary widely over time may be initialized to use meta-swimlanes. Using the example above, where a single real swimlane can transmit and store 5 seconds' worth of data from 10 sensors, suddenly receiving input from 13 sensors during a 5-second interval will cause the system to create a two-lane meta-swimlane that carries the standard 10 sensors' data in one real swimlane and the 3 additional sensors' data in a second, transparently added real swimlane; no change to the data reception logic is required, because the data receiving and dispatching device adds the additional real swimlane transparently.
As used herein, a "graph" is a representation of information and relationships in which each primary unit of information constitutes a "node" or "vertex" of the graph and a relationship between two nodes constitutes an "edge" of the graph. A node may be further defined by the attachment of one or more descriptors, or "properties", to it. For example, given a node "James R" holding a person's name, the defining properties might be "183 cm tall", "DOB 08/13/1965" and "speaks English". Just as properties further describe the information in a node, the relationship between two nodes that makes up an edge can be defined using "labels". Thus, given a second node "Thomas G", an edge between "James R" and "Thomas G" indicating that the two people know each other may be labeled "knows". When graph theory notation (graph = (vertex, edge)) is applied to this case, the set of nodes serves as the first parameter V of the ordered pair and the set of two-element edge endpoint pairs serves as the second parameter E. When the order of the edge endpoints in E is not important, for example when the edge (James R, Thomas G) is equivalent to (Thomas G, James R), the graph is called "undirected". When a relationship flows from one node to another in one direction, for example "James R is taller than Thomas G", the order of the endpoints is important, and a graph with such edges is called "directed". In a distributed computational graph system, the transformations within a transformation pipeline are represented as a directed graph, with each transformation constituting a node and the output messages between transformations constituting the edges. The distributed computational graph accommodates non-linear transformation pipelines, which are programmatically linearized; this linearization can lead to an exponential increase in resource consumption.
The most sensible way to avoid this possibility is to introduce new transformation pipelines only as they are needed, creating just those that are ready to compute. This approach results in a transformation graph that varies greatly in size and in its combinations of nodes and edges as the system processes the data stream. Those skilled in the art will recognize that the transformation graph may assume many shapes and sizes, with a large number of possible edge-relationship topologies. The examples given are chosen for illustrative purposes only and show a few of the simplest possibilities; they should not be used to limit the possible graphs contemplated as part of the operation of the present invention.
As used herein, a "transformation" is a function performed on zero or more streams of input data that results in a single output stream, which may or may not subsequently be used as the input to another transformation. Transformations may involve any combination of machines, people, or human-computer interaction. A transformation need not change the data input to it; one example of such a transformation is a storage transformation that receives input and then serves as a queue for that data for subsequent transformations. As alluded to above, a particular transformation may produce output data in the absence of input data; a timestamp is one example. In the present invention, transformations are placed in a pipeline so that the output of one transformation can be used as the input of another. These pipelines may be made up of two or more transformations, the number of which is limited only by the resources of the system. Historically, transformation pipelines have been linear, with each transformation receiving input from a predecessor and providing output to a successor without branching or iteration. Other pipeline configurations are possible, and the present invention is designed to allow several of them, including but not limited to: linear, incoming branch, outgoing branch, and loop.
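The graph and transformation definitions above can be made concrete with a small model. This is an added example, not code from the patent or from Qomplx: transformations are nodes, each connect() call is an edge carrying one transformation's output message into another, a linear step, an outgoing branch and an incoming branch are all combined in one pipeline, and the non-linear graph is linearized by topological sort. A loop configuration is reported rather than unrolled, since unrolling is what the text warns can blow up resource consumption. The sample events and transformation names are constructed for the example.

```python
from collections import deque
from typing import Callable, Dict, List

# A transformation takes the outputs of zero or more producers and yields one output.
Transform = Callable[[List[object]], object]


class DirectedComputationalGraph:
    """Transformations are nodes; connect(src, dst) is a directed edge that
    carries src's output message into dst."""

    def __init__(self) -> None:
        self.transforms: Dict[str, Transform] = {}
        self.preds: Dict[str, List[str]] = {}  # consumer -> producers, in connect order

    def add_transform(self, name: str, fn: Transform) -> None:
        self.transforms[name] = fn
        self.preds.setdefault(name, [])

    def connect(self, src: str, dst: str) -> None:
        if src not in self.transforms or dst not in self.transforms:
            raise KeyError(f"unknown transformation in edge {src}->{dst}")
        self.preds[dst].append(src)

    def linearize(self) -> List[str]:
        """Kahn's algorithm: one valid execution order for the non-linear graph.
        A loop leaves nodes whose predecessors never resolve; that is reported
        instead of being unrolled into an ever-growing linear pipeline."""
        indegree = {n: len(p) for n, p in self.preds.items()}
        succs: Dict[str, List[str]] = {n: [] for n in self.transforms}
        for dst, producers in self.preds.items():
            for src in producers:
                succs[src].append(dst)
        ready = deque(n for n in self.transforms if indegree[n] == 0)
        order: List[str] = []
        while ready:
            n = ready.popleft()
            order.append(n)
            for s in succs[n]:
                indegree[s] -= 1
                if indegree[s] == 0:
                    ready.append(s)
        if len(order) != len(self.transforms):
            stuck = sorted(n for n in self.transforms if n not in order)
            raise ValueError(f"loop detected among transformations: {stuck}")
        return order

    def run(self) -> Dict[str, object]:
        """Execute in linearized order, feeding each node its producers' outputs."""
        outputs: Dict[str, object] = {}
        for name in self.linearize():
            outputs[name] = self.transforms[name]([outputs[p] for p in self.preds[name]])
        return outputs


# Constructed sample input (not real data): a few authentication events.
SAMPLE_EVENTS = [
    {"host": "WS-01", "user": "alice", "result": "ok"},
    {"host": "ws-01", "user": "bob", "result": "fail"},
    {"host": "DC-02", "user": "bob", "result": "fail"},
    {"host": "dc-02", "user": "carol", "result": "ok"},
]


def build_example_pipeline() -> DirectedComputationalGraph:
    """Linear, outgoing-branch and incoming-branch configurations in one graph."""
    g = DirectedComputationalGraph()
    # Two transformations that produce output with no input (the timestamp case).
    g.add_transform("events", lambda _: list(SAMPLE_EVENTS))
    g.add_transform("timestamp", lambda _: 1_700_000_000)
    # Linear step: normalise host names so the same machine is counted once.
    g.add_transform("normalize", lambda ins: [dict(e, host=e["host"].lower()) for e in ins[0]])
    # Storage transformation: leaves the data unchanged, queues it for a successor.
    g.add_transform("store", lambda ins: ins[0])
    g.add_transform("failed_logins", lambda ins: sum(e["result"] == "fail" for e in ins[0]))
    # Incoming branch: three producers feed one consumer, in connect order.
    g.add_transform("report", lambda ins: {
        "at": ins[0], "failed_logins": ins[1],
        "hosts": sorted({e["host"] for e in ins[2]})})
    g.connect("events", "normalize")
    g.connect("normalize", "store")            # outgoing branch from normalize
    g.connect("normalize", "failed_logins")
    g.connect("timestamp", "report")
    g.connect("failed_logins", "report")
    g.connect("store", "report")
    return g


def build_looping_pipeline() -> DirectedComputationalGraph:
    """A loop configuration, which linearize() refuses to unroll."""
    g = DirectedComputationalGraph()
    g.add_transform("a", lambda ins: ins)
    g.add_transform("b", lambda ins: ins)
    g.connect("a", "b")
    g.connect("b", "a")
    return g


if __name__ == "__main__":
    pipeline = build_example_pipeline()
    print(pipeline.linearize())
    print(pipeline.run()["report"])
```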
A "database" or "data storage subsystem" (these terms may be considered synonymous) as used herein is a system adapted for the long-term storage, indexing, and retrieval of data, typically via some query interface or language. "Database" may be used in reference to a relational database management system known in the art, but should not be considered limited to such a system. Many alternative database or data storage system technologies have been introduced and are in fact being introduced in the art, including but not limited to distributed non-relational data storage systems such as Hadoop, column-oriented databases, in-memory databases, and the like. While various feature aspects may preferably employ one or another of the various data storage subsystems available in the art (or in the future), the invention should not be construed as so limited, as any data storage architecture may be employed in accordance with the feature aspects. Similarly, while in some cases one or more particular data storage requirements are described as being satisfied by discrete components (e.g., an extended private capital market database and a configuration database), these descriptions refer to the functional use of the data storage systems and not to their physical architecture. For example, any group of the databases referred to herein may be held together in a single database management system running on a single machine, or in a single database management system running on a cluster of machines, as is known in the art. Similarly, any single database (such as an extended private capital market database) may be implemented on a single machine, on a collection of machines using clustering techniques, on several machines connected by one or more messaging systems known in the art, or in a master/replica configuration common in the art.
These examples should illustrate that any particular architectural approach to database management is not preferred in accordance with the present invention, and that the selection of data storage techniques is at the discretion of each implementer, without departing from the scope of the present invention as claimed.
A "data context," as used herein, refers to a set of arguments that identify a data location. It may be a Rabbit queue, a csv file in cloud-based storage, or any other reference to a location other than a single event or record. Activities may pass events or data contexts to each other for processing. The nature of the pipeline allows direct information transfer between activities, so the data locations or files do not have to be predetermined at the beginning of the pipeline.
A "pipeline," as used herein and interchangeably referred to as a "data pipeline" or "processing pipeline," refers to a collection of data streaming activities and batch processing activities. Streaming and batch activities may be connected in any combination within the pipeline. Events flow through the streaming activity actors in a reactive manner. Where a streaming activity connects to a batch activity, there is a stream-batch protocol ("streambatch protocol") data object, which is responsible for determining when and whether the batch process runs. Any combination of three triggers may be used: regular timed intervals, every N events, or, optionally, an external trigger. Events are held in a queue or similar structure until processed. Each batch activity may have a "source" data context (which may be a streaming context if the upstream activity is streaming) and a "destination" data context (which is passed to the next activity). A streaming activity may have an optional "destination" streaming data context (optional meaning: caching/persistence of events, as opposed to short-lived), although this need not be part of the initial implementation.
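The stream-to-batch boundary described above, as an added example that is not code from the patent or from Qomplx: a streambatch protocol object queues events arriving from a streaming activity and runs the batch activity on any combination of the three triggers (timed interval, every N events, external trigger), passing the batch a "destination" data context. The interval trigger is evaluated when an event arrives, which is an assumption of this example; the s3 path, the sample events and their arrival times are constructed.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional


@dataclass(frozen=True)
class DataContext:
    """A set of arguments identifying a data location (queue, file, stream)."""
    kind: str          # e.g. "rabbit_queue", "csv", "stream"
    location: str      # queue name, object path, ...


BatchFn = Callable[[List[dict], DataContext], object]


class StreamBatchProtocol:
    """Sits where a streaming activity connects to a batch activity: holds
    events in a queue and decides when (and whether) the batch runs."""

    def __init__(self, batch_fn: BatchFn, destination: DataContext,
                 interval_s: Optional[float] = None, every_n: Optional[int] = None,
                 allow_external: bool = False) -> None:
        self.batch_fn = batch_fn
        self.destination = destination
        self.interval_s = interval_s
        self.every_n = every_n
        self.allow_external = allow_external
        self.queue: Deque[dict] = deque()
        self.last_run_at = 0.0
        self.runs: List[dict] = []   # audit trail: why, and with how many events, each batch ran

    def on_event(self, event: dict, now: float) -> Optional[object]:
        """Called by the upstream streaming actor for each event. The interval
        trigger is checked here on arrival (example assumption; a deployment
        would also need a timer so idle periods still flush the queue)."""
        self.queue.append(event)
        if self.every_n is not None and len(self.queue) >= self.every_n:
            return self._run_batch(now, "every_n")
        if self.interval_s is not None and now - self.last_run_at >= self.interval_s:
            return self._run_batch(now, "interval")
        return None

    def external_trigger(self, now: float) -> Optional[object]:
        """Third trigger kind: ignored unless the protocol was configured for it."""
        if not self.allow_external:
            return None
        return self._run_batch(now, "external")

    def _run_batch(self, now: float, reason: str) -> Optional[object]:
        if not self.queue:        # nothing queued: no batch, no destination write
            return None
        batch = list(self.queue)
        self.queue.clear()
        output = self.batch_fn(batch, self.destination)
        self.last_run_at = now
        self.runs.append({"reason": reason, "size": len(batch), "output": output})
        return output


def failed_logins_by_user(events: List[dict], dest: DataContext) -> dict:
    """Batch activity: aggregate failures and 'write' to the destination context."""
    counts: Dict[str, int] = {}
    for e in events:
        if e["result"] == "fail":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return {"written_to": f"{dest.kind}:{dest.location}", "failed_by_user": counts}


# Constructed sample stream (not real data): (arrival time in seconds, event).
SAMPLE_STREAM = [
    (0.0, {"user": "alice", "result": "ok"}),
    (1.0, {"user": "bob", "result": "fail"}),
    (2.0, {"user": "bob", "result": "fail"}),    # 3rd queued event -> every_n fires
    (3.0, {"user": "carol", "result": "ok"}),
    (15.0, {"user": "dave", "result": "fail"}),  # 13 s since last run -> interval fires
    (17.0, {"user": "erin", "result": "ok"}),
]


def simulate(allow_external: bool = True) -> StreamBatchProtocol:
    """Drive the sample stream through a protocol configured with all three triggers."""
    proto = StreamBatchProtocol(
        failed_logins_by_user,
        DataContext("csv", "s3://example-bucket/auth-batches.csv"),  # assumed location
        interval_s=10.0, every_n=3, allow_external=allow_external)
    for t, event in SAMPLE_STREAM[:5]:
        proto.on_event(event, t)
    proto.external_trigger(16.0)   # queue is empty here, so no batch runs
    proto.on_event(SAMPLE_STREAM[5][1], SAMPLE_STREAM[5][0])
    proto.external_trigger(18.0)   # one queued event -> external run, if allowed
    return proto


if __name__ == "__main__":
    for run in simulate().runs:
        print(run)
```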
Conceptual architecture
Fig. 1 is an exemplary architecture diagram of an advanced network decision platform (ACDP)100 in accordance with a feature aspect. Client access of the system 105 for special data input, system control and interaction with system outputs such as automatic prediction decision making and planning and alternative path simulation occurs through a distributed, scalable high bandwidth cloud interface 110 of the system, which uses a multipurpose, robust web application driven interface for client-oriented information input and display via the network 107, and operates a data store 112 according to various settings such as, but not limited to, MONGODBTM,COUCHDBTM,CASSANDRATMOr REDISTM. Most business data from client business-wide sources analyzed by the system, as well as from cloud-based sources, is also input into the system through the cloud interface 110, the data passes to the connector module 135, which may possess API routines 135a needed to accept and convert the extrinsic data and then pass the normalized information to other analysis and transformation components of the system, the directed computation graph module 155, the high-capacity web crawler module 115, the multidimensional timing database 120, and the graphics stack service 145. Directed computation graph module 155 retrieves one or more data streams from multiple sources, including but not limited to multiple physical sensors, web services provisioningWeb-based questionnaires and surveys, monitoring of electronic infrastructure, crowd-sourcing activities, and human input device information. Within the directed computation graph module 155, the data may be divided into two equivalent streams in a dedicated pre-programmed data pipeline 155a, where one sub-stream may be sent for batch processing and storage, while the other sub-stream may be reformatted for transform pipeline analysis. 
The data is then transmitted to either a generic transformer service module 160 for linear data transformation as part of the analysis or a detachable transformer service module 150 for batch or iterative transformation as part of the analysis. The directed computation graph module 155 represents all data as a directed graph, where the transitions are nodes and the results are being signaled between the transition edges of the graph. The high-capacity webcrawler module 115 uses multiple servers to host pre-programmed web spiders, when configured autonomously, at SCRAPYTMAn exemplary web mining framework 115a is employed within to identify and retrieve data of interest from web-based sources that are not tagged by conventional web crawler technology. The multi-dimensional time series data storage module 120 may receive streaming data from a large number of multiple sensors, which may be of several different types. The multidimensional time series data storage module may also store any time series data encountered by the system such as, but not limited to, enterprise network usage data, component and system logs, execution data, web service information capture such as, but not limited to, news and financial feeds, and sales and service related customer data. The module is designed to accommodate irregular and high-capacity surges to process incoming data by dynamically allocating network bandwidth and server processing channels. Including for C + +, PERL, PYTHON, and ERLANGTMThe programming wrapper of the language example of (1) allows adding complex programming logic to the default functionality of the multidimensional timing database 120 without exhaustively recognizing core programming, greatly extending the breadth of functionality. 
The data retrieved by the multidimensional time series database 120 and the high-volume web crawler module 115 may be further analyzed and transformed into task-optimized results by the directed computational graph 155 and its associated general transformer service 160 and decomposable transformer service 150 modules. Alternatively, data from the multidimensional time series database and the high-volume web crawler module may be sent, often with scripted cues identifying significant vertices 145a, to the graph stack service module 145, which employs standardized protocols for converting the information stream into a graph representation of the data, such as the open graph internet technology, although the invention is not dependent on any one standard. Through these steps, the graph stack service module 145 represents the data in graph form, modified by any predetermined scripted modifications 145a, and stores it in a graph-based data store 145b such as GIRAPH™, or in a key-value pair type data store such as REDIS™ or RIAK™, among others, all of which are suitable for storing graph-based information.
The results of the transformation analysis process may then be combined, in the automated planning service module 130, with further client directives, additional business rules and practices relevant to the analysis, and situational information beyond the data already available. The automated planning service module 130 also runs powerful information-theory-based predictive statistics functions and machine learning algorithms 130a, allowing future trends and outcomes to be rapidly forecast based on the current system-derived results and on each of a plurality of possible business decisions. Using all of the applicable data, the automated planning service module 130 may propose the business decisions whose outcomes are most likely to be the most favorable business results, with a usably high level of certainty. The action outcome simulation module 125, with its discrete event simulator programming module 125a, coupled with the end-user-facing observation and state estimation service 140, allows business decision makers to investigate the probable outcomes of choosing one pending course of action over another based on analysis of the currently applicable data; the results of the system, closely related to those of the automated planning service module and possibly augmented by externally supplied additional information, support the end-user's business decision making. The observation and state estimation service 140 is highly scriptable 140b as the situation requires, and includes a game engine 140a to stage the possible outcomes of business decisions more realistically.
For example, the information assurance department is notified by the system 100 that principal X is using a credential K (a Kerberos principal key) that X has never used before to access service Y. Service Y then uses those same credentials to access secured data on data store Z. This correctly generates an alert as the suspicious chain of events traverses the network, together with a recommendation to isolate X and Y and to suspend K. The alert rests on continuous baseline network traffic monitoring by the multidimensional time series data store 120, programmed to process this data 120a; the network baseline is rigorously analyzed by the directed computational graph 155 using its underlying general transformer service module 160 and decomposable transformer service module 150, in conjunction with the AI and primary machine learning capabilities 130a of the automated planning service module 130, which has also received and assimilated applicable open-source information from multiple sources through the multi-source connected APIs of the connector module 135. Ad hoc simulations of these traffic patterns are run against the baseline by the action outcome simulation module 125 and its discrete event simulator 125a, which is used to determine the probability space of legitimate possibilities. Based on its data and analysis, the system 100 is able to detect and recommend mitigation of cyber-attacks that present existing threats to all business operations, and, at the moment of the attack, the most actionable information for the mitigation program is presented to human analysts at multiple levels of mitigation and remediation effort through the observation and state estimation service 140, which has also been specially pre-programmed to handle cyber-security events 140b.
According to one aspect, the advanced cyber decision platform, specifically programmed to operate as a business operating system, continuously monitors the client enterprise's normal network activity for behaviors such as, but not limited to, the users normally present on the network, the resources accessed by each user, the access permissions of each user, machine-to-machine traffic on the network, sanctioned external access to the core network, and administrator access to the network's identity and access management servers, in conjunction with real-time analysis of cyber-attack methodologies, to inform its cognition. The system then uses this information for two purposes. First, the system's advanced computational analysis and simulation capabilities are used to provide direct revelation of the possible digital access points around the network and within the enterprise's information transformation and trust structure, and to give recommendations for network changes that should be made before or during an attack to harden it. Second, the advanced cyber decision platform continuously monitors the network's traffic types in real time and checks, through techniques such as deep packet inspection, for predetermined analytically significant deviations in user communications that would indicate known cyber-attack vectors such as, but not limited to, ACTIVE DIRECTORY™/Kerberos pass-the-ticket attacks, ACTIVE DIRECTORY™/Kerberos pass-the-hash attacks and the related ACTIVE DIRECTORY™/Kerberos overpass-the-hash attacks, ACTIVE DIRECTORY™ Skeleton Key attacks, ACTIVE DIRECTORY™/Kerberos ticket attacks, privilege escalation attacks, compromised user credentials, and ransomware disk attacks.
When suspicious activity is determined to be at a level characteristic of an attack (including, but not limited to, a pass-the-ticket attack, a pass-the-hash attack, or an attack via compromised user credentials), the system sends alert information focused on that activity to all pre-designated parties, specifically tailored to their roles in attack mitigation or remediation and formatted to provide predictive attack modeling based on historical, current and contextual attack progression analysis, so that human decision makers at their respective levels of responsibility can quickly decide on the most effective course of action, armed with the most actionable information and as little extraneous data as possible. The system then presents defensive measures in the most actionable form, to end the attack with the least possible damage and compromise. All attack data is permanently stored for later forensic analysis.
Fig. 2 is a flow diagram of exemplary functions of the business operating system in the detection and mitigation of predisposing conditions for, and the stepped mitigation of, an ongoing cyber-attack 200. The system continuously retrieves network traffic data 201, which may be stored and preprocessed by the multidimensional time series data store 120 and its programming wrappers 120a. All captured data is then analyzed to predict the normal usage patterns of network nodes such as internal users, network-connected systems and devices, and sanctioned users outside the enterprise boundary such as off-site employees, contractors and vendors, to name just a few possible actors. Naturally, the list is not exclusive; other network participants are known to those skilled in the art, and other possibilities do not fall outside the design of the invention. The analysis of network traffic may include graph analysis of parameters such as network usage by each network entity, using specially developed programming in the graph stack service 145, 145a; the analysis of usage by each network entity may be carried out by specially pre-developed algorithms associated with the directed computational graph module 155, the general transformer service module 160 and the decomposable transformer service module 150, depending on the complexity of the individual usage profiles 201.
These usage pattern analyses may then be further analyzed within the automated planning service module 130, in conjunction with additional data about the enterprise's network topology, gateway firewall programming, internal firewall configuration, directory service protocols and configuration, and permission profiles for users and for access to sensitive information, to name a few non-exclusive examples. Machine learning techniques including, but not limited to, information theory statistics 130a may be employed, and the action outcome simulation module 125, dedicated to predictive simulation based on current data 125a, may be applied to develop a current, up-to-date and continuously evolving baseline network usage profile 202. This same data may be combined with reports of the latest known cyber-attack methods, retrieved from several disparate and external sources, possibly through the multi-application-programming-interface-aware connector module 135, to expose preventive recommendations for physical and configuration-based network infrastructure changes to enterprise decision makers, so as to cost-effectively reduce the probability of a cyber-attack and to significantly and most cost-effectively mitigate data leakage and loss in the event of an attack 203, 204.
While some of these capabilities may have been partially available in the past as piecemeal solutions, we believe that the ability to intelligently integrate large volumes of data from multiple sources, and then to predictively simulate and analyze outcomes based on this current data so that proactive, business-practical and efficient recommendations can be produced, is innovative and needed in the art.
Once an integrated baseline profile of network usage has been formulated using all applicable network traffic data, the specifically tasked business operating system continuously polls the incoming traffic data for activity anomalous to the baseline, as determined by pre-designed boundaries 205. Examples of anomalous activity may include a user attempting to access a number of workstations or servers in rapid succession, a user attempting to use random user IDs or another user's username and password to gain access to a domain server holding sensitive information, any user attempting to brute-force a privileged user's password, the replay of a recently issued ACTIVE DIRECTORY™/Kerberos ticket granting ticket, or the presence of any known exploit on the network or the introduction of known malware into the network, to name only a very few examples of cyber-attack profiles known to those skilled in the art. The invention, being predictive as well as aware of known exploits, is designed to analyze any anomalous network behavior, formulate the likely outcome of the behavior, and then send any needed alerts, whether or not the attack follows a published exploit specification or exhibits novel characteristic deviations from normal network practice. Once a possible cyber-attack is detected, the system is then designed to get the required information to the responsible parties 206, tailored to each party's role in mitigating the attack and the damage caused by it 207, if possible. This may include an exact subset of the information included in the alerts and updates, and the format presented may be through the enterprise's existing security information and event management system.
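The baseline-and-deviation logic described above (the never-before-seen credential/service pairing of the principal X example, rapid succession access to many hosts, brute-forcing of a privileged account, and replay of a recently issued ticket) can be shown on a handful of authentication events. The following is an added example, not code from the patent or from the assignee; the log line format, the principal and host names, the thresholds and the four rules are constructed here for illustration.

```python
"""Baseline-and-deviation detection over Kerberos-style authentication events.

Added example, not code from the patent or from QOMPLX. The log format, names,
thresholds and rules are constructed to illustrate polling a usage baseline (202)
for anomalies (205): a never-before-seen service for a principal, rapid fan-out
across hosts, brute-force of a privileged account, and replay of a ticket.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry):
# timestamp principal service ticket_id src_host result
BASELINE_LOG = """\
2024-05-01T09:00:00 alice fileshare T-a1 ws-alice OK
2024-05-01T09:05:00 alice mail T-a2 ws-alice OK
2024-05-01T09:10:00 bob git T-b1 ws-bob OK
2024-05-01T09:30:00 carol srv-1 T-c1 ws-carol OK
2024-05-01T11:00:00 carol srv-2 T-c2 ws-carol OK
2024-05-01T14:00:00 carol srv-3 T-c3 ws-carol OK
2024-05-01T22:00:00 svc-backup db-z T-s1 srv-backup OK
"""

LIVE_LOG = """\
2024-05-02T10:00:00 alice fileshare T-a4 ws-alice OK
2024-05-02T10:01:00 alice db-z T-a5 ws-alice OK
2024-05-02T10:02:00 bob git T-b3 ws-bob OK
2024-05-02T10:02:05 bob git T-b3 ws-kiosk OK
2024-05-02T10:03:00 carol srv-1 T-c4 ws-carol OK
2024-05-02T10:03:10 carol srv-2 T-c5 ws-carol OK
2024-05-02T10:03:20 carol srv-3 T-c6 ws-carol OK
2024-05-02T10:04:00 admin fileshare - ws-guest FAIL
2024-05-02T10:04:01 admin fileshare - ws-guest FAIL
2024-05-02T10:04:02 admin fileshare - ws-guest FAIL
2024-05-02T10:04:03 admin fileshare - ws-guest FAIL
"""

PRIVILEGED = {"admin"}            # assumption: accounts whose brute-forcing is high severity
FAN_OUT_WINDOW = timedelta(seconds=60)
FAN_OUT_SERVICES = 3
BRUTE_WINDOW = timedelta(seconds=60)
BRUTE_FAILURES = 4


def parse_log(text):
    """Parse the constructed line format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        ts, principal, service, ticket, host, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "principal": principal,
                       "service": service, "ticket": ticket, "host": host,
                       "ok": result == "OK"})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Baseline 202: the set of services each principal has successfully used."""
    seen = defaultdict(set)
    for e in events:
        if e["ok"]:
            seen[e["principal"]].add(e["service"])
    return seen


def detect(baseline, events):
    """Poll events against the baseline (205) and return a list of alerts."""
    alerts = []
    recent = defaultdict(deque)       # principal -> deque of (ts, service) successes
    failures = defaultdict(deque)     # (principal, host) -> deque of failure timestamps
    ticket_hosts = {}                 # ticket id -> host that first presented it
    for e in events:
        p, ts = e["principal"], e["ts"]
        if e["ok"]:
            # Rule 1: principal X using service Y it has never used before.
            if e["service"] not in baseline.get(p, set()):
                alerts.append({"rule": "new_service", "principal": p,
                               "detail": e["service"], "severity": "medium"})
            # Rule 2: same ticket presented from a second host (replay / pass-the-ticket).
            first = ticket_hosts.setdefault(e["ticket"], e["host"])
            if first != e["host"]:
                alerts.append({"rule": "ticket_replay", "principal": p,
                               "detail": f"{e['ticket']} {first}->{e['host']}",
                               "severity": "high"})
            # Rule 3: fan-out to many distinct services in rapid succession.
            q = recent[p]
            q.append((ts, e["service"]))
            while q and ts - q[0][0] > FAN_OUT_WINDOW:
                q.popleft()
            distinct = {s for _, s in q}
            if len(distinct) >= FAN_OUT_SERVICES:
                alerts.append({"rule": "fan_out", "principal": p,
                               "detail": ",".join(sorted(distinct)), "severity": "medium"})
                q.clear()             # one burst yields one alert
        else:
            # Rule 4: repeated failures against one account from one host.
            q = failures[(p, e["host"])]
            q.append(ts)
            while q and ts - q[0] > BRUTE_WINDOW:
                q.popleft()
            if len(q) >= BRUTE_FAILURES:
                alerts.append({"rule": "brute_force", "principal": p, "detail": e["host"],
                               "severity": "high" if p in PRIVILEGED else "medium"})
                q.clear()
    return alerts


def run():
    return detect(build_baseline(parse_log(BASELINE_LOG)), parse_log(LIVE_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Note that carol's three targets are all in her baseline; only the timing makes the burst anomalous, which is why membership in the baseline alone is not a sufficient test. Replaying the baseline against itself yields no alerts, which is the sanity check to run before tuning the window and count thresholds against real traffic.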
Subsequently, a network administrator may receive information such as, but not limited to, where the attack on the network is believed to have originated, what systems are believed to be currently affected, predictive information about where the attack may progress, what business information is at risk, and actionable recommendations for countering the intrusion and mitigating the damage, while the alerts the chief information security officer may receive include, but are not limited to, a timeline of the cyber-attack, the services and information believed to be compromised, what actions, if any, have been taken to mitigate the attack, predictions of how the attack may unfold, and recommendations for containing and countering the attack 207, although all parties may at any time have access to any network and cyber-attack information they are authorized to access, unless compromise is suspected. Other specifically tailored updates may be issued by the system 206, 207.
FIG. 3 is a flow diagram illustrating the general flow 300 of business operating system functions for the mitigation of cyber-attacks. Incoming network data may be passed 315 to the business operating system 310 for analysis as part of its cyber-security functions. The incoming network data may include network flow patterns 321, the source and destination 322 of each segment of measurable network traffic, system logs 323 from servers and workstations on the network, endpoint data 323a, any security event log data 324 from servers or from an applicable security information and event management (SIEM) system, external threat intelligence feeds 324a, identity or assessment contexts 325, external network health or cyber-security feeds 326, Kerberos domain controller or ACTIVE DIRECTORY™ server logs or instrumentation 327, and business unit performance related data 328, among many other possible data types the invention is designed to analyze and integrate. These multiple types of data from multiple sources may be transformed for analysis 311, 312 using at least one of the specialized cyber-security, risk assessment or common functions of the business operating system in its role as a cyber-security system, such as, but not limited to, network and system user privilege oversight 331, network and system user behavior analytics 332, attacker and defender action timeline 333, SIEM integration and analysis 334, dynamic benchmarking 335, and incident identification and resolution performance analytics 336, among other possible cyber-security functions; value at risk (VAR) modeling and simulation 341, anticipatory and reactive cost estimation of different types of data breaches to establish priorities 342, work factor analysis 343, and cyber event discovery rates 344 as part of the system's risk analytics capabilities; and the ability to format and deliver customized reports and dashboards 351, perform generalized and, in particular, on-demand data analytics 352, continuously monitor, process and explore incoming data for minor changes or diffuse information threats 353, and generate cyber-physical system graphs 354 as part of the common capabilities of the business operating system. The output 317 can be used to configure network gateway security appliances 361, help prevent network intrusion through predictive changes to infrastructure recommendations 362, alert an enterprise early of an ongoing cyber-attack during the attack period, possibly thwarting it but at least mitigating the damage 362, record compliance with standardized guidelines or SLA requirements, continuously probe the existing network infrastructure and issue alerts 364 for any changes that may make a breach more likely, detect and propose solutions 365 for any domain controller ticketing vulnerabilities, detect the presence of malware 366, and perform vulnerability scans 367 either once or continuously depending on client directives. Naturally, these examples are only a subset of the possible uses of the system; they are exemplary in nature and do not reflect any boundaries of the invention's capabilities.
Fig. 4 is a flow diagram of a method 400 for segmenting cyber-attack information for the appropriate corporate communities. As previously disclosed, one of the strengths of the advanced cyber decision platform 200, 351 is its ability to precisely tailor reports and dashboards to specific audiences as appropriate. This customization is possible because a portion of the business operating system is dedicated to programming specifically for output presentation, its modules including the observation and state estimation service 140 with its game engine 140a and script interpreter 140b. In the setting of cyber-security, the issuance of specialized alerts, updates and reports can greatly assist in accomplishing the correct mitigation actions in the most timely fashion while keeping all participants informed at the granularity preset for them. Once a cyber-attack is detected by the system 401, all applicable information relating to the attack in progress and existing cyber-security knowledge is analyzed, including through near-real-time predictive modeling 402, to develop the most accurate identification of the current event and actionable recommendations as to where and how the attack may progress. The overall information generated is typically more than any one group requires to perform its mitigation task. In this regard, providing a single, expanded and generalized alert, dashboard image or report during a cyber-attack may make it more difficult for each participant to identify and act on the decisive information, so a cyber-security-focused setting may create multiple targeted information streams, each designed to produce the fastest and most efficient actions throughout the enterprise during the attack, and to issue follow-up reports and recommendations with information that may lead to longer term changes in the future.
Examples of groups that may receive a dedicated information stream include, but are not limited to, front-line responders 404 during an attack, incident forensic support 405 during and after an attack, the chief information security officer 406, and the chief risk officer 407, with the information sent to the latter two focused on assessing total damage and implementing mitigation strategies and defensive changes after an attack. Front-line responders can use the analyzed, transformed and correlated information 404a sent specifically to them by the cyber decision platform to probe the extent of the attack, isolating such things as the attacker's point of entry into the enterprise network, the systems involved, and the predicted ultimate target of the attack; the simulation capabilities of the system can be used to investigate alternative courses of action to successfully end the attack and defeat the attacker in the most efficient manner, although many other queries known to those skilled in the art can be answered by the invention. The simulation runs may also include the predicted effects of any attack mitigation actions on the normal and critical operations of the enterprise's IT systems and corporate users. Similarly, the chief information security officer may use the cyber decision platform to predictively analyze 406a what corporate information has been compromised, to predictively simulate the ultimate information targets of the attack, whether or not they have been compromised yet, and the overall impact the attack may have now and in the near future, so as to protect that information. Further, during a retrospective forensic examination of the attack, the forensic responder may use the cyber decision platform 405a to clearly and completely map the extent of the network infrastructure compromise through predictive modeling and high-volume data analysis.
Forensic analysts may also use the platform's capabilities to perform time series and infrastructure spatial analysis of the attack's progress as it infiltrated the enterprise's subnets and servers. Further, the chief risk officer will perform analysis of what information 407a was stolen and predict what the theft means for the business as simulations are run forward in time. Additionally, the predictive capabilities of the system may be leveraged to help create plans for changes to the IT infrastructure which may optimize cyber-security risk remediation under the corporation's site-specific enterprise budget constraints, in order to maximize financial outcomes.
Fig. 5 is an exemplary architecture diagram of a system for rapid predictive analysis of very large data sets using an actor-driven distributed computational graph 500, according to one aspect. According to the aspect, the DCG 500 may comprise a pipeline orchestrator 501 that may be used to perform a variety of data transformation functions on data within a processing pipeline, and may be used with a messaging system 510 that enables communication with any of a variety of services and protocols, relaying messages and translating them into protocol-specific API system calls for interoperability with external systems where needed (rather than requiring a particular protocol or service to be integrated into the DCG 500).
The pipeline orchestrator 501 may spawn a plurality of child pipeline clusters 502a-b, which may be used as dedicated workers for streamlining parallel processing. In some arrangements, an entire data processing pipeline may be passed to a child cluster 502a for processing, rather than a single processing task, so that each child cluster 502a-b processes an entire data pipeline in a dedicated fashion, maintaining isolated processing of different pipelines on different cluster nodes 502a-b. The pipeline orchestrator 501 may provide a software API for starting, stopping, submitting or saving pipelines. When starting a pipeline, the pipeline orchestrator 501 may send the pipeline information to the applicable worker nodes 502a-b, for example using AKKA™ clustering. For each pipeline initialized by the pipeline orchestrator 501, a reporting object with status information may be maintained. Streaming activities may report the time at which the last event was processed as well as the number of events processed. Batch activities may report status messages as they occur. The pipeline orchestrator 501 may perform batch caching using, for example, an IGFS™ caching filesystem. This allows activities 512a-d within pipelines 502a-b to pass data contexts to one another, with any necessary parameter configurations.
Pipeline managers 511a-b may be spawned for each newly running pipeline, and may be used to send activity, status, lifetime and event count information to the pipeline orchestrator 501. Within a particular pipeline, a plurality of activity actors 512a-d may be created by a pipeline manager 511a-b to handle individual tasks and provide output to data services 522a-d. The data model used in a given pipeline may be determined by the particular pipeline and its activities, as directed by the pipeline manager 511a-b. Each pipeline manager 511a-b controls and directs the operation of any activity actors 512a-d it has spawned. Pipelines may require coordination of the streaming of data between tasks; to this end, a pipeline manager 511a-b may spawn service connectors to dynamically create TCP connections between activity instances 512a-d. A data context may be maintained for each individual activity 512a-d, and may be cached to provide it to other activities 512a-d as needed. The data context defines how the activity accesses information, and the activities 512a-d may process the data or simply forward it to a next step. Forwarding data between pipeline steps may route the data through a streaming context or a batch context.
A client service cluster 530 may operate a plurality of service actors 521a-d to serve the requests of the activity actors 512a-d, ideally maintaining enough service actors 521a-d to support each activity of each service type. These may also be provided within service clusters 520a-d, in a manner similar to the logical organization of activity actors 512a-d within clusters 502a-b in a data pipeline. A logging service 530 may be used to log and sample DCG requests and messages during operation, while a notification service 540 may be used to receive alerts and other notifications during operation (for example, alerting on errors, which may then be diagnosed by reviewing records from the logging service 530), and because they connect to the messaging system 510 externally, the logging and notification services may be added, removed or modified during operation without affecting the DCG 500. A plurality of DCG protocols 550a-b may be used to provide structured messaging between the DCG 500 and the messaging system 510, or to enable the messaging system 510 to distribute DCG messages across the service clusters 520a-d as shown. A service protocol 560 may be used to define service interactions so that the DCG 500 may be modified without affecting service implementations. In this manner, it can be appreciated that the overall architecture of a system using an actor-driven DCG 500 operates in a modular fashion, enabling modification and substitution of individual components without affecting other operations or requiring additional reconfiguration.
FIG. 6 is an exemplary architecture diagram of a system for rapid predictive analysis of very large data sets using an actor-driven distributed computational graph 500, according to one aspect. According to the aspect, a variant messaging arrangement may utilize the messaging system 510 as a message broker that sends and receives messages immediately, bridging communications between service actors 521a-b as needed using a streaming protocol 610. Alternatively, individual services 522a-b may communicate directly in a batch context 620, using the data context service 630 as a broker to batch and relay messages between the services 522a-b.
FIG. 7 is an exemplary architecture diagram of a system for rapid predictive analysis of very large data sets using an actor-driven distributed computational graph 500, according to one aspect. According to the aspect, a variant messaging arrangement may utilize a service connector 710 as a central message broker between the multiple service actors 521a-b to bridge messages in the streaming context 610, while the data context service 630 continues to provide direct point-to-point messaging between the individual services 522a-b in the batch context 620.
It should be appreciated that various combinations and arrangements of the above system variants (see FIGS. 1-7) are possible, such as using one particular messaging arrangement for one data pipeline directed by a pipeline manager 511a-b, while another pipeline may utilize a different messaging arrangement (or may not utilize messaging at all). In this manner, a single DCG 500 and pipeline orchestrator 501 may operate individual pipelines in the manner best suited to their particular needs, with dynamic arrangement made possible by the modular design described above with reference to FIG. 5.
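The roles described for FIGS. 5 to 7 (an orchestrator that starts and reports on pipelines, one pipeline manager per pipeline that spawns activity actors, activities chained through a streaming context, and a shared batch data context through which one activity hands aggregates to a later one, as in the split pipeline 155a of Fig. 1) can be modelled in a few dozen lines. The following is an added example, not code from the patent or from the assignee: the class names, the use of threads and queues in place of a clustered actor system, the flow records and the 1 MB threshold are assumptions made for illustration.

```python
"""A miniature actor-driven computational graph.

Added example, not code from the patent or from QOMPLX. Threads and queues
stand in for an actor cluster; the flow records, asset tags and threshold are
constructed. It models an orchestrator (501), one manager per pipeline (511),
activity actors (512) chained by a streaming context, and a batch data context
shared between activities.
"""
import queue
import threading
from dataclasses import dataclass

END = object()  # sentinel that closes a stream


@dataclass
class Report:
    """Status object kept per activity: events processed and last event seen."""
    events_processed: int = 0
    last_event: object = None


class Activity(threading.Thread):
    """An activity actor: pulls from its inbox, transforms, forwards downstream."""

    def __init__(self, fn, inbox, outbox, data_context, report):
        super().__init__(daemon=True)
        self.fn, self.inbox, self.outbox = fn, inbox, outbox
        self.data_context, self.report = data_context, report

    def run(self):
        while True:
            item = self.inbox.get()
            if item is END:
                self.outbox.put(END)          # propagate end-of-stream
                return
            out = self.fn(item, self.data_context)
            self.report.events_processed += 1
            self.report.last_event = item
            if out is not None:               # None means consumed, not forwarded
                self.outbox.put(out)


class PipelineManager:
    """One manager per running pipeline: spawns and wires the activities."""

    def __init__(self, steps, data_context):
        self.data_context = data_context      # batch context shared by activities
        self.reports, self.activities = {}, []
        self.source = inbox = queue.Queue()   # streaming context between steps
        for name, fn in steps:
            outbox = queue.Queue()
            self.reports[name] = Report()
            self.activities.append(Activity(fn, inbox, outbox, data_context, self.reports[name]))
            inbox = outbox
        self.sink = inbox

    def start(self):
        for a in self.activities:
            a.start()

    def submit(self, events):
        for e in events:
            self.source.put(e)
        self.source.put(END)

    def results(self):
        out = []
        while (item := self.sink.get()) is not END:
            out.append(item)
        for a in self.activities:
            a.join()
        return out


class PipelineOrchestrator:
    """Starts, feeds and reports on pipelines."""

    def __init__(self):
        self.pipelines = {}

    def start(self, name, steps, data_context=None):
        pm = PipelineManager(steps, {} if data_context is None else data_context)
        pm.start()
        self.pipelines[name] = pm
        return pm

    def submit(self, name, events):
        self.pipelines[name].submit(events)

    def collect(self, name):
        return self.pipelines[name].results()

    def status(self, name):
        return {k: r.events_processed for k, r in self.pipelines[name].reports.items()}


# Constructed flow records and asset tags (not real data).
FLOWS = [
    {"src": "WS-ALICE", "dst": "Fileshare.corp", "bytes": 2_000_000},
    {"src": "ws-bob", "dst": "203.0.113.9", "bytes": 5_000_000},
    {"src": "ws-bob", "dst": "mail.corp", "bytes": 10_000},
]
ASSET_TAGS = {"fileshare.corp": "internal", "mail.corp": "internal"}


def normalize(rec, ctx):
    return {**rec, "src": rec["src"].lower(), "dst": rec["dst"].lower()}


def enrich(rec, ctx):
    # Accumulate per-source totals in the batch context for later batch activities.
    totals = ctx.setdefault("bytes_by_src", {})
    totals[rec["src"]] = totals.get(rec["src"], 0) + rec["bytes"]
    return {**rec, "tag": ctx["asset_tags"].get(rec["dst"], "unknown")}


def flag(rec, ctx):
    # Forward only large transfers to untagged destinations (1 MB threshold assumed).
    return rec if rec["tag"] == "unknown" and rec["bytes"] > 1_000_000 else None


def run_demo():
    orch = PipelineOrchestrator()
    pm = orch.start("egress", [("normalize", normalize), ("enrich", enrich), ("flag", flag)],
                    {"asset_tags": ASSET_TAGS})
    orch.submit("egress", FLOWS)
    flagged = orch.collect("egress")
    return flagged, pm.data_context["bytes_by_src"], orch.status("egress")


if __name__ == "__main__":
    print(run_demo())
```

The `flag` activity shows the "consume or forward" choice the text describes: every event is counted in its report, but only the one large transfer to an untagged destination reaches the sink, while the per-source totals left in the batch context are available to any later batch activity without re-reading the stream.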
Detailed description of exemplary aspects
Fig. 8 is a flow diagram of an exemplary method 800 for cyber-security behavioral analytics, according to one aspect. According to the aspect, behavioral analytics may utilize passive information feeds from a plurality of existing endpoints (for example, including but not limited to user activity, network performance, or device behavior on the network) to generate security solutions. In an initial step 801, the web crawler 115 may passively collect activity information, which may then be processed 802 using the DCG 155 to analyze behavioral patterns. Based on this initial analysis, anomalous behavior may be identified 803 (for example, based on a threshold of deviation from an established pattern or trend), such as a high-risk user or a malware operator such as a bot. These anomalous behaviors may then be used 804 to analyze potential attack angles, and security recommendations may then be generated 805 based on this second-level analysis and on the predictions produced by the action outcome simulation module 125 to determine the likely effects of a change. The recommended actions may then be implemented automatically 806, if desired. Passive monitoring 801 may continue to gather information after the new security solutions are implemented 806, so that machine learning improves operation over time as the relationships between security changes and the behaviors and threats observed are analyzed.
The method 800 for behavioral analytics enables proactive and high-speed reactive defense capabilities against a variety of cyber-attack threats, including anomalous human behavior as well as non-human "bad actors" such as automated software bots that may probe for and subsequently exploit existing vulnerabilities. Using automated behavioral learning in this manner provides a much more responsive solution than manual intervention, enabling rapid response to threats to mitigate any potential impact. The approach is further enhanced by machine learning, providing additional proactive behavior not possible with a simple automated approach that reacts to threats only as they occur.
Fig. 9 is a flow diagram of an exemplary method 900 for measuring the effects of a cyber-security attack, according to one aspect. According to the aspect, impact assessment of an attack may be measured using the DCG 155 to analyze a user account and identify its access capabilities 901 (for example, what files, directories, devices or domains the account may access). This may then be used to generate 902 an impact assessment score for the account, representing the potential risk should that account be compromised. In the event of an incident, the impact assessment scores of any compromised accounts may be used to produce a "blast radius" calculation 903, identifying exactly what resources are at risk as a result of the intrusion and where security personnel should focus. To provide proactive security recommendations through the simulation module 125, simulated intrusions may be run 904 to identify potential blast radius calculations for a variety of attacks and to determine 905 high-risk accounts or resources, so that security may be improved in those critical areas rather than focusing on reactive solutions.
Fig. 10 is a flow diagram of an exemplary method 1000 for continuous cyber-security monitoring and exploration, according to one aspect. According to the aspect, the state observation service 140 may receive data from a variety of connected systems 1001 such as, for example, including but not limited to, servers, domains, databases or user directories. This information may be received continuously, passively collecting events and monitoring activity over time, while feeding 1002 the collected information into the graph service 145 to generate a time series graph 1003 of states and changes over time. This adjusted time series data may then be used to generate a time-varying visualization 1004 that quantifies the collected data in a meaningful and understandable format. As new events are recorded, such as changes to user roles or permissions, modifications to servers or data structures, or other changes within the security infrastructure, these events are automatically incorporated into the time series data and the visualization is updated accordingly, providing live monitoring of information health in a manner that highlights meaningful data without losing detail in the sheer number of data points to be examined.
Fig. 11 is a flow diagram of an exemplary method 1100 for mapping a cyber-physical system graph (CPG), according to one aspect. According to the aspect, a cyber-physical system graph may comprise a visualization of hierarchies and relationships between devices and resources in a security infrastructure, placing security information in the context of physical device relationships that security personnel and users can readily understand. In an initial step 1101, behavioral analytics information (as described previously with reference to Fig. 8) may be received at the graph service 145 for inclusion in the CPG. In a next step 1102, impact assessment scores (as described previously with reference to Fig. 9) may be received and incorporated into the CPG information, adding risk assessment context to the behavioral information. In a next step 1103, time series information may be received and incorporated (as described previously with reference to Fig. 10), updating the CPG information as changes occur and events are logged. This information may then be used to generate 1104 a visualization of users, servers, devices and other resources that associates physical relationships (such as a user's personal computer or smartphone, or a physical connection between servers) with logical relationships (such as access privileges or database connections), to produce a meaningful and contextualized visualization of the security infrastructure that reflects the current state of the internal relationships present in the infrastructure.
Fig. 12 is a flow diagram of an exemplary method 1200 for continuous network resilience scoring, according to one aspect. According to this aspect, a baseline score may be used to measure the overall risk level of the network infrastructure and may be compiled by first collecting 1201 information about publicly known vulnerabilities, for example from the internet or through the Common Vulnerabilities and Exposures (CVE) process. This information may then be included 1202 in the CPG as previously described in FIG. 11, and the combined data of the CPG and known vulnerabilities may then be analyzed 1203 to identify relationships between the known vulnerabilities and the risks to which the infrastructure components are exposed. This results in a combined CPG 1204 that includes both the internal risk levels of network resources, user accounts and devices and the actual risk levels derived from analysis of known vulnerabilities and security risks.
FIG. 13 is a flow diagram of an exemplary method 1300 for cyber-security privilege oversight, according to one aspect. According to this aspect, time-series data may be collected 1301 for user accounts, credentials, directories, and other user-based privilege and access information (as described above with reference to fig. 10). This data can then be analyzed 1302 to identify changes over time that can affect security, such as modifications to user access privileges or the addition of new users. The results of the analysis can be checked 1303 against the CPG (as described previously in FIG. 11) to compare and correlate user directory changes with the true infrastructure state. This comparison can be used to perform an accurate, context-enhanced user directory audit 1304 that not only identifies current user credentials and other user-specific information but also identifies how that information has changed over time and how it relates to the real infrastructure (e.g., a credential that grants access to a device, and can thus implicitly grant additional access through device relationships that are not visible from the user directory alone).
Fig. 14 is a flow diagram of an exemplary method 1400 for cyber-security risk management, according to one aspect. According to this aspect, the previously described methods may be combined to provide live evaluation of attacks as they occur, by first receiving 1401 time-series data for an infrastructure (as previously described in fig. 10) to provide live monitoring of network events. The data is then augmented 1402 with a CPG (as described above in fig. 11) to associate each event with a real infrastructure element such as a server or account. When an event (e.g., an attempted attack on a vulnerable system or resource) occurs 1403, the event is logged 1404 in the time-series data and compared 1405 against the CPG to determine its impact. This is enhanced by including impact evaluation information 1406 for any impacted resources, and then checking 1407 the attack against the baseline scores to determine the full scope of its impact and any necessary modifications to the infrastructure or policy.
Fig. 15 is a flow diagram of an exemplary method 1500 for mitigating compromised credential threats, according to one aspect. According to this aspect, impact evaluation scores may be collected 1501 for the user accounts in a directory (as previously described with reference to FIG. 9) so that the potential impact of any given credential attack is known before an actual attack occurs. This information may be combined 1502 with the CPG as described previously in fig. 11, placing the impact assessment scores in context within the infrastructure (e.g., so that it can be predicted which systems or resources may be at risk from any given credential attack). A simulated attack may then be executed 1503, using machine learning to improve security without waiting for a real attack to trigger a reactive response. A blast radius evaluation (as described above in fig. 9) can be used in response 1504 to determine the effectiveness of the simulated attack and identify weaknesses, and to generate a recommendation report 1505 for improving and hardening the infrastructure against future attacks.
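The directory audit of Fig. 13 (explicit grants versus access that is only implied by device and database relationships) and the simulated credential compromise with blast radius scoring of Fig. 15 can be shown together on a small cyber-physical graph. The Python below is an added example, not code from the patent or from Qomplx; the node names, relationship types, impact scores and directory snapshots are all constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed relationship types: "grants" and "db_connection" are logical
# relationships, "link" is a physical one (a wire or VLAN between devices).
RELATIONS = {"grants", "db_connection", "link"}


@dataclass
class CPG:
    """Minimal cyber-physical graph: nodes carry a kind and an impact score
    (Fig. 9 style); directed edges carry the relationship type."""
    nodes: dict = field(default_factory=dict)   # name -> {"kind", "impact"}
    edges: dict = field(default_factory=dict)   # src -> [(dst, relation)]

    def add_node(self, name, kind, impact=0.0):
        self.nodes[name] = {"kind": kind, "impact": float(impact)}

    def add_edge(self, src, dst, relation):
        if relation not in RELATIONS:
            raise ValueError(f"unknown relationship type: {relation}")
        self.edges.setdefault(src, []).append((dst, relation))

    def reachable(self, start):
        """Every node reachable from `start` over any relationship type, i.e.
        the transitive access someone holding that node would obtain."""
        seen, queue = {start}, deque([start])
        while queue:
            node = queue.popleft()
            for dst, _ in self.edges.get(node, []):
                if dst not in seen:
                    seen.add(dst)
                    queue.append(dst)
        seen.discard(start)
        return seen


def build_cpg(directory, topology, impacts):
    """Fig. 11 style assembly: directory grants become logical edges from the
    user node; physical/database topology and impact scores are attached."""
    cpg = CPG()
    for name, (kind, impact) in impacts.items():
        cpg.add_node(name, kind, impact)
    for user, resources in directory.items():
        cpg.add_node(user, "user")
        for resource in resources:
            cpg.add_edge(user, resource, "grants")
    for src, dst, relation in topology:
        cpg.add_edge(src, dst, relation)
    return cpg


def audit_user(cpg, directory, user):
    """Fig. 13 step 1304: what the directory explicitly grants the user versus
    what is reachable only through device and database relationships."""
    explicit = set(directory.get(user, set()))
    implicit = cpg.reachable(user) - explicit
    return explicit, implicit


def directory_changes(snapshots):
    """Fig. 13 step 1302: diff consecutive (timestamp, directory) snapshots and
    return (time, user, added, removed) for every privilege change or new user."""
    changes = []
    for (_, before), (when, after) in zip(snapshots, snapshots[1:]):
        for user in sorted(set(before) | set(after)):
            added = after.get(user, set()) - before.get(user, set())
            removed = before.get(user, set()) - after.get(user, set())
            if added or removed:
                changes.append((when, user, added, removed))
    return changes


def simulate_compromise(cpg, user):
    """Fig. 15 steps 1503-1504: treat the user's credential as compromised and
    return the blast radius plus the summed impact score of everything reached."""
    hit = cpg.reachable(user)
    return hit, sum(cpg.nodes[name]["impact"] for name in hit)


# Constructed sample data (not from the patent): impact scores, the
# physical/database topology, and two directory snapshots one month apart.
IMPACTS = {
    "alice_laptop": ("device", 1.0), "jump_host": ("server", 4.0),
    "db_server": ("server", 6.0), "hr_db": ("database", 9.0),
    "file_share": ("server", 3.0),
}
TOPOLOGY = [
    ("alice_laptop", "jump_host", "link"),    # laptop sits on the admin VLAN
    ("jump_host", "db_server", "link"),       # jump host reaches the DB tier
    ("db_server", "hr_db", "db_connection"),  # DB server holds a client to hr_db
]
SNAPSHOTS = [
    ("2024-01-01", {"alice": {"alice_laptop"}, "bob": {"file_share"}}),
    ("2024-02-01", {"alice": {"alice_laptop", "jump_host"},
                    "bob": {"file_share"}, "carol": {"file_share"}}),
]

if __name__ == "__main__":
    cpg = build_cpg(SNAPSHOTS[0][1], TOPOLOGY, IMPACTS)
    print("alice audit:", audit_user(cpg, SNAPSHOTS[0][1], "alice"))
    print("changes:", directory_changes(SNAPSHOTS))
    print("alice compromise:", simulate_compromise(cpg, "alice"))
```

The directory says alice may reach only her laptop, yet the graph shows the laptop's link to the jump host hands her the database tier too; that gap is what the audit surfaces, and the compromise simulation prices it with the summed impact score.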
Hardware architecture
In general, the techniques disclosed herein may be implemented on hardware or a combination of software and hardware. For example, they may be implemented in an operating system kernel, in a separate user process, in a library package bound into network applications, on a specially constructed machine, on an Application Specific Integrated Circuit (ASIC), or on a network interface card.
A software/hardware hybrid implementation of at least some of the aspects of the features disclosed herein may be implemented on programmable network-resident machines (understood to include intermittently connected network-aware machines) selectively activated or reconfigured by a computer program stored in memory. The network device may have multiple network interfaces that may be configured or designed to utilize different types of network communication protocols. A general architecture for some of these machines may be described herein to facilitate explanation of one or more exemplary mechanisms by which a given functional unit may be implemented. According to particular feature aspects, at least some of the features or functionality of the various feature aspects disclosed herein may be implemented on one or more general-purpose computers associated with one or more networks, such as, for example, an end-user computer system, a client computer, a network server or other server system, a mobile computing device (e.g., a tablet computing device, mobile phone, smart phone, laptop computer, or other suitable computing device), a consumer electronic device, a music player, or any other suitable electronic device, router, switch, or other suitable device, or any combination thereof. In at least some feature aspects, at least some of the features or functions of the various feature aspects disclosed herein may be implemented in one or more virtualized computing environments (e.g., a network computing cloud, virtual machines residing on one or more physical computing machines, or other suitable virtual environment).
Referring now to FIG. 16, a block diagram is shown depicting an exemplary computing device 10 suitable for implementing at least a portion of the features or functionality disclosed herein. Computing device 10 may be, for example, any of the computing machines listed in the preceding paragraph, or indeed any other electronic device capable of executing software- or hardware-based instructions according to one or more programs stored in memory. Computing device 10 may be configured to communicate with a number of other computing devices, such as clients or servers, using known protocols for such connections over a communication network, such as a wide area network, a metropolitan area network, a local area network, a wireless network, the internet, or any other network, whether wired or wireless.
In one aspect, computing device 10 includes one or more Central Processing Units (CPUs) 12, one or more interfaces 15, and one or more buses 14, such as a Peripheral Component Interconnect (PCI) bus. When acting under the control of appropriate software or firmware, the CPU 12 may be responsible for implementing specific functions associated with the functions of a specifically configured computing device or machine. For example, in at least one aspect, computing device 10 may be configured or designed to function as a server system that utilizes CPU 12, local memory 11 and/or remote memory 16, and interfaces 15. In at least one aspect, the CPU 12 may be caused to perform one or more of various types of functions and/or operations under the control of software modules or components, which may include, for example, an operating system and any suitable hardware, software, drivers, and the like.
The CPU 12 may include one or more processors 13, such as, for example, a processor from one of the Intel, ARM, Qualcomm, and AMD microprocessor families. In some aspects, the processor 13 may include specially designed hardware for controlling the operation of the computing device 10, such as Application Specific Integrated Circuits (ASICs), electrically erasable programmable read-only memories (EEPROMs), Field Programmable Gate Arrays (FPGAs), and so forth. In certain aspects, local memory 11, such as non-volatile Random Access Memory (RAM) and/or Read Only Memory (ROM), including for example one or more levels of cache, may also form part of CPU 12. However, there are many different ways in which memory may be coupled to system 10. Memory 11 may be used for various purposes such as, for example, caching and/or storing data, programming instructions, etc. It should further be appreciated that the CPU 12 may be one of various system-on-chip (SOC) type hardware, which may include additional hardware such as a memory or graphics processing chip, such as a QUALCOMM SNAPDRAGON™ or SAMSUNG EXYNOS™ CPU, which are becoming more and more common in the art, for example for use in a mobile device or an integrated device.
As used herein, the term "processor" is not limited to just those integrated circuits referred to in the art as a processor, a mobile processor, or a microprocessor, but broadly refers to a microcontroller, a microcomputer, a programmable logic controller, an application specific integrated circuit, and any other programmable circuit.
In one aspect, the interfaces 15 are provided as Network Interface Cards (NICs). Generally, NICs control the sending and receiving of data packets over computer networks; other types of interfaces 15 may, for example, support other peripheral devices used by computing device 10. Among the interfaces that may be provided are ethernet interfaces, frame relay interfaces, cable interfaces, DSL interfaces, token ring interfaces, graphics interfaces, and the like. In addition, various types of interfaces may be provided, such as, for example, Universal Serial Bus (USB), serial, Ethernet, FIREWIRE™, THUNDERBOLT™, PCI, parallel, Radio Frequency (RF), BLUETOOTH™, near field communication (e.g., using a near field magnet), 802.11 (WiFi), frame relay, TCP/IP, ISDN, fast ethernet interfaces, gigabit ethernet interfaces, Serial ATA (SATA) or external SATA (eSATA) interfaces, High Definition Multimedia Interface (HDMI), Digital Visual Interface (DVI), analog or digital audio interfaces, Asynchronous Transfer Mode (ATM) interfaces, High Speed Serial Interface (HSSI) interfaces, point of sale (POS) interfaces, Fiber Distributed Data Interface (FDDI), and so forth. In general, the interfaces 15 may comprise physical ports adapted for communication with a suitable medium. In some cases they may also include a stand-alone processor (such as a dedicated audio or video processor, as is common in the art for high fidelity A/V hardware interfaces), and in some cases may include volatile and/or non-volatile memory (e.g., RAM).
Although the system shown in fig. 16 illustrates one particular architecture of a computing device 10 for implementing aspects of one or more features described herein, it is by no means the only device architecture on which at least a portion of the features and techniques described herein may be implemented. For example, an architecture having one or any number of processors 13 may be used, and the processors 13 may be present in a single device, or distributed among any number of devices. In one feature aspect, a single processor 13 handles communications as well as routine computations, while in other feature aspects separate dedicated communications processors may be provided. In various feature aspects, different types of features or functions may be implemented in a system according to the feature aspects, the system comprising a client device (such as a tablet device or smartphone running client software) and a server system (such as the server system described in more detail below).
Regardless of network device configuration, the system of a feature aspect may utilize one or more memories or memory modules (such as, for example, remote memory block 16 and local memory 11) configured to store data, programming instructions for the general-purpose network operations, or other information regarding the functionality of the feature aspects described herein (or any subcombination of the above). The programming instructions may control the execution of, or include, an operating system and/or one or more applications. Memory 16 or memories 11, 16 may be configured to store data structures, configuration data, encryption data, historical system operating information, or any other special or general non-program information described herein.
Because such information and programming instructions may be utilized to implement one or more of the systems or methods described herein, at least some aspects may include non-transitory machine-readable storage media that may be configured or designed, for example, to store programming instructions, state information, etc. for performing the various operations described herein. Examples of such non-transitory machine-readable storage media include, but are not limited to, magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROM disks; magneto-optical media; and hardware devices specially configured to store and execute programming instructions, such as read-only memory (ROM), flash memory (common in mobile devices and integrated systems), Solid State Drives (SSDs) and hybrid devices that combine solid state and hard disk drives in a single hardware device (as is becoming more and more common in the art with respect to personal computers), memristor memory, random access memory (RAM), and so forth. It should be appreciated that the storage mechanisms may be integrated and non-removable (such as RAM hardware modules that may be soldered onto a motherboard or otherwise integrated into the electronic device), or they may be removable, such as pluggable flash memory modules (such as "thumb drives" or other removable media designed for rapid swapping of physical storage devices), "hot pluggable" hard or solid state drives, removable optical storage disks, or other such removable media, and these integrated and removable storage media may be used interchangeably.
Examples of programming instructions include object code, such as may be produced by a compiler; machine code, such as may be produced by an assembler or linker; byte code, such as may be produced by a JAVA™ compiler and executed using a Java virtual machine or equivalent; or files containing higher-level code that can be executed by a computer using an interpreter (e.g., a script written in Python, Perl, Ruby, Groovy, or any other scripting language).
In some aspects, the system may be implemented on a stand-alone computing system. With reference now to FIG. 17, a block diagram depicts a typical exemplary architecture of one or more aspects, or components thereof, on a stand-alone computing system. Computing device 20 includes a processor 21 that may run software performing one or more functions or applications of the described aspects, such as, for example, a client application 24. The processor 21 may execute computing instructions under the control of an operating system 22, such as, for example, a version of the MICROSOFT WINDOWS™ operating system, the APPLE macOS™ or iOS™ operating systems, a Linux operating system, some variant of the ANDROID™ operating system, and so forth. In many cases, one or more common services 23 may be operable in system 20 and may help provide common services to client applications 24. The services 23 may be, for example, WINDOWS™ services, user-space common services in a Linux environment, or any other type of common service architecture used by the operating system 22. The input device 28 may be of any type suitable for receiving user input, including, for example, a keyboard, a touch screen, a microphone (e.g., for voice input), a mouse, a touch pad, a trackball, or any combination thereof. Output device 27 may be of any type suitable for providing output to one or more users, whether remote or local to system 20, and may include, for example, one or more screens for visual output, speakers, printers, or any combination thereof. Memory 25 may be a random access memory having any structure and architecture known in the art for use by processor 21, e.g., to run software. The storage device 26 may be any magnetic, optical, mechanical, memristor, or electrical storage device for storing data in digital form (such as those described above with reference to FIG. 10). Examples of storage device 26 include flash memory, a magnetic hard drive, a CD-ROM, and/or the like.
In some aspects, the system may be implemented on a distributed computing network, such as one that may have any number of clients and/or servers. Referring now to FIG. 18, there is illustrated a block diagram depicting an exemplary architecture 30 for implementing at least a portion of a system according to one aspect on a distributed computing network. According to this aspect, any number of clients 33 may be provided. Each client 33 may run software for implementing the client-side portion of the system; a client may include a system 20 as shown in fig. 17. In addition, any number of servers 32 may be provided for processing requests received from one or more clients 33. The clients 33 and servers 32 may communicate with each other via one or more electronic networks 31, which in various aspects may be any of the internet, a wide area network, a mobile phone network (such as a CDMA or GSM cellular network), a wireless network (such as WiFi, WiMAX, LTE, etc.), or a local area network (or indeed any network topology known in the art; no one topology is preferred over any other).
Further, in some aspects, server 32 may invoke external services 37 when additional information needs to be obtained or additional data is involved in a particular invocation. Communication with external services 37 may occur, for example, via one or more networks 31. In various aspects, the external services 37 may comprise network-enabled services or functions associated with or installed on hardware devices. For example, in one aspect in which the client application 24 is implemented on a smartphone or other electronic device, the client application 24 may obtain information from external services 37 hosted in a server system 32 in the cloud, or deployed on one or more particular enterprise or user premises.
In some aspects, the client 33 or the server 32 (or both) may make use of one or more dedicated services or applications that may be deployed locally or remotely across one or more networks 31. For example, one or more databases 34 may be used by or involved in one or more aspects. Those skilled in the art will appreciate that database 34 may be arranged in a wide variety of architectures and may use a wide variety of data access and manipulation mechanisms. For example, in various aspects, one or more databases 34 may comprise relational database systems using Structured Query Language (SQL), while others may comprise alternative data storage technologies such as those known in the art as "NoSQL" (e.g., HADOOP CASSANDRA™, GOOGLE BIGTABLE™, etc.). In some aspects, variant database architectures such as column-oriented databases, in-memory databases, clustered databases, distributed databases, or even flat file data repositories may be used. One skilled in the art will appreciate that any combination of known or future database techniques may be used, as appropriate, unless a particular database technique or particular arrangement of components is specific to a particular aspect described herein. Further, it should be appreciated that the term "database," as used herein, may refer to a physical database machine, a cluster of machines acting as a single database system, or a logical database within an overall database management system. Unless a specific meaning is specified for a given use of the term "database," it should be construed to mean any of these meanings, all of which are understood by those skilled in the art to be covered by the generic term "database."
Similarly, some aspects may utilize one or more security systems 36 and configuration systems 35. Security and configuration management are common Information Technology (IT) and network functions, and some amount of each is typically associated with any IT or network system. It should be understood by those skilled in the art that any configuration or security subsystem known in the art now or in the future may be used in combination with the feature aspects without limitation, unless special security 36 or configuration system 35 or scheme is specifically required by the description of any particular feature aspect.
FIG. 19 shows an exemplary overview of a computer system 40 as may be used in any of various locations throughout the system. This is an example of any computer that can execute code to process data. Various modifications and changes may be made to computer system 40 without departing from the broader scope of the systems and methods disclosed herein. A Central Processing Unit (CPU) 41 is connected to a bus 42, which is also connected to a memory 43, a non-volatile memory 44, a display 47, an input/output (I/O) unit 48, and a Network Interface Card (NIC) 53. The I/O unit 48 may typically be connected to a keyboard 49, a pointing device 50, a hard disk 52, and a real-time clock 51. The NIC 53 is connected to a network 54, which may be the internet or a local area network, which may or may not have a connection to the internet. A power supply unit 45, also shown as part of the system 40, is connected in this example to a main Alternating Current (AC) power supply 46. Batteries that may be present, as well as many other devices and modifications that are widely known but not germane to the particular inventive functions of the systems and methods disclosed herein, are not shown. It should be appreciated that some or all of the components shown may be combined, such as in various integrated applications, e.g., Qualcomm or Samsung system-on-a-chip (SOC) devices, or wherever it is suitable to combine multiple capabilities or functions into a single hardware device (e.g., in a mobile device such as a smartphone, a video game console, an in-vehicle computer system such as a navigation or multimedia system in an automobile, or other integrated hardware device).
In various feature aspects, the functionality of a system or method for implementing various feature aspects may be distributed among any number of client and/or server components. For example, various software modules may be implemented to perform various functions in conjunction with the system in any particular feature aspect, and may be variously implemented to run on server and/or client components.
Those skilled in the art will appreciate the range of possible modifications to the various feature aspects described above. Therefore, the invention is defined by the claims and their equivalents.

Claims (7)

1. An advanced network decision platform for mitigating network attacks, the platform comprising:
a time series data store comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and executed on the processor, wherein the programming instructions, when executed on the processor, cause the processor to:
monitoring a plurality of network events;
generating time-series data comprising at least a record of network events and the times at which the events occur;
an observation and state evaluation module comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and executed on the processor, wherein the programming instructions, when executed on the processor, cause the processor to:
monitoring a plurality of connected resources on a network;
generating a cyber-physical graph representing at least a portion of the plurality of connected resources, the cyber-physical graph including logical relationships between at least a portion of the plurality of connected resources on the network and physical relationships between any connected resources including at least hardware devices;
a directed computation graph module comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and executed on the processor, wherein the programming instructions, when executed on the processor, cause the processor to:
performing a plurality of analysis and transformation operations on at least a portion of the time series data;
performing a plurality of analysis and transformation operations on at least a portion of the cyber-physical graph; and
an action result simulation module comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and executed on the processor, wherein the programming instructions, when executed on the processor, cause the processor to:
generating a simulated network event comprising at least a simulated network attack;
generating a plurality of security recommendations based at least in part on results of the analysis performed by the directed computation graph module.
2. The system of claim 1, wherein the performing a plurality of analysis and transformation operations on at least a portion of the cyber-physical graph comprises calculating an impact evaluation score for each of a portion of the resources in the graph.
3. The system of claim 2, wherein the performing a plurality of analysis and transformation operations on at least a portion of the time series data comprises calculating an overall impact of a cyber attack, wherein the calculating is based at least in part on evaluating a score for the impact of each resource impacted by the cyber attack.
4. The system of claim 1, wherein the performing a plurality of analysis and transformation operations on at least a portion of the cyber-physical graph includes comparing relationships between resources against known security vulnerabilities.
5. The system of claim 4, wherein the recommendation generated by the action result simulation module is based at least in part on a result of the comparison against known security vulnerabilities.
6. The system of claim 1, wherein the observation and status evaluation module is further configured to generate a visualization based at least in part on at least a portion of the time series data, wherein the visualization accounts for changes in the data over time.
7. A method for mitigating network attacks using an advanced network decision platform, comprising the steps of:
a) generating, using an observation and status evaluation module, a cyber-physical graph representing at least a portion of a plurality of connected resources, the cyber-physical graph including logical relationships between at least a portion of the plurality of connected resources on the network and physical relationships between any connected resources including at least hardware devices;
b) performing a plurality of analysis and transformation operations on at least a portion of the cyber-physical graph using a directed computation graph module;
c) generating a simulated network event including at least a simulated network attack using the action result simulation module;
d) monitoring a plurality of network events including at least the simulated network attack using a time series data store;
e) generating time-series data based at least in part on the network events;
f) performing a plurality of analysis and transformation operations on at least a portion of the time series data; and
g) generating a plurality of security recommendations based at least in part on results of the analysis performed by the directed computation graph module.
CN201880059195.3A 2017-07-20 2018-07-20 Advanced cyber-security threat mitigation using behavioral and deep analytics Withdrawn CN111316272A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US15/655,113 2017-07-20
US15/655,113 US10735456B2 (en) 2015-10-28 2017-07-20 Advanced cybersecurity threat mitigation using behavioral and deep analytics
PCT/US2018/043191 WO2019018829A1 (en) 2017-07-20 2018-07-20 Advanced cybersecurity threat mitigation using behavioral and deep analytics

Publications (1)

Publication Number Publication Date
CN111316272A true CN111316272A (en) 2020-06-19

Family

ID=65015309

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201880059195.3A Withdrawn CN111316272A (en) 2017-07-20 2018-07-20 Advanced cyber-security threat mitigation using behavioral and deep analytics

Country Status (3)

Country Link
EP (1) EP3655878A4 (en)
CN (1) CN111316272A (en)
WO (1) WO2019018829A1 (en)

Also Published As

Publication number Publication date
EP3655878A1 (en) 2020-05-27
EP3655878A4 (en) 2021-04-07
WO2019018829A1 (en) 2019-01-24

Similar Documents

Publication Publication Date Title
US11750631B2 (en) System and method for comprehensive data loss prevention and compliance management
US11323471B2 (en) Advanced cybersecurity threat mitigation using cyberphysical graphs with state changes
US11647039B2 (en) User and entity behavioral analysis with network topology enhancement
US20220210200A1 (en) Ai-driven defensive cybersecurity strategy analysis and recommendation system
US10432660B2 (en) Advanced cybersecurity threat mitigation for inter-bank financial transactions
US11582207B2 (en) Detecting and mitigating forged authentication object attacks using an advanced cyber decision platform
US10609079B2 (en) Application of advanced cybersecurity threat mitigation to rogue devices, privilege escalation, and risk-based vulnerability and patch management
US11818169B2 (en) Detecting and mitigating attacks using forged authentication objects within a domain
US10594714B2 (en) User and entity behavioral analysis using an advanced cyber decision platform
US11799900B2 (en) Detecting and mitigating golden ticket attacks within a domain
US11757920B2 (en) User and entity behavioral analysis with network topology enhancements
US20220377093A1 (en) System and method for data compliance and prevention with threat detection and response
US20220263860A1 (en) Advanced cybersecurity threat hunting using behavioral and deep analytics
CN111316272A (en) Advanced cyber-security threat mitigation using behavioral and deep analytics
WO2020102601A1 (en) Comprehensive data loss prevention and compliance management
CN111316268A (en) Advanced cyber-security threat mitigation for interbank financial transactions
WO2019113492A1 (en) Detecting and mitigating forged authentication object attacks using an advanced cyber decision platform
WO2019051131A1 (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20200619