CN111316272A - Advanced cybersecurity threat mitigation using behavioral and deep analytics - Google Patents


Info

Publication number: CN111316272A
Authority: CN (China)
Prior art keywords: network, data, processor, analysis, module
Legal status: Withdrawn
Application number: CN201880059195.3A
Other languages: Chinese (zh)
Inventors: 杰森·克拉布特里 (Jason Crabtree), 安德鲁·赛勒斯 (Andrew Sellers)
Current assignee: Qomplx Inc
Original assignee: Qomplx Inc
Priority claimed from: US 15/655,113 (published as US10735456B2)
Application filed by: Qomplx Inc

Classifications

    • G PHYSICS
        • G06 COMPUTING OR CALCULATING; COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                            • G06F21/577 Assessing vulnerabilities and evaluating computer system security
                        • G06F21/55 Detecting local intrusion or implementing counter-measures
                            • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
            • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
                • G06N20/00 Machine learning
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A system for mitigating cyberattacks using an advanced cyber decision platform comprises a time series data store, a directed computational graph module, an action outcome simulation module, and an observation and state estimation module. The state of the network is monitored and used to produce a cyber-physical graph representing network resources, to produce and monitor simulated network events, and to analyze the network events and their effects in order to produce security recommendations.

Description

Advanced cybersecurity threat mitigation using behavioral and deep analytics

Cross-reference to related applications

This application is a PCT application of, and claims priority to, United States patent application serial number 15/655,113, filed July 20, 2017, entitled "ADVANCED CYBERSECURITY THREAT MITIGATION USING BEHAVIORAL AND DEEP ANALYTICS", the entire specification of which is incorporated herein by reference in its entirety.

Technical field

The present disclosure relates to the field of computer management, and more particularly to the fields of cybersecurity and threat analysis.

Background

Over the past decade, the frequency and sophistication of cyberattacks (that is, unauthorized access and modification) against the information technology assets of numerous companies and of US government departments and activities have risen steadily and significantly, and the discovery and exploitation of IT infrastructure vulnerabilities continue to accelerate. The pace of network intrusions has arguably reached the point where protection methods that rely only on publicly disclosed prior attacks, and on the advisories derived from them, provide only a moderate level of protection. Further, the sheer volume of cybersecurity information and procedures has far outstripped the ability of those who most need it to follow it fully or use it reliably, overwhelming the people charged with the cybersecurity responsibilities that put thousands of enterprises at risk. Over the past few years, the inability to identify important trends or to become aware of information in a timely manner has led to highly visible, customer-facing security failures such as those at TARGET™, ANTHEM™, DOW JONES™ and SAMSUNG ELECTRONICS™, to name only a few that made the news. Most traditional cybersecurity solutions demand too much configuration, ongoing administrator interaction and support to be effective at the moment an attack occurs, while offering only limited protection against sophisticated adversaries, especially once user credentials have been stolen or forged.

There have been several recent developments in commercial software, arising for the purpose of streamlining or automating business data analysis or business decision processes, that could be built upon to help optimize cybersecurity. PALANTIR™ offers software to isolate patterns in large volumes of data, DATABRICKS™ offers custom analytics services, and ANAPLAN™ offers financial impact calculation services. Other software sources address some aspect of business data relationship identification in isolation, but none of these holistically addresses the full range of cybersecurity vulnerabilities across an enterprise; the analysis of data and the automation of business decisions remain outside their scope. At present, none of these solutions handles more than a single aspect of the overall task, none can form predictive analytical data transformations, and they are therefore of little use in the cybersecurity domain, where the only option would be a complex process requiring intricate integration of the tools above.

The use of web-based service companies that provide cybersecurity advisory information has also grown greatly. This only adds to the information overload described above, and to be used optimally it must be carefully analyzed by a business information management system that purports to provide reliable cybersecurity protection.

What is needed is a fully integrated system that retrieves cybersecurity-related information from many disparate and dissimilar sources using scalable, explicitly scriptable connection interfaces; identifies and analyzes the high-volume data; and transforms it into useful formats. This system must then use data consistent with the enterprise's baseline network usage profile, together with prior knowledge of the enterprise's systems, especially those holding sensitive information, to drive an integrated, highly scalable simulation engine that can use a combination of system dynamics, discrete event and agent-based paradigms within a simulation run in order to obtain the most useful and accurate data transformations, and store them so that a human analyst can quickly digest the information presented, readily grasp any predictions or recommendations, and then respond creatively to mitigate the reported situation. This multi-method information security information capture, analysis, transformation, outcome prediction and presentation system forms a "business operating system".

Summary of the invention

Accordingly, the inventors have developed a system for advanced cybersecurity threat mitigation using behavioral and deep analytics.

According to one aspect, a system for detecting and mitigating cyberattacks using an advanced cyber decision platform is disclosed, comprising:

    • a time series data store, comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and operating on the processor, wherein the programming instructions, when operating on the processor, cause the processor to monitor a plurality of network events and to produce time series data comprising at least a record of each network event and the time at which it occurred;
    • an action outcome simulation module, comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and operating on the processor, wherein the programming instructions, when operating on the processor, cause the processor to produce simulated network events, and to produce recommendations based at least in part on the results of the analyses performed by the directed computational graph module;
    • an observation and state estimation module, comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and operating on the processor, wherein the programming instructions, when operating on the processor, cause the processor to monitor a plurality of connected resources on a network and to produce a cyber-physical graph representing at least a portion of the plurality of connected resources; and
    • a directed computational graph module, comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and operating on the processor, wherein the programming instructions, when operating on the processor, cause the processor to perform a plurality of analysis and transformation operations on at least a portion of the time series data, and to perform a plurality of analysis and transformation operations on at least a portion of the cyber-physical graph.

According to another aspect, a method for mitigating cyberattacks using an advanced cyber decision platform is disclosed, comprising the steps of: a) producing, using an observation and state estimation module, a cyber-physical graph representing a plurality of connected resources on a network; b) analyzing, using a directed computational graph module, at least a portion of the cyber-physical graph; c) simulating, using an action outcome simulation module, a plurality of network events; d) monitoring, using a time series data store, at least a portion of the plurality of network events; e) producing time series data based at least in part on the network events; f) analyzing at least a portion of the time series data; and g) producing a security recommendation based at least in part on the results of the analysis.
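The method above, as an added worked example that is not part of the patent or of Qomplx's implementation: a small cyber-physical graph of hosts and accounts (step a), a time series store of login events that serves as the behavioral baseline (steps d and e), a simulated credential-compromise event propagated over the graph (step c), and a recommendation derived from the difference between the simulated blast radius and the baseline (steps b, f and g). All hosts, accounts, events, edge labels and the reachability-based scoring rule are assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class CyberPhysicalGraph:
    """Directed property graph of network resources: each node carries properties,
    each edge carries a label. Stands in for the observation and state estimation
    module's output (assumed structure, not the patent's)."""
    nodes: dict = field(default_factory=dict)
    edges: dict = field(default_factory=lambda: defaultdict(list))

    def add_node(self, name, **props):
        self.nodes[name] = props

    def add_edge(self, src, label, dst):
        self.edges[src].append((label, dst))

    def reachable(self, start, labels):
        """Nodes reachable from start by following only edges whose label is in labels."""
        seen, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            for label, dst in self.edges.get(node, ()):
                if label in labels and dst not in seen:
                    seen.add(dst)
                    queue.append(dst)
        return seen


class TimeSeriesStore:
    """Append-only record of (timestamp, event type, attributes): the time series data store."""

    def __init__(self):
        self.events = []

    def record(self, ts, kind, **attrs):
        self.events.append((ts, kind, attrs))

    def hosts_per_account(self, kind="login"):
        """Baseline: which hosts each account has been observed logging in to."""
        seen = defaultdict(set)
        for _, k, attrs in self.events:
            if k == kind:
                seen[attrs["account"]].add(attrs["host"])
        return dict(seen)


def build_graph():
    """Constructed inventory (hypothetical hosts and accounts, not real data)."""
    g = CyberPhysicalGraph()
    for host, sensitive in (("web01", False), ("app01", False), ("db01", True), ("hr01", True)):
        g.add_node(host, kind="host", sensitive=sensitive)
    for account in ("svc_web", "alice", "dba"):
        g.add_node(account, kind="account")
    # can_auth: the host accepts the credential; connects_to: a session on the
    # source host can open a connection to the destination host.
    for account, host in (("svc_web", "web01"), ("alice", "web01"), ("alice", "app01"),
                          ("alice", "db01"), ("dba", "db01")):
        g.add_edge(account, "can_auth", host)
    g.add_edge("app01", "connects_to", "db01")
    g.add_edge("db01", "connects_to", "hr01")
    return g


def baseline_store():
    """Constructed sample of normal logins over the baseline period."""
    store = TimeSeriesStore()
    for ts, account, host in ((1, "alice", "web01"), (2, "alice", "web01"),
                              (3, "dba", "db01"), (4, "svc_web", "web01")):
        store.record(ts, "login", account=account, host=host)
    return store


def simulate_compromise(graph, account):
    """Action outcome simulation: an attacker holding the account's credential logs in
    everywhere it is accepted, then pivots along connects_to edges."""
    reached = graph.reachable(account, {"can_auth", "connects_to"})
    return {n for n in reached if graph.nodes[n]["kind"] == "host"}


def recommend(graph, store, account, max_new=1):
    """Analysis over graph and time series: compare the simulated blast radius with
    the account's observed baseline and turn the difference into a recommendation."""
    baseline = store.hosts_per_account().get(account, set())
    blast = simulate_compromise(graph, account)
    new = blast - baseline
    new_sensitive = sorted(h for h in new if graph.nodes[h]["sensitive"])
    flagged = bool(new_sensitive) or len(new) > max_new
    return {
        "account": account,
        "baseline_hosts": sorted(baseline),
        "blast_radius": sorted(blast),
        "new_sensitive": new_sensitive,
        "action": ("require MFA for %s and remove or monitor paths to %s"
                   % (account, sorted(new))) if flagged else "none",
    }


if __name__ == "__main__":
    graph, store = build_graph(), baseline_store()
    for account in ("svc_web", "alice", "dba"):
        print(recommend(graph, store, account))
```

Running the block prints one recommendation per account: alice's simulated blast radius reaches both sensitive hosts, neither of which appears in her baseline, while svc_web stays inside its baseline and gets no action. In a real deployment the graph would be built from inventory and network telemetry and the baseline from authentication logs over a representative window; the point the example makes is that the recommendation is driven by the gap between simulated reach and observed behavior, not by either alone.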

Brief description of the drawings

The accompanying drawings illustrate several aspects and, together with the description, serve to explain the principles of the invention according to those aspects. Those skilled in the art will appreciate that the particular arrangements shown in the drawings are merely exemplary and are not to be considered as limiting the scope of the invention or the claims herein in any way.

FIG. 1 is a diagram of an exemplary architecture of an advanced cyber decision platform according to one aspect.

FIG. 2 is a flow diagram of exemplary functions of the business operating system in predicting the predetermining factors that lead to ongoing cyberattacks, and in mitigating those attacks.

FIG. 3 is a process diagram showing business operating system functions for mitigating cyberattacks.

FIG. 4 is a process flow diagram of a method for segmenting cyberattack information to the appropriate corporate groups.

FIG. 5 is a diagram of an exemplary architecture of a system for rapid predictive analysis of very large data sets using an actor-driven distributed computational graph, according to one aspect.

FIG. 6 is a diagram of an exemplary architecture of a system for rapid predictive analysis of very large data sets using an actor-driven distributed computational graph, according to one aspect.

FIG. 7 is a diagram of an exemplary architecture of a system for rapid predictive analysis of very large data sets using an actor-driven distributed computational graph, according to one aspect.

FIG. 8 is a flow diagram of an exemplary method for cybersecurity behavioral analytics, according to one aspect.

FIG. 9 is a flow diagram of an exemplary method for measuring the effects of cybersecurity attacks, according to one aspect.

FIG. 10 is a flow diagram of an exemplary method for continuous cybersecurity monitoring and exploration, according to one aspect.

FIG. 11 is a flow diagram of an exemplary method for mapping a cyber-physical system graph, according to one aspect.

FIG. 12 is a flow diagram of an exemplary method for continuous network resilience scoring, according to one aspect.

FIG. 13 is a flow diagram of an exemplary method for cybersecurity privilege oversight, according to one aspect.

FIG. 14 is a flow diagram of an exemplary method for cybersecurity risk management, according to one aspect.

FIG. 15 is a flow diagram of an exemplary method for mitigating compromised credential threats, according to one aspect.

FIG. 16 is a block diagram illustrating an exemplary hardware architecture of a computing device.

FIG. 17 is a block diagram illustrating an exemplary logical architecture for a client device.

FIG. 18 is a block diagram illustrating an exemplary architectural arrangement of clients, servers, and external services.

FIG. 19 is another block diagram illustrating an exemplary hardware architecture of a computing device.

Detailed description

The inventors have conceived, and reduced to practice, advanced cybersecurity threat mitigation using behavioral and deep analytics.

One or more different aspects may be described in the present application. Further, for one or more of the aspects described herein, numerous alternative arrangements may be described; it should be appreciated that these are presented for illustrative purposes only and are not limiting of the aspects contained herein or the claims presented herein in any way. One or more of the arrangements may be widely applicable to numerous aspects, as may be readily apparent from the disclosure. In general, arrangements are described in sufficient detail to enable those skilled in the art to practice one or more of the aspects, and it should be appreciated that other arrangements may be utilized and that structural, logical, software, electrical and other changes may be made without departing from the scope of the particular aspects. Particular features of one or more of the aspects described herein may be described with reference to one or more particular aspects or figures that form a part of the present disclosure, and in which are shown, by way of illustration, specific arrangements of one or more of the aspects. It should be appreciated, however, that such features are not limited to usage in the one or more particular aspects or figures with reference to which they are described. The present disclosure is neither a literal description of all arrangements of one or more of the aspects nor a listing of features of one or more of the aspects that must be present in all arrangements.

Headings of sections provided in this patent application and the title of this patent application are for convenience only, and are not to be taken as limiting the disclosure in any way.

Devices that are in communication with each other need not be in continuous communication with each other, unless expressly specified otherwise. In addition, devices that are in communication with each other may communicate directly or indirectly through one or more communication means or intermediaries, logical or physical.

A description of an aspect with several components in communication with each other does not imply that all such components are required. To the contrary, a variety of optional components may be described to illustrate a wide variety of possible aspects and in order to more fully illustrate one or more aspects. Similarly, although process steps, method steps, algorithms or the like may be described in a sequential order, such processes, methods and algorithms may generally be configured to work in alternate orders, unless specifically stated to the contrary. In other words, any sequence or order of steps that may be described in this patent application does not, in and of itself, indicate a requirement that the steps be performed in that order. The steps of described processes may be performed in any order practical. Further, some steps may be performed simultaneously despite being described or implied as occurring non-simultaneously (e.g., because one step is described after the other step). Moreover, the illustration of a process by its depiction in a drawing does not imply that the illustrated process is exclusive of other variations and modifications thereto, does not imply that the illustrated process or any of its steps are necessary to one or more of the aspects, and does not imply that the illustrated process is preferred. Also, steps are generally described once per aspect, but this does not mean they must occur once, or that they may only occur once each time a process, method or algorithm is carried out or executed. Some steps may be omitted in some aspects or some occurrences, or some steps may be executed more than once in a given aspect or occurrence.

When a single device or article is described herein, it will be readily apparent that more than one device or article may be used in place of a single device or article. Similarly, where more than one device or article is described herein, it will be readily apparent that a single device or article may be used in place of the more than one device or article.

The functionality or the features of a device may be alternatively embodied by one or more other devices that are not explicitly described as having such functionality or features. Thus, other aspects need not include the device itself.

Techniques and mechanisms described or referenced herein will sometimes be described in singular form for clarity. However, it should be appreciated that particular aspects may include multiple iterations of a technique or multiple instantiations of a mechanism unless noted otherwise. Process descriptions or blocks in figures should be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps in the process. Alternate implementations are included within the scope of various aspects in which, for example, functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those having ordinary skill in the art.

Definitions

As used herein, a "swimlane" is a communication channel between a time series sensor data reception and apportioning device and a data store designed to hold the apportioned time series sensor data. A swimlane can move a specific, limited amount of data between the two devices. For example, a single swimlane might reliably carry, and have incorporated into the data store, the data equivalent of 5 seconds' worth of data from 10 sensors within 5 seconds; this is its capacity. Attempting to push 5 seconds' worth of data from more sensors than that through a single swimlane would result in data loss.

As used herein, a "metaswimlane" is an as-needed logical combination of the transport capacity of two or more real swimlanes that is transparent to the requesting process. Sensor studies in which the amount of data received per unit time is expected to vary widely over time can be initialized to use metaswimlanes. Using the example above, where a single real swimlane can transport and incorporate 5 seconds' worth of data from 10 sensors, suddenly receiving input from 13 sensors during a 5-second interval would cause the system to create a two-swimlane metaswimlane, carrying the standard 10 sensors' data in one real swimlane and the 3-sensor overage in a second, transparently added real swimlane. No change to the data reception logic is required, because the data reception and apportioning device adds the additional real swimlane transparently.
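The two definitions above, as an added example that is not the patent's code: a fixed-capacity swimlane beside a metaswimlane that adds real lanes on demand, using the 10-sensors-per-interval capacity and the 13-sensor burst from the text. The lane classes, the readings and the interval sequence are constructed for illustration, and the requesting process sees only dispatch(), which is the transparency the definition calls for.

```python
LANE_CAPACITY = 10  # sensors whose 5-second data one real swimlane can carry per interval


class Swimlane:
    """One real swimlane: a fixed-capacity channel into the data store."""

    def __init__(self, lane_id):
        self.lane_id = lane_id
        self.stored = []   # readings that reached the data store
        self.dropped = []  # readings lost because the lane was over capacity

    def transport(self, readings):
        accepted = readings[:LANE_CAPACITY]
        self.stored.extend(accepted)
        self.dropped.extend(readings[LANE_CAPACITY:])
        return len(accepted)


class Metaswimlane:
    """Logical lane that adds real lanes as the per-interval load requires.
    The requesting process only ever calls dispatch()."""

    def __init__(self):
        self.lanes = []

    def dispatch(self, readings):
        needed = max(1, -(-len(readings) // LANE_CAPACITY))  # ceiling division
        while len(self.lanes) < needed:                      # transparently add real lanes
            self.lanes.append(Swimlane(len(self.lanes)))
        delivered = 0
        for i in range(needed):
            chunk = readings[i * LANE_CAPACITY:(i + 1) * LANE_CAPACITY]
            delivered += self.lanes[i].transport(chunk)
        return delivered

    def stored(self):
        return sum(len(lane.stored) for lane in self.lanes)

    def dropped(self):
        return sum(len(lane.dropped) for lane in self.lanes)


def readings_for(interval, sensor_count):
    """Constructed sample: one 5-second reading per sensor per interval."""
    return [(interval, "sensor%02d" % i, 5.0) for i in range(sensor_count)]


# Constructed load: 10 sensors, then a burst of 13, then back to 10.
INTERVALS = [10, 13, 10]


def run_single_lane(intervals=INTERVALS):
    """Push every interval through one real swimlane: the burst loses 3 readings."""
    lane = Swimlane(0)
    for n, count in enumerate(intervals):
        lane.transport(readings_for(n, count))
    return len(lane.stored), len(lane.dropped), 1


def run_metaswimlane(intervals=INTERVALS):
    """Same load through a metaswimlane: a second lane appears for the burst, nothing is lost."""
    meta = Metaswimlane()
    for n, count in enumerate(intervals):
        meta.dispatch(readings_for(n, count))
    return meta.stored(), meta.dropped(), len(meta.lanes)


if __name__ == "__main__":
    print("single lane (stored, dropped, lanes):", run_single_lane())
    print("metaswimlane (stored, dropped, lanes):", run_metaswimlane())
```

The single lane silently drops the 3-sensor overage during the burst; the metaswimlane grows to two lanes at that interval and keeps them, so a later burst of the same size costs no further allocation. Note that once a real lane has been added nothing here retires it; whether idle lanes are released is left open by the definition.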

As used herein, a "graph" is a representation of information and relationships, where each primary unit of information makes up a "node" or "vertex" of the graph and the relationship between two nodes makes up an edge of the graph. A node can be further defined by the connection of one or more descriptors, or "properties", to that node. For example, given the node "James R", which is name information for a person, qualifying properties might be "183 cm tall", "DOB 08/13/1965" and "speaks English". Similar to the use of properties to further describe the information in a node, the relationship between two nodes that forms an edge can be qualified using a "label". Thus, given a second node "Thomas G", an edge between "James R" and "Thomas G" indicating that the two people know each other might be labeled "knows". When graph theory notation (Graph = (Vertices, Edges)) is applied to this situation, the set of nodes serves as one parameter, V, of the ordered pair, and the set of two-element edge endpoints serves as the second parameter, E, of the ordered pair. When the order of edge endpoints within the pairs of E does not matter, for example when the edge James R, Thomas G is equivalent to Thomas G, James R, the graph is called "undirected". In situations where the relationship flows in one direction from one node to another, for example James R is "taller" than Thomas G, the order of the endpoints matters, and graphs with such edges are called "directed". In a distributed computational graph system, the transformations within a transformation pipeline are represented as a directed graph, with the transformations forming the nodes and the output messages between transformations forming the edges. Distributed computational graphs stipulate the potential use of non-linear transformation pipelines, which are programmatically linearized. Such linearization can result in an exponential increase in resource consumption. The most sensible approach to overcoming this possibility is to introduce new transformation pipelines as needed, creating only those that are readily computable. This method results in transformation graphs that are highly variable in size and in node-edge composition as the system processes data streams. Those skilled in the art will recognize that transformation graphs can take many shapes and sizes, with a great number of topologies of edge relationships. The examples given are chosen for illustrative purposes only and show a small number of the simplest possibilities. They should not be used to limit the possible graphs contemplated as part of the operation of the invention.

As used herein, a "transformation" is a function performed on zero or more streams of input data that results in a single stream of output which may or may not then be used as input to another transformation. Transformations may comprise any combination of machine, human or human-machine interactions. Transformations need not alter the data that is input to them; one example of this type of transformation would be a storage transformation, which would receive input and then act as a queue for that data for subsequent transformations. As implied above, a particular transformation may generate output data in the absence of input data; a timestamp serves as an example. In the invention, transformations are placed into pipelines so that the output of one transformation may serve as the input of another. These pipelines may consist of two or more transformations, the number of transformations being limited only by the resources of the system. Historically, transformation pipelines have been linear, with each transformation in the pipeline receiving input from one antecedent and providing output to one subsequent, without branching or iteration. Other pipeline configurations are possible. The invention is designed to permit several of these configurations, including but not limited to: linear, fan-in branching, fan-out branching, and cyclical.
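An added example of the pipeline shapes the definition lists, not code from the patent or from Qomplx: a small directed computational graph executor in which transformations are nodes and the messages between them are edges. It exercises zero-input transformations (a timestamp source and an event source), a fan-in join, a pass-through storage transformation, a fan-out to two consumers, and a cycle in which a calibration transformation feeds a raised threshold back to a scoring transformation until the number of flagged users converges. The firing rules ("all" for joins, "any" so a cycle can make progress), the step bound, the scoring logic and the sample authentication events are all assumptions made for illustration.

```python
from collections import defaultdict, deque


class DirectedComputationalGraph:
    """Transformations are nodes; a message passed from one transformation to
    another is an edge. A transformation fires when its declared inputs have
    delivered: mode "all" waits for every upstream (a fan-in join), mode "any"
    fires on each arriving message, which is what lets a cycle make progress."""

    def __init__(self):
        self.fns, self.inputs, self.modes = {}, {}, {}
        self.inbox = defaultdict(dict)   # transformation -> {upstream: message}
        self.log = []                    # (transformation, output) in firing order

    def add(self, name, fn, inputs=(), mode="all"):
        self.fns[name], self.inputs[name], self.modes[name] = fn, list(inputs), mode

    def run(self, max_steps=200):
        """Fire transformations until none is ready; max_steps bounds cyclic pipelines."""
        ready = deque(n for n, ins in self.inputs.items() if not ins)  # zero-input sources
        steps = 0
        while ready and steps < max_steps:
            name = ready.popleft()
            out = self.fns[name](self.inbox.pop(name, {}))
            steps += 1
            self.log.append((name, out))
            if out is None:              # no output: no message travels down any edge
                continue
            for down, ins in self.inputs.items():
                if name in ins:
                    self.inbox[down][name] = out
                    if self.modes[down] == "any" or set(self.inbox[down]) == set(ins):
                        ready.append(down)
        return steps

    def last(self, name):
        return next((out for n, out in reversed(self.log) if n == name), None)


def count_by(events, key, **match):
    """Count events per value of key among those matching every given field."""
    counts = defaultdict(int)
    for e in events:
        if all(e.get(k) == v for k, v in match.items()):
            counts[e[key]] += 1
    return dict(counts)


# Constructed sample authentication events (hypothetical users and hosts).
EVENTS = [
    {"user": "alice", "host": "web01", "ok": True},
    {"user": "alice", "host": "web01", "ok": False},
    {"user": "alice", "host": "db01", "ok": False},
    {"user": "bob", "host": "web01", "ok": True},
    {"user": "mallory", "host": "db01", "ok": False},
    {"user": "mallory", "host": "hr01", "ok": False},
    {"user": "mallory", "host": "app01", "ok": False},
]


def build_pipeline(max_flagged=1):
    dcg = DirectedComputationalGraph()
    # Zero-input transformations: a timestamp source and an event source.
    dcg.add("clock", lambda _: {"batch_ts": 1700000000})
    dcg.add("source", lambda _: {"events": list(EVENTS)})
    # Fan-in: stamp every event with the batch timestamp once both sources have fired.
    dcg.add("stamp", lambda m: [dict(e, ts=m["clock"]["batch_ts"]) for e in m["source"]["events"]],
            inputs=["clock", "source"])
    # Storage transformation: queues the data unchanged for later transformations.
    queue = []

    def store(m):
        queue.extend(m["stamp"])
        return list(queue)
    dcg.add("store", store, inputs=["stamp"])
    # Fan-out: two independent consumers of the stored batch.
    dcg.add("per_host", lambda m: count_by(m["store"], "host", ok=False), inputs=["store"])
    state = {"events": [], "threshold": 1}

    def score(m):
        state["events"] = m.get("store", state["events"])
        state["threshold"] = m.get("calibrate", {}).get("threshold", state["threshold"])
        fails = count_by(state["events"], "user", ok=False)
        return {"threshold": state["threshold"],
                "flagged": sorted(u for u, n in fails.items() if n >= state["threshold"])}
    # Cycle: calibrate raises the threshold and feeds it back until at most
    # max_flagged users remain flagged; returning None ends the loop.
    dcg.add("score", score, inputs=["store", "calibrate"], mode="any")
    dcg.add("calibrate",
            lambda m: {"threshold": m["score"]["threshold"] + 1}
            if len(m["score"]["flagged"]) > max_flagged else None,
            inputs=["score"])
    return dcg


def run_example(max_flagged=1):
    dcg = build_pipeline(max_flagged)
    dcg.run()
    return dcg


if __name__ == "__main__":
    for name, out in run_example().log:
        print(name, "->", out)
```

The firing log shows the whole shape at once: the two sources fire first, the join fires only after both have delivered, the store fans out to per_host and score, and score then fires three times as calibrate pushes the threshold from 1 to 3 before returning None and ending the cycle. The max_steps bound in run() is the practical answer to the resource concern raised in the graph definition: a cycle that never emits None still terminates.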

A "database" or "data storage subsystem" (these terms may be considered substantially synonymous), as used herein, is a system adapted for the long-term storage, indexing, and retrieval of data, the retrieval typically being via some sort of querying interface or language. "Database" may be used to refer to relational database management systems known in the art, but should not be taken to be limited to such systems. Many alternative database or data storage system technologies have been, and indeed are being, introduced in the art, including but not limited to distributed non-relational data storage systems such as Hadoop, column-oriented databases, in-memory databases, and the like. While various aspects may preferentially employ one or another of the various data storage subsystems available in the art (or available in the future), the invention should not be construed to be so limited, as any data storage architecture may be used according to the aspects. Similarly, while in some cases one or more particular data storage needs are described as being satisfied by separate components (for example, an expanded private capital markets database and a configuration database), these descriptions refer to functional uses of data storage systems and do not refer to their physical architecture. For example, any group of data storage systems or databases referred to herein may be included together in a single database management system operating on a single machine, or they may be included in a single database management system operating on a cluster of machines as is known in the art. Similarly, any single database (such as an expanded private capital markets database) may be implemented on a single machine, on a set of machines using clustering technology, on several machines connected by one or more messaging systems known in the art, or in a master/slave arrangement common in the art. These examples should make clear that no particular architectural approach to database management is preferred according to the invention, and that the choice of data storage technology is at the discretion of each implementer, without departing from the scope of the invention as claimed.

"Data context", as used herein, refers to a set of arguments identifying the location of data. This could be a Rabbit queue, a .csv file in cloud-based storage, or any other such location reference, except for a single event or record. Activities may pass either events or data contexts to each other for processing. The nature of a pipeline allows direct information passing between activities, and data locations or files do not need to be predetermined at the start of the pipeline.

A "pipeline", as used herein and interchangeably referred to as a "data pipeline" or a "processing pipeline", refers to a set of data streaming activities and batch activities. Streaming and batch activities may be connected indiscriminately within a pipeline. Events will flow through the streaming activity actors in a reactive way. At the junction of a streaming activity with a batch activity there exists a StreamBatchProtocol data object. This object is responsible for determining when and whether the batch process is run. One or more of three possibilities may be used as processing triggers: a regular timed interval, every N events, or optionally an external trigger. Events are held in a queue or similar until processed. Each batch activity may contain a "source" data context (this may be a streaming context if the upstream activity is streaming) and a "destination" data context (which is passed to the next activity). A streaming activity may have an optional "destination" streaming data context (optional meaning: caching/persistence of events, as opposed to ephemeral), though this should not be part of the initial implementation.
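The transform pipeline and StreamBatchProtocol described in the two definitions above, as an added example that is not code from the patent or from Qomplx: two streaming sources fan in to one stream-to-batch boundary, and the boundary implements all three trigger kinds (every N events, timed interval, external trigger). Class and function names, the event fields, and the timeline are my own constructions.

```python
"""Stream-to-batch boundary for a transform pipeline (added example).

A StreamBatchProtocol object sits where a streaming activity meets a batch
activity, queues events, and decides when the batch activity runs. Time is
passed in explicitly so the logic is deterministic and runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]
Batch = List[Event]


@dataclass
class StreamBatchProtocol:
    """Decides when and whether the downstream batch activity runs.

    Any combination of the three triggers may be enabled; events are held in
    the queue until one of them fires, then the whole queue is handed on.
    """
    every_n_events: Optional[int] = None      # trigger: every N events
    interval_seconds: Optional[float] = None  # trigger: regular timed interval
    started_at: float = 0.0                   # timer origin for the interval trigger
    on_batch: Callable[[Batch], None] = lambda batch: None  # the batch activity
    _queue: Batch = field(default_factory=list)
    _last_flush: float = field(init=False)

    def __post_init__(self) -> None:
        self._last_flush = self.started_at

    def offer(self, event: Event, now: float) -> Optional[Batch]:
        """Called by the upstream streaming activity for every event."""
        self._queue.append(event)
        return self._maybe_flush(now, external=False)

    def tick(self, now: float) -> Optional[Batch]:
        """Timer callback: flushes only if the interval has elapsed."""
        return self._maybe_flush(now, external=False)

    def trigger(self, now: float) -> Optional[Batch]:
        """External trigger (an operator or an upstream completion signal)."""
        return self._maybe_flush(now, external=True)

    def _maybe_flush(self, now: float, external: bool) -> Optional[Batch]:
        if not self._queue:          # nothing queued: no batch to run
            return None
        fire = external
        if self.every_n_events is not None and len(self._queue) >= self.every_n_events:
            fire = True
        if self.interval_seconds is not None and now - self._last_flush >= self.interval_seconds:
            fire = True
        if not fire:
            return None
        batch, self._queue = self._queue, []
        self._last_flush = now
        self.on_batch(batch)
        return batch


def count_by_principal(batch: Batch) -> Dict[str, int]:
    """Batch transform: per-principal event counts (a baseline-building step)."""
    counts: Dict[str, int] = {}
    for ev in batch:
        counts[ev["principal"]] = counts.get(ev["principal"], 0) + 1
    return counts


def make_event(ts: str, source: str, principal: str) -> Event:
    """Constructed event record shared by both streaming sources."""
    return {"ts": ts, "source": source, "principal": principal}


def run_demo() -> List[Dict[str, int]]:
    """Fan-in of an auth-log stream and a netflow stream into one boundary.

    Constructed timeline: three events by t=3 fire the every-N trigger, a
    timer tick at t=13 fires the interval trigger for the two events queued
    since, and an external trigger at t=15 flushes the last one.
    """
    results: List[Dict[str, int]] = []
    boundary = StreamBatchProtocol(
        every_n_events=3, interval_seconds=10.0,
        on_batch=lambda b: results.append(count_by_principal(b)))
    first = [make_event("1", "auth", "alice"), make_event("2", "netflow", "alice"),
             make_event("3", "auth", "bob")]
    for ev in first:
        boundary.offer(ev, now=float(ev["ts"]))     # third event -> every-N fires
    for ev in [make_event("4", "netflow", "bob"), make_event("5", "auth", "carol")]:
        boundary.offer(ev, now=float(ev["ts"]))     # two queued, no trigger yet
    boundary.tick(now=13.0)                          # 13 - 3 >= 10 -> interval fires
    boundary.offer(make_event("14", "auth", "alice"), now=14.0)  # one queued
    boundary.trigger(now=15.0)                       # external trigger fires
    return results


if __name__ == "__main__":
    for i, batch_result in enumerate(run_demo(), 1):
        print(f"batch {i}: {batch_result}")
```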

Conceptual architecture

FIG. 1 is a diagram of an exemplary architecture of an Advanced Cyber Decision Platform (ACDP) 100 according to one aspect. Client access to the system 105 for specific data entry, system control, and interaction with system output such as automated predictive decision making and planning and alternate pathway simulation occurs through the system's distributed, extensible, high-bandwidth cloud interface 110, which uses a versatile, robust web application-driven interface for both input and display of client-facing information via network 107 and operates a data store 112 such as, but not limited to, MONGODB™, COUCHDB™, CASSANDRA™ or REDIS™ depending on the arrangement. Most of the business data analyzed by the system, both from sources within the confines of the client business and from cloud-based sources, also enters the system through the cloud interface 110; the data is passed to the connector module 135, which may possess the API routines 135a needed to accept and convert the external data and then pass the normalized information to the other analysis and transformation components of the system: the directed computational graph module 155, the high-volume web crawler module 115, the multidimensional time series database 120, and the graph stack service 145. The directed computational graph module 155 retrieves one or more streams of data from a plurality of sources, which include but are not limited to a plurality of physical sensors, network service providers, web-based questionnaires and surveys, monitoring of electronic infrastructure, crowd-sourcing campaigns, and human input device information. Within the directed computational graph module 155, data may be split into two identical streams in a specialized pre-programmed data pipeline 155a, wherein one sub-stream may be sent for batch processing and storage while the other sub-stream may be reformatted for transformation pipeline analysis. The data is then transferred to the general transformer service module 160 for linear data transformation as part of analysis, or to the decomposable transformer service module 150 for batch or iterative transformations that are part of analysis. The directed computational graph module 155 represents all data as directed graphs, where the transformations are nodes and the results are messaged between transformations along the edges of the graph. The high-volume web crawler module 115 uses multiple server-hosted pre-programmed web spiders which, while autonomously configured, are deployed within a web scraping framework 115a, of which SCRAPY™ is an example, to identify and retrieve data of interest from web-based sources that are not tagged by conventional web crawling technology. The multidimensional time series data store module 120 may receive streaming data from a large plurality of sensors that may be of several different types. The multidimensional time series data store module may also store any time series data encountered by the system, such as but not limited to enterprise network usage data, component and system logs, performance data, network service information captures such as but not limited to news and financial feeds, and sales and service-related customer data. The module is designed to accommodate irregular and high-volume surges by dynamically allotting network bandwidth and server processing channels to process the incoming data. Including programming wrappers for languages such as, but not limited to, C++, PERL, PYTHON, and ERLANG™ allows sophisticated programming logic to be added to the default functions of the multidimensional time series database 120 without intimate knowledge of the core programming, greatly extending the breadth of function. Data retrieved by the multidimensional time series database 120 and the high-volume web crawler module 115 may be further analyzed and transformed into task-optimized results by the directed computational graph 155 and the associated general transformer service 150 and decomposable transformer service 160 modules. Alternately, data from the multidimensional time series database and the high-volume web crawler modules may be sent, often with scripted cuing information determining important vertices 145a, to the graph stack service module 145, which employs standardized protocols for converting streams of information into graph representations of that data, for example open graph internet technology, although the invention is not reliant on any one standard. Through these steps, the graph stack service module 145 represents data in graphical form influenced by any pre-determined scripted modifications 145a and stores it in a graph-based data store 145b such as GIRAPH™, or in a key-value pair type data store such as REDIS™ or RIAK™, among others, all of which are suitable for storing graph-based information.

The results of the transformative analysis process may then be combined with further client directives, additional business rules and practices relevant to the analysis, and situational information external to the already available data in the automated planning service module 130, which also runs powerful information theory-based 130a predictive statistics functions and machine learning algorithms to allow future trends and outcomes to be rapidly forecast based upon the current system-derived results and the choice of each of a plurality of possible business decisions. Using all available data, the automated planning service module 130 may propose business decisions most likely to result in the most favorable business outcome with a usably high level of certainty. Closely related to the automated planning service module in the use of system-derived results in conjunction with possible externally supplied additional information to assist end-user business decision making, the action outcome simulation module 125, with its discrete event simulator programming module 125a coupled with the end-user-facing observation and state estimation service 140, allows business decision makers to investigate the probable outcomes of choosing one pending course of action over another based upon analysis of the currently available data; the observation and state estimation service 140 is highly scriptable 140b as circumstances require and has a game engine 140a to more realistically stage the possible outcomes of business decisions under consideration.

For example, the information assurance department is notified by the system 100 that principal X is using credential K (a Kerberos principal key) that it has never used before to access service Y. Service Y utilizes these same credentials to access secure data on data store Z. This correctly generates an alert as the suspicious trail later traverses the network, and the multidimensional time series data store 120, programmed to process this data 120a, will, based on continuous baseline network traffic monitoring, recommend the isolation of X and Y and the suspension of K; the network baseline has been rigorously analyzed by the directed computational graph 155 employing its underlying general transformer service module 160 and decomposable transformer service module 150 in conjunction with the AI and primary machine learning capabilities 130a of the automated planning service module 130, which has also received and openly assimilated applicable information from multiple sources through the multi-source connection APIs of the connector module 135. Ad hoc simulations of these communication patterns are run against the baseline by the action outcome simulation module 125 and its discrete event simulator 125a, which is used here to determine the probability space of legitimate possibilities. Based on its data and analysis, the system 100 is able to detect and recommend mitigation of cyberattacks, which present an existing threat to all business operations, at the time of the attack by using the observation and state estimation service 140 to present the information most needed for an actionable plan to human analysts at multiple levels of the mitigation and remediation effort; the observation and state estimation service 140 has also been specifically pre-programmed to handle cybersecurity events 140b.

According to one aspect, the programmed use of the advanced cyber decision platform, in particular of the business operating system, continuously monitors a client enterprise's normal network activity for behaviors such as, but not limited to, the normal users on the network, the resources accessed by each user, the access permissions of each user, machine-to-machine traffic on the network, sanctioned external access to the core network, and administrator access to the network's identity and access management servers, in conjunction with real-time analytics informing knowledge of cyberattack methodology. The system then uses this information for two purposes: first, the system's advanced computational analytics and simulation capabilities are used to provide immediate disclosure of probable digital access points both at the network periphery and within the enterprise's information transformation and trust structure, and to recommend network changes that should be made before or during an attack to harden it. Second, the advanced cyber decision platform continuously monitors the network's traffic types in real time and, by techniques such as deep packet inspection, performs pre-scheduled analysis of significant deviations in user traffic that indicate known cyberattack vectors such as, but not limited to, ACTIVE DIRECTORY™/Kerberos pass-the-ticket attacks, ACTIVE DIRECTORY™/Kerberos pass-the-hash attacks and the related ACTIVE DIRECTORY™/Kerberos overpass-the-hash attacks, ACTIVE DIRECTORY™/Kerberos skeleton key, ACTIVE DIRECTORY™/Kerberos golden and silver ticket attacks, privilege escalation attacks, compromised user credentials, and ransomware disk attacks. When suspicious activity is determined to be at a level indicative of an attack (for example, including but not limited to a skeleton key attack, a pass-the-hash attack, or an attack via compromised user credentials), the system sends activity-focused alert information to all pre-designated parties, particularly those whose roles are suited to attack mitigation or remediation, formatted to provide predictive attack modeling based on historical, current, and contextual attack-progression analysis, so that human decision makers at their level of responsibility can quickly formulate the most effective course of action under the command of the most actionable information with as little distracting data as possible. The system then dispatches defensive measures in the most actionable form to terminate the attack with the least possible damage and compromise. All attack data is permanently stored for later forensic analysis.

FIG. 2 is a flow diagram of an exemplary function of the business operating system in the detection and mitigation of the predetermining factors leading to, and the steps to mitigate, an ongoing cyberattack 200. The system continuously retrieves network traffic data 201, which may be stored and preprocessed by the multidimensional time series data store 120 and its programming wrappers 120a. All captured data is then analyzed to predict the normal usage patterns of network nodes such as internal users, network-connected systems and equipment, and sanctioned users external to the enterprise boundaries such as off-site employees, contractors, and vendors, to name a few possible participants. Naturally, other normal network traffic will be known to those skilled in the art; the list given is not meant to be exclusive, and other possibilities would not fall outside the design of the invention. Analysis of the network traffic may include graphical analysis of parameters such as network item to network usage using specifically developed programming in the graph stack service 145, 145a; analysis of the usage by each network item may be accomplished by specifically pre-developed algorithms associated with the directed computational graph module 155, the general transformer service module 160, and the decomposable service module 150, depending on the complexity of the individual usage profile 201. These usage pattern analyses may then be further analyzed in the automated planning service module 130 in conjunction with additional data concerning the enterprise's network topology, gateway firewall programming, internal firewall configuration, directory service protocols and configuration, and permission profiles for users and for access to sensitive information, to name a few non-exclusive examples, wherein machine learning techniques including but not limited to information theory statistics 130a may be employed, and the action outcome simulation module 125, dedicated to outcome-predictive simulation based on current data 125a, may be applied to formulate a current, up-to-date, and continuously evolving baseline network usage profile 202. This same data may be combined with the latest reports of known cyberattack methods, possibly retrieved from several divergent and external sources through the use of the multi-API-aware connector module 135, to present enterprise decision makers with preventive recommendations for physical and configuration-based changes to the network infrastructure that cost-effectively reduce the probability of a cyberattack and significantly and most cost-effectively mitigate data exposure and loss in the event of an attack 203, 204.

While some of these options may have been partially available in the past as piecemeal solutions, we believe that the capability to intelligently integrate high-volume data from multiple sources and then run outcome-predictive simulation and analysis on that current data, so that actionable, business-practice-efficient recommendations can be presented, is innovative and needed in the art.

Once a comprehensive baseline profile of network usage has been formulated using all available network traffic data, the specifically tasked business operating system continuously polls the incoming traffic data for activities anomalous to that baseline as determined by pre-designated boundaries 205. Examples of anomalous activity may include a user attempting to gain access to several workstations or servers in rapid succession, or a user attempting to gain access to domain servers holding sensitive information using random user IDs or another user's username and password, or an attempt by any user to brute-force a privileged user's password, or the replay of recently issued ACTIVE DIRECTORY™/Kerberos ticket-granting tickets, or the presence of any known exploit on the network or the introduction of known malware into the network, to name just a very small sample of the cyberattack profiles known to those skilled in the art. Predictive and knowledgeable of known exploits, the invention is designed to analyze any anomalous network behavior, formulate the probable outcomes of the behavior, and then issue any needed alerts, regardless of whether the attack follows a published exploit specification or exhibits novel characteristic deviations from normal network practice. Once a probable cyberattack is detected, the system is then designed to deliver the needed information to the responsible parties 206, tailored where possible to each role in mitigating the attack and the damage arising from it 207. This may include the exact subset of information included in the alerts and updates, and the format in which it is presented may be through the enterprise's existing security information and event management system. Subsequently, a network administrator may receive information such as, but not limited to, where on the network the attack is believed to have originated, what systems are believed to be currently affected, predictive information on where the attack may progress, what enterprise information is at risk, and actionable recommendations for repelling the intrusion and mitigating the damage, whereas the chief information security officer may receive alerts including, but not limited to, a timeline of the cyberattack, the services and information believed to be compromised, what actions, if any, have been taken to mitigate the attack, predictions of how the attack may unfold, and recommendations for containing and repelling the attack 207, although all parties may at any time access any network and cyberattack information to which they have been granted access, unless compromise is suspected. Other specifically tailored updates may be issued by the system 206, 207.
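The baseline-deviation checks described in this passage and in the principal X / credential K / service Y scenario earlier on the page, as an added example that is not code from the patent or from Qomplx: a baseline of which credentials each principal has used for which services is learned from a constructed authentication log, then live events are checked for a never-before-seen credential use (with the recommendation to isolate the principal and service and suspend the credential), for access to several hosts in rapid succession, and for repeated failures against a privileged account. The key=value log format, names, and thresholds are my own constructions.

```python
"""Baseline learning and anomaly detection over Kerberos-style auth events
(added example). Alerts are returned as dicts so a SIEM or report can
consume them; nothing here acts on the network.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

Event = Dict[str, str]

# Constructed sample logs: one authentication event per line, key=value pairs.
BASELINE_LOG = """
ts=100 principal=X cred=K1 service=FILESRV host=WS1 result=OK
ts=160 principal=X cred=K1 service=FILESRV host=WS1 result=OK
ts=220 principal=X cred=K1 service=MAIL host=WS1 result=OK
ts=300 principal=svc_backup cred=K9 service=BACKUP host=DB1 result=OK
ts=360 principal=admin cred=K7 service=AD host=DC1 result=OK
"""

LIVE_LOG = """
ts=1000 principal=X cred=K1 service=FILESRV host=WS1 result=OK
ts=1005 principal=X cred=K service=Y host=WS1 result=OK
ts=1010 principal=svc_backup cred=K9 service=BACKUP host=DB1 result=OK
ts=1015 principal=svc_backup cred=K9 service=BACKUP host=WS2 result=OK
ts=1020 principal=svc_backup cred=K9 service=BACKUP host=WS3 result=OK
ts=1030 principal=admin cred=K7 service=AD host=WS4 result=FAIL
ts=1031 principal=admin cred=K7 service=AD host=WS4 result=FAIL
ts=1032 principal=admin cred=K7 service=AD host=WS4 result=FAIL
ts=1033 principal=admin cred=K7 service=AD host=WS4 result=FAIL
ts=1034 principal=admin cred=K7 service=AD host=WS4 result=FAIL
"""


def parse_log(text: str) -> List[Event]:
    """Parse the constructed key=value format; events are returned in time order."""
    events = [dict(kv.split("=", 1) for kv in line.split())
              for line in text.strip().splitlines()]
    return sorted(events, key=lambda e: int(e["ts"]))


class Baseline:
    """Normal-usage profile: the (credential, service) pairs each principal has used."""

    def __init__(self) -> None:
        self.cred_use: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)

    def learn(self, events: List[Event]) -> None:
        for ev in events:
            if ev["result"] == "OK":            # only successful use defines normal
                self.cred_use[ev["principal"]].add((ev["cred"], ev["service"]))


def detect(baseline: Baseline, events: List[Event], hosts_threshold: int = 3,
           window: int = 60, fail_threshold: int = 5) -> List[Dict[str, str]]:
    """Poll events against the baseline and return one alert per anomaly found."""
    alerts: List[Dict[str, str]] = []
    raised: Set[Tuple[str, str]] = set()               # one alert per (kind, principal)
    hosts: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
    fails: Dict[str, Deque[int]] = defaultdict(deque)
    for ev in events:
        ts, p = int(ev["ts"]), ev["principal"]
        # 1) Credential never used by this principal for this service: the X / K / Y case.
        known = baseline.cred_use.get(p, set())
        if ev["result"] == "OK" and (ev["cred"], ev["service"]) not in known:
            alerts.append({"kind": "new_credential_use", "ts": ev["ts"], "principal": p,
                           "cred": ev["cred"], "service": ev["service"],
                           "recommend": f"isolate {p} and {ev['service']}; suspend {ev['cred']}"})
        # 2) Several distinct hosts reached within the window: rapid-succession access.
        q = hosts[p]
        q.append((ts, ev["host"]))
        while ts - q[0][0] > window:
            q.popleft()
        if len({h for _, h in q}) >= hosts_threshold and ("rapid", p) not in raised:
            raised.add(("rapid", p))
            alerts.append({"kind": "rapid_succession", "ts": ev["ts"], "principal": p,
                           "hosts": ",".join(sorted({h for _, h in q}))})
        # 3) Repeated failures against one account within the window: brute force.
        if ev["result"] == "FAIL":
            f = fails[p]
            f.append(ts)
            while ts - f[0] > window:
                f.popleft()
            if len(f) >= fail_threshold and ("brute", p) not in raised:
                raised.add(("brute", p))
                alerts.append({"kind": "brute_force", "ts": ev["ts"], "principal": p,
                               "failures": str(len(f))})
    return alerts


def run_example() -> List[Dict[str, str]]:
    """Learn from BASELINE_LOG, then detect over LIVE_LOG."""
    baseline = Baseline()
    baseline.learn(parse_log(BASELINE_LOG))
    return detect(baseline, parse_log(LIVE_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```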

FIG. 3 is a flow diagram of the general flow 300 of business operating system functions for mitigating cyberattacks. Incoming network data may be passed 315 to the business operating system 310 for analysis as part of its cybersecurity function; the incoming network data may include network flow patterns 321, the source and destination of each piece of measurable network traffic 322, system logs from servers and workstations on the network 323, endpoint data 323a, any security event log data from servers or available security information and event management (SIEM) systems 324, external threat intelligence feeds 324a, identity or assessment context 325, external network health or cybersecurity feeds 326, Kerberos domain controller or ACTIVE DIRECTORY™ server logs or instrumentation 327, and business unit performance-related data 328, among many other possible data types that the invention is designed to analyze and integrate. These multiple types of data from a plurality of sources may be transformed for analysis 311, 312 using at least one of the specialized cybersecurity, risk estimation, or common functions of the business operating system in its role as a cybersecurity system, such as but not limited to network and system user privilege oversight 331, network and system user behavior analytics 332, attacker and defender action timeline 333, SIEM integration and analysis 334, dynamic benchmarking 335, and incident identification and resolution performance analytics 336, among other possible cybersecurity functions; value-at-risk (VAR) modeling and simulation 341, anticipatory versus reactive cost estimation of different types of data breaches to establish priorities 342, work factor analysis 343, and cyber event discovery rate 344, as part of the system's risk analytics capabilities; and the capability to format and deliver customized reports and dashboards 351, perform general and particularly ad hoc data analytics 352, continuously monitor, process, and explore incoming data for subtle changes or diffuse informational threats 353, and generate cyber-physical system graphs 354, as part of the business operating system's common capabilities. The output 317 may be used to configure network gateway security appliances 361, help prevent network intrusion through predictive changes to infrastructure recommendations 362, alert an enterprise to an ongoing cyberattack early in the attack cycle, possibly thwarting it but at least mitigating the damage 362, record compliance with standardized guidelines or SLA requirements, continuously probe the existing network infrastructure and issue alerts about any changes that may make a breach more likely 364, propose solutions to any domain controller ticketing weaknesses detected 365, detect the presence of malware 366, and perform vulnerability scans once or continuously depending on client directives 367. Naturally, these examples are only a subset of the possible uses of the system; they are exemplary in nature and do not reflect any boundaries of the capabilities of the invention.

图4是用于将网络攻击信息分段至合适的公司团体的方法400的流程图。如之前所公开的,先进网络决策平台的强度之一200、351能够为特殊听众精确地定制报告和仪表板,同时地是合适的。该定制由于商业操作系统的一部分致力于特殊地编程以输出展示而是可能的,其模块包括具有其游戏引擎140a和脚本解释器140b的观察和状态评估服务140。在网络安全的设置中,专用警报、更新和报告的发布可以极大地帮助以最及时方式完成正确的减缓动作,而同时保持以预设的合适的粒度而通知所有参与者。一旦由系统401检测到网络攻击,分析与正在进行的攻击和现有网络安全知识相关的所有可应用信息,包括通过近似实时预测模拟402以开发当前事件的最精确鉴定和关于攻击可以进展何处以及可以如何减缓其的可动作推荐。总体产生的信息通常比执行它们减缓任务所需的任何一个群组更多。在这点上,在网络攻击期间,提供单个扩张且总括的警报、仪表板图像、或报告可以使得由每个参与者对决定性信息的识别和动作更困难,因此聚焦网络安全的设置可以创建多重目标信息流,每个在攻击期间遍及企业同时地设计以产生最快速和有效的动作,并发布具有可以导致以后长期改变的信息的跟踪报告和推荐。可以接收专用信息流的群组的示例包括但不限于在攻击期间的前线应答者404,在攻击期间和之后的事件法庭支持405,主信息安全官406,以及主风险官407,信息发送至聚焦的两后者以评估总损害并在攻击之后实施减缓策略和防御性改变。前线应答者可以使用网络决策平台的特殊发送至它们的已分析、已变换和已校正信息404a以探测攻击的范围,隔离该事物如:预测攻击者至企业网络上的进入点,涉及的系统或攻击的预测最终目标,且可以使用系统的模拟性能以调查以最高效方式成功地结束攻击并击退攻击者的调查备选方法,尽管对于本领域技术人员已知的许多其他查询也可由本发明答复。模拟运行也可以包括任何攻击减缓动作对于企业的IT系统和公司用户的正常和临界工作的预测性效果。类似地,主信息安全官可以使用网络决策平台以预测地分析406a什么公司信息已经被泄密,预测地模拟已经或尚未泄密的攻击的最终信息目标以及攻击现在和近期未来可以实现的总影响以保护该信息。进一步,在攻击的追溯法庭检查期间,法庭应答者可以使用网络决策平台405a以清晰并完整地通过预测模拟和大容量数据分析映射网络基础结构的范围。法庭分析者也可以使用平台的性能以采用渗透企业的子网和服务器所用的方法执行攻击进展的时序和基础结构空间分析。此外,主风险官将执行什么信息407a被盗的分析并预测模拟随着时间进展盗窃者对于企业意味着什么。额外地,可以利用系统的预测性能以帮助创建改变IT基础结构的计划,这可以使得在公司现场有限的企业预算约束之下对于网络安全风险矫正最佳以便于最大化金融结果。4 is a flowchart of a method 400 for segmenting cyber attack information to appropriate corporate groups. As previously disclosed, one of the strengths of the Advanced Web Decision Platform 200, 351 is capable of precisely customizing reports and dashboards for specific audiences, while being appropriate. This customization is possible because a portion of the commercial operating system is dedicated to being specially programmed to output the presentation, the modules of which include the observation and state evaluation service 140 with its game engine 140a and script interpreter 140b. 
In a cybersecurity setting, the publication of dedicated alerts, updates, and reports can greatly assist in accomplishing the right mitigation actions in the most timely manner, while keeping all participants informed at a preset appropriate granularity. Once a cyber attack is detected by the system 401, analyze all applicable information related to the ongoing attack and existing cyber security knowledge, including through near real-time predictive simulation 402 to develop the most accurate identification of current events and where the attack can progress And actionable recommendations on how you can slow it down. The aggregates generally produce more information than any one group needs to perform their mitigation tasks. In this regard, during a cyber-attack, providing a single augmented and aggregated alert, dashboard image, or report can make identification and action on decisive information more difficult by each actor, so a cybersecurity-focused setting can create multiple Targeted information flows, each designed simultaneously throughout the enterprise during an attack to produce the most rapid and effective action, and to publish tracking reports and recommendations with information that can lead to long-term changes later. Examples of groups that may receive a dedicated stream of information include, but are not limited to, Frontline Responders 404 during an attack, Incident Court Support 405 during and after an attack, Primary Information Security Officer 406, and Primary Risk Officer 407, information sent to Spotlight of both the latter to assess total damage and implement mitigation strategies and defensive changes following an attack. 
Front responders can use the special analyzed, transformed and corrected information 404a sent to them by the network decision platform to detect the scope of the attack, isolate such things as: predict the attacker's entry point on the enterprise network, the systems involved or The predicted ultimate goal of the attack, and the simulated performance of the system can be used to investigate alternative methods of investigation to successfully end the attack and repel the attacker in the most efficient manner, although many other queries known to those skilled in the art may be used by the present invention reply. The simulation run may also include the predictive effect of any attack mitigation actions on the normal and critical work of the enterprise's IT systems and the company's users. Similarly, CISOs can use the Cyber Decision Platform to predictively analyze 406a what company information has been compromised, predictively model the ultimate information goals of attacks that have or have not been compromised, and the total impact of attacks that can be achieved now and in the near future to protect the information. Further, during retrospective forensic examination of an attack, forensic responders can use the network decision platform 405a to map the scope of the network infrastructure through predictive simulations and high-volume data analysis with clarity and integrity. Forensic analysts can also use the platform's capabilities to perform time-series and infrastructure-space analysis of attack progression in the same way that it was used to infiltrate an enterprise's subnets and servers. In addition, the master risk officer will perform an analysis of what information 407a is stolen and predict what the thief will mean to the business over time. 
Additionally, the system's predictive capabilities can be leveraged to help create plans for changing the IT infrastructure that optimize cybersecurity risk remediation within the limited budget constraints of the corporate site, so as to maximize financial outcomes.

FIG. 5 is an exemplary architecture diagram of a system for rapid predictive analysis of very large data sets using an actor-driven distributed computational graph (DCG) 500, according to one aspect. According to the aspect, the DCG 500 may comprise a pipeline orchestrator 501, which may be used to perform a wide variety of data transformation functions on data within a processing pipeline, and may be used with a messaging system 510 that enables communication using any number of services and protocols, relaying messages and, where needed for interoperability with external systems, transforming them into protocol-specific API system calls (rather than requiring a particular protocol or service to be integrated into the DCG 500).

The pipeline orchestrator 501 may spawn a plurality of sub-pipeline clusters 502a-b, which may be used as dedicated workers for pipeline parallelization. In some arrangements, an entire data processing pipeline may be passed to a sub-cluster 502a for processing, rather than a single processing task, so that each sub-cluster 502a-b handles a whole data pipeline in a dedicated fashion, maintaining isolated processing of different pipelines on different cluster nodes 502a-b. The pipeline orchestrator 501 may provide a software API for starting, stopping, submitting, or saving pipelines. When a pipeline is started, the pipeline orchestrator 501 may send pipeline information to the applicable worker nodes 502a-b, for example using an AKKA™ cluster. For each pipeline initialized by the pipeline orchestrator 501, a reporting object with status information may be maintained. Streaming activities may report the time of the last event processed and the number of events processed. Batch activities may report status messages as they occur. The pipeline orchestrator 501 may perform batch caching using, for example, an IGFS™ cache file system. This allows activities 512a-d within a pipeline 502a-b to pass data contexts to one another, with any necessary parameter configuration.

A pipeline manager 511a-b may be spawned for each newly running pipeline, and may be used to send activity, status, lifetime, and event count information to the pipeline orchestrator 501. Within a particular pipeline, a plurality of activity actors 512a-d may be created by a pipeline manager 511a-b to handle individual tasks and provide output to data services 522a-d. The data model used in a given pipeline may be determined by the particular pipeline and activities, as directed by the pipeline manager 511a-b. Each pipeline manager 511a-b controls and directs the operation of any activity actors 512a-d it has spawned. A pipeline process may need to coordinate streaming data between tasks. For this purpose, a pipeline manager 511a-b may spawn service connectors to dynamically create TCP connections between activity instances 512a-d. A data context may be maintained for each individual activity 512a-d, and may be cached so that it can be provided to other activities 512a-d as needed. A data context defines how an activity accesses information, and an activity 512a-d may process the data or simply forward it to the next step. Forwarding data between pipeline steps may route the data through a streaming context or a batch context.

A client service cluster 530 may operate a plurality of service actors 521a-d to serve the requests of activity actors 512a-d, ideally maintaining enough service actors 521a-d to support each activity of each service type. These may also be arranged within service clusters 520a-d, in a manner similar to the logical organization of activity actors 512a-d within the clusters 502a-b of a data pipeline. A logging service 530 may be used to log and sample DCG requests and messages during operation, while a notification service 540 may be used to receive alerts and other notifications during operation (for example, alarm errors, which may then be diagnosed by reviewing the records from the logging service 530); through an external connection to the messaging system 510, logging and notification services may be added, removed, or modified during operation without affecting the DCG 500. A plurality of DCG protocols 550a-b may be used to provide structured messaging between the DCG 500 and the messaging system 510, or to enable the messaging system 510 to distribute DCG messages across the service clusters 520a-d as shown. A service protocol 560 may be used to define service interactions so that the DCG 500 may be modified without affecting the service implementations.
In this manner, it can be appreciated that the overall structure of a system using the actor-driven DCG 500 operates in a modular fashion, enabling individual components to be modified and replaced without affecting other operations or requiring additional reconfiguration.

FIG. 6 is an exemplary architecture diagram of a system for rapid predictive analysis of very large data sets using an actor-driven distributed computational graph 500, according to one aspect. According to the aspect, a variant messaging arrangement may utilize the messaging system 510 as a message broker: using a streaming protocol 610, messages are sent and received immediately through the messaging system 510 acting as broker, bridging communication between service actors 521a-b as needed. Alternatively, individual services 522a-b may communicate directly in a batch context 620, using a data context service 630 as a broker to batch and relay messages between the services 522a-b.

FIG. 7 is an exemplary architecture diagram of a system for rapid predictive analysis of very large data sets using an actor-driven distributed computational graph 500, according to one aspect. According to the aspect, a variant messaging arrangement may utilize a service connector 710 as a central message broker between a plurality of service actors 521a-b, bridging messages in the streaming context 610, while the data context service 630 continues to provide direct point-to-point messaging between individual services 522a-b in the batch context 620.

It should be appreciated that various combinations and arrangements of the system variants described above (referring to FIGS. 1-7) are possible, for example using one particular messaging arrangement for one data pipeline directed by a pipeline manager 511a-b, while another pipeline may utilize a different messaging arrangement (or may not utilize messaging at all). In this manner, a single DCG 500 and pipeline orchestrator 501 may operate individual pipelines in whatever way best suits their particular needs, the modular design described above with reference to FIG. 5 making such dynamic arrangements possible.
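The orchestrator, per-pipeline manager, activity actors, data contexts, and reporting objects described with reference to FIGS. 5-7 can be modelled in a few dozen lines. The following is an added illustrative example, not code from the patent or from the assignee's product; the class names, the "stream"/"batch" mode flag, and the constructed connection records are all assumptions made for the example. It shows the data context being handed from actor to actor, streaming-style event counters versus batch-style status messages, and two pipelines kept isolated under one orchestrator:

```python
"""Illustrative model of an actor-driven DCG (added example; names are assumptions)."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List
import time


@dataclass
class DataContext:
    """Carries records between activities; mode selects a streaming or batch context."""
    mode: str                                   # "stream" or "batch"
    records: List[Any] = field(default_factory=list)
    params: Dict[str, Any] = field(default_factory=dict)


@dataclass
class ReportObject:
    """Status the orchestrator keeps per pipeline: state, event count, last event time."""
    name: str
    state: str = "created"
    events_processed: int = 0
    last_event_time: float = 0.0
    messages: List[str] = field(default_factory=list)


class ActivityActor:
    """One processing step (cf. 512a-d): transforms each record, or forwards it unchanged."""

    def __init__(self, name: str, fn: Callable[[Any], Any] = lambda r: r):
        self.name, self.fn = name, fn

    def handle(self, ctx: DataContext, report: ReportObject) -> DataContext:
        out = DataContext(ctx.mode, params=dict(ctx.params))
        for rec in ctx.records:
            out.records.append(self.fn(rec))
            report.events_processed += 1        # streaming activities report counts and times
            report.last_event_time = time.time()
        if ctx.mode == "batch":                 # batch activities report status messages
            report.messages.append(f"{self.name}: batch of {len(ctx.records)} records done")
        return out


class PipelineManager:
    """Spawned per running pipeline (cf. 511a-b); owns and drives its activity actors."""

    def __init__(self, steps: List[ActivityActor]):
        self.steps = steps

    def run(self, ctx: DataContext, report: ReportObject) -> DataContext:
        for actor in self.steps:
            ctx = actor.handle(ctx, report)     # the data context is passed step to step
        return ctx


class PipelineOrchestrator:
    """Start/status API (cf. 501). Each pipeline gets its own manager and report object,
    so one pipeline's state never leaks into another's."""

    def __init__(self) -> None:
        self.reports: Dict[str, ReportObject] = {}

    def start(self, name: str, steps: List[ActivityActor], ctx: DataContext) -> DataContext:
        report = ReportObject(name, state="running")
        self.reports[name] = report
        result = PipelineManager(steps).run(ctx, report)
        report.state = "finished"
        return result

    def status(self, name: str) -> ReportObject:
        return self.reports[name]


def run_demo() -> Dict[str, Any]:
    """Two independent pipelines: a streaming normalizer and a batch enrichment job."""
    orch = PipelineOrchestrator()
    # Constructed input: raw connection events as "src,dst,bytes" strings.
    raw = ["10.0.0.5,10.0.1.9,1200", "10.0.0.7,10.0.1.9,80", "10.0.0.5,10.0.2.2,64000"]
    parse = ActivityActor("parse", lambda s: dict(zip(("src", "dst", "bytes"), s.split(","))))
    to_int = ActivityActor("to_int", lambda r: {**r, "bytes": int(r["bytes"])})
    stream_out = orch.start("normalize", [parse, to_int], DataContext("stream", raw))

    flag_big = ActivityActor("flag_big", lambda r: {**r, "big": r["bytes"] > 10_000})
    batch_out = orch.start("enrich", [flag_big], DataContext("batch", stream_out.records))

    return {
        "stream_events": orch.status("normalize").events_processed,
        "batch_events": orch.status("enrich").events_processed,
        "batch_messages": orch.status("enrich").messages,
        "big_flows": [r["dst"] for r in batch_out.records if r["big"]],
    }


if __name__ == "__main__":
    print(run_demo())
```

The real system would run the actors on separate cluster nodes with messages carried by the messaging system 510; the synchronous loop here stands in for that transport so the structure can be read in one place.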

DETAILED DESCRIPTION OF EXEMPLARY ASPECTS

FIG. 8 is a flow diagram of an exemplary method 800 for cybersecurity behavioral analysis, according to one aspect. According to the aspect, behavioral analysis may utilize passive information feeds from a plurality of existing endpoints (for example, including but not limited to user activity on the network, network performance, or device behavior) to produce security solutions. In an initial step 801, a web crawler 115 may passively collect activity information, which may then be processed 802 using the DCG 155 to analyze behavioral patterns. Based on this initial analysis, anomalous behavior may be identified 803 (for example, based on a threshold of deviation from an established pattern or trend), such as high-risk users or malicious software operators such as bots. These anomalous behaviors may then be used 804 to analyze potential attack angles, and security recommendations may then be produced 805 based on this second-level analysis and on predictions produced by the action outcome simulation module 125, which determine the likely effects of the proposed changes. The recommended actions may then be implemented automatically 806 if desired. Passive monitoring 801 may continue, collecting information after a new security solution has been implemented 806, so that machine learning improves operation over time as the relationships between security changes and the observed behaviors and threats are observed and analyzed.

This method 800 for behavioral analysis enables proactive and rapidly reactive defensive capabilities against a variety of cyber attack threats, including anomalous human behavior as well as non-human "bad actors" such as automated software bots that may probe for and then exploit existing vulnerabilities. Using automated behavioral learning in this manner provides a far more responsive solution than manual intervention, enabling rapid response to threats to mitigate any potential impact. Augmenting the approach with machine-learned behaviors further provides proactive behavior that is not possible with a simple automated approach that only reacts to threats once they occur.
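Steps 802-805 of method 800, worked through on constructed data as an added example (not the patent's code): a per-user baseline is built from an established pattern, a deviation threshold flags volume anomalies, a cadence check separates machine-driven sessions from human ones, and each finding is mapped to a candidate mitigation. The user names, the daily-volume and timestamp samples, the z-score threshold `k`, and the coefficient-of-variation limit `max_cv` are all assumptions made for the example.

```python
"""Behavioral anomaly detection over constructed activity data (added example)."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed baseline: daily outbound MB per user over an "established pattern" of seven days.
HISTORY: Dict[str, List[float]] = {
    "alice": [120, 130, 110, 125, 135, 115, 128],
    "bob": [300, 280, 310, 295, 305, 290, 300],
    "svc-backup": [900, 900, 900, 900, 900, 900, 900],
}
# Constructed observation for the current day.
TODAY: Dict[str, float] = {"alice": 128, "bob": 2400, "svc-backup": 900}

# Constructed request timestamps (seconds) per session: human jitter versus machine cadence.
SESSIONS: Dict[str, List[float]] = {
    "alice": [0.0, 7.2, 19.5, 23.1, 41.8, 55.0, 62.3],
    "crawler-7": [0.0, 2.0, 4.0, 6.0, 8.0, 10.0, 12.0],
}


def volume_anomalies(history: Dict[str, List[float]], today: Dict[str, float],
                     k: float = 3.0, floor: float = 1.0) -> Dict[str, float]:
    """Step 803: flag users whose volume deviates more than k standard deviations from
    their own baseline. `floor` keeps a constant baseline (sigma = 0) from dividing by zero."""
    flagged: Dict[str, float] = {}
    for user, value in today.items():
        past = history.get(user)
        if not past:
            continue                    # no established pattern yet: nothing to compare against
        mu, sigma = mean(past), max(pstdev(past), floor)
        z = (value - mu) / sigma
        if abs(z) > k:
            flagged[user] = round(z, 1)
    return flagged


def bot_like_sessions(sessions: Dict[str, List[float]], max_cv: float = 0.1,
                      min_requests: int = 5) -> List[str]:
    """Step 803 (non-human actors): a near-constant inter-request interval (coefficient of
    variation below max_cv) is treated as machine-driven rather than human."""
    bots: List[str] = []
    for who, ts in sessions.items():
        if len(ts) < min_requests:
            continue                    # too few requests to judge cadence
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
        if cv < max_cv:
            bots.append(who)
    return bots


def recommendations(volume_flags: Dict[str, float], bots: List[str]) -> List[Tuple[str, str, str]]:
    """Steps 804-805: map each anomaly to a candidate mitigation; in the full method the
    simulation module would score these before step 806 applies any of them automatically."""
    recs: List[Tuple[str, str, str]] = []
    for user, z in volume_flags.items():
        recs.append((user, f"egress volume z={z}", "require re-authentication and rate-limit egress"))
    for who in bots:
        recs.append((who, "machine-regular request cadence", "challenge or block source; review for credential misuse"))
    return recs


if __name__ == "__main__":
    for rec in recommendations(volume_anomalies(HISTORY, TODAY), bot_like_sessions(SESSIONS)):
        print(rec)
```

The constant `svc-backup` baseline is the edge case worth noting: without the `floor`, any change at all would divide by zero, and with it the account is judged on absolute deviation, which is the right behaviour for a service account with a fixed schedule.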

FIG. 9 is a flow diagram of an exemplary method 900 for measuring the effects of a cybersecurity attack, according to one aspect. According to the aspect, an impact assessment of an attack may be measured using the DCG 155 to analyze user accounts and identify their access capabilities 901 (for example, what files, directories, devices, or domains an account can access). This may then be used to produce 902 an impact assessment score for the account, representing the potential risk should the account be compromised. In the event of an incident, the impact assessment scores of any compromised accounts may be used to produce a "blast radius" calculation 903, precisely identifying which resources are at risk as a result of the intrusion and where security personnel should focus their attention. To provide proactive security recommendations through the simulation module 125, simulated intrusions may be run 904 to identify potential blast radius calculations for various attacks and to determine 905 high-risk accounts or resources, so that security can be improved in those critical areas rather than focusing on reactive solutions.
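Steps 901-905 of method 900 on a constructed directory, as an added example (not the patent's code). The access graph is a small set of account-to-group, group-to-resource, and resource-to-resource relationships, and the per-resource weights are assumed values standing in for business impact; the function names are likewise assumptions. The point it makes that the paragraph alone does not is that a service account holding no administrative group can still carry the largest blast radius once resource-to-resource links (a build host that stores deployment keys) are followed:

```python
"""Impact assessment and blast radius over a constructed access graph (added example)."""
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

# Constructed directory and infrastructure relationships.
ACCOUNT_GROUPS: Dict[str, List[str]] = {
    "alice": ["staff"],
    "bob": ["staff", "db-admins"],
    "svc-ci": ["ci"],
}
GROUP_RESOURCES: Dict[str, List[str]] = {
    "staff": ["fileshare"],
    "db-admins": ["db-prod"],
    "ci": ["build-host"],
}
# Resource-to-resource reachability, e.g. a host that stores credentials for another system.
RESOURCE_LINKS: Dict[str, List[str]] = {
    "build-host": ["deploy-keys"],
    "deploy-keys": ["db-prod"],
}
# Constructed business-impact weight per resource.
RESOURCE_WEIGHT: Dict[str, int] = {"fileshare": 2, "db-prod": 10, "build-host": 4, "deploy-keys": 8}


def access_capabilities(account: str) -> Set[str]:
    """Step 901: everything an account can reach, directly or through linked resources."""
    start = [r for g in ACCOUNT_GROUPS.get(account, []) for r in GROUP_RESOURCES.get(g, [])]
    seen: Set[str] = set()
    queue = deque(start)
    while queue:                        # breadth-first walk over resource links
        res = queue.popleft()
        if res in seen:
            continue
        seen.add(res)
        queue.extend(RESOURCE_LINKS.get(res, []))
    return seen


def impact_score(account: str) -> int:
    """Step 902: weighted sum of reachable resources = potential loss if the account is compromised."""
    return sum(RESOURCE_WEIGHT.get(r, 1) for r in access_capabilities(account))


def blast_radius(compromised: Iterable[str]) -> Tuple[Set[str], int]:
    """Step 903: union of what a set of compromised accounts can reach, with its total weight."""
    reach: Set[str] = set()
    for acct in compromised:
        reach |= access_capabilities(acct)
    return reach, sum(RESOURCE_WEIGHT.get(r, 1) for r in reach)


def simulate_single_compromises() -> List[Tuple[str, int]]:
    """Steps 904-905: simulate each account being compromised alone and rank by impact."""
    return sorted(((a, impact_score(a)) for a in ACCOUNT_GROUPS), key=lambda t: -t[1])


if __name__ == "__main__":
    for acct, score in simulate_single_compromises():
        print(f"{acct:8} impact={score:3} reaches={sorted(access_capabilities(acct))}")
```

A production implementation would draw the same three relationship types from the directory and the CPG rather than from literals, and would simulate compromises of account sets rather than single accounts, but the ranking logic is unchanged.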

FIG. 10 is a flow diagram of an exemplary method 1000 for continuous cybersecurity monitoring and exploration, according to one aspect. According to the aspect, the state observation service 140 may receive data from various connected systems 1001 such as (for example, including but not limited to) servers, domains, databases, or user directories. This information may be received continuously, passively collecting events and monitoring activity over time, while the collected information is fed 1002 into the graphing service 145 for use in producing a time-series graph 1003 of state and its changes over time. This time-series data may then be used to produce a visualization 1004 of changes over time, quantifying the collected data into a meaningful and understandable format. As new events are recorded, such as changes to user roles or permissions, modifications to servers or data structures, or other changes within the security infrastructure, these events are automatically included in the time-series data and the visualization is updated accordingly, providing live monitoring of information health in a manner that highlights meaningful data without losing detail because of the number of data points being examined.

FIG. 11 is a flow diagram of an exemplary method 1100 for mapping a cyber-physical graph (CPG), according to one aspect. According to the aspect, a cyber-physical graph may comprise a visualization of the hierarchies and relationships between devices and resources in a security infrastructure, placing security information in the context of physical device relationships that is readily understood by security personnel and users. In an initial step 1101, behavioral analysis information (as described above with reference to FIG. 8) may be received at the graphing service 145 for inclusion in the CPG. In a next step 1102, impact assessment scores (as described above with reference to FIG. 9) may be received and included in the CPG information, adding risk assessment context to the behavioral information. In a next step 1103, time-series information may be received and included (as described above with reference to FIG. 10), updating the CPG information as changes occur and events are logged. This information may then be used to produce 1104 a visualization of users, servers, devices, and other resources that associates physical relationships (such as a user's personal computer or smartphone, or the physical connections between servers) with logical relationships (such as access privileges or database connections), producing a meaningful and contextualized visualization of the security infrastructure that reflects the current state of the internal relationships existing within it.

FIG. 12 is a flow diagram of an exemplary method 1200 for continuous cyber resilience scoring, according to one aspect. According to the aspect, a baseline score may be used to measure the overall risk level of a network infrastructure, and may be compiled by first collecting 1201 information on publicly disclosed vulnerabilities, for example using the Internet or the Common Vulnerabilities and Exposures (CVE) process. This information may then be included 1201 in a CPG as described above with reference to FIG. 11, and the combined data of the CPG and known vulnerabilities may then be analyzed 1203 to identify relationships between known vulnerabilities and the risks exposed by infrastructure components. This produces a combined CPG 1204 that includes the internal risk levels of network resources, user accounts, and devices, together with actual risk levels based on the analysis of known vulnerabilities and security risks.
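Steps 1201-1204 of method 1200 on constructed data, as an added example (not the patent's code). The component inventory stands in for the CPG, with the exposure context (internet-facing or not, number of accounts with access) drawn from the graph; the vulnerability feed uses placeholder identifiers, not real CVE numbers; and the scoring weights, the 0-100 baseline scale, and the function names are assumptions made for the example. The practical detail it carries is the version matching: versions must be compared numerically, since a string comparison would rank "1.9" above "1.18".

```python
"""Resilience baseline from known vulnerabilities joined with CPG exposure (added example).
Vulnerability identifiers below are placeholders, not real CVE numbers."""
from typing import Dict, List, Tuple

# Constructed CPG component inventory with exposure context from the graph.
COMPONENTS: List[Dict] = [
    {"id": "web-1", "product": "nginx", "version": "1.18.0", "internet_facing": True, "accounts": 3},
    {"id": "db-prod", "product": "postgresql", "version": "12.4", "internet_facing": False, "accounts": 2},
    {"id": "build-host", "product": "jenkins", "version": "2.263", "internet_facing": False, "accounts": 5},
    {"id": "web-2", "product": "nginx", "version": "1.21.0", "internet_facing": True, "accounts": 3},
]
# Constructed public vulnerability feed (step 1201); "fixed_in" is the first non-vulnerable version.
VULNS: List[Dict] = [
    {"id": "PLACEHOLDER-VULN-1", "product": "nginx", "fixed_in": "1.19.0", "cvss": 7.5},
    {"id": "PLACEHOLDER-VULN-2", "product": "jenkins", "fixed_in": "2.264", "cvss": 9.8},
    {"id": "PLACEHOLDER-VULN-3", "product": "postgresql", "fixed_in": "12.3", "cvss": 8.1},
]


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric tuple so that '1.18.0' < '1.19.0' compares correctly (string compare would not)."""
    return tuple(int(p) for p in v.split("."))


def match_vulnerabilities(component: Dict) -> List[Dict]:
    """Step 1203: known vulnerabilities that apply to this component's product and version."""
    return [v for v in VULNS
            if v["product"] == component["product"]
            and version_key(component["version"]) < version_key(v["fixed_in"])]


def exposure_factor(component: Dict) -> float:
    """Exposure drawn from the CPG: internet-facing counts double; each account with access adds 10%."""
    return (2.0 if component["internet_facing"] else 1.0) * (1 + 0.1 * component["accounts"])


def component_risk(component: Dict) -> float:
    """Step 1203: actual risk = worst matched severity scaled by the component's exposure."""
    worst = max((v["cvss"] for v in match_vulnerabilities(component)), default=0.0)
    return round(worst * exposure_factor(component), 1)


def resilience_baseline() -> Tuple[float, Dict[str, float]]:
    """Step 1204: per-component actual risk plus an overall baseline on a 0-100 scale
    (100 means no matched vulnerability anywhere; the worst case for every component is CVSS 10)."""
    risks = {c["id"]: component_risk(c) for c in COMPONENTS}
    max_possible = sum(10.0 * exposure_factor(c) for c in COMPONENTS)
    score = round(100 * (1 - sum(risks.values()) / max_possible), 1)
    return score, risks


if __name__ == "__main__":
    print(resilience_baseline())
```

Because the baseline is recomputed from the feed and the inventory, re-running it after the feed changes (a new disclosure) or after the CPG changes (a component moved behind a proxy) is what makes the scoring continuous.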

FIG. 13 is a flow diagram of an exemplary method 1300 for cybersecurity privilege oversight, according to one aspect. According to the aspect, time-series data may be collected 1301 (as described above with reference to FIG. 10) for user accounts, credentials, directories, and other user-based privilege and access information. This data may then be analyzed 1302 to identify changes over time that could affect security, such as modified user access privileges or newly added users. The results of the analysis may be checked 1303 against the CPG (as described above with reference to FIG. 11) to compare and correlate user directory changes with the actual infrastructure state. This comparison may be used to perform an accurate and context-enhanced user directory audit 1304 that identifies not only current user credentials and other user-specific information, but also how that information has changed over time and how the user information relates to the actual infrastructure (for example, a credential that grants access to a device may thereby implicitly grant additional access because of device relationships that are not apparent from the user directory alone).
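The time-series recording of method 1000 (FIG. 10) and steps 1301-1304 of method 1300 share one mechanism, so a single added example (not the patent's code) serves both: directory change events are kept as an ordered time series, any past state is reconstructed by replaying them, two points in time are diffed for privilege-relevant changes, and the current state is audited against a CPG fragment that records which resources a device can reach. The event format, the user and device names, the device-to-resource mapping, and the function names are assumptions made for the example. The case it illustrates is the one the paragraph ends on: after a group is revoked, the user still reaches the group's file share through an assigned laptop, which the directory alone does not show.

```python
"""Time-series directory audit correlated with device relationships (added example)."""
from typing import Dict, List, Set, Tuple

# Constructed directory change events: (timestamp, actor, action, subject, object).
EVENTS: List[Tuple[int, str, str, str, str]] = [
    (1, "admin", "add_user", "carol", ""),
    (2, "admin", "grant", "carol", "group:staff"),
    (5, "helpdesk", "assign_device", "carol", "laptop-42"),
    (9, "admin", "grant", "carol", "group:db-admins"),
    (12, "admin", "revoke", "carol", "group:staff"),
]
# Constructed CPG fragment: resources reachable through a device (e.g. a stored VPN profile
# or a mounted share), which the user directory alone does not show.
DEVICE_ACCESS: Dict[str, List[str]] = {"laptop-42": ["vpn-prod", "fileshare"]}

EMPTY: Dict[str, Set[str]] = {"groups": set(), "devices": set()}


def state_at(t: int) -> Dict[str, Dict[str, Set[str]]]:
    """Step 1301: replay the time series up to time t to reconstruct the directory state."""
    users: Dict[str, Dict[str, Set[str]]] = {}
    for ts, _actor, action, subject, obj in sorted(EVENTS):
        if ts > t:
            break                                   # events are ordered; stop at the cut-off
        if action == "add_user":
            users[subject] = {"groups": set(), "devices": set()}
        elif action == "grant":
            users[subject]["groups"].add(obj)
        elif action == "revoke":
            users[subject]["groups"].discard(obj)
        elif action == "assign_device":
            users[subject]["devices"].add(obj)
    return users


def changes_between(t0: int, t1: int) -> List[Tuple[str, str, str]]:
    """Step 1302: privilege-relevant differences between two points in time."""
    before, after = state_at(t0), state_at(t1)
    diff: List[Tuple[str, str, str]] = []
    for user in sorted(set(before) | set(after)):
        b, a = before.get(user, EMPTY), after.get(user, EMPTY)
        diff += [(user, "gained", g) for g in sorted(a["groups"] - b["groups"])]
        diff += [(user, "lost", g) for g in sorted(b["groups"] - a["groups"])]
        diff += [(user, "device", d) for d in sorted(a["devices"] - b["devices"])]
    return diff


def audit(t: int) -> Dict[str, Dict[str, List[str]]]:
    """Steps 1303-1304: explicit directory privileges next to the implicit access that
    device relationships in the CPG imply."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for user, st in state_at(t).items():
        implicit = sorted({r for d in st["devices"] for r in DEVICE_ACCESS.get(d, [])})
        report[user] = {"explicit": sorted(st["groups"]), "implicit_via_device": implicit}
    return report


if __name__ == "__main__":
    print(changes_between(0, 10))
    print(audit(12))
```

Replaying from the event log rather than snapshotting the directory is what gives the audit its history: the same function answers "what did this account hold last quarter" and "what does it hold now", and the diff between them is the change analysis of step 1302.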

FIG. 14 is a flow diagram of an exemplary method 1400 for cybersecurity risk management, according to one aspect. According to the aspect, the several methods described above may be combined to provide live assessment of attacks as they occur, by first receiving 1401 time-series data for the infrastructure (as described above with reference to FIG. 10) to provide live monitoring of network events. This data is then augmented 1402 using the CPG (as described above with reference to FIG. 11) to correlate events with actual infrastructure elements such as servers or accounts. When an event (for example, an attempted attack on a vulnerable system or resource) occurs 1403, the event is logged 1404 in the time-series data and compared 1405 against the CPG to determine its impact. This is augmented by including impact assessment information 1406 for any affected resources, and the attack is then checked 1407 against the baseline score to determine the full extent of its impact and any necessary modifications to the infrastructure or policies.

FIG. 15 is a flow diagram of an exemplary method 1500 for mitigating compromised-credential threats, according to one aspect. According to the aspect, impact assessment scores may be collected 1501 for user accounts in a directory (as described above with reference to FIG. 9), so that the potential impact of any given credential attack is known before an actual attack occurs. This information may be combined 1502 with the CPG as described above with reference to FIG. 11, placing the impact assessment scores in the context of the infrastructure (for example, so that it may be predicted which systems or resources would be at risk for any given credential attack). Simulated attacks may then be performed 1503, using machine learning to improve security without waiting for a real attack to trigger a reactive response. Blast radius assessment (as described above with reference to FIG. 9) may be used in response 1504 to determine the effects of the simulated attack and identify weaknesses, and to produce a report 1505 of recommendations for improving and hardening the infrastructure against future attacks.

Hardware Architecture

In general, the techniques disclosed herein may be implemented in hardware or in a combination of software and hardware. For example, they may be implemented in an operating system kernel, in a separate user process, in a library package bound into network applications, on a specially constructed machine, on an application-specific integrated circuit (ASIC), or on a network interface card.

Software/hardware hybrid implementations of at least some of the aspects disclosed herein may be implemented on a programmable network-resident machine (which should be understood to include intermittently connected network-aware machines) that is selectively activated or reconfigured by a computer program stored in memory. Such network devices may have multiple network interfaces that may be configured or designed to utilize different types of network communication protocols. A general architecture for some of these machines may be described herein in order to illustrate one or more exemplary means by which a given unit of functionality may be implemented. According to specific aspects, at least some of the features or functionalities of the various aspects disclosed herein may be implemented on one or more general-purpose computers associated with one or more networks, such as, for example, an end-user computer system, a client computer, a network server or other server system, a mobile computing device (e.g., a tablet computing device, mobile phone, smartphone, laptop, or other appropriate computing device), a consumer electronic device, a music player, or any other suitable electronic device, router, switch, or other suitable device, or any combination thereof.
In at least some aspects, at least some of the features or functionalities of the various aspects disclosed herein may be implemented in one or more virtualized computing environments (e.g., network computing clouds, virtual machines hosted on one or more physical computing machines, or other appropriate virtual environments).

Referring now to FIG. 16, there is shown a block diagram depicting an exemplary computing device 10 suitable for implementing at least a portion of the features or functionalities disclosed herein. Computing device 10 may be, for example, any one of the computing machines listed above, or indeed any other electronic device capable of executing software- or hardware-based instructions according to one or more programs stored in memory. Computing device 10 may be configured to communicate with a plurality of other computing devices, such as clients or servers, over a communications network such as a wide area network, a metropolitan area network, a local area network, a wireless network, the Internet, or any other network, whether wired or wireless, using known protocols for such communication.

In one aspect, computing device 10 includes one or more central processing units (CPUs) 12, one or more interfaces 15, and one or more buses 14 (such as a peripheral component interconnect (PCI) bus). When acting under the control of appropriate software or firmware, CPU 12 may be responsible for implementing specific functions associated with the functions of a specifically configured computing device or machine. For example, in at least one aspect, a computing device 10 may be configured or designed to function as a server system utilizing CPU 12, local memory 11 and/or remote memory 16, and interface(s) 15. In at least one aspect, CPU 12 may be caused to perform one or more of the different types of functions and/or operations under the control of software modules or components, which for example may include an operating system and any appropriate application software, drivers, and the like.

CPU 12 may include one or more processors 13 such as, for example, a processor from one of the Intel, ARM, Qualcomm, and AMD families of microprocessors. In some aspects, processors 13 may include specially designed hardware such as application-specific integrated circuits (ASICs), electrically erasable programmable read-only memories (EEPROMs), field-programmable gate arrays (FPGAs), and so forth, for controlling the operations of computing device 10. In a specific aspect, a local memory 11 (such as non-volatile random access memory (RAM) and/or read-only memory (ROM), including for example one or more levels of cache memory) may also form part of CPU 12. However, there are many different ways in which memory may be coupled to system 10. Memory 11 may be used for a variety of purposes such as, for example, caching and/or storing data, programming instructions, and the like. It should be further appreciated that CPU 12 may be one of a variety of system-on-a-chip (SOC) type hardware that may include additional hardware such as memory or graphics processing chips, such as a QUALCOMM SNAPDRAGON™ or SAMSUNG EXYNOS™ CPU, as are becoming increasingly common in the art, for example for use in mobile devices or integrated devices.

As used herein, the term "processor" is not limited merely to those integrated circuits referred to in the art as a processor, a mobile processor, or a microprocessor, but broadly refers to a microcontroller, a microcomputer, a programmable logic controller, an application-specific integrated circuit, and any other programmable circuit.

In one aspect, interfaces 15 are provided as network interface cards (NICs). Generally, NICs control the sending and receiving of data packets over a computer network; other types of interfaces 15 may, for example, support other peripherals used with computing device 10. Among the interfaces that may be provided are Ethernet interfaces, frame relay interfaces, cable interfaces, DSL interfaces, token ring interfaces, graphics interfaces, and the like. In addition, various types of interfaces may be provided such as, for example, universal serial bus (USB), serial, Ethernet, FIREWIRE™, THUNDERBOLT™, PCI, parallel, radio frequency (RF), BLUETOOTH™, near-field communications (e.g., using near-field magnetics), 802.11 (WiFi), frame relay, TCP/IP, ISDN, fast Ethernet interfaces, Gigabit Ethernet interfaces, Serial ATA (SATA) or external SATA (ESATA) interfaces, high-definition multimedia interface (HDMI), digital visual interface (DVI), analog or digital audio interfaces, asynchronous transfer mode (ATM) interfaces, high-speed serial interface (HSSI) interfaces, point-of-sale (POS) interfaces, fiber data distributed interfaces (FDDIs), and the like. Generally, such interfaces 15 may include physical ports appropriate for communication with the appropriate media.
In some cases, they may also include an independent processor (such as a dedicated audio or video processor, as is common in the art for high-fidelity A/V hardware interfaces) and, in some instances, volatile and/or non-volatile memory (e.g., RAM).

Although the system shown in FIG. 16 illustrates one specific architecture for a computing device 10 for implementing one or more of the aspects described herein, it is by no means the only device architecture on which at least a portion of the features and techniques described herein may be implemented. For example, architectures having one or any number of processors 13 may be used, and such processors 13 may be present in a single device or distributed among any number of devices. In one aspect, a single processor 13 handles communications as well as routine computations, while in other aspects a separate dedicated communications processor may be provided. In various aspects, different types of features or functionalities may be implemented in a system according to the aspect that includes client devices (such as a tablet device or smartphone running client software) and server systems (such as a server system described in more detail below).

Regardless of network device configuration, the system of an aspect may employ one or more memories or memory modules (such as, for example, remote memory block 16 and local memory 11) configured to store data, program instructions for general-purpose network operations, or other information relating to the functionality of the aspects described herein (or any combination of the above). Program instructions may control the execution of, or comprise, an operating system and/or one or more applications. Memory 16 or memories 11, 16 may also be configured to store data structures, configuration data, encryption data, historical system operations information, or any other specific or generic non-program information described herein.

Because such information and program instructions may be employed to implement one or more systems or methods described herein, at least some network device aspects may include non-transitory machine-readable storage media, which may be configured or designed, for example, to store program instructions, state information, and the like for performing the various operations described herein. Examples of such non-transitory machine-readable storage media include, but are not limited to, magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROM disks; magneto-optical media such as optical disks; and hardware devices specially configured to store and execute program instructions, such as read-only memory (ROM), flash memory (as is common in mobile devices and integrated systems), solid-state drives (SSD), any logic component that combines solid-state and hard-disk drives in a single hardware device (as is becoming increasingly common in the art with respect to personal computers), memristor memory, random access memory (RAM), and the like. It should be appreciated that such storage means may be integral and non-removable (such as RAM hardware modules that may be soldered onto a motherboard or otherwise integrated into an electronic device), or they may be removable, such as swappable flash memory modules (such as "thumb drives" or other removable media designed for rapid exchange of physical storage devices), "hot-swappable" hard disk drives or solid-state drives, removable optical storage discs, or other such removable media, and that such integral and removable storage media may be used interchangeably. Examples of program instructions include object code, such as may be produced by a compiler; machine code, such as may be produced by an assembler or a linker; byte code, such as may be generated by, for example, a JAVA™ compiler and executed using a Java virtual machine or equivalent; or files containing higher-level code that may be executed by the computer using an interpreter (for example, scripts written in Python, Perl, Ruby, Groovy, or any other scripting language).

In some aspects, the system may be implemented on a standalone computing system. Referring now to FIG. 17, there is shown a block diagram depicting an exemplary architecture of one or more aspects, or components thereof, on a standalone computing system. Computing device 20 includes a processor 21 that may run software that carries out one or more functions or applications of an aspect, such as, for example, a client application 24. Processor 21 may execute computing instructions under the control of an operating system 22, such as, for example, a version of the MICROSOFT WINDOWS™ operating system, the APPLE macOS™ or iOS™ operating systems, some variant of the Linux operating system, the ANDROID™ operating system, or the like. In many cases, one or more shared services 23 may be operable in system 20 and may be useful for providing common services to client applications 24. Services 23 may be, for example, WINDOWS™ services, user-space common services in a Linux environment, or any other type of common service architecture used by operating system 21. Input devices 28 may be of any type suitable for receiving user input, including, for example, a keyboard, touchscreen, microphone (for example, for voice input), mouse, touchpad, trackball, or any combination thereof. Output devices 27 may be of any type suitable for providing output to one or more users, whether remote or local to system 20, and may include, for example, one or more screens for visual output, speakers, printers, or any combination thereof. Memory 25 may be random access memory having any structure and architecture known in the art, for use by processor 21, for example, to run software. Storage devices 26 may be any magnetic, optical, mechanical, memristor, or electrical storage device for storage of data in digital form (such as those described above, referring to FIG. 10). Examples of storage devices 25 include flash memory, magnetic hard drives, CD-ROM, and/or the like.

In some aspects, the system may be implemented on a distributed computing network, such as one having any number of clients and/or servers. Referring now to FIG. 18, there is shown a block diagram depicting an exemplary architecture 30 for implementing at least a portion of a system according to one aspect on a distributed computing network. According to the aspect, any number of clients 33 may be provided. Each client 33 may run software for implementing client-side portions of the system; clients may comprise a system 20 such as that illustrated in FIG. 17. In addition, any number of servers 32 may be provided for handling requests received from one or more clients 33. Clients 33 and servers 32 may communicate with one another via one or more electronic networks 31, which may be, in various aspects, any of the Internet, a wide area network, a mobile telephony network (such as a CDMA or GSM cellular network), a wireless network (such as WiFi, WiMAX, LTE, and so forth), or a local area network (or indeed any network topology known in the art; the aspect does not prefer any one network topology over any other).

In addition, in some aspects, servers 32 may call external services 37 when needed to obtain additional information, or to refer to additional data concerning a particular call. Communications with external services 37 may take place, for example, via one or more networks 31. In various aspects, external services 37 may comprise web-enabled services or functionality related to or installed on the hardware device itself. For example, in one aspect where client applications 24 are implemented on a smartphone or other electronic device, client applications 24 may obtain information stored in a server system 32 in the cloud or on an external service 37 deployed on one or more of a particular enterprise's or user's premises.

In some aspects, clients 33 or servers 32 (or both) may make use of one or more specialized services or applications that may be deployed locally or remotely across one or more networks 31. For example, one or more databases 34 may be used or referred to by one or more aspects. It should be understood by one having ordinary skill in the art that databases 34 may be arranged in a wide variety of architectures and using a wide variety of data access and manipulation means. For example, in various aspects one or more databases 34 may comprise a relational database system using a structured query language (SQL), while others may comprise an alternative data storage technology such as those referred to in the art as "NoSQL" (for example, HADOOP CASSANDRA™, GOOGLE BIGTABLE™, and so forth). In some aspects, variant database architectures such as column-oriented databases, in-memory databases, clustered databases, distributed databases, or even flat file data repositories may be used according to the aspect. It will be appreciated by one having ordinary skill in the art that any combination of known or future database technologies may be used as appropriate, unless a specific database technology or a specific arrangement of components is specified for a particular aspect described herein. Moreover, it should be appreciated that the term "database" as used herein may refer to a physical database machine, a cluster of machines acting as a single database system, or a logical database within an overall database management system. Unless a specific meaning is specified for a given use of the term "database", it should be construed to mean any of these senses of the word, all of which are understood as a plain meaning of the term "database" by those having ordinary skill in the art.

Similarly, some aspects may make use of one or more security systems 36 and configuration systems 35. Security and configuration management are common information technology (IT) and web functions, and some amount of each is generally associated with any IT or web system. It should be understood by one having ordinary skill in the art that any configuration or security subsystem known in the art now or in the future may be used in conjunction with aspects without limitation, unless a specific security 36 or configuration system 35 or approach is specifically required by the description of any particular aspect.

FIG. 19 shows an exemplary overview of a computer system 40 such as may be used in any of the various locations throughout the system. It is exemplary of any computer that may execute code to process data. Various modifications and changes may be made to computer system 40 without departing from the broader scope of the system and method disclosed herein. A central processing unit (CPU) 41 is connected to a bus 42, to which are also connected memory 43, non-volatile memory 44, a display 47, an input/output (I/O) unit 48, and a network interface card (NIC) 53. I/O unit 48 may typically be connected to a keyboard 49, a pointing device 50, a hard disk 52, and a real-time clock 51. NIC 53 connects to a network 54, which may be the Internet or a local network, which local network may or may not have connections to the Internet. Also shown as part of system 40 is a power supply unit 45 connected, in this example, to a main alternating current (AC) supply 46. Not shown are batteries that could be present, and many other devices and modifications that are well known but are not applicable to the specific novel functions of the current system and method disclosed herein. It should be appreciated that some or all of the components illustrated may be combined, such as in various integrated applications, for example Qualcomm or Samsung system-on-a-chip (SOC) devices, or whenever it may be appropriate to combine multiple capabilities or functions into a single hardware device (for instance, in mobile devices such as smartphones, video game consoles, in-vehicle computer systems such as navigation or multimedia systems in automobiles, or other integrated hardware devices).

In various aspects, functionality for implementing systems or methods of the various aspects may be distributed among any number of client and/or server components. For example, various software modules may be implemented for performing various functions in connection with the system of any particular aspect, and such modules may be variously implemented to run on server and/or client components.

The skilled person will be aware of a range of possible modifications of the various aspects described above. Accordingly, the present invention is defined by the claims and their equivalents.

Claims (7)

1. An advanced cyber decision platform for mitigating cyberattacks, the platform comprising:
   a time series data store comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and operating on the processor, wherein the programming instructions, when operating on the processor, cause the processor to:
      monitor a plurality of network events; and
      produce time series data comprising at least a record of a network event and the time at which the event occurred;
   an observation and state estimation module comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and operating on the processor, wherein the programming instructions, when operating on the processor, cause the processor to:
      monitor a plurality of connected resources on a network; and
      produce a cyber-physical graph representing at least a portion of the plurality of connected resources, the cyber-physical graph comprising at least logical relationships between at least a portion of the plurality of connected resources on the network, and physical relationships between any connected resources comprising at least hardware devices;
   a directed computational graph module comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and operating on the processor, wherein the programming instructions, when operating on the processor, cause the processor to:
      perform a plurality of analysis and transformation operations on at least a portion of the time series data; and
      perform a plurality of analysis and transformation operations on at least a portion of the cyber-physical graph; and
   an action outcome simulation module comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and operating on the processor, wherein the programming instructions, when operating on the processor, cause the processor to:
      produce simulated network events comprising at least a simulated cyberattack; and
      produce a plurality of security recommendations based at least in part on the results of the analysis performed by the directed computational graph module.

2. The system of claim 1, wherein the performing of a plurality of analysis and transformation operations on at least a portion of the cyber-physical graph comprises computing an impact assessment score for each of a portion of the resources in the graph.

3. The system of claim 2, wherein the performing of a plurality of analysis and transformation operations on at least a portion of the time series data comprises computing a total impact of a cyberattack, wherein the computing is based at least in part on the impact assessment score of each resource affected by the cyberattack.

4. The system of claim 1, wherein the performing of a plurality of analysis and transformation operations on at least a portion of the cyber-physical graph comprises comparing relationships between resources against known security vulnerabilities.

5. The system of claim 4, wherein the recommendations produced by the action outcome simulation module are based at least in part on the results of the comparison against known security vulnerabilities.

6. The system of claim 1, wherein the observation and state estimation module is further configured to produce a visualization based at least in part on at least a portion of the time series data, wherein the visualization illustrates changes in the data over time.

7. A method for mitigating cyberattacks using an advanced cyber decision platform, comprising the steps of:
   a) producing, using an observation and state estimation module, a cyber-physical graph representing at least a portion of a plurality of connected resources, the cyber-physical graph comprising at least logical relationships between at least a portion of the plurality of connected resources on the network, and physical relationships between any connected resources comprising at least hardware devices;
   b) performing, using a directed computational graph module, a plurality of analysis and transformation operations on at least a portion of the cyber-physical graph;
   c) producing, using an action outcome simulation module, simulated network events comprising at least a simulated cyberattack;
   d) monitoring, using a time series data store, a plurality of network events comprising at least the simulated cyberattack;
   e) producing time series data based at least in part on the network events;
   f) performing a plurality of analysis and transformation operations on at least a portion of the time series data; and
   g) producing a plurality of security recommendations based at least in part on the results of the analysis performed by the directed computational graph module.
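The claims above describe a cyber-physical graph of logical and physical relationships, a per-resource impact assessment score (claim 2), a total-impact computation for an attack whose events are recorded in the time series store (claim 3), a comparison of resource relationships against known vulnerabilities (claim 4), and recommendations derived from that comparison (claim 5). The Python block below is an added illustration of those steps on a constructed inventory; it is not code from the patent or from Qomplx, and every resource name, criticality weight, channel label, weakness id, and event record in it is a hypothetical placeholder. It goes slightly beyond the claim text in one respect: the total impact unions the blast radii of all compromised resources before summing, so that a dependent reachable from two compromised nodes is counted once.

```python
"""Added example (not code from the patent or from Qomplx): a toy cyber-physical graph
with per-resource impact scores, a simulated-attack impact roll-up, and relationship
checks against a constructed weakness table. All names and values are hypothetical."""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# Constructed inventory: resource -> criticality weight (1 = low, 10 = essential).
RESOURCES: Dict[str, int] = {
    "db-primary": 10, "app-server": 6, "web-proxy": 4, "monitoring": 2,
    "rack1-srv3": 3, "rack1-srv2": 3, "rack2-srv1": 3,   # physical hosts
}
# Logical relationships: (dependent, provider, channel), "dependent relies on provider".
LOGICAL_EDGES: List[Tuple[str, str, str]] = [
    ("app-server", "db-primary", "tds-plaintext"),
    ("web-proxy", "app-server", "https"),
    ("monitoring", "db-primary", "https"),
]
# Physical relationships: (service, hardware host it runs on).
PHYSICAL_EDGES: List[Tuple[str, str]] = [
    ("db-primary", "rack1-srv3"), ("app-server", "rack1-srv2"),
    ("web-proxy", "rack2-srv1"), ("monitoring", "rack2-srv1"),
]
# Constructed weakness table keyed by channel type (placeholder ids, not real CVEs).
KNOWN_WEAK_CHANNELS: Dict[str, Tuple[str, str]] = {
    "tds-plaintext": ("WEAK-PLACEHOLDER-1", "unencrypted database channel; enable TLS"),
    "telnet": ("WEAK-PLACEHOLDER-2", "cleartext admin protocol; replace with SSH"),
}
# Constructed time-series records of a simulated attack: (timestamp, event, resource).
SIMULATED_EVENTS: List[Tuple[int, str, str]] = [
    (1, "scan", "web-proxy"),
    (2, "compromise", "web-proxy"),
    (3, "compromise", "rack2-srv1"),
]


def build_graph() -> Dict[str, Set[str]]:
    """Cyber-physical graph read as 'compromise of X affects every node in graph[X]'."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for dependent, provider, _ in LOGICAL_EDGES:
        graph[provider].add(dependent)   # provider down -> dependent degraded
    for service, host in PHYSICAL_EDGES:
        graph[host].add(service)         # host compromised -> hosted service compromised
    return graph


def blast_radius(graph: Dict[str, Set[str]], start: str) -> Set[str]:
    """Breadth-first walk: every resource transitively affected by `start`, itself included."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def impact_scores(graph: Dict[str, Set[str]]) -> Dict[str, int]:
    """Claim 2: impact assessment score = summed criticality of the resource's blast radius."""
    return {r: sum(RESOURCES[x] for x in blast_radius(graph, r)) for r in RESOURCES}


def total_attack_impact(graph: Dict[str, Set[str]], events) -> int:
    """Claim 3: total impact of an attack recorded in the time-series store. Blast radii of
    every compromised resource are unioned first so shared dependents are not double-counted."""
    affected: Set[str] = set()
    for _, kind, resource in events:
        if kind == "compromise":
            affected |= blast_radius(graph, resource)
    return sum(RESOURCES[r] for r in affected)


def weak_relationships() -> List[Tuple[str, str, str, str]]:
    """Claim 4: compare each logical relationship against the known-weakness table."""
    return [(dep, prov, *KNOWN_WEAK_CHANNELS[ch])
            for dep, prov, ch in LOGICAL_EDGES if ch in KNOWN_WEAK_CHANNELS]


def recommendations(scores: Dict[str, int], findings) -> List[str]:
    """Claim 5: recommendations from the comparison, ranked by the provider's impact score."""
    ranked = sorted(findings, key=lambda f: scores[f[1]], reverse=True)
    return [f"[{wid}] {dep} -> {prov} (impact {scores[prov]}): {advice}"
            for dep, prov, wid, advice in ranked]


if __name__ == "__main__":
    g = build_graph()
    s = impact_scores(g)
    print("impact scores:", s)
    print("simulated attack total impact:", total_attack_impact(g, SIMULATED_EVENTS))
    for line in recommendations(s, weak_relationships()):
        print(line)
```

With the constructed inventory, the database host rack1-srv3 scores highest (25) because a physical compromise of it reaches the database and, through the logical edges, every service that depends on it; the simulated attack that compromises web-proxy and then rack2-srv1 has a total impact of 9, and the only finding is the plaintext application-to-database channel, ranked by the database's impact score of 22.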
CN201880059195.3A 2017-07-20 2018-07-20 Advanced cybersecurity threat mitigation using behavioral and deep analytics Withdrawn CN111316272A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US15/655,113 US10735456B2 (en) 2015-10-28 2017-07-20 Advanced cybersecurity threat mitigation using behavioral and deep analytics
US15/655,113 2017-07-20
PCT/US2018/043191 WO2019018829A1 (en) 2017-07-20 2018-07-20 Advanced cybersecurity threat mitigation using behavioral and deep analytics

Publications (1)

Publication Number Publication Date
CN111316272A true CN111316272A (en) 2020-06-19

Family

ID=65015309

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201880059195.3A Withdrawn CN111316272A (en) 2017-07-20 2018-07-20 Advanced cybersecurity threat mitigation using behavioral and deep analytics

Country Status (3)

Country Link
EP (1) EP3655878A4 (en)
CN (1) CN111316272A (en)
WO (1) WO2019018829A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114143052A (en) * 2021-11-19 2022-03-04 北京灰度科技有限公司 Network defense system risk assessment method based on controllable intrusion simulation
US11444961B2 (en) * 2019-12-20 2022-09-13 Intel Corporation Active attack detection in autonomous vehicle networks
CN115277404A (en) * 2022-05-13 2022-11-01 清华大学 Cloud network large-scale change, release and arrangement method, device, equipment and storage medium

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12500920B2 (en) 2015-10-28 2025-12-16 Qomplx Llc Computer-implemented system and method for cybersecurity threat analysis using federated machine learning and hierarchical task networks
CN108011893A (en) * 2017-12-26 2018-05-08 广东电网有限责任公司信息中心 A kind of asset management system based on networked asset information gathering
US12041065B2 (en) * 2019-10-15 2024-07-16 Fortinet, Inc. Resolving the disparate impact of security exploits to resources within a resource group
CN115118422B (en) * 2022-03-10 2025-06-17 西安邮电大学 A group intelligence collaborative sharing and anti-leakage system and method for undisclosed vulnerabilities
CN114860585B (en) * 2022-04-22 2024-11-19 中国人民解放军国防科技大学 A network protocol software analysis method based on multi-layer semantic recovery
WO2025019721A1 (en) * 2023-07-19 2025-01-23 Qomplx Llc A system and method for cyber exploitation path analysis and task plan optimization
CN120430879B (en) * 2025-07-08 2025-09-12 南京财经大学 A comprehensive financial audit system based on big data

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015149062A1 (en) * 2014-03-28 2015-10-01 Zitovault, Inc. System and method for predicting impending cyber security events using multi channel behavioral analysis in a distributed computing environment
US10248910B2 (en) * 2015-10-28 2019-04-02 Fractal Industries, Inc. Detection mitigation and remediation of cyberattacks employing an advanced cyber-decision platform
US10735456B2 (en) * 2015-10-28 2020-08-04 Qomplx, Inc. Advanced cybersecurity threat mitigation using behavioral and deep analytics
DE102015119597B4 (en) * 2015-11-13 2022-07-14 Kriwan Industrie-Elektronik Gmbh cyber-physical system
US10367829B2 (en) * 2015-11-19 2019-07-30 Anomali Incorporated Protecting threat indicators from third party abuse

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11444961B2 (en) * 2019-12-20 2022-09-13 Intel Corporation Active attack detection in autonomous vehicle networks
CN114143052A (en) * 2021-11-19 2022-03-04 北京灰度科技有限公司 Network defense system risk assessment method based on controllable intrusion simulation
CN114143052B (en) * 2021-11-19 2023-04-28 北京灰度科技有限公司 Network defense system risk assessment method, device and storage medium based on controllable intrusion simulation
CN115277404A (en) * 2022-05-13 2022-11-01 清华大学 Cloud network large-scale change, release and arrangement method, device, equipment and storage medium

Also Published As

Publication number Publication date
EP3655878A4 (en) 2021-04-07
WO2019018829A1 (en) 2019-01-24
EP3655878A1 (en) 2020-05-27


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20200619