Patent Issued for Automatic Generation Of Data-Centric Attack Graphs (USPTO 10,503,911)
2019 DEC 19 (NewsRx) -- By a
The patent’s inventors are Chari, Suresh N. (
This patent was filed on
From the background information supplied by the inventors, news correspondents obtained the following quote: “The disclosure relates generally to attack graphs and more specifically to calculating a risk to a set of sensitive data objects, which correspond to a regulated service provided by a set of components comprising the regulated service, based on automatically generating a data-centric attack graph of nodes representing the set of components and propagating risk scores to related components along edge paths in the attack graph connecting related components.
“Today, many software applications access and/or process sensitive data, such as, for example, personal medical information or personal financial information, corresponding to individuals. However, many federal, state, and local laws regulate the accessing and processing of certain types of sensitive data corresponding to individuals. For example, federal regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act, include specific mandates regarding the use of sensitive data. For example, HIPAA provides data privacy and security provisions for safeguarding sensitive personal medical information of individuals. The Gramm-Leach-Bliley Act controls the way financial institutions may use sensitive personal financial information of individuals. As a result, any entity, such as institutions, enterprises, businesses, companies, or agencies, which provides one or more services that access and/or process these types of sensitive data must be able to determine whether the sensitive data is at risk of attack or compromise and take corrective action to eliminate, reduce, or mitigate the risk.”
Supplementing the background information on this patent, NewsRx reporters also obtained the inventors’ summary information for this patent: “According to one illustrative embodiment, a computer-implemented method for generating an attack graph to protect sensitive data objects located on a network from attack is provided. A computer generates the attack graph that includes nodes representing components in a set of components of a regulated service and edges between nodes representing relationships between related components in the set of components based on vulnerability and risk metrics corresponding to each component in the set of components. The computer calculates a risk score for each component represented by a node in the attack graph based on a sensitivity rank and a criticality rank corresponding to each respective component. The computer aggregates risk scores for each component along each edge path connecting a node of a particular component to a node of a related component to form an aggregated risk score for each component. In response to the computer determining that the aggregated risk score of a component is greater than or equal to a risk threshold, the computer performs an action to mitigate a risk to sensitive data corresponding to the component posed by an attack via the network. According to other illustrative embodiments, a computer system and computer program product for generating an attack graph to protect sensitive data objects located on a network from attack are provided.”
The claims supplied by the inventors are:
“What is claimed is:
“1. A computer-implemented method for generating an attack graph to protect sensitive data objects located on a network from attack, the computer-implemented method comprising: generating, by a computer, the attack graph that includes nodes representing components in a set of components of a regulated service and edges between nodes representing relationships between related components in the set of components based on vulnerability and risk metrics corresponding to each component in the set of components; calculating, by the computer, a risk score for each component represented by a node in the attack graph based on a sensitivity rank and a criticality rank corresponding to each respective component; aggregating, by the computer, risk scores for each component along each edge path connecting a node of a particular component to a node of a related component to form an aggregated risk score for each component; and responsive to the computer determining that the aggregated risk score of a component is greater than or equal to a risk threshold, performing, by the computer, an action to mitigate a risk to sensitive data corresponding to the component posed by an attack via the network.
“2. The computer-implemented method of claim 1 further comprising: calculating, by the computer, a level of compromisability of sensitive data for each component represented by a node in the attack graph based on the vulnerability and risk metrics corresponding to each respective component and edge paths between nodes of related components; calculating, by the computer, the sensitivity rank, an integrity rank, and the criticality rank for each component represented by a node in the attack graph using a topology graph of the regulated service; and calculating, by the computer, the risk score for each component represented by a node in the attack graph based on the level of compromisability, the sensitivity rank, the integrity rank, and the criticality rank corresponding to each respective component.
“3. The computer-implemented method of claim 2, wherein the computer calculates the level of compromisability of the sensitive data using a network flow algorithm, and wherein the network flow algorithm is a max-flow min-cut algorithm.
“4. The computer-implemented method of claim 2 further comprising: normalizing, by the computer, the aggregated risk score for each component in the set of components of the regulated service to form a normalized risk score for each component.
“5. The computer-implemented method of claim 4 further comprising: comparing, by the computer, the normalized risk score for each component with a risk threshold value; and responsive to the computer determining that the normalized risk score of a component is greater than or equal to the risk threshold value, performing, by the computer, the action based on the normalized risk score being greater than the risk threshold value.
“6. The computer-implemented method of claim 1 further comprising: identifying, by the computer, a set of sensitive data corresponding to the regulated service; scanning, by the computer, for the set of components corresponding to the regulated service that are authorized to perform activities associated with sensitive data; identifying, by the computer, the vulnerability and risk metrics corresponding to each component in the set of components of the regulated service; and generating, by the computer, a topology graph of the regulated service based on each identified component in the set of components and a configuration of each identified component.
“7. The computer-implemented method of claim 6 further comprising: identifying, by the computer, authorized activities associated with the set of sensitive data.
“8. The computer-implemented method of claim 1 further comprising: identifying, by the computer, two or more edges having a common destination node in the attack graph.
“9. The computer-implemented method of claim 8, wherein the attack graph is an AND/OR graph.
“10. The computer-implemented method of claim 9 further comprising: generating, by the computer, an AND edge for the two or more edges having the common destination node, if and only if, a sensitive data vulnerability of the common destination node can be exploited by an attacker and all of the two or more edges having the common destination node are exploited.
“11. The computer-implemented method of claim 9 further comprising: generating, by the computer, an OR edge for the two or more edges having the common destination node if only one or more of the two or more edges having the common destination node can be exploited.
“12. The computer-implemented method of claim 9 further comprising: generating, by the computer, multi-step attack paths by connecting one sensitive data vulnerability to another sensitive data vulnerability such that a path containing two or more edges representing an attack requires an attacker to exploit each vulnerability of the two or more edges in sequential order.
“13. The computer-implemented method of claim 1 further comprising: propagating, by the computer, a local sensitive data risk backward along an edge path from a sensitive data sink node to a source sensitive data attack node in the attack graph.
“14. The computer-implemented method of claim 13 further comprising: calculating, by the computer, a cumulative sensitive data risk for each node in the attack graph based on a propagated sensitive data risk along all incoming edge paths of a node and the local sensitive data risk corresponding to that particular node.
“15. The computer-implemented method of claim 14 further comprising: calculating, by the computer, a total sensitive data risk corresponding to the regulated service represented by the attack graph based on aggregating cumulative sensitive data risk of all sensitive data sink nodes.
“16. The computer-implemented method of claim 1, wherein the computer identifies the vulnerability and risk metrics of a component based on at least one of Common Vulnerabilities and Exposures identifiers, application scanning, penetration testing, and vulnerability scanning.
“17. A computer system for generating an attack graph to protect sensitive data objects located on a network from attack, the computer system comprising: a bus system; a storage device connected to the bus system, wherein the storage device stores program instructions; and a processor connected to the bus system, wherein the processor executes the program instructions to: generate the attack graph that includes nodes representing components in a set of components of a regulated service and edges between nodes representing relationships between related components in the set of components based on vulnerability and risk metrics corresponding to each component in the set of components; calculate a risk score for each component represented by a node in the attack graph based on a sensitivity rank and a criticality rank corresponding to each respective component; aggregate risk scores for each component along each edge path connecting a node of a particular component to a node of a related component to form an aggregated risk score for each component; and perform an action to mitigate a risk to sensitive data corresponding to a component posed by an attack via the network in response to determining that the aggregated risk score of the component is greater than or equal to a risk threshold.
“18. A computer program product for generating an attack graph to protect sensitive data objects located on a network from attack, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method comprising: generating, by the computer, the attack graph that includes nodes representing components in a set of components of a regulated service and edges between nodes representing relationships between related components in the set of components based on vulnerability and risk metrics corresponding to each component in the set of components; calculating, by the computer, a risk score for each component represented by a node in the attack graph based on a sensitivity rank and a criticality rank corresponding to each respective component; aggregating, by the computer, risk scores for each component along each edge path connecting a node of a particular component to a node of a related component to form an aggregated risk score for each component; and responsive to the computer determining that the aggregated risk score of a component is greater than or equal to a risk threshold, performing, by the computer, an action to mitigate a risk to sensitive data corresponding to the component posed by an attack via the network.
“19. The computer program product of claim 18 further comprising: calculating, by the computer, a level of compromisability of sensitive data for each component represented by a node in the attack graph based on the vulnerability and risk metrics corresponding to each respective component and edge paths between nodes of related components; calculating, by the computer, the sensitivity rank, an integrity rank, and the criticality rank for each component represented by a node in the attack graph using a topology graph of the regulated service; and calculating, by the computer, the risk score for each component represented by a node in the attack graph based on the level of compromisability, the sensitivity rank, the integrity rank, and the criticality rank corresponding to each respective component.
“20. The computer program product of claim 19, wherein the computer calculates the level of compromisability of the sensitive data using a network flow algorithm, and wherein the network flow algorithm is a max-flow min-cut algorithm.”
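A toy implementation of the scoring pipeline the summary and claims 1, 4-5 and 13-15 describe, added here as an illustration and not taken from the patent or its assignee's code: the per-node risk formula (sensitivity rank times criticality rank), the scaling of propagated risk by the successor's exploitability and the max-normalisation are assumptions, since the page gives no formulas, and the component names, ranks and edges are constructed.

```python
# Constructed regulated service: component -> (sensitivity rank, criticality rank,
# exploitability). Ranks are 1-5; exploitability in [0, 1] stands in for the
# vulnerability metric the patent derives from CVE ids or scanning results.
COMPONENTS = {
    "web_frontend": (1, 2, 0.8),
    "api_gateway": (2, 4, 0.5),
    "auth_service": (3, 5, 0.2),
    "records_db": (5, 5, 0.3),
}
SINKS = {"records_db"}  # nodes that hold the regulated sensitive data
# Directed attack edges: compromising src lets an attacker move on to dst.
EDGES = [("web_frontend", "api_gateway"), ("api_gateway", "auth_service"),
         ("api_gateway", "records_db"), ("auth_service", "records_db")]


def local_risk(name):
    """Assumed per-node risk score: sensitivity rank x criticality rank."""
    sens, crit, _ = COMPONENTS[name]
    return sens * crit


def cumulative_risk(edges=EDGES):
    """Propagate risk backward from the sinks: a node's cumulative risk is its
    local risk plus each successor's cumulative risk scaled by that successor's
    exploitability (OR semantics; AND edges are not modelled here)."""
    succ = {n: [] for n in COMPONENTS}
    for src, dst in edges:
        succ[src].append(dst)
    memo, on_path = {}, set()

    def visit(n):
        if n in memo:
            return memo[n]
        if n in on_path:  # propagation is only defined on acyclic attack graphs
            raise ValueError(f"cycle through {n}")
        on_path.add(n)
        memo[n] = local_risk(n) + sum(COMPONENTS[m][2] * visit(m) for m in succ[n])
        on_path.discard(n)
        return memo[n]

    return {n: visit(n) for n in COMPONENTS}


def total_service_risk(cum):
    """Total risk of the regulated service: aggregate over sensitive-data sinks."""
    return sum(cum[n] for n in SINKS)


def components_to_mitigate(cum, threshold=0.75):
    """Max-normalise cumulative risk to [0, 1] and flag nodes at/above threshold."""
    top = max(cum.values())
    return sorted(n for n, r in cum.items() if r / top >= threshold)
```

With the constructed values the database scores 25, the auth service 22.5, the gateway 20 and the front end 12, so at a 0.75 threshold the first three are flagged for mitigation while the low-sensitivity front end is not.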
For the URL and additional information on this patent, see: Chari, Suresh N.; Kundu, Ashish; Molloy, Ian M.; Pendarakis, Dimitrios; Rao, Josyula R. Automatic Generation Of Data-Centric Attack Graphs.
(Our reports deliver fact-based news of research and discoveries from around the world.)