US20180146002A1 - Cyber Security System and Method Using Intelligent Agents - Google Patents
Cyber Security System and Method Using Intelligent AgentsDownload PDFInfo
- Publication number
- US20180146002A1 US20180146002A1US15/566,691US201615566691AUS2018146002A1US 20180146002 A1US20180146002 A1US 20180146002A1US 201615566691 AUS201615566691 AUS 201615566691AUS 2018146002 A1US2018146002 A1US 2018146002A1
- Authority
- US
- United States
- Prior art keywords
- target
- network
- scan
- results
- network scan
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- G06F17/21—
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F40/00—Handling natural language data
- G06F40/10—Text processing
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N5/00—Computing arrangements using knowledge-based models
- G06N5/02—Knowledge representation; Symbolic representation
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/22—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
Definitions
- Embodiments of the inventionrelate in general to a cyber security system and method using intelligent agents. More specifically, embodiments of the invention relate to one or more of an offensive cyber security system and method using intelligent agents and a defensive cyber security system and method using intelligent agents.
- a cyber security method using intelligent agentsincludes: a) setting up, by the IA, a first network scan of a system over a network; b) running, by the IA, using a first network scan parameter, the first network scan, generating first network scan results; c) storing, by the IA, the first network scan results; d) running, by the IA, using a second network scan parameter, a second network scan of the system over the network, generating second network scan results; e) storing, by the IA, the second network scan results; f) running a port scan of the system, by the IA, generating port scan results; g) storing, by the IA, the port scan results in storage; h) using one or more of the first network scan results and the
- a cyber security method using intelligent agentsincludes: watching, by the IA, over a network, a software program running on a system; receiving, by the IA, results generated by the software; presenting, by the IA, the results; categorizing the results, by the IA, for efficient storage and efficient future retrieval; saving, by the IA, the categorized results; using the categorized results, by the IA, inferring new knowledge; categorizing the new knowledge, by the IA, for efficient storage and efficient future retrieval; saving, by the IA, the categorized new knowledge; and using one or more of the saved categorized results and the saved categorized new knowledge, by the IA, configuring the software.
- a cyber security method using intelligent agentsincludes: seeking, by the IA, required configuration information from storage; determining, by the IA, that the required configuration information cannot be retrieved from storage; identifying, by the IA, a software program; running, by the IA, the software program; verifying, by the IA, that the required configuration information has been obtained; re-running the software program, by the IA, using the required configuration information, generating a result; reviewing the result, by the IA; determining, by the IA, that the result is acceptable; and using the result, by the IA, generating a result response.
- a cyber security method using intelligent agentsincludes: after initial setup, directing, by the IA, a knowledge base program to scan data comprised in a target; collecting, by the IA, configuration information required to run the target; using the configuration information, by the IA, attempting a connection to the target; passing, by the IA, to a human user interface target information regarding the target; using the human user interface, by the IA, accumulating pertinent knowledge regarding one or more of a connection method and target information; using the human user interface, by the IA, communicating with the target using the pertinent knowledge; using the human user interface, receiving, by the IA, a response to the command from the target; processing the response, by the IA, thereby generating a result; transmitting, by the IA, the result to the knowledge base program; using the knowledge base program, by the IA, processing the result; receiving the processed result, by the IA, from the knowledge base program; and transmitting, by the IA, the processed result to storage.
- a cyber security method using intelligent agentsincludes: after initial setup, directing, by the IA, a knowledge base program to scan data comprised in a target; collecting, by the IA, configuration information required to run the target; using the configuration information, by the IA, attempting a connection to the target; using one or more of a connection method and target information regarding the target, sending, by the IA, a command to the target; receiving, by the IA, a response to the command from the target; processing the response, by the IA, thereby generating a result; transmitting, by the IA, the result to the knowledge base program; using the knowledge base program, by the IA, processing the result; receiving the processed result, by the IA, from the knowledge base program; and transmitting, by the IA, the processed result to storage.
- IAsintelligent agents
- a cyber security method using intelligent agentsincludes: observing, by the IA, traffic through a master system; identifying, by the IA, a vulnerability; diverting, by the IA, the vulnerability onto a temporary target; constructing, by the IA, a decoy system configured to replicate one or more of the appearance and the operation of the master system; and launching, by the IA, the decoy system.
- a cyber security method using intelligent agentsincludes: observing, by the IA, traffic through a master system; identifying, by the IA, a vulnerability; diverting, by the IA, the vulnerability onto a temporary target; tracking the vulnerability as it moves through the master system; investigating the vulnerability, generating investigation results; reporting the investigation results to the master system; storing the investigation results; constructing, by the IA, a decoy system configured to replicate one or more of the appearance and the operation of the master system; launching, by the IA, the decoy system; and reviewing, by the IA, effectiveness of the decoy system in promoting safety of the master system.
- FIG. 1is a flowchart of a method for promoting cyber security using intelligent agents (IAs) over a network.
- IAsintelligent agents
- FIG. 2is a flowchart of a method for promoting cyber security using intelligent agents (IAs) over a network.
- IAsintelligent agents
- FIG. 3is a flowchart of a method for promoting cyber security using intelligent agents (IAs) over a network.
- IAsintelligent agents
- FIG. 4is a flowchart of a method for promoting cyber security using intelligent agents (IAs) and a target over a network.
- IAsintelligent agents
- FIG. 5is a flowchart of a method for promoting cyber security using intelligent agents (IAs) and a target over a network.
- IAsintelligent agents
- FIG. 6is a flowchart of a method for promoting cyber security using intelligent agents (IAs) and a target over a network.
- IAsintelligent agents
- FIG. 7is a flowchart of a method for promoting cyber security using intelligent agents (IAs) and a target over a network.
- IAsintelligent agents
- the cyber security system and method using intelligent agentsincludes a plurality of components such as one or more of electronic components, hardware components, and computer software components. A number of such components can be combined or divided in the system.
- An example component of the systemincludes a set and/or series of computer instructions written in or implemented with any of a number of programming languages, as will be appreciated by those skilled in the art.
- the system in one exampleemploys one or more computer-readable signal-bearing media.
- the computer-readable signal bearing mediastore software, firmware and/or assembly language for performing one or more portions of one or more implementations of the invention.
- the computer-readable signal-bearing medium for the system in one examplecomprises one or more of a magnetic, electrical, optical, biological, and atomic data storage medium.
- the computer-readable signal-bearing mediumcomprises floppy disks, magnetic tapes, CD-ROMs, DVD-ROMs, hard disk drives, downloadable files, files executable “in the cloud,” and electronic memory.
- Embodiments of the inventionrelate in general to a cyber security system and method using intelligent agents (IAs). More specifically, embodiments of the invention relate to one or more of an offensive cyber security system and method using IAs, a defensive cyber security system and method using IAs, and a system and method for tuning security software using IAs.
- IAsintelligent agents
- an IAperforms one or more of combatting and limiting exposure of a device to one or more of a hacker and a breach.
- the devicebelongs to one or more systems.
- the devicebelongs to one or more systems connected by Internet Protocol (IP).
- IPInternet Protocol
- ICSIndustrial Control Systems
- the devicebelongs to the Internet of Things (IoT).
- IAdetects one or more of a change made by the hacker and a configuration error.
- the IAconnects to the device over the network.
- the IAlogs into the device via one or more of a command shell, a web interface, and a IP port.
- the IAperforms one or more of communicating with the device and exchanging data with the device.
- the IAthereby extracts information regarding one or more of the device and the device's functionality.
- the IAcan later use the extracted information in one or more security assessments.
- the IAassesses knowledge comprising one or more of a connection method, a measure of success of the connection, a quantity of information returned from the device using the connection method, and a type of information returned from the device using the connection method.
- the type of informationmay comprise one or more of data, intelligence, and another type of information.
- the IAstores the knowledge.
- the IAstores the knowledge locally.
- the IAstores the knowledge locally in long-term storage (LTS).
- LTSlong-term storage
- the IAstores the knowledge remotely.
- the IAassesses and stores the knowledge to enable the IA to respond to one or more of failures, errors, and other types of non-optimum functioning.
- the IAcontinually assesses and stores additional knowledge to accomplish one or more of correcting errors and updating existing knowledge.
- the IAuses the knowledge to accomplish one or more of connecting to a device and correcting an error.
- the IAuses the knowledge to connect to a target.
- the targetcomprises one or more of a target device, a target sub-system, a target port, and another target.
- the IAuses the knowledge to correct an error while performing one or more of maintaining a connection, optimizing a connection, and minimizing duplicated knowledge.
- the IAuses the knowledge to correct an error while approximately simultaneously performing one or more of maintaining a connection, optimizing a connection, and minimizing duplicated knowledge.
- the IAconnects to the target.
- the IAinitiates a command.
- the IAuses the knowledge to initiate a command.
- initiating the commandcomprises typing one or more characters in one or more of a keyboard and another input device.
- initiating the commandcomprises answering one or more questions in a form.
- initiating the commandcomprises answering one or more questions in an Internet form.
- initiating the commandcomprises participating in an interactive session with a human.
- the targetcomprises a human-IA interface configured to facilitate an interactive session between a human and the IA.
- initiating the commandcomprises participating in the interactive session with the human using the human-IA interface.
- the IAinvestigates the network to acquire knowledge regarding one or more of the target and a service running on the target.
- the IAstores the acquired knowledge.
- the IAstores the acquired knowledge in LTS.
- the IAperforms one or more of identifying a new system, identifying a change in an exiting system, and appropriately configuring a test of system vulnerability.
- the IAconfigures a test of system vulnerability.
- the IAappropriately configures software to test system vulnerability.
- the IAcollects knowledge about the target to help intelligently schedule testing when the target will be least impacted. For example, the IA periodically checks on the target to ensure that the current configurations of the target are up to date. For example, the IA identifies a new service provided by the target. For example, the IA updates the configuration of the vulnerability scanning software to account for the new service.
- the IAuses a method that provides the most detailed knowledge about a desired data set. For example, the IA collects additional knowledge. For example, the IA processes the collected knowledge in order to perform one or more of configuring knowledge collection software and correcting errors in the knowledge collection software.
- FIG. 1is a flowchart of a method 100 for promoting cyber security using intelligent agents over a network.
- the order of the steps in the method 100is not constrained to that shown in FIG. 1 or described in the following discussion. Several of the steps could occur in a different order without affecting the final result.
- an intelligent agentsets up a first network scan of a system over a network.
- setting up the first network scancomprises setting a first network scan parameter.
- the first network scan parametercomprises one or more of a scan frequency, a scan wait time, a blast rate, and another network scan parameter.
- the scan frequencyis defined as the elapsed time over which the IA scans the system.
- the scan wait timeis defined as the time for which the IA awaits a response from a scanned target before assume that the target is not active.
- a non-active systemmay be one or more of not present, turned off, and otherwise non-active.
- Blast rateis defined as a number of targets the IA processes in parallel.
- Block 110then transfers control to block 120 .
- step 120using a first network scan parameter, the IA runs the first network scan of the system over the network, generating first network scan results.
- running the first network scancomprises continually running the first network scan.
- running the first network scancomprises continually running the first network scan in the background.
- the networkcomprises one or more of the Internet, the World-Wide Web (WWW), Secure Shell (SSH), Simple Network Management Protocol (SNMP), command-line interface (CLI), and another network protocol configured to facilitate access to the system.
- the first network scancomprises one or more of an active scan of the network, a ping networking utility, a network mapping (NMAP) security scanner, and another first network scan.
- the IAuses the first network scan results to accomplish one or more of maximizing a success rate, minimizing a scan time, minimizing a scan frequency, improving efficiency of scanning, and increasing scan frequency.
- the first network scandetermines a presence of a new system.
- the first network scandetermines an absence of an existing system.
- the first network scangenerates first pings.
- the first pingscomprise frequent, multiple, low accuracy first pings.
- the first pingshave representative return times of approximately thirty seconds to approximately sixty seconds.
- the first pingshave representative return times of approximately thirty seconds to approximately sixty seconds for a system comprising 256 sub-systems.
- the first pingshave an accuracy between approximately eighty percent and approximately 95 percent.
- Block 120then transfers control to block 130 .
- the IAstores the first network scan results.
- the IAstores the first network scan results in storage.
- the IAstores the first network scan results in a long term storage.
- the IAstores the first network scan results in memory.
- Block 130then transfers control to block 140 .
- step 140using a second network scan parameter, the IA runs a second network scan over the network, generating second network scan results.
- the step of running the second network scancomprises accessing the second network scan on an operating system of the system.
- the second network scancomprises one or more of an active scan of the network, a ping networking utility, an NMAP security scanner, and another second network scan.
- the second network scandetermines a presence or absence of a new system
- the second network scan resultshave an accuracy of at least approximately ninety-five percent.
- the IAuses the highly accurate second network scan results in order to set the first network scan parameter for successfully future runs of the first network scan.
- the second network scan parametercomprises one or more of a number of target checks, a size of data being sent, and another second network scan parameter.
- the second network scandetermines details of a detected security threat.
- the second network scangenerates second pings.
- the second pingscomprise infrequent, high accuracy second pings.
- the second pingshave an accuracy greater than or equal to approximately ninety-five percent.
- the second pingshave representative return times of approximately seventeen minutes to approximately twenty-two minutes for a system comprising 256 sub-systems. Block 140 then transfers control to block 150 .
- the IAstores the second network scan results.
- the IAstores the second network scan results in storage.
- the IAstores the second network scan results in a second storage.
- the IAstores the second network scan results in a long term storage.
- the IAstores the second network scan results in memory.
- the IAmay also periodically determine if a new second network scan is needed. If the IA determines that the second network scan is needed, the IA performs the second network scan. For example, the IA monitors one or more of a performance of the system and an accuracy of the second network scan to determine when the IA runs the new second network scan. For example, the IA determines a frequency with which the IA runs the second network scan. Block 150 then transfers control to block 160 .
- the IAruns a port scan of the system, generating port scan results. For example, the IA scans the network to identify one or more of a target, a scan time, and a scan frequency. For example, the IA runs a port scan using one or more of data stored in storage and environment information. For example, the environment information comprises one or more of network utilization information, system resource usage, and other environment information. Block 160 then transfers control to block 170 .
- step 170the IA stores the port scan results. Block 170 then transfers control to block 180 .
- step 180using one or more of the first network scan results and the second network scan results, the IA optimizes the first network scan parameter.
- the IAuses the optimized first network scan parameter in one or more of future first network scans, future second network scans and future port scans. Block 180 then transfers control to block 185 .
- step 185using one or more of the first network scan parameter and the second network scan parameter, the IA configures a vulnerability scan of the system over the network. Block 185 then transfers control to block 190 .
- step 190using one or more of the first network scan parameter, the second network scan parameter, and the port scan results, the IA runs a vulnerability scan of the system, generating vulnerability scan results.
- the step of running the vulnerability scancomprises identifying an at-risk target.
- identifying the at-risk targetcomprises identifying the at-risk target using one or more of pre-set risk determination parameters and risk determination parameters that are calculated on the fly.
- an at-risk targetis defined as a target that is incurring one or more of a potential security risk and an actual security risk.
- the IAidentifies the at-risk target using one or more of pre-set risk determination parameters and risk determination parameters that are calculated on the fly. Block 190 then transfers control to block 195 .
- the IAstores the vulnerability scan results in storage.
- the IAstores an identified at-risk target in the storage for subsequent use, for example, use in later iterations.
- the IAstores service information regarding the at least one at-risk target.
- the service informationcomprises one or more of a port, an application, and a version.
- Block 195then transfers control to block 196 .
- step 196the IA collects at least one of service information and availability knowledge regarding at least one of an available target and an available service. Block 196 then transfers control to block 198 .
- step 198the IA using the at least one of service information and availability knowledge, the IA identifies a needed setting.
- the settingcomprises one or more of a schedule, access, additional port information, a current status, an existing configuration, a new configuration, and another setting.
- Block 198then transfers control to block 199 .
- step 199the IA stores the needed setting.
- the IAstores the needed setting for use in running the vulnerability scanner. Block 199 then terminates the process.
- the methodcomprises an additional step of providing a device configured to perform one or more of tracking traffic and collecting information regarding the traffic.
- FIG. 2is a flowchart of a method 200 for promoting cyber security using intelligent agents over a network.
- the order of the steps in the method 200is not constrained to that shown in FIG. 2 or described in the following discussion. Several of the steps could occur in a different order without affecting the final result.
- an intelligent agentwatches a running software program over a network.
- the IAwatches the running software program to identify in the software one or more of an inefficiency, a deficiency, an incomplete aspect and an error.
- the softwarecomprises security software.
- the softwarecomprises security software configured to protect an enterprise.
- the softwarecomprises security software configured to collect one or more of an alert and additional information about the enterprise. Block 210 then transfers control to block 220 .
- step 220the IA receives results generated by the software.
- the IApresents the results.
- Block 220then transfers control to block 225 .
- the IApresents the results.
- the IApresents the results for usage by a human user.
- the IApresents the results for usage by a human user in one or more of an alert, a web page update, a graph, a database entry, and a report.
- Block 225then transfers control to block 230 .
- step 230the IA categorizes the results for efficient storage and efficient future retrieval. Block 230 then transfers control to block 240 .
- step 240the IA saves the categorized results. Block 240 then transfers control to block 250 .
- step 250using the categorized results, the IA infers new knowledge. Block 250 then transfers control to block 260 .
- step 260the IA categorizes the new knowledge for efficient storage and efficient future retrieval. Block 260 then transfers control to block 270 .
- step 270the IA saves the categorized new knowledge. Block 270 then transfers control to block 280 .
- the IAconfigures the software.
- the IAcollects configuration information from storage.
- the IAruns additional software until required configuration information exists in the storage.
- the configuration informationcomprises one or more of an Internet Protocol (IP) address, login information, a device type, network access information, and other configuration information.
- IPInternet Protocol
- the login informationcomprises one or more of a user name, a password, an access key, and other login information.
- the network access informationcomprises a network configured to access the target.
- the networkcomprises one or more of the Internet, the World-Wide Web (WWW), Secure Shell (SSH), Simple Network Management Protocol (SNMP), command-line interface (CLI), and another network protocol configured to facilitate access to the device.
- Block 280then terminates the process.
- FIG. 3is a flowchart of a method 300 for promoting cyber security using intelligent agents over a network.
- the order of the steps in the method 300is not constrained to that shown in FIG. 3 or described in the following discussion. Several of the steps could occur in a different order without affecting the final result.
- an intelligent agentseeks required configuration information from storage.
- Configuration informationmay be required when a security system is initially built and turned on. Alternatively, or additionally, configuration information may be required upon detection of a software problem.
- the configuration informationcomprises one or more of an Internet Protocol (IP) address, login information, a device type, network access information, and other configuration information.
- IPInternet Protocol
- the login informationcomprises one or more of a user name, a password, an access key, and other login information.
- the network access informationcomprises a network configured to access the target.
- the networkcomprises one or more of the Internet, the World-Wide Web (WWM, Secure Shell (SSH), Simple Network Management Protocol (SNMP), command-line interface (CLI), and another network protocol configured to facilitate access to the device.
- the software problemcan comprise one or more of an inefficiency in running the software and an error in running the software. Block 310 then transfers control to block 320 .
- step 320the IA determines if the required configuration information can be retrieved from storage. If no, the process proceeds to step 330 . If yes, the process proceeds to step 350 .
- step 330the IA identifies a software program. Block 330 then transfers control to block 335 .
- step 335the IA runs the software program. Block 335 then transfers control to block 340 .
- step 340the IA verifies whether the required configuration information has been obtained. If yes, block 340 transfers control to block 350 . If no, block 340 loops back to block 330 .
- step 350the IA re-runs the software program using the required configuration information, generating a result.
- Block 350then transfers control to block 360 .
- step 360the IA reviews the result. Block 360 then transfers control to block 370 .
- step 370the IA determines if the result is acceptable. If yes, step 370 transfers control to step 380 . If no, step 370 loops back to step 330 .
- step 380using the result, the IA generates a result response.
- the result responsecomprises one or more of an alert, a web page update, a graph, a database entry, a report, recommended corrective action on the target, and another result response.
- Block 380then terminates the process.
- the IAwill utilize and make a connection to the system's human user interface.
- the human user interfacecomprises one or more of a Graphical User Interface (GUI), a Command Line Interface (CLI), and another human user interface.
- GUIGraphical User Interface
- CLICommand Line Interface
- the IAwill utilize knowledge that it has learned and stored. From that point, the IA will use its knowledge and understanding of interfaces to process through the interfaces and to interact with the target.
- the IAhas knowledge of various access methods to a target and when the access methods are available (some targets only have a single access method).
- the IAwill determine (1) a target's access methods (if a method has been inaccessible on a target for a period of time), (2) resource allocation of various connection methods and (3) information available with each connection method. There are a few things the IA will be able to do with this information: (1) determine the most likely method to return as much of the information needed by the IA as possible; (2) prioritize the access methods to meet the IA's needs; and (3) if an access method fails, the IA utilizes another access method until all access methods have been exhausted.
- the IAwill be able to utilize investigative and discovery techniques and environment knowledge using its own algorithms and techniques to determine if the target may be unavailable.
- the IAwill utilize appropriate forms and links.
- the IAwill process and comprehend page information using techniques unique to the IA, for example including one or more of Natural Language Parsing and information about computers. This functionality allows for choices made by the IA in going to pages and filling out forms that will provide feedback and information that the IA is trying to gather.
- the IAknows about programs running on various targets.
- the IAknows about various data (configuration, databases, etc) that exist on various targets as part of software that might be installed onto the system.
- the IAknows how to find and read that data.
- the IAknows how to run various commands on the target and has knowledge of software options to generate various kinds of output and various formats of that output.
- the IAknows about how that software runs on a given target (where resources are maxed or when they start affecting the primary mission/purpose of that target).
- the IAknows how to comprehend one or more of the returned errors and limits of the software responses and uses one or more of proprietary algorithms and methods to circumvent those issues.
- the IAwill utilize one or more of other software and other analytics when necessary to conclude events that cannot be fixed.
- the IAwill utilize its knowledge of the human user interface to authenticate where it has login information (username/password, a key, or other known authentication method). The IA will then work the interface as needed to gather and collect information it is seeking. If elevated privileges are granted by the authentication, the IA will utilize the heightened accesses to gain additional information as needed.
- login informationusername/password, a key, or other known authentication method.
- the IAwill then work the interface as needed to gather and collect information it is seeking. If elevated privileges are granted by the authentication, the IA will utilize the heightened accesses to gain additional information as needed.
- the IAruns software in the CLI, forms are utilized in a GUI, or pages in a Web GUI provide English or formatted data designed for a human recipient, the IA will process those results in a number of techniques in order to establish knowledge to the IA and help the IA make decisions.
- FIG. 4is a flowchart of a method 400 for promoting cyber security using intelligent agents and a target over a network.
- the order of the steps in the method 400is not constrained to that shown in FIG. 4 or described in the following discussion. Several of the steps could occur in a different order without affecting the final result.
- an intelligent agentdirects a knowledge base program to scan data comprised in a target.
- the targetcomprises a remote target.
- Block 410then transfers control to block 420 .
- the IAcollects configuration information required to run the target.
- the IAretrieves from storage the configuration information required to run the target.
- the configuration informationcomprises one or more of an Internet Protocol (IP) address, login information, a target type, network access information, and other configuration information.
- IPInternet Protocol
- the login informationcomprises one or more of a user name, a password, an access key, and other login information.
- the network access informationcomprises a network configured to access the target.
- the networkcomprises one or more of the Internet, the World-Wide Web (WWW), Secure Shell (SSH), Simple Network Management Protocol (SNMP), command-line interface (CLI), and another network protocol configured to facilitate access to the target.
- Block 420then transfers control to block 430 .
- step 430the IA uses the configuration information to attempt a connection to the target. For example, the IA attempts a connection to the target in descending order of estimated likelihood of success for the connection method, until a connection succeeds. Block 430 then transfers control to block 440 .
- the IApasses to a human user interface target information regarding the target.
- the human user interfacecomprises one or more of a Graphical User Interface (GUI), a Command Line Interface (CLI), and another human user interface.
- GUIGraphical User Interface
- CLICommand Line Interface
- the GUIcomprises one or more of a hardware-based GUI and a Web GUI.
- the target informationcomprises one or more of a command for the target, an instruction for the target, and a connection method to the target.
- Block 440then transfers control to block 450 .
- step 450using the human user interface, the IA accumulates pertinent knowledge regarding one or more of a connection method and target information. Block 450 then transfers control to block 460 .
- step 460using the human user interface, the IA communicates with the target using the pertinent knowledge. For example, if the connection method is the WWW, using the human user interface, the IA completes an appropriate form request, repeating the process until the IA has no more requests available to make with the target. If the connection method is CLI, then using the human user interface, the IA types in commands on the target. Block 460 then transfers control to block 470 .
- step 470using the human user interface, the IA receives a response to the command from the target. For example, the IA receives the command response by, using the human user interface, gathering a result from the connection to the target. Block 470 then transfers control to block 480 .
- step 480using the human user interface, the IA processes the response, thereby generating a result.
- processingcomprises one or more of interpreting the response, categorizing the response, placing the response into storage, and processing the response in another way.
- Block 480then transfers control to block 490 .
- step 490using the human user interface, the IA transmits the result to the knowledge base program.
- Block 490then transfers control to block 492 .
- step 492using the knowledge base program, the IA processes the result. For example, using a processing block comprised in the knowledge base program, the IA processes the result. For example, using analyzer code, and using the processing block, the IA does one or more of parsing the result, processing the result, formatting the result, and transmitting the result to storage. Block 492 then transfers control to block 494 .
- step 494the IA receives the processed result from the knowledge base program.
- the IAreceives the processed result from a processing block comprised in the knowledge base program.
- Block 494then transfers control to block 495 .
- step 495the IA transmits the processed result to storage. Block 495 then terminates the process.
- the IAwill gain knowledge about historical software runs and performance.
- the IAaccumulates detailed knowledge of how the software operates.
- the detailed knowledgemay comprise resource use data.
- the resourcemay comprise one or more of memory, central processing unit (CPU) usage, disk usage, and another resource.
- the resource use datamay comprise data on use of one or more of resource quantity and the length of time for which a resource is used. Since resource use data is unique to a target, the target will generate unique historical details.
- the IAhas the ability to investigate and to gain knowledge about specifics of the software, even at the binary level.
- the IAuses analytic knowhow to pinpoint various areas of concern in running the software in order to perform one or more of maximizing its usefulness and optimizing use of the target's primary mission.
- the IAknows how to gather help to optimize running software.
- the IAdetects improvements in the software over time.
- the IAwill identify changes to software options when the IA detects one or more of new software versions and changed software versions. It is possible to have multiple versions of the same software on a target, allowing the IA to review one or more of options performance to utilize the best version for a current task assigned to the IA.
- FIG. 5is a flowchart of a method 500 for promoting cyber security using intelligent agents and a target over a network.
- the order of the steps in the method 500is not constrained to that shown in FIG. 5 or described in the following discussion. Several of the steps could occur in a different order without affecting the final result.
- an intelligent agentdirects a knowledge base program to a target.
- the targetcomprises a remote target.
- the knowledge base programscans data comprised in one or more targets.
- the knowledge base programscans data comprised in the target.
- Block 510then transfers control to block 520 .
- the IAcollects configuration information required to run the target.
- the IAcollects the required configuration information from storage.
- the configuration informationcomprises one or more of an Internet Protocol (IP) address, login information, a target type, network access information, and other configuration information.
- IPInternet Protocol
- the login informationcomprises one or more of a user name, a password, an access key, and other login information.
- the network access informationcomprises a list of one or more networks configured to access the target.
- the network access informationcomprises one or more of the World-Wide Web (WWW), Secure Shell (SSH), Simple Network Management Protocol (SNMP), command-line interface (CLI), and another network configured to access a device.
- Block 520then transfers control to block 530 .
- step 530the IA uses the configuration information to attempt a connection to the target. For example, the IA attempts a connection to the target in descending order of estimated likelihood of success for the connection method, until a connection succeeds. Block 530 then transfers control to block 540 .
- the IAuses one or more of a connection method and target information to send a command to the target.
- the target informationcomprises a device type.
- the connection methodis the WWW
- the IAcompletes an appropriate form request, repeating the process until communication is attained with the target.
- the connection methodis command line interface (CLI)
- the IAuses the user interface (UI) to enter a command to the target.
- Block 540then transfers control to block 550 .
- step 550the IA receives from the target a response to the command. Block 550 then transfers control to block 560 .
- step 560the IA processes the response, thereby generating a result.
- processingcomprises one or more of interpreting the response, classifying the response, placing the response into storage, and processing the result in another way.
- Block 560then transfers control to block 570 .
- step 570the IA transmits the result to the knowledge base program.
- Block 570then transfers control to block 580 .
- step 580using the knowledge base program, the IA processes the result. For example, using a processing block comprised in the knowledge base program, the IA processes the result. For example, using analyzer code, and using the processing block, the IA does one or more of parsing the result, processing the result, formatting the result, and transmitting the result to storage. Block 580 then transfers control to block 590 .
- step 590the IA receives the processed result from the knowledge base program.
- the IAreceives the processed result from a processing block comprised in the knowledge base program.
- Block 590then transfers control to block 595 .
- step 595the IA transmits the processed result to storage. Block 595 then terminates the process.
- An enterpriseis defined as a target under control of one or more of an agency, a company and an organization. Examples include one or more of a desktop computer, a notebook computer, a laptop computer, a server, a network, a printer, another Internet Protocol (IP)-connected target, and another enterprise.
- IP-connected targetcan comprise one or more of an Internet Of Things (IoT) device and an Industrial Control System (ICS) device.
- IoTInternet Of Things
- ICSIndustrial Control System
- Vulnerability scanning softwareinteracts with the target to generate proof that a vulnerability is exploitable.
- the vulnerability scanning softwareoften uses methods beyond human capability to generate binary level adjustments to expose unknown vulnerabilities.
- the IAanalyzes criticality of targets and scores the criticality in order to help establish which targets are critical.
- the IAuses target information collected about a target.
- the target informationcomprises one or more of a frequency of changes, a vulnerability history, a target type, a target location, services used by the target, service usages by the target, and other target information.
- target locationcomprises proximity to a network.
- target locationcomprises proximity to a public Internet. Closer proximity to the public Internet generally implies one or more of higher target visibility and increased risk of unauthorized access.
- a target on the edge of the enterprise that is experiencing 20,000 uses per secondmight have a relatively high level of exposure, thereby increasing its critical level.
- the targetcomprises a web server.
- a web server internal to the enterprise that has three internal connections every couple of daysmight have a reduced level of exposure. While both web servers need monitoring and scanning, the former web server needs more frequent deep scanning. The internal web server also would get a deep scanning but not as frequently.
- a web servermight be more static. Therefore, a series of changes would be more suspicious and would increase the level of monitoring more sharply than in the case of a highly dynamic target. Since the highly dynamic target is already watched more closely and changes regularly, fewer suspicions would be raised by the same behavior observed in it compared to a static web server.
- One advantage offered by embodiments of the inventionis the ability for the IA to provide one or more of security monitoring and security defenses that are tailored to one or more of a specific target in the master system and the specific master system as a whole. This advantage is available from embodiments of the invention because, due to requests it receives from entities wishing to access the master system, the IA is constantly obtaining additional information that is unique to one or more of the master system as a whole and the individual target involved.
- the master systemcan comprise an arbitrary number of data-generating devices.
- the data-generating devicecan comprise one or more of a monitoring target, security software, a network monitoring tool, and another data-generating device.
- Security software provided by the IAmay comprise one or more of asset management software, scanning of targets for known vulnerabilities, application scanning for detection of known attack methods, network scanning software, and other security software.
- the network scanning softwarecomprises software configured to explore security weather patterns comprising one or more of a new device, a new service on an existing device, a changed service on an existing device, a change in a traffic pattern to a target, and a change in a traffic pattern from a target. This weather pattern collection differs from current systems in that current systems are sitting on a high traffic gateway.
- small, inexpensive devicesmay be distributed throughout the master system to perform one or more of tracking traffic and collecting information regarding traffic. This includes being able to see traffic between two systems connected by a switch.
- the IAadjusts one or more commands the IA is running to perform one or more of gathering, validating and generating data knowledge.
- This command adjustmentmay comprise one or more of blocking traffic, un-installing software, stopping a process, prohibiting binaries from running, building a temporary target, and diverting traffic to the temporary target.
- the IAmay build a decoy system, the decoy system configured to replicate one or more of the appearance and the operation of the system, which we may call the master system.
- the decoy systemmay use decoy data unrelated to genuine data from the master system.
- the IAmay perform one or more of collecting and observing traffic through the master system. For example, the IA may thereby identify a vulnerability.
- the vulnerabilitycomprises one or more of a new vulnerability, a pattern indicating a vulnerability, a series of communication events indicating a vulnerability, a new attack method, malware, a computer virus, a document comprising a secret, and another vulnerability.
- the IAmay construct the decoy system.
- the decoy systemis configured to mislead an attacker into thinking he has entered into the master system.
- a decoy systemone or more of an operating system, an application, a software version, a patch, and another decoy system parameter is substantially the same as in the master system.
- content of the decoy systemis substantially identical to content of the master system.
- a decoy team collaboration software systemcomprises decoy company documents.
- a decoy billing systemcomprises decoy credit card data that appears to comply with the Payment Card Industry Data Security Standards (PCI-DSS).
- PCI-DSSPayment Card Industry Data Security Standards
- the IAcan create an additional decoy system if the attacker tries to move beyond the first decoy system.
- the IAcan observe the attacker's actions, and if the attacker is successful, can take corrective actions on one or more of the real system and a real network.
- the IAcan do one or more of detect and divert data that may be vulnerable to the attacker.
- the vulnerable datacomprises one or more of a software application, a media, a document, and other vulnerable data.
- the vulnerable mediacomprises one or more of a movie, an audio file, and other vulnerable media.
- the vulnerable, documentcomprises one or more of a word processing document, a spreadsheet, and another vulnerable document.
- the vulnerable datacan be transmitted by one or more of electronic mail, a file transfer, the Internet, and another vulnerable data transmission method.
- the IAdiverts the vulnerability onto a temporary target.
- the temporary targetcomprises a temporary storage.
- the IAprofiles the vulnerable data. Effectively, the IA thereby gathers fingerprint information about the vulnerable data.
- the IAtracks the vulnerable data as it moves through the master system. If the IA later identifies vulnerable data as malicious data, the IA will already have knowledge of all the targets through which the vulnerable data passed.
- the IAinvestigates the data. For example, investigating comprises one or more of virus scanning, binary analysis, text analysis, steganalysis, and other investigating.
- FIG. 6is a flowchart of a method 600 for promoting cyber security using intelligent agents and a target over a network.
- the order of the steps in the method 600is not constrained to that shown in FIG. 6 or described in the following discussion. Several of the steps could occur in a different order without affecting the final result.
- step 610an intelligent agent (IA) observes traffic through a master system. Block 610 then transfers control to block 620 .
- IAintelligent agent
- step 620the IA identifies a vulnerability. Block 620 then transfers control to block 630 .
- step 630the IA diverts the vulnerability onto a temporary target. Block 630 then transfers control to block 640 .
- step 640the IA constructs a decoy system configured to replicate one or more of the appearance and the operation of the master system. Block 640 then transfers control to block 650 .
- step 650the IA launches the decoy system. Block 650 then terminates the process.
- FIG. 7is a flowchart of a method 700 for promoting cyber security using intelligent agents and a target over a network.
- the order of the steps in the method 700is not constrained to that shown in FIG. 7 or described in the following discussion. Several of the steps could occur in a different order without affecting the final result.
- step 710an intelligent agent (IA) observes traffic through a master system.
- Block 710then transfers control to block 720 .
- step 720the IA identifies a vulnerability. Block 720 then transfers control to block 730 .
- step 730the IA diverts the vulnerability onto a temporary target. Block 730 then transfers control to block 740 .
- step 740the IA tracks the vulnerability as it moves through the master system. Block 740 then transfers control to block 750 .
- step 750the IA investigates the vulnerability, generating investigation results.
- Block 750then transfers control to block 753 .
- step 753the IA reports the investigation results to the master system.
- Block 753then transfers control to block 755 .
- step 755the IA stores the investigation results. Block 755 then transfers control to block 770 .
- step 770the IA constructs a decoy system configured to replicate one or more of the appearance and the operation of the master system. Block 770 then transfers control to block 780 .
- step 780the IA launches the decoy system.
- Block 780then transfers control to block 790 .
- step 790the IA reviews effectiveness of the decoy system in promoting safety of the master system. Block 790 then terminates the process.
- network scanningdetects a new service in a target.
- the IAcreates an alert to a person to require human authorization of the service.
- the IAaddresses the suspicious network behavior.
- the IAperforms enhanced network monitoring to do one or more of categorize, classify and identify the traffic. Commonly the IA performs this in ways that cannot be replicated by humans.
- the IAincreases one or more of vulnerability scanning and network scanning that targets the host of the suspicious traffic. This can be done using one or more of software designed to expose Cross-Site-Scripting (CXX), database injections, and remote command execution.
- CXXCross-Site-Scripting
- asset informationindicates a change in a target.
- the IAcreates an alert to a person to require human authorization of the change.
- the IAinvestigates the changes.
- the IAgenerates network scanning to analyze one or more of traffic to the target and traffic from the target. Commonly the IA performs this in ways that cannot be replicated by humans.
- the IAcan initiate additional processing directly on the target. The additional processing may continue until the behavior has been identified as not a threat. The additional processing may continue until the behavior has been one or more of authorized by the IA, authorized by the human, and corrected.
- the IAcan leverage neural-network (NN) technology.
- NNneural-network
- the IAcan create an NN.
- the IAwill generate training data and correct the NN as desired.
- the IAwill analyze the NN in ways a human cannot, in order to provide efficient, fast results. These results are then used by the IA to make decisions.
- the NNcan be generated new when needed, or one or more of NN structure and NN information can be stored for later retrieval and use.
- the IAcan classify the NN for later use.
- the IAcan study one or more of an NN's design and an NN's function to improve one or more of the NN and results.
- the IAmaintains knowledge of one or more of the various NN's it has and their performance in order to do one or more of creating better future NN's and enhancing the current NN's that the IA has in memory.
- the IAwill use Elasticsearch, Logstash, and Kibana (ELK) for one or more of processing of events and logging data.
- ELKKibana
- the IAuses stored ELK data when constructing an NN for a needed decision.
- the IAbuilds the NN based on one or more of what needs to be analyzed and the security controls to be implemented.
- the IAdoes one or more of creating blocks, adjusting blocks, and applying security controls to components in the master system.
- the IAimplements one or more of a firewall rule, a spam rule for electronic mail, and another rule.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
Description
- The present application claims the priority benefit of U.S. provisional patent application No. 62/193,486 filed Jul. 16, 2015 and entitled “Cyber Security System and Method Using Intelligent Agents,” the disclosure of which is incorporated herein by reference.
- Embodiments of the invention relate in general to a cyber security system and method using intelligent agents. More specifically, embodiments of the invention relate to one or more of an offensive cyber security system and method using intelligent agents and a defensive cyber security system and method using intelligent agents. A cyber security method using intelligent agents (IAs) includes: a) setting up, by the IA, a first network scan of a system over a network; b) running, by the IA, using a first network scan parameter, the first network scan, generating first network scan results; c) storing, by the IA, the first network scan results; d) running, by the IA, using a second network scan parameter, a second network scan of the system over the network, generating second network scan results; e) storing, by the IA, the second network scan results; f) running a port scan of the system, by the IA, generating port scan results; g) storing, by the IA, the port scan results in storage; h) using one or more of the first network scan results and the second network scan results, by the IA, optimizing the first network scan parameter; i) using one or more of the first network scan parameter and the second network scan parameter, configuring, by the IA, a vulnerability scan of the system over the network; j) using one or more of the first network scan parameter, the second network scan parameter, and the port scan results, running the vulnerability scan of the system, generating vulnerability scan results; k) storing, by the IA, the vulnerability scan results; I) collecting, by the IA, at least one of service information and availability knowledge regarding at least one of an available target and an available service; m) using the at least one of service information and availability knowledge, by the IA, identifying a needed setting; and n) storing, by the IA, the needed setting.
- A cyber security method using intelligent agents (IAs) includes: watching, by the IA, over a network, a software program running on a system; receiving, by the IA, results generated by the software; presenting, by the IA, the results; categorizing the results, by the IA, for efficient storage and efficient future retrieval; saving, by the IA, the categorized results; using the categorized results, by the IA, inferring new knowledge; categorizing the new knowledge, by the IA, for efficient storage and efficient future retrieval; saving, by the IA, the categorized new knowledge; and using one or more of the saved categorized results and the saved categorized new knowledge, by the IA, configuring the software.
- A cyber security method using intelligent agents (IAs) includes: seeking, by the IA, required configuration information from storage; determining, by the IA, that the required configuration information cannot be retrieved from storage; identifying, by the IA, a software program; running, by the IA, the software program; verifying, by the IA, that the required configuration information has been obtained; re-running the software program, by the IA, using the required configuration information, generating a result; reviewing the result, by the IA; determining, by the IA, that the result is acceptable; and using the result, by the IA, generating a result response.
- A cyber security method using intelligent agents (IAs) includes: after initial setup, directing, by the IA, a knowledge base program to scan data comprised in a target; collecting, by the IA, configuration information required to run the target; using the configuration information, by the IA, attempting a connection to the target; passing, by the IA, to a human user interface target information regarding the target; using the human user interface, by the IA, accumulating pertinent knowledge regarding one or more of a connection method and target information; using the human user interface, by the IA, communicating with the target using the pertinent knowledge; using the human user interface, receiving, by the IA, a response to the command from the target; processing the response, by the IA, thereby generating a result; transmitting, by the IA, the result to the knowledge base program; using the knowledge base program, by the IA, processing the result; receiving the processed result, by the IA, from the knowledge base program; and transmitting, by the IA, the processed result to storage.
- A cyber security method using intelligent agents (IAs) includes: after initial setup, directing, by the IA, a knowledge base program to scan data comprised in a target; collecting, by the IA, configuration information required to run the target; using the configuration information, by the IA, attempting a connection to the target; using one or more of a connection method and target information regarding the target, sending, by the IA, a command to the target; receiving, by the IA, a response to the command from the target; processing the response, by the IA, thereby generating a result; transmitting, by the IA, the result to the knowledge base program; using the knowledge base program, by the IA, processing the result; receiving the processed result, by the IA, from the knowledge base program; and transmitting, by the IA, the processed result to storage.
- A cyber security method using intelligent agents (IAs) includes: observing, by the IA, traffic through a master system; identifying, by the IA, a vulnerability; diverting, by the IA, the vulnerability onto a temporary target; constructing, by the IA, a decoy system configured to replicate one or more of the appearance and the operation of the master system; and launching, by the IA, the decoy system.
- A cyber security method using intelligent agents (IAs) includes: observing, by the IA, traffic through a master system; identifying, by the IA, a vulnerability; diverting, by the IA, the vulnerability onto a temporary target; tracking the vulnerability as it moves through the master system; investigating the vulnerability, generating investigation results; reporting the investigation results to the master system; storing the investigation results; constructing, by the IA, a decoy system configured to replicate one or more of the appearance and the operation of the master system; launching, by the IA, the decoy system; and reviewing, by the IA, effectiveness of the decoy system in promoting safety of the master system.
FIG. 1 is a flowchart of a method for promoting cyber security using intelligent agents (IAs) over a network.FIG. 2 is a flowchart of a method for promoting cyber security using intelligent agents (IAs) over a network.FIG. 3 is a flowchart of a method for promoting cyber security using intelligent agents (IAs) over a network.FIG. 4 is a flowchart of a method for promoting cyber security using intelligent agents (IAs) and a target over a network.FIG. 5 is a flowchart of a method for promoting cyber security using intelligent agents (IAs) and a target over a network.FIG. 6 is a flowchart of a method for promoting cyber security using intelligent agents (IAs) and a target over a network.FIG. 7 is a flowchart of a method for promoting cyber security using intelligent agents (IAs) and a target over a network.- While the present invention is susceptible of embodiment in many different forms, there is shown in the drawings and will herein be described in detail one or more specific embodiments, with the understanding that the present disclosure is to be considered as exemplary of the principles of the invention and not intended to limit the invention to the specific embodiments shown and described. In the following description and in the several figures of the drawings, like reference numerals are used to describe the same, similar or corresponding parts in the several views of the drawings.
- The cyber security system and method using intelligent agents (IAs) includes a plurality of components such as one or more of electronic components, hardware components, and computer software components. A number of such components can be combined or divided in the system. An example component of the system includes a set and/or series of computer instructions written in or implemented with any of a number of programming languages, as will be appreciated by those skilled in the art.
- The system in one example employs one or more computer-readable signal-bearing media. The computer-readable signal bearing media store software, firmware and/or assembly language for performing one or more portions of one or more implementations of the invention. The computer-readable signal-bearing medium for the system in one example comprises one or more of a magnetic, electrical, optical, biological, and atomic data storage medium. For example, the computer-readable signal-bearing medium comprises floppy disks, magnetic tapes, CD-ROMs, DVD-ROMs, hard disk drives, downloadable files, files executable “in the cloud,” and electronic memory.
- Embodiments of the invention relate in general to a cyber security system and method using intelligent agents (IAs). More specifically, embodiments of the invention relate to one or more of an offensive cyber security system and method using IAs, a defensive cyber security system and method using IAs, and a system and method for tuning security software using IAs.
- According to embodiments of the invention, an IA performs one or more of combatting and limiting exposure of a device to one or more of a hacker and a breach. According to further embodiments of the invention, the device belongs to one or more systems. According to yet other embodiments of the invention, the device belongs to one or more systems connected by Internet Protocol (IP). According to other embodiments of the invention, the device belongs to one or more systems connected by Industrial Control Systems (ICS). According to further embodiments of the invention, the device belongs to the Internet of Things (IoT). According to additional embodiments of the invention, the IA detects one or more of a change made by the hacker and a configuration error.
- For example, the IA connects to the device over the network. For example, the IA logs into the device via one or more of a command shell, a web interface, and a IP port. For example, the IA performs one or more of communicating with the device and exchanging data with the device. For example, the IA thereby extracts information regarding one or more of the device and the device's functionality. For example, the IA can later use the extracted information in one or more security assessments.
- For example, the IA assesses knowledge comprising one or more of a connection method, a measure of success of the connection, a quantity of information returned from the device using the connection method, and a type of information returned from the device using the connection method. For example, the type of information may comprise one or more of data, intelligence, and another type of information. The IA stores the knowledge. For example, the IA stores the knowledge locally. For example, the IA stores the knowledge locally in long-term storage (LTS). For example, the IA stores the knowledge remotely.
- For example, the IA assesses and stores the knowledge to enable the IA to respond to one or more of failures, errors, and other types of non-optimum functioning. The IA continually assesses and stores additional knowledge to accomplish one or more of correcting errors and updating existing knowledge.
- For example, the IA uses the knowledge to accomplish one or more of connecting to a device and correcting an error. For example, the IA uses the knowledge to connect to a target. For example, the target comprises one or more of a target device, a target sub-system, a target port, and another target. For example, the IA uses the knowledge to correct an error while performing one or more of maintaining a connection, optimizing a connection, and minimizing duplicated knowledge. For example, the IA uses the knowledge to correct an error while approximately simultaneously performing one or more of maintaining a connection, optimizing a connection, and minimizing duplicated knowledge.
- For example, the IA connects to the target. For example, the IA initiates a command. For example, the IA uses the knowledge to initiate a command. For example, initiating the command comprises typing one or more characters in one or more of a keyboard and another input device. For example, initiating the command comprises answering one or more questions in a form. For example, initiating the command comprises answering one or more questions in an Internet form. For example, initiating the command comprises participating in an interactive session with a human. For example, the target comprises a human-IA interface configured to facilitate an interactive session between a human and the IA. For example, initiating the command comprises participating in the interactive session with the human using the human-IA interface.
- For example, the IA investigates the network to acquire knowledge regarding one or more of the target and a service running on the target. For example, the IA stores the acquired knowledge. For example, the IA stores the acquired knowledge in LTS. For example, using the knowledge, the IA performs one or more of identifying a new system, identifying a change in an exiting system, and appropriately configuring a test of system vulnerability. For example, using the knowledge, the IA configures a test of system vulnerability. For example, using the knowledge, the IA appropriately configures software to test system vulnerability.
- For example, the IA collects knowledge about the target to help intelligently schedule testing when the target will be least impacted. For example, the IA periodically checks on the target to ensure that the current configurations of the target are up to date. For example, the IA identifies a new service provided by the target. For example, the IA updates the configuration of the vulnerability scanning software to account for the new service.
- For example, the IA uses a method that provides the most detailed knowledge about a desired data set. For example, the IA collects additional knowledge. For example, the IA processes the collected knowledge in order to perform one or more of configuring knowledge collection software and correcting errors in the knowledge collection software.
FIG. 1 is a flowchart of amethod 100 for promoting cyber security using intelligent agents over a network. The order of the steps in themethod 100 is not constrained to that shown inFIG. 1 or described in the following discussion. Several of the steps could occur in a different order without affecting the final result.- In
step 110, an intelligent agent (IA) sets up a first network scan of a system over a network. For example, setting up the first network scan comprises setting a first network scan parameter. For example, the first network scan parameter comprises one or more of a scan frequency, a scan wait time, a blast rate, and another network scan parameter. The scan frequency is defined as the elapsed time over which the IA scans the system. The scan wait time is defined as the time for which the IA awaits a response from a scanned target before assume that the target is not active. A non-active system may be one or more of not present, turned off, and otherwise non-active. Blast rate is defined as a number of targets the IA processes in parallel. Block 110 then transfers control to block120.- In
step 120, using a first network scan parameter, the IA runs the first network scan of the system over the network, generating first network scan results. For example, running the first network scan comprises continually running the first network scan. For example, running the first network scan comprises continually running the first network scan in the background. For example, the network comprises one or more of the Internet, the World-Wide Web (WWW), Secure Shell (SSH), Simple Network Management Protocol (SNMP), command-line interface (CLI), and another network protocol configured to facilitate access to the system. - For example, the first network scan comprises one or more of an active scan of the network, a ping networking utility, a network mapping (NMAP) security scanner, and another first network scan. For example, the IA uses the first network scan results to accomplish one or more of maximizing a success rate, minimizing a scan time, minimizing a scan frequency, improving efficiency of scanning, and increasing scan frequency. For example, the first network scan determines a presence of a new system. For example, the first network scan determines an absence of an existing system.
- For example, the first network scan generates first pings. For example, the first pings comprise frequent, multiple, low accuracy first pings. For example, the first pings have representative return times of approximately thirty seconds to approximately sixty seconds. For example, the first pings have representative return times of approximately thirty seconds to approximately sixty seconds for a system comprising 256 sub-systems. For example, the first pings have an accuracy between approximately eighty percent and approximately 95 percent.
Block 120 then transfers control to block130. - In
step 130, the IA stores the first network scan results. For example, the IA stores the first network scan results in storage. For example, the IA stores the first network scan results in a long term storage. For example, the IA stores the first network scan results in memory.Block 130 then transfers control to block140. - In
step 140, using a second network scan parameter, the IA runs a second network scan over the network, generating second network scan results. For example, the step of running the second network scan comprises accessing the second network scan on an operating system of the system. - For example, the second network scan comprises one or more of an active scan of the network, a ping networking utility, an NMAP security scanner, and another second network scan. For example, the second network scan determines a presence or absence of a new system
- For example, the second network scan results have an accuracy of at least approximately ninety-five percent. The IA uses the highly accurate second network scan results in order to set the first network scan parameter for successfully future runs of the first network scan.
- For example, the second network scan parameter comprises one or more of a number of target checks, a size of data being sent, and another second network scan parameter. For example, the second network scan determines details of a detected security threat.
- For example, the second network scan generates second pings. For example, the second pings comprise infrequent, high accuracy second pings. For example, the second pings have an accuracy greater than or equal to approximately ninety-five percent. For example, the second pings have representative return times of approximately seventeen minutes to approximately twenty-two minutes for a system comprising 256 sub-systems.
Block 140 then transfers control to block150. - In
step 150, the IA stores the second network scan results. For example, the IA stores the second network scan results in storage. For example, the IA stores the second network scan results in a second storage. For example, the IA stores the second network scan results in a long term storage. For example, the IA stores the second network scan results in memory. - The IA may also periodically determine if a new second network scan is needed. If the IA determines that the second network scan is needed, the IA performs the second network scan. For example, the IA monitors one or more of a performance of the system and an accuracy of the second network scan to determine when the IA runs the new second network scan. For example, the IA determines a frequency with which the IA runs the second network scan.
Block 150 then transfers control to block160. - In
step 160, the IA runs a port scan of the system, generating port scan results. For example, the IA scans the network to identify one or more of a target, a scan time, and a scan frequency. For example, the IA runs a port scan using one or more of data stored in storage and environment information. For example, the environment information comprises one or more of network utilization information, system resource usage, and other environment information.Block 160 then transfers control to block170. - In
step 170, the IA stores the port scan results.Block 170 then transfers control to block180. - In
step 180, using one or more of the first network scan results and the second network scan results, the IA optimizes the first network scan parameter. The IA uses the optimized first network scan parameter in one or more of future first network scans, future second network scans and future port scans.Block 180 then transfers control to block185. - In
step 185, using one or more of the first network scan parameter and the second network scan parameter, the IA configures a vulnerability scan of the system over the network.Block 185 then transfers control to block190. - In
step 190, using one or more of the first network scan parameter, the second network scan parameter, and the port scan results, the IA runs a vulnerability scan of the system, generating vulnerability scan results. For example, the step of running the vulnerability scan comprises identifying an at-risk target. For example, identifying the at-risk target comprises identifying the at-risk target using one or more of pre-set risk determination parameters and risk determination parameters that are calculated on the fly. - For example, an at-risk target is defined as a target that is incurring one or more of a potential security risk and an actual security risk. Via the vulnerability scan, the IA identifies the at-risk target using one or more of pre-set risk determination parameters and risk determination parameters that are calculated on the fly.
Block 190 then transfers control to block195. - In
step 195, the IA stores the vulnerability scan results in storage. For example, the IA stores an identified at-risk target in the storage for subsequent use, for example, use in later iterations. For example, for at least one at-risk target, the IA stores service information regarding the at least one at-risk target. For example, the service information comprises one or more of a port, an application, and a version.Block 195 then transfers control to block196. - In
step 196, the IA collects at least one of service information and availability knowledge regarding at least one of an available target and an available service.Block 196 then transfers control to block198. - In
step 198, the IA using the at least one of service information and availability knowledge, the IA identifies a needed setting. For example, the setting comprises one or more of a schedule, access, additional port information, a current status, an existing configuration, a new configuration, and another setting.Block 198 then transfers control to block199. - In
step 199, the IA stores the needed setting. For example, the IA stores the needed setting for use in running the vulnerability scanner.Block 199 then terminates the process. - For example, the method comprises an additional step of providing a device configured to perform one or more of tracking traffic and collecting information regarding the traffic.
FIG. 2 is a flowchart of amethod 200 for promoting cyber security using intelligent agents over a network. The order of the steps in themethod 200 is not constrained to that shown inFIG. 2 or described in the following discussion. Several of the steps could occur in a different order without affecting the final result.- In
step 210, after initial setup, an intelligent agent (IA) watches a running software program over a network. For example, the IA watches the running software program to identify in the software one or more of an inefficiency, a deficiency, an incomplete aspect and an error. For example, the software comprises security software. For example, the software comprises security software configured to protect an enterprise. For example, the software comprises security software configured to collect one or more of an alert and additional information about the enterprise.Block 210 then transfers control to block220. - In
step 220, the IA receives results generated by the software. The IA presents the results.Block 220 then transfers control to block225. - In
step 225, the IA presents the results. For example, the IA presents the results for usage by a human user. For example, the IA presents the results for usage by a human user in one or more of an alert, a web page update, a graph, a database entry, and a report.Block 225 then transfers control to block230. - In
step 230, the IA categorizes the results for efficient storage and efficient future retrieval.Block 230 then transfers control to block240. - In
step 240, the IA saves the categorized results.Block 240 then transfers control to block250. - In
step 250, using the categorized results, the IA infers new knowledge.Block 250 then transfers control to block260. - In
step 260, the IA categorizes the new knowledge for efficient storage and efficient future retrieval.Block 260 then transfers control to block270. - In
step 270, the IA saves the categorized new knowledge.Block 270 then transfers control to block280. - In
step 280, using one or more of the saved results and the saved new knowledge, the IA configures the software. For example, the IA collects configuration information from storage. For example, the IA runs additional software until required configuration information exists in the storage. For example, the configuration information comprises one or more of an Internet Protocol (IP) address, login information, a device type, network access information, and other configuration information. For example, the login information comprises one or more of a user name, a password, an access key, and other login information. For example, the network access information comprises a network configured to access the target. For example, the network comprises one or more of the Internet, the World-Wide Web (WWW), Secure Shell (SSH), Simple Network Management Protocol (SNMP), command-line interface (CLI), and another network protocol configured to facilitate access to the device.Block 280 then terminates the process. FIG. 3 is a flowchart of amethod 300 for promoting cyber security using intelligent agents over a network. The order of the steps in themethod 300 is not constrained to that shown inFIG. 3 or described in the following discussion. Several of the steps could occur in a different order without affecting the final result.- In
step 310, an intelligent agent (IA) seeks required configuration information from storage. Configuration information may be required when a security system is initially built and turned on. Alternatively, or additionally, configuration information may be required upon detection of a software problem. For example, the configuration information comprises one or more of an Internet Protocol (IP) address, login information, a device type, network access information, and other configuration information. For example, the login information comprises one or more of a user name, a password, an access key, and other login information. For example, the network access information comprises a network configured to access the target. For example, the network comprises one or more of the Internet, the World-Wide Web (WWM, Secure Shell (SSH), Simple Network Management Protocol (SNMP), command-line interface (CLI), and another network protocol configured to facilitate access to the device. The software problem can comprise one or more of an inefficiency in running the software and an error in running the software.Block 310 then transfers control to block320. - In
step 320, the IA determines if the required configuration information can be retrieved from storage. If no, the process proceeds to step330. If yes, the process proceeds to step350. - In
step 330, the IA identifies a software program.Block 330 then transfers control to block335. - In
step 335, the IA runs the software program.Block 335 then transfers control to block340. - In
step 340, the IA verifies whether the required configuration information has been obtained. If yes, block340 transfers control to block350. If no, block340 loops back to block330. - In
step 350, the IA re-runs the software program using the required configuration information, generating a result.Block 350 then transfers control to block360. - In
step 360, the IA reviews the result.Block 360 then transfers control to block370. - In
step 370, the IA determines if the result is acceptable. If yes, step370 transfers control to step380. If no, step370 loops back tostep 330. - In
step 380, using the result, the IA generates a result response. For example, the result response comprises one or more of an alert, a web page update, a graph, a database entry, a report, recommended corrective action on the target, and another result response.Block 380 then terminates the process. - The IA will utilize and make a connection to the system's human user interface. For example, the human user interface comprises one or more of a Graphical User Interface (GUI), a Command Line Interface (CLI), and another human user interface. The IA will utilize knowledge that it has learned and stored. From that point, the IA will use its knowledge and understanding of interfaces to process through the interfaces and to interact with the target.
- The IA has knowledge of various access methods to a target and when the access methods are available (some targets only have a single access method). The IA will determine (1) a target's access methods (if a method has been inaccessible on a target for a period of time), (2) resource allocation of various connection methods and (3) information available with each connection method. There are a few things the IA will be able to do with this information: (1) determine the most likely method to return as much of the information needed by the IA as possible; (2) prioritize the access methods to meet the IA's needs; and (3) if an access method fails, the IA utilizes another access method until all access methods have been exhausted.
- The IA will be able to utilize investigative and discovery techniques and environment knowledge using its own algorithms and techniques to determine if the target may be unavailable.
- For example, it could be that a Wireless Access Point provides only a Web GUI. In such a case, the IA will utilize appropriate forms and links. The IA will process and comprehend page information using techniques unique to the IA, for example including one or more of Natural Language Parsing and information about computers. This functionality allows for choices made by the IA in going to pages and filling out forms that will provide feedback and information that the IA is trying to gather.
- For example, the IA knows about programs running on various targets. The IA knows about various data (configuration, databases, etc) that exist on various targets as part of software that might be installed onto the system. The IA knows how to find and read that data. The IA knows how to run various commands on the target and has knowledge of software options to generate various kinds of output and various formats of that output. The IA knows about how that software runs on a given target (where resources are maxed or when they start affecting the primary mission/purpose of that target). The IA knows how to comprehend one or more of the returned errors and limits of the software responses and uses one or more of proprietary algorithms and methods to circumvent those issues. The IA will utilize one or more of other software and other analytics when necessary to conclude events that cannot be fixed.
- The IA will utilize its knowledge of the human user interface to authenticate where it has login information (username/password, a key, or other known authentication method). The IA will then work the interface as needed to gather and collect information it is seeking. If elevated privileges are granted by the authentication, the IA will utilize the heightened accesses to gain additional information as needed.
- As the IA runs software in the CLI, forms are utilized in a GUI, or pages in a Web GUI provide English or formatted data designed for a human recipient, the IA will process those results in a number of techniques in order to establish knowledge to the IA and help the IA make decisions.
FIG. 4 is a flowchart of amethod 400 for promoting cyber security using intelligent agents and a target over a network. The order of the steps in themethod 400 is not constrained to that shown inFIG. 4 or described in the following discussion. Several of the steps could occur in a different order without affecting the final result.- In
step 410, after initial setup, an intelligent agent (IA) directs a knowledge base program to scan data comprised in a target. For example, the target comprises a remote target.Block 410 then transfers control to block420. - In
step 420, the IA collects configuration information required to run the target. For example, the IA retrieves from storage the configuration information required to run the target. For example, the configuration information comprises one or more of an Internet Protocol (IP) address, login information, a target type, network access information, and other configuration information. For example, the login information comprises one or more of a user name, a password, an access key, and other login information. For example, the network access information comprises a network configured to access the target. For example, the network comprises one or more of the Internet, the World-Wide Web (WWW), Secure Shell (SSH), Simple Network Management Protocol (SNMP), command-line interface (CLI), and another network protocol configured to facilitate access to the target.Block 420 then transfers control to block430. - In
step 430, the IA uses the configuration information to attempt a connection to the target. For example, the IA attempts a connection to the target in descending order of estimated likelihood of success for the connection method, until a connection succeeds.Block 430 then transfers control to block440. - In
step 440, the IA passes to a human user interface target information regarding the target. For example, the human user interface comprises one or more of a Graphical User Interface (GUI), a Command Line Interface (CLI), and another human user interface. For example, the GUI comprises one or more of a hardware-based GUI and a Web GUI. For example, the target information comprises one or more of a command for the target, an instruction for the target, and a connection method to the target.Block 440 then transfers control to block450. - In
step 450, using the human user interface, the IA accumulates pertinent knowledge regarding one or more of a connection method and target information.Block 450 then transfers control to block460. - In
step 460, using the human user interface, the IA communicates with the target using the pertinent knowledge. For example, if the connection method is the WWW, using the human user interface, the IA completes an appropriate form request, repeating the process until the IA has no more requests available to make with the target. If the connection method is CLI, then using the human user interface, the IA types in commands on the target.Block 460 then transfers control to block470. - In
step 470, using the human user interface, the IA receives a response to the command from the target. For example, the IA receives the command response by, using the human user interface, gathering a result from the connection to the target.Block 470 then transfers control to block480. - In
step 480, using the human user interface, the IA processes the response, thereby generating a result. For example, processing comprises one or more of interpreting the response, categorizing the response, placing the response into storage, and processing the response in another way.Block 480 then transfers control to block490. - In
step 490, using the human user interface, the IA transmits the result to the knowledge base program.Block 490 then transfers control to block492. - In
step 492, using the knowledge base program, the IA processes the result. For example, using a processing block comprised in the knowledge base program, the IA processes the result. For example, using analyzer code, and using the processing block, the IA does one or more of parsing the result, processing the result, formatting the result, and transmitting the result to storage.Block 492 then transfers control to block494. - In
step 494, the IA receives the processed result from the knowledge base program. For example, the IA receives the processed result from a processing block comprised in the knowledge base program.Block 494 then transfers control to block495. - In
step 495, the IA transmits the processed result to storage.Block 495 then terminates the process. - The IA will gain knowledge about historical software runs and performance. The IA accumulates detailed knowledge of how the software operates. The detailed knowledge may comprise resource use data. The resource may comprise one or more of memory, central processing unit (CPU) usage, disk usage, and another resource. The resource use data may comprise data on use of one or more of resource quantity and the length of time for which a resource is used. Since resource use data is unique to a target, the target will generate unique historical details. The IA has the ability to investigate and to gain knowledge about specifics of the software, even at the binary level. The IA uses analytic knowhow to pinpoint various areas of concern in running the software in order to perform one or more of maximizing its usefulness and optimizing use of the target's primary mission.
- The IA knows how to gather help to optimize running software. The IA detects improvements in the software over time. The IA will identify changes to software options when the IA detects one or more of new software versions and changed software versions. It is possible to have multiple versions of the same software on a target, allowing the IA to review one or more of options performance to utilize the best version for a current task assigned to the IA.
FIG. 5 is a flowchart of amethod 500 for promoting cyber security using intelligent agents and a target over a network. The order of the steps in themethod 500 is not constrained to that shown inFIG. 5 or described in the following discussion. Several of the steps could occur in a different order without affecting the final result.- In
step 510, after initial setup, an intelligent agent (IA) directs a knowledge base program to a target. For example, the target comprises a remote target. The knowledge base program scans data comprised in one or more targets. For example, the knowledge base program scans data comprised in the target.Block 510 then transfers control to block520. - In
step 520, the IA collects configuration information required to run the target. For example, the IA collects the required configuration information from storage. For example, the configuration information comprises one or more of an Internet Protocol (IP) address, login information, a target type, network access information, and other configuration information. For example, the login information comprises one or more of a user name, a password, an access key, and other login information. For example, the network access information comprises a list of one or more networks configured to access the target. For example, the network access information comprises one or more of the World-Wide Web (WWW), Secure Shell (SSH), Simple Network Management Protocol (SNMP), command-line interface (CLI), and another network configured to access a device.Block 520 then transfers control to block530. - In
step 530, the IA uses the configuration information to attempt a connection to the target. For example, the IA attempts a connection to the target in descending order of estimated likelihood of success for the connection method, until a connection succeeds.Block 530 then transfers control to block540. - In
step 540, the IA uses one or more of a connection method and target information to send a command to the target. For example, the target information comprises a device type. For example, if the connection method is the WWW, the IA completes an appropriate form request, repeating the process until communication is attained with the target. If the connection method is command line interface (CLI), then the IA uses the user interface (UI) to enter a command to the target.Block 540 then transfers control to block550. - In
step 550, the IA receives from the target a response to the command.Block 550 then transfers control to block560. - In
step 560, the IA processes the response, thereby generating a result. For example, processing comprises one or more of interpreting the response, classifying the response, placing the response into storage, and processing the result in another way.Block 560 then transfers control to block570. - In
step 570, the IA transmits the result to the knowledge base program.Block 570 then transfers control to block580. - In
step 580, using the knowledge base program, the IA processes the result. For example, using a processing block comprised in the knowledge base program, the IA processes the result. For example, using analyzer code, and using the processing block, the IA does one or more of parsing the result, processing the result, formatting the result, and transmitting the result to storage.Block 580 then transfers control to block590. - In
step 590, the IA receives the processed result from the knowledge base program. For example, the IA receives the processed result from a processing block comprised in the knowledge base program.Block 590 then transfers control to block595. - In
step 595, the IA transmits the processed result to storage.Block 595 then terminates the process. - An enterprise is defined as a target under control of one or more of an agency, a company and an organization. Examples include one or more of a desktop computer, a notebook computer, a laptop computer, a server, a network, a printer, another Internet Protocol (IP)-connected target, and another enterprise. An IP-connected target can comprise one or more of an Internet Of Things (IoT) device and an Industrial Control System (ICS) device.
- Vulnerability scanning software interacts with the target to generate proof that a vulnerability is exploitable. The vulnerability scanning software often uses methods beyond human capability to generate binary level adjustments to expose unknown vulnerabilities.
- According to embodiments of the invention, the IA analyzes criticality of targets and scores the criticality in order to help establish which targets are critical. To perform the criticality scoring, the IA uses target information collected about a target. For example, the target information comprises one or more of a frequency of changes, a vulnerability history, a target type, a target location, services used by the target, service usages by the target, and other target information. For example, target location comprises proximity to a network. For example, target location comprises proximity to a public Internet. Closer proximity to the public Internet generally implies one or more of higher target visibility and increased risk of unauthorized access.
- For example, a target on the edge of the enterprise that is experiencing 20,000 uses per second might have a relatively high level of exposure, thereby increasing its critical level. For example, the target comprises a web server. A web server internal to the enterprise that has three internal connections every couple of days might have a reduced level of exposure. While both web servers need monitoring and scanning, the former web server needs more frequent deep scanning. The internal web server also would get a deep scanning but not as frequently. At the same time, a web server might be more static. Therefore, a series of changes would be more suspicious and would increase the level of monitoring more sharply than in the case of a highly dynamic target. Since the highly dynamic target is already watched more closely and changes regularly, fewer suspicions would be raised by the same behavior observed in it compared to a static web server.
- One advantage offered by embodiments of the invention is the ability for the IA to provide one or more of security monitoring and security defenses that are tailored to one or more of a specific target in the master system and the specific master system as a whole. This advantage is available from embodiments of the invention because, due to requests it receives from entities wishing to access the master system, the IA is constantly obtaining additional information that is unique to one or more of the master system as a whole and the individual target involved.
- The master system can comprise an arbitrary number of data-generating devices. The data-generating device can comprise one or more of a monitoring target, security software, a network monitoring tool, and another data-generating device. Security software provided by the IA may comprise one or more of asset management software, scanning of targets for known vulnerabilities, application scanning for detection of known attack methods, network scanning software, and other security software. The network scanning software comprises software configured to explore security weather patterns comprising one or more of a new device, a new service on an existing device, a changed service on an existing device, a change in a traffic pattern to a target, and a change in a traffic pattern from a target. This weather pattern collection differs from current systems in that current systems are sitting on a high traffic gateway. According to embodiments of the invention, small, inexpensive devices may be distributed throughout the master system to perform one or more of tracking traffic and collecting information regarding traffic. This includes being able to see traffic between two systems connected by a switch.
- Utilizing one or more of inbound information, algorithms, and methods, the IA adjusts one or more commands the IA is running to perform one or more of gathering, validating and generating data knowledge. This command adjustment may comprise one or more of blocking traffic, un-installing software, stopping a process, prohibiting binaries from running, building a temporary target, and diverting traffic to the temporary target. The IA may build a decoy system, the decoy system configured to replicate one or more of the appearance and the operation of the system, which we may call the master system. The decoy system may use decoy data unrelated to genuine data from the master system. The IA may perform one or more of collecting and observing traffic through the master system. For example, the IA may thereby identify a vulnerability. For example, the vulnerability comprises one or more of a new vulnerability, a pattern indicating a vulnerability, a series of communication events indicating a vulnerability, a new attack method, malware, a computer virus, a document comprising a secret, and another vulnerability.
- The IA may construct the decoy system. For example, the decoy system is configured to mislead an attacker into thinking he has entered into the master system.
- For example, for the decoy system one or more of an operating system, an application, a software version, a patch, and another decoy system parameter is substantially the same as in the master system. For example, wherever possible, content of the decoy system is substantially identical to content of the master system. For example, a decoy team collaboration software system comprises decoy company documents. For example, a decoy billing system comprises decoy credit card data that appears to comply with the Payment Card Industry Data Security Standards (PCI-DSS).
- For example, the IA can create an additional decoy system if the attacker tries to move beyond the first decoy system. The IA can observe the attacker's actions, and if the attacker is successful, can take corrective actions on one or more of the real system and a real network. The IA can do one or more of detect and divert data that may be vulnerable to the attacker. For example, the vulnerable data comprises one or more of a software application, a media, a document, and other vulnerable data. For example, the vulnerable media comprises one or more of a movie, an audio file, and other vulnerable media. For example, the vulnerable, document comprises one or more of a word processing document, a spreadsheet, and another vulnerable document. For example, the vulnerable data can be transmitted by one or more of electronic mail, a file transfer, the Internet, and another vulnerable data transmission method.
- For example, the IA diverts the vulnerability onto a temporary target. For example, the temporary target comprises a temporary storage. Then the IA profiles the vulnerable data. Effectively, the IA thereby gathers fingerprint information about the vulnerable data. Using the vulnerable data profile, the IA tracks the vulnerable data as it moves through the master system. If the IA later identifies vulnerable data as malicious data, the IA will already have knowledge of all the targets through which the vulnerable data passed. Next, the IA investigates the data. For example, investigating comprises one or more of virus scanning, binary analysis, text analysis, steganalysis, and other investigating.
FIG. 6 is a flowchart of amethod 600 for promoting cyber security using intelligent agents and a target over a network. The order of the steps in themethod 600 is not constrained to that shown inFIG. 6 or described in the following discussion. Several of the steps could occur in a different order without affecting the final result.- In
step 610, an intelligent agent (IA) observes traffic through a master system.Block 610 then transfers control to block620. - In
step 620, the IA identifies a vulnerability.Block 620 then transfers control to block630. - In
step 630, the IA diverts the vulnerability onto a temporary target.Block 630 then transfers control to block640. - In
step 640, the IA constructs a decoy system configured to replicate one or more of the appearance and the operation of the master system.Block 640 then transfers control to block650. - In
step 650, the IA launches the decoy system.Block 650 then terminates the process. FIG. 7 is a flowchart of amethod 700 for promoting cyber security using intelligent agents and a target over a network. The order of the steps in themethod 700 is not constrained to that shown inFIG. 7 or described in the following discussion. Several of the steps could occur in a different order without affecting the final result.- In
step 710, an intelligent agent (IA) observes traffic through a master system.Block 710 then transfers control to block720. - In
step 720, the IA identifies a vulnerability.Block 720 then transfers control to block730. - In
step 730, the IA diverts the vulnerability onto a temporary target.Block 730 then transfers control to block740. - In
step 740, the IA tracks the vulnerability as it moves through the master system.Block 740 then transfers control to block750. - In step, the IA investigates the vulnerability, generating investigation results.
Block 750 then transfers control to block753. - In
step 753, the IA reports the investigation results to the master system.Block 753 then transfers control to block755. - In
step 755, the IA stores the investigation results.Block 755 then transfers control to block770. - In
step 770, the IA constructs a decoy system configured to replicate one or more of the appearance and the operation of the master system.Block 770 then transfers control to block780. - In
step 780, the IA launches the decoy system.Block 780 then transfers control to block790. - In
step 790, the IA reviews effectiveness of the decoy system in promoting safety of the master system.Block 790 then terminates the process. - For example, network scanning detects a new service in a target. In response, the IA creates an alert to a person to require human authorization of the service. Alternatively, or additionally, in response, long before the human is involved, the IA addresses the suspicious network behavior. For example, the IA performs enhanced network monitoring to do one or more of categorize, classify and identify the traffic. Commonly the IA performs this in ways that cannot be replicated by humans. The IA increases one or more of vulnerability scanning and network scanning that targets the host of the suspicious traffic. This can be done using one or more of software designed to expose Cross-Site-Scripting (CXX), database injections, and remote command execution.
- For example, asset information indicates a change in a target. In response, the IA creates an alert to a person to require human authorization of the change. Alternatively, or additionally, the IA investigates the changes. Alternatively, or additionally, the IA generates network scanning to analyze one or more of traffic to the target and traffic from the target. Commonly the IA performs this in ways that cannot be replicated by humans. The IA can initiate additional processing directly on the target. The additional processing may continue until the behavior has been identified as not a threat. The additional processing may continue until the behavior has been one or more of authorized by the IA, authorized by the human, and corrected.
- When the IA needs to make a deterministic decision, the IA can leverage neural-network (NN) technology. The IA can create an NN. The IA will generate training data and correct the NN as desired. The IA will analyze the NN in ways a human cannot, in order to provide efficient, fast results. These results are then used by the IA to make decisions.
- The NN can be generated new when needed, or one or more of NN structure and NN information can be stored for later retrieval and use. The IA can classify the NN for later use. The IA can study one or more of an NN's design and an NN's function to improve one or more of the NN and results. The IA maintains knowledge of one or more of the various NN's it has and their performance in order to do one or more of creating better future NN's and enhancing the current NN's that the IA has in memory.
- For example, the IA will use Elasticsearch, Logstash, and Kibana (ELK) for one or more of processing of events and logging data. For example, the IA uses stored ELK data when constructing an NN for a needed decision. The IA builds the NN based on one or more of what needs to be analyzed and the security controls to be implemented. Using the results of the NN, the IA does one or more of creating blocks, adjusting blocks, and applying security controls to components in the master system. For example, the IA implements one or more of a firewall rule, a spam rule for electronic mail, and another rule.
- For example, it will be understood by those skilled in the art that software used by the cyber security system and method using intelligent agents can be located in any location in which it may be accessed by the system. It will be further understood by those of skill in the art that the number of variations of the network, location of the software, and the like are virtually limitless. It is intended, therefore, that the subject matter in the above description shall be interpreted as illustrative and shall not be interpreted in a limiting sense.
- The representative embodiments and disclosed subject matter, which have been described in detail herein, have been presented by way of example and illustration and not by way of limitation. It will be understood by those skilled in the art that various changes may be made in the form and details of the described embodiments resulting in equivalent embodiments that remain within the scope of the invention. Other representative embodiments can be implemented using one or more of different configurations and different components.
- For example, it will be understood by those skilled in the art that software used by the cyber security system and method using intelligent agents may be located in any location in which it may be accessed by the system. For example, it will be understood by one of ordinary skill in the art that the order of certain fabrication steps and certain components can be altered without substantially impairing the functioning of the invention. It is intended, therefore, that the subject matter in the above description shall be interpreted as illustrative and shall not be interpreted in a limiting sense.
Claims (57)
1. A cyber security method using intelligent agents (IAs), comprising:
a) setting up, by the IA, a first network scan of a system over a network;
b) running, by the IA, using a first network scan parameter, the first network scan, generating first network scan results;
c) storing, by the IA, the first network scan results;
d) running, by the IA, using a second network scan parameter, a second network scan of the system over the network, generating second network scan results;
e) storing, by the IA, the second network scan results;
f) running a port scan of the system, by the IA, generating port scan results;
g) storing, by the IA, the port scan results;
h) using one or more of the first network scan results and the second network scan results, by the IA, optimizing the first network scan parameter;
i) using one or more of the first network scan parameter, the second network scan parameter, and the port scan configuring, by the IA, a vulnerability scan of the system over the network;
j) using one or more of the first network scan parameter, the second network scan parameter, and the port scan results, running the vulnerability scan of the system, generating vulnerability scan results;
k) storing, by the IA, the vulnerability scan results;
l) collecting, by the IA, at least one of service information and availability knowledge regarding at least one of an available target and an available service;
m) using the at least one of service information and availability knowledge, by the IA, identifying a needed setting; and
n) storing, by the IA, the needed setting.
2. The method ofclaim 1 , wherein the step of setting up comprises setting the first network scan parameter.
3. The method ofclaim 1 , wherein the network comprises one or more of the Internet, the World-Wide Web (WWW), Secure Shell (SSH), Simple Network Management Protocol (SNMP), command-line interface (CLI), and another network protocol configured to facilitate access to the system.
4. The method ofclaim 1 , wherein the first network scan parameter comprises one or more of a scan frequency, a scan wait time, a blast rate, and another network scan parameter.
5. The method ofclaim 1 , wherein the step of running the first network scan comprises one or more of analyzing criticality of a target, scoring the criticality of the target, and exploring a security weather pattern.
6. The method ofclaim 5 , wherein the security weather pattern comprises one or more of a new device, a new service on an existing device, a changed service on an existing device, a change in traffic to a target, and a change in traffic from a target.
7. The method ofclaim 5 , wherein the target comprises one or more of a target device, a target sub-system, a target port, and another target.
8. The method ofclaim 5 , wherein the analyzing sub-step comprises
collecting target information; and
using the target information to perform the analysis.
9. The method ofclaim 8 , wherein the target information comprises one or more of a frequency of changes, a vulnerability history, a target type, a target location, services used by the target, service usages by the target, and other target information.
10. The method ofclaim 9 , wherein the target location comprises a proximity to a network.
11. The method ofclaim 5 , wherein the scoring sub-step comprises collecting target information; and
using the target information to perform the scoring.
12. The method ofclaim 1 , wherein the step of running the first network scan comprises continually running the first network scan.
13. The method ofclaim 1 , wherein the first network scan generates first pings.
14. The method ofclaim 13 , wherein the first pings comprise frequent, multiple, low accuracy first pings.
15. The method ofclaim 14 , wherein the first pings have an accuracy between approximately eighty percent and approximately 95 percent.
16. The method ofclaim 14 , wherein the first pings have return times of approximately thirty seconds to approximately sixty seconds for a system comprising 256 sub-systems.
17. The method ofclaim 1 , wherein the second network scan parameter comprises one or more of a number of target checks, a size of data being sent, and another second network scan parameter.
18. The method ofclaim 1 , wherein the step of running the first network scan comprises running the first network scan using one or more of an active scan of the network, a ping networking utility, a network mapping (NMAP) security scanner, and another first network scan.
19. The method ofclaim 18 , wherein the step of running the first network scan comprises a sub-step of:
actively scanning the network, by the IA.
20. The method ofclaim 19 , wherein the generating sub-step comprises using the first network scan results to accomplish one or more of maximizing a success rate, minimizing a scan time, minimizing a scan frequency, improving efficiency of scanning, and increasing scan frequency.
21. The method ofclaim 1 , wherein the step of running the second network scan comprises running the second network scan using one or more of an active scan of the network, a ping networking utility, a network mapping (NMAP) security scanner, and another second network scan.
22. The method ofclaim 21 , wherein the step of running the first network scan comprises a sub-step of:
actively scanning the network, by the IA.
23. The method ofclaim 1 , wherein the second network scan generates second pings.
24. The method ofclaim 23 , wherein the second pings comprise infrequent, high accuracy second pings.
25. The method ofclaim 24 , wherein the second pings have an accuracy of at least approximately ninety-five percent.
26. The method ofclaim 24 , wherein the second pings have return times of approximately seventeen minutes to approximately twenty-two minutes for a system comprising 256 sub-systems.
27. The method ofclaim 1 , wherein the step of running the second network scan comprises accessing the second network scan on an operating system of the system.
28. The method ofclaim 1 , wherein the second network scan results have an accuracy of at least approximately ninety-five percent.
29. The method ofclaim 1 , comprising additional steps, performed after the optimizing step h), of:
o) determining that a new second network scan is needed; and
p) returning to the step of d) running a second network scan.
30. The method ofclaim 1 , comprising an additional step, performed after the optimizing step h), of:
o) using the optimized first network scan parameter, by the IA, in one or more of a first network scan, a second network scans, a port scans, and a vulnerability scan.
31. The method ofclaim 30 , wherein the determining step comprises one or more of determine performance of the system, determining success of the first network scan, determining a second network scan start time, and determining a second network scan frequency.
32. The method ofclaim 1 , wherein the step of running a port scan comprises scanning the network to identify one or more of a target, a scan time, and a scan frequency.
33. The method ofclaim 1 , wherein the step of running a port scan comprises running a port scan using one or more of data stored in storage and environment information.
34. The method ofclaim 33 , wherein the environment information comprises one or more of network utilization information, resource usage, and other environment information.
35. The method ofclaim 1 , wherein the step of running the vulnerability scan comprises identifying an at-risk target.
36. The method ofclaim 35 , wherein identifying the at-risk target comprises identifying the at-risk target using one or more of pre-set risk determination parameters and risk determination parameters that are calculated on the fly.
37. The method ofclaim 1 , further comprising a step of providing a device configured to perform one or more of tracking traffic and collecting information regarding traffic.
38. A cyber security method using intelligent agents (IAs), comprising:
watching, by the IA, over a network, a software program running on a system;
receiving, by the IA, results generated by the software;
presenting, by the IA, the results;
categorizing the results, by the IA, for efficient storage and efficient future retrieval;
saving, by the IA, the categorized results;
using the categorized results, by the IA, inferring new knowledge;
categorizing the new knowledge, by the IA, for efficient storage and efficient future retrieval;
saving, by the IA, the categorized new knowledge; and
using one or more of the saved categorized results and the saved categorized new knowledge, by the IA, configuring the software.
39. The method ofclaim 38 , wherein the step of watching comprises identifying in the software one or more of an inefficiency, a deficiency, an incomplete aspect and an error.
40. The method ofclaim 38 , wherein the step of presenting comprises presenting the results for usage by a human user.
41. The method ofclaim 40 , wherein the step of presenting comprises presenting the results for usage by a human user in one or more of an alert, a web page update, a graph, a database entry, and a report.
42. A cyber security method using intelligent agents (IAs), comprising:
seeking, by the IA, required configuration information from storage;
determining, by the IA, that the required configuration information cannot be retrieved from storage;
identifying, by the IA, a software program;
running, by the IA, the software program;
verifying, by the IA, that the required configuration information has been obtained;
re-running the software program, by the IA, using the required configuration information, generating a result;
reviewing the result, by the IA;
determining, by the IA, that the result is acceptable; and
using the result, by the IA, generating a result response.
43. The method ofclaim 42 , wherein the configuration information comprises one or more of an Internet Protocol (IP) address, login information, a device type, network access information, and other configuration information.
44. The method ofclaim 42 , wherein the result response comprises one or more of an alert, a web page update, a graph, a database entry, a report, recommended corrective action on a target, and another result response.
45. A cyber security method using intelligent agents (IAs), comprising:
after initial setup, directing, by the IA, a knowledge base program to scan data comprised in a target;
collecting, by the IA, configuration information required to run the target;
using the configuration information, by the IA, attempting a connection to the target;
passing, by the IA, to a human user interface target information regarding the target;
using the human user interface, by the IA, accumulating pertinent knowledge regarding one or more of a connection method and target information;
using the human user interface, by the IA, communicating with the target using the pertinent knowledge;
using the human user interface, receiving, by the IA, a response to the command from the target;
processing the response, by the IA, thereby generating a result;
transmitting, by the IA, the result to the knowledge base program;
using the knowledge base program, by the IA, processing the result;
receiving the processed result, by the IA, from the knowledge base program; and
transmitting, by the IA, the processed result to storage.
46. The method ofclaim 45 , wherein the step of attempting a connection comprises attempting a connection to the target in descending order of estimated likelihood of success for the connection method, until a connection succeeds.
47. The method ofclaim 45 , wherein the human user interface comprises one or more of a Graphical User Interface (GUI), a Command Line Interface (CLI), and another human user interface.
48. The method ofclaim 45 , wherein the processing step comprises one or more of interpreting the response, categorizing the response, placing the response into storage, and processing the response in another way.
49. The method ofclaim 45 , wherein the processing response comprises processing the result using a processing block comprised in the knowledge base program.
50. A cyber security method using intelligent agents (IAs), comprising:
after initial setup, directing, by the IA, a knowledge base program to scan data comprised in a target;
collecting, by the IA, configuration information required to run the target;
using the configuration information, by the IA, attempting a connection to the target;
using one or more of a connection method and target information regarding the target,
sending, by the IA, a command to the target;
receiving, by the IA, a response to the command from the target;
processing the response, by the IA, thereby generating a result;
transmitting, by the IA, the result to the knowledge base program;
using the knowledge base program, by the IA, processing the result;
receiving the processed result, by the IA, from the knowledge base program; and
transmitting, by the IA, the processed result to storage.
51. A cyber security method using intelligent agents (IAs), comprising:
observing, by the IA, traffic through a master system;
identifying, by the IA, a vulnerability;
diverting, by the IA, the vulnerability onto a temporary target;
constructing, by the IA, a decoy system configured to replicate one or more of the appearance and the operation of the master system; and
launching, by the IA, the decoy system.
52. The method ofclaim 51 , wherein the vulnerability comprises one or more of a a new vulnerability, a pattern indicating a vulnerability, a series of communication events indicating a vulnerability, a new attack method, malware, a computer virus, a document comprising a secret, and another vulnerability.
53. The system ofclaim 51 , wherein the decoy system is configured to mislead an attacker into thinking he has entered into the master system.
54. The system ofclaim 51 , wherein for the decoy system, one or more of an operating system, an application, a software version, a patch, and another decoy system parameter is substantially the same as in the master system.
55. The method ofclaim 51 , further comprising an additional step, performed after the launching step, of:
reviewing, by the IA, effectiveness of the decoy system in promoting safety of the master system.
56. A cyber security method using intelligent agents (IAs), comprising:
observing, by the IA, traffic through a master system;
identifying, by the IA, a vulnerability;
diverting, by the IA, the vulnerability onto a temporary target;
tracking the vulnerability as it moves through the master system;
investigating the vulnerability, generating investigation results;
reporting the investigation results to the master system;
storing the investigation results;
constructing, by the IA, a decoy system configured to replicate one or more of the appearance and the operation of the master system;
launching, by the IA, the decoy system; and
reviewing, by the IA, effectiveness of the decoy system in promoting safety of the master system.
57. The method ofclaim 56 , wherein the step of investigating comprises one or more of virus scanning, binary analysis, text analysis, steganalysis, and other investigating.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US15/566,691US20180146002A1 (en) | 2015-07-16 | 2016-07-18 | Cyber Security System and Method Using Intelligent Agents |
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US201562193486P | 2015-07-16 | 2015-07-16 | |
| US15/566,691US20180146002A1 (en) | 2015-07-16 | 2016-07-18 | Cyber Security System and Method Using Intelligent Agents |
| PCT/US2016/042820WO2017011833A1 (en) | 2015-07-16 | 2016-07-18 | Cyber security system and method using intelligent agents |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/US2016/042820A-371-Of-InternationalWO2017011833A1 (en) | 2015-07-16 | 2016-07-18 | Cyber security system and method using intelligent agents |
Related Child Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US17/202,176DivisionUS11962611B2 (en) | 2015-07-16 | 2021-03-15 | Cyber security system and method using intelligent agents |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| US20180146002A1true US20180146002A1 (en) | 2018-05-24 |
Family
ID=57757695
Family Applications (3)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US15/566,691AbandonedUS20180146002A1 (en) | 2015-07-16 | 2016-07-18 | Cyber Security System and Method Using Intelligent Agents |
| US17/202,176Active2036-08-02US11962611B2 (en) | 2015-07-16 | 2021-03-15 | Cyber security system and method using intelligent agents |
| US18/635,726ActiveUS12335299B2 (en) | 2015-07-16 | 2024-04-15 | Cyber security system and method using intelligent agents |
Family Applications After (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US17/202,176Active2036-08-02US11962611B2 (en) | 2015-07-16 | 2021-03-15 | Cyber security system and method using intelligent agents |
| US18/635,726ActiveUS12335299B2 (en) | 2015-07-16 | 2024-04-15 | Cyber security system and method using intelligent agents |
Country Status (5)
| Country | Link |
|---|---|
| US (3) | US20180146002A1 (en) |
| EP (1) | EP3281114B1 (en) |
| CA (1) | CA2983458A1 (en) |
| HK (1) | HK1244072A1 (en) |
| WO (1) | WO2017011833A1 (en) |
Cited By (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110865774A (en)* | 2018-12-28 | 2020-03-06 | 哈尔滨安天科技集团股份有限公司 | Information security detection method and device for printing equipment |
| US10757137B1 (en)* | 2018-09-26 | 2020-08-25 | NortonLifeLock Inc. | Thwarting an impersonation attack using online decoy text |
| US20210392153A1 (en)* | 2020-06-10 | 2021-12-16 | Saudi Arabian Oil Company | System and method for vulnerability remediation prioritization |
| US11263295B2 (en)* | 2019-07-08 | 2022-03-01 | Cloud Linux Software Inc. | Systems and methods for intrusion detection and prevention using software patching and honeypots |
| US20220309174A1 (en)* | 2021-03-24 | 2022-09-29 | Bank Of America Corporation | System for dynamic exposure monitoring |
| WO2022231926A1 (en)* | 2021-04-29 | 2022-11-03 | Google Llc | Determining the exposure level of vulnerabilities |
| US20230308467A1 (en)* | 2022-03-24 | 2023-09-28 | At&T Intellectual Property I, L.P. | Home Gateway Monitoring for Vulnerable Home Internet of Things Devices |
| US11790537B2 (en) | 2019-03-28 | 2023-10-17 | Olympus Corporation | Tracking device, endoscope system, and tracking method |
| CN118764246A (en)* | 2024-07-04 | 2024-10-11 | 中国人民解放军总医院 | A network scanning method, device, equipment and storage medium |
| US12272363B2 (en) | 2021-06-30 | 2025-04-08 | Google Llc | Advancing the use of text and speech in ASR pretraining with consistency and contrastive losses |
| US20250209156A1 (en)* | 2023-12-21 | 2025-06-26 | Microsoft Technology Licensing, Llc | Security threat mitigation |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3366755B1 (en) | 2017-02-22 | 2023-11-29 | Infineum International Limited | Improvements in and relating to lubricating compositions |
| WO2020194663A1 (en)* | 2019-03-28 | 2020-10-01 | オリンパス株式会社 | Tracking device, pretained model, endoscope system, and tracking method |
Citations (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6363411B1 (en)* | 1998-08-05 | 2002-03-26 | Mci Worldcom, Inc. | Intelligent network |
| US20030051026A1 (en)* | 2001-01-19 | 2003-03-13 | Carter Ernst B. | Network surveillance and security system |
| US20030152034A1 (en)* | 2002-02-01 | 2003-08-14 | Microsoft Corporation | Peer-to-peer method of quality of service (Qos) probing and analysis and infrastructure employing same |
| US20040015728A1 (en)* | 2002-01-15 | 2004-01-22 | Cole David M. | System and method for network vulnerability detection and reporting |
| US20040039942A1 (en)* | 2000-06-16 | 2004-02-26 | Geoffrey Cooper | Policy generator tool |
| US20040088403A1 (en)* | 2002-11-01 | 2004-05-06 | Vikas Aggarwal | System configuration for use with a fault and performance monitoring system using distributed data gathering and storage |
| US20040193918A1 (en)* | 2003-03-28 | 2004-09-30 | Kenneth Green | Apparatus and method for network vulnerability detection and compliance assessment |
| US20050015624A1 (en)* | 2003-06-09 | 2005-01-20 | Andrew Ginter | Event monitoring and management |
| US20060159025A1 (en)* | 2002-06-24 | 2006-07-20 | Miguel Abdo | Determination of network performance characteristics |
| US20070050777A1 (en)* | 2003-06-09 | 2007-03-01 | Hutchinson Thomas W | Duration of alerts and scanning of large data stores |
| US20070180490A1 (en)* | 2004-05-20 | 2007-08-02 | Renzi Silvio J | System and method for policy management |
| US20080159162A1 (en)* | 2006-12-28 | 2008-07-03 | Morikuni James J | Universal Plug-and-Play latency and delay compensation |
| US20140165130A1 (en)* | 2012-12-11 | 2014-06-12 | Kaspersky Lab Zao | Application-specific re-adjustment of computer security settings |
| US9578060B1 (en)* | 2012-06-11 | 2017-02-21 | Dell Software Inc. | System and method for data loss prevention across heterogeneous communications platforms |
| US20170222972A1 (en)* | 2014-09-30 | 2017-08-03 | Hitachi Kokusai Electric Inc. | Ip communication system, ip address setting unit, and ip address setting method |
Family Cites Families (46)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| AU8567798A (en)* | 1998-06-19 | 2000-01-05 | Netsafe, Inc. | Method and apparatus for providing connections over a network |
| US6321338B1 (en)* | 1998-11-09 | 2001-11-20 | Sri International | Network surveillance |
| US6202062B1 (en)* | 1999-02-26 | 2001-03-13 | Ac Properties B.V. | System, method and article of manufacture for creating a filtered information summary based on multiple profiles of each single user |
| US20030074301A1 (en)* | 1999-11-01 | 2003-04-17 | Neal Solomon | System, method, and apparatus for an intelligent search agent to access data in a distributed network |
| US6981028B1 (en)* | 2000-04-28 | 2005-12-27 | Obongo, Inc. | Method and system of implementing recorded data for automating internet interactions |
| US6918066B2 (en)* | 2001-09-26 | 2005-07-12 | International Business Machines Corporation | Method and system for evaluating applications on different user agents |
| CA2410118C (en)* | 2001-10-26 | 2007-12-18 | Research In Motion Limited | System and method for controlling configuration settings for mobile communication devices and services |
| CA2472268A1 (en)* | 2001-12-31 | 2003-07-17 | Citadel Security Software Inc. | Automated computer vulnerability resolution system |
| US7664845B2 (en)* | 2002-01-15 | 2010-02-16 | Mcafee, Inc. | System and method for network vulnerability detection and reporting |
| US20030135507A1 (en)* | 2002-01-17 | 2003-07-17 | International Business Machines Corporation | System and method for managing and securing meta data using central repository |
| DK1365537T3 (en)* | 2002-05-24 | 2004-11-01 | Swisscom Mobile Ag | Devices and methods for certification of digital signatures |
| US9009084B2 (en)* | 2002-10-21 | 2015-04-14 | Rockwell Automation Technologies, Inc. | System and methodology providing automation security analysis and network intrusion protection in an industrial environment |
| US9503470B2 (en)* | 2002-12-24 | 2016-11-22 | Fred Herz Patents, LLC | Distributed agent based model for security monitoring and response |
| US7099853B1 (en)* | 2004-02-09 | 2006-08-29 | Trend Micro Incorporated | Configurable hierarchical content filtering system |
| US8605715B2 (en)* | 2005-11-02 | 2013-12-10 | Panayiotis Thermos | System and method for detecting vulnerabilities in voice over IP networks |
| CN101495992A (en)* | 2006-01-24 | 2009-07-29 | 游戏解决方案国际有限公司 | Systems and methods for data mining and interactive presentation of same |
| US8429746B2 (en)* | 2006-05-22 | 2013-04-23 | Neuraliq, Inc. | Decoy network technology with automatic signature generation for intrusion detection and intrusion prevention systems |
| US7930256B2 (en)* | 2006-05-23 | 2011-04-19 | Charles River Analytics, Inc. | Security system for and method of detecting and responding to cyber attacks on large network systems |
| SG141289A1 (en)* | 2006-09-29 | 2008-04-28 | Wireless Intellect Labs Pte Lt | An event update management system |
| US8302196B2 (en)* | 2007-03-20 | 2012-10-30 | Microsoft Corporation | Combining assessment models and client targeting to identify network security vulnerabilities |
| US20090006399A1 (en)* | 2007-06-29 | 2009-01-01 | International Business Machines Corporation | Compression method for relational tables based on combined column and row coding |
| US8281396B2 (en)* | 2008-08-15 | 2012-10-02 | Qualys, Inc. | System and method for performing remote security assessment of firewalled computer |
| US8549650B2 (en)* | 2010-05-06 | 2013-10-01 | Tenable Network Security, Inc. | System and method for three-dimensional visualization of vulnerability and asset data |
| KR20120004162A (en)* | 2010-07-06 | 2012-01-12 | 삼성전자주식회사 | Database management method and database server system using the same |
| US9246932B2 (en)* | 2010-07-19 | 2016-01-26 | Sitelock, Llc | Selective website vulnerability and infection testing |
| RU2446459C1 (en)* | 2010-07-23 | 2012-03-27 | Закрытое акционерное общество "Лаборатория Касперского" | System and method for checking web resources for presence of malicious components |
| WO2012109633A2 (en)* | 2011-02-11 | 2012-08-16 | Achilles Guard, Inc. D/B/A Critical Watch | Security countermeasure management platform |
| US20130263226A1 (en)* | 2012-01-22 | 2013-10-03 | Frank W. Sudia | False Banking, Credit Card, and Ecommerce System |
| KR101909141B1 (en)* | 2012-07-27 | 2018-10-17 | 엘지전자 주식회사 | Electronic device and method for controlling electronic device |
| US8756698B2 (en)* | 2012-08-10 | 2014-06-17 | Nopsec Inc. | Method and system for managing computer system vulnerabilities |
| US20140108215A1 (en)* | 2012-10-12 | 2014-04-17 | Optionsxpress Holdings, Inc. | System and methods for trading |
| US20140181975A1 (en)* | 2012-11-06 | 2014-06-26 | William Spernow | Method to scan a forensic image of a computer system with multiple malicious code detection engines simultaneously from a master control point |
| US9912549B2 (en)* | 2013-06-14 | 2018-03-06 | Catbird Networks, Inc. | Systems and methods for network analysis and reporting |
| US9208324B2 (en)* | 2013-09-17 | 2015-12-08 | iViZ Techno Solutions Private Limited | System and method to perform secure web application testing based on a hybrid pipelined approach |
| US10305929B2 (en)* | 2013-09-27 | 2019-05-28 | Mcafee, Llc | Managed software remediation |
| GB2520987B (en)* | 2013-12-06 | 2016-06-01 | Cyberlytic Ltd | Using fuzzy logic to assign a risk level profile to a potential cyber threat |
| WO2015134008A1 (en)* | 2014-03-05 | 2015-09-11 | Foreground Security | Automated internet threat detection and mitigation system and associated methods |
| US9864952B2 (en)* | 2014-05-27 | 2018-01-09 | Genesys Telecommunications Laboratories, Inc. | Controlled question and answer knowledge system management confirming customer does not want to terminate/cancel service/relationship |
| US9386078B2 (en)* | 2014-05-30 | 2016-07-05 | Ca, Inc. | Controlling application programming interface transactions based on content of earlier transactions |
| US10936616B2 (en)* | 2014-06-09 | 2021-03-02 | Oracle International Corporation | Storage-side scanning on non-natively formatted data |
| US9619655B2 (en)* | 2014-09-12 | 2017-04-11 | Salesforce.Com, Inc. | Cloud-based security profiling, threat analysis and intelligence |
| US10878039B2 (en)* | 2014-09-22 | 2020-12-29 | International Business Machines Corporation | Creating knowledge base of similar systems from plurality of systems |
| US10146635B1 (en)* | 2015-06-30 | 2018-12-04 | EMC IP Holding Company LLC | Virtual machine backup |
| US10567396B2 (en)* | 2015-12-15 | 2020-02-18 | Webroot Inc. | Real-time scanning of IP addresses |
| US20180041533A1 (en)* | 2016-08-03 | 2018-02-08 | Empow Cyber Security Ltd. | Scoring the performance of security products |
| CN114915446B (en)* | 2022-04-02 | 2023-08-29 | 中国人民解放军国防科技大学 | An Intelligent Network Security Detection Method Integrating Prior Knowledge |
- 2016
- 2016-07-18HKHK18103373.1Apatent/HK1244072A1/enunknown
- 2016-07-18WOPCT/US2016/042820patent/WO2017011833A1/ennot_activeCeased
- 2016-07-18USUS15/566,691patent/US20180146002A1/ennot_activeAbandoned
- 2016-07-18EPEP16825311.0Apatent/EP3281114B1/enactiveActive
- 2016-07-18CACA2983458Apatent/CA2983458A1/enactivePending
- 2021
- 2021-03-15USUS17/202,176patent/US11962611B2/enactiveActive
- 2024
- 2024-04-15USUS18/635,726patent/US12335299B2/enactiveActive
Patent Citations (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6363411B1 (en)* | 1998-08-05 | 2002-03-26 | Mci Worldcom, Inc. | Intelligent network |
| US20040039942A1 (en)* | 2000-06-16 | 2004-02-26 | Geoffrey Cooper | Policy generator tool |
| US20030051026A1 (en)* | 2001-01-19 | 2003-03-13 | Carter Ernst B. | Network surveillance and security system |
| US20040015728A1 (en)* | 2002-01-15 | 2004-01-22 | Cole David M. | System and method for network vulnerability detection and reporting |
| US20030152034A1 (en)* | 2002-02-01 | 2003-08-14 | Microsoft Corporation | Peer-to-peer method of quality of service (Qos) probing and analysis and infrastructure employing same |
| US20060159025A1 (en)* | 2002-06-24 | 2006-07-20 | Miguel Abdo | Determination of network performance characteristics |
| US20040088403A1 (en)* | 2002-11-01 | 2004-05-06 | Vikas Aggarwal | System configuration for use with a fault and performance monitoring system using distributed data gathering and storage |
| US20040193918A1 (en)* | 2003-03-28 | 2004-09-30 | Kenneth Green | Apparatus and method for network vulnerability detection and compliance assessment |
| US20050015624A1 (en)* | 2003-06-09 | 2005-01-20 | Andrew Ginter | Event monitoring and management |
| US20070050777A1 (en)* | 2003-06-09 | 2007-03-01 | Hutchinson Thomas W | Duration of alerts and scanning of large data stores |
| US20070180490A1 (en)* | 2004-05-20 | 2007-08-02 | Renzi Silvio J | System and method for policy management |
| US20080159162A1 (en)* | 2006-12-28 | 2008-07-03 | Morikuni James J | Universal Plug-and-Play latency and delay compensation |
| US9578060B1 (en)* | 2012-06-11 | 2017-02-21 | Dell Software Inc. | System and method for data loss prevention across heterogeneous communications platforms |
| US20140165130A1 (en)* | 2012-12-11 | 2014-06-12 | Kaspersky Lab Zao | Application-specific re-adjustment of computer security settings |
| US20170222972A1 (en)* | 2014-09-30 | 2017-08-03 | Hitachi Kokusai Electric Inc. | Ip communication system, ip address setting unit, and ip address setting method |
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10757137B1 (en)* | 2018-09-26 | 2020-08-25 | NortonLifeLock Inc. | Thwarting an impersonation attack using online decoy text |
| CN110865774A (en)* | 2018-12-28 | 2020-03-06 | 哈尔滨安天科技集团股份有限公司 | Information security detection method and device for printing equipment |
| US11790537B2 (en) | 2019-03-28 | 2023-10-17 | Olympus Corporation | Tracking device, endoscope system, and tracking method |
| US11263295B2 (en)* | 2019-07-08 | 2022-03-01 | Cloud Linux Software Inc. | Systems and methods for intrusion detection and prevention using software patching and honeypots |
| US20210392153A1 (en)* | 2020-06-10 | 2021-12-16 | Saudi Arabian Oil Company | System and method for vulnerability remediation prioritization |
| US11477231B2 (en)* | 2020-06-10 | 2022-10-18 | Saudi Arabian Oil Company | System and method for vulnerability remediation prioritization |
| US11783068B2 (en)* | 2021-03-24 | 2023-10-10 | Bank Of America Corporation | System for dynamic exposure monitoring |
| US20220309174A1 (en)* | 2021-03-24 | 2022-09-29 | Bank Of America Corporation | System for dynamic exposure monitoring |
| WO2022231926A1 (en)* | 2021-04-29 | 2022-11-03 | Google Llc | Determining the exposure level of vulnerabilities |
| US11824886B2 (en) | 2021-04-29 | 2023-11-21 | Google Llc | Determining the exposure level of vulnerabilities |
| US12120144B2 (en) | 2021-04-29 | 2024-10-15 | Google Llc | Determining the exposure level of vulnerabilities |
| US12272363B2 (en) | 2021-06-30 | 2025-04-08 | Google Llc | Advancing the use of text and speech in ASR pretraining with consistency and contrastive losses |
| US20230308467A1 (en)* | 2022-03-24 | 2023-09-28 | At&T Intellectual Property I, L.P. | Home Gateway Monitoring for Vulnerable Home Internet of Things Devices |
| US12432244B2 (en)* | 2022-03-24 | 2025-09-30 | At&T Intellectual Property I, L.P. | Home gateway monitoring for vulnerable home internet of things devices |
| US20250209156A1 (en)* | 2023-12-21 | 2025-06-26 | Microsoft Technology Licensing, Llc | Security threat mitigation |
| CN118764246A (en)* | 2024-07-04 | 2024-10-11 | 中国人民解放军总医院 | A network scanning method, device, equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| HK1244072A1 (en) | 2018-07-27 |
| US20210281599A1 (en) | 2021-09-09 |
| CA2983458A1 (en) | 2017-01-19 |
| US11962611B2 (en) | 2024-04-16 |
| US20240275811A1 (en) | 2024-08-15 |
| EP3281114A1 (en) | 2018-02-14 |
| US12335299B2 (en) | 2025-06-17 |
| EP3281114B1 (en) | 2025-10-01 |
| EP3281114A4 (en) | 2018-03-14 |
| WO2017011833A1 (en) | 2017-01-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US12335299B2 (en) | Cyber security system and method using intelligent agents | |
| US11171925B2 (en) | Evaluating and modifying countermeasures based on aggregate transaction status | |
| US11316891B2 (en) | Automated real-time multi-dimensional cybersecurity threat modeling | |
| EP3776307B1 (en) | Distributed system for adaptive protection against web-service-targeted vulnerability scanners | |
| US10972461B2 (en) | Device aware network communication management | |
| US10491630B2 (en) | System and method for providing data-driven user authentication misuse detection | |
| Siadati et al. | Detecting structurally anomalous logins within enterprise networks | |
| EP3369232B1 (en) | Detection of cyber threats against cloud-based applications | |
| RU2676021C1 (en) | DDoS-ATTACKS DETECTION SYSTEM AND METHOD | |
| US8356001B2 (en) | Systems and methods for application-level security | |
| US20230095415A1 (en) | Helper agent and system | |
| CN113660224B (en) | Situation awareness defense method, device and system based on network vulnerability scanning | |
| US10542044B2 (en) | Authentication incident detection and management | |
| JP2019506674A (en) | Pattern matching based dataset extraction | |
| US11481478B2 (en) | Anomalous user session detector | |
| Cotroneo et al. | Automated root cause identification of security alerts: Evaluation in a SaaS Cloud | |
| US20220159026A1 (en) | Anomalous asset detection based on open ports | |
| KR102018348B1 (en) | User behavior analysis based target account exploit detection apparatus | |
| US12341672B2 (en) | Logging configuration system and method | |
| US12413610B1 (en) | Assessing security of service provider computing systems | |
| RU2665919C1 (en) | System and method of determination of ddos-attacks under failure of service servers | |
| RU2659735C1 (en) | System and method of setting security systems under ddos attacks | |
| Lin | Log Analysis | |
| KR20220016592A (en) | Security system for detecting data breach and method thereof | |
| Lehtinen | Anomaly detection in interception proxies |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| STPP | Information on status: patent application and granting procedure in general | Free format text:DOCKETED NEW CASE - READY FOR EXAMINATION | |
| STPP | Information on status: patent application and granting procedure in general | Free format text:NON FINAL ACTION MAILED | |
| STPP | Information on status: patent application and granting procedure in general | Free format text:RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER | |
| STPP | Information on status: patent application and granting procedure in general | Free format text:NON FINAL ACTION MAILED | |
| STPP | Information on status: patent application and granting procedure in general | Free format text:RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER | |
| STPP | Information on status: patent application and granting procedure in general | Free format text:FINAL REJECTION MAILED | |
| STCB | Information on status: application discontinuation | Free format text:ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |