US 11,677,775 B2
System and method for emulating a multi-stage attack on a node within a target network
Rajesh Sharma, San Diego, CA (US); Jeremy Miller, San Diego, CA (US); Stephan Chenette, San Diego, CA (US); Albert Lopez, San Diego, CA (US); Shubhi Mittal, San Diego, CA (US); and Andres Gazzoli, San Diego, CA (US)
Assigned to AttackIQ, Inc., San Diego, CA (US)
Filed by AttackIQ, Inc., San Diego, CA (US)
Filed on Jun. 3, 2022, as Appl. No. 17/832,106.
Application 17/832,106 is a continuation in part of application No. 17/083,275, filed on Oct. 28, 2020, granted, now 11,563,765.
Claims priority of provisional application 63/196,320, filed on Jun. 3, 2021.
Claims priority of provisional application 63/008,451, filed on Apr. 10, 2020.
Prior Publication US 2022/0377102 A1, Nov. 24, 2022
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1433 (2013.01)
20 Claims
OG exemplary drawing
 
1. A method comprising:
accessing an attack record defining a sequence of actions executed on a machine on a second computer network and representing a known attack on the second computer network;
initializing an attack graph comprising a set of nodes;
for each action in the sequence of actions:
based on the attack record, deriving a start condition at the machine prior to start of the action;
based on the attack record, deriving an end condition at the machine following completion of the action;
based on the attack record, defining a nominal behavior:
representing the action executed by the machine during the known attack; and
executable by a target asset on a target network to emulate the action;
defining a set of alternative behaviors:
analogous to the nominal behavior; and
executable by the target asset to emulate a transition from the start condition to the end condition at the target asset;
defining a target hierarchy for the nominal behavior and the set of alternative behaviors; and
storing the nominal behavior and the set of alternative behaviors according to the target hierarchy in a node in the set of nodes in the attack graph;
linking the set of nodes in the attack graph according to the sequence of actions representing the known attack in the attack record;
scheduling the target asset on the target network to selectively execute nominal behaviors and alternative behaviors, according to target hierarchies, stored in the set of nodes in the attack graph during a first time period;
accessing a set of alerts generated by a set of security tools, deployed on the target network, during the first time period; and
characterizing a vulnerability of the target network based on presence of alerts, in the set of alerts, indicating detection and prevention of nominal behaviors and alternative behaviors, stored in nodes in the attack graph, executed by the target asset during the first time period.
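The following Python is an added example, not code from the patent or from AttackIQ; it models the claimed method end to end: one graph node per recorded action holding the start and end condition, the nominal behavior and its alternatives in target-hierarchy order, nodes linked in record order, a schedule that places every behavior inside the first time period, a simulated target asset and security tools that raise alerts, and a per-node characterization from those alerts. The action names, state keys, variant labels, clock and sensor table are all constructed, and reading "target hierarchy" as an execution order (nominal first, then alternatives by descending priority) is an assumption.

```python
"""Attack-graph emulation and detection-coverage characterization (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed attack record: actions seen on one machine during a known attack, with the
# machine state observed before and after each action (state keys are hypothetical).
ATTACK_RECORD = [
    {"action": "initial_access", "before": {"code_exec": False}, "after": {"code_exec": True}},
    {"action": "credential_access", "before": {"code_exec": True, "creds": False},
     "after": {"code_exec": True, "creds": True}},
    {"action": "lateral_movement", "before": {"creds": True, "hosts": 1},
     "after": {"creds": True, "hosts": 2}},
]
# Constructed catalogue of analogous (alternative) behaviors per action with a priority;
# the node's target hierarchy is nominal first, then alternatives by descending priority.
ALTERNATIVES: Dict[str, List[Tuple[str, int]]] = {
    "initial_access": [("variant_b", 1), ("variant_a", 2)],
    "credential_access": [("variant_a", 2), ("variant_b", 1)],
    "lateral_movement": [("variant_a", 1)],
}
# Constructed stand-in for the security tools on the target network: which behavior
# identifiers they detect or prevent. Behaviors absent from the table raise no alert.
SENSOR_TABLE = {
    "initial_access:nominal": "prevented", "initial_access:variant_b": "detected",
    "credential_access:nominal": "detected", "credential_access:variant_a": "detected",
    "credential_access:variant_b": "prevented",
    "lateral_movement:nominal": "prevented", "lateral_movement:variant_a": "prevented",
}

@dataclass(frozen=True)
class Behavior:
    behavior_id: str
    nominal: bool
    rank: int  # position in the node's target hierarchy; 0 is executed first

@dataclass
class Node:
    action: str
    start_condition: dict
    end_condition: dict
    hierarchy: List[Behavior] = field(default_factory=list)
    next_node: Optional["Node"] = None

@dataclass(frozen=True)
class Alert:
    behavior_id: str
    outcome: str  # "detected" or "prevented"
    at: datetime

def build_attack_graph(record, alternatives) -> List[Node]:
    """One node per action: conditions from the record, nominal behavior plus
    alternatives in hierarchy order, nodes linked in attack-record order."""
    nodes: List[Node] = []
    for entry in record:
        action = entry["action"]
        ranked = sorted(alternatives.get(action, []), key=lambda a: -a[1])
        behaviors = [Behavior(f"{action}:nominal", True, 0)] + [
            Behavior(f"{action}:{name}", False, i + 1) for i, (name, _) in enumerate(ranked)]
        node = Node(action, dict(entry["before"]), dict(entry["after"]), behaviors)
        if nodes:
            prev = nodes[-1]
            # The end condition of one action must agree with the start condition of
            # the next on every state key they share, or the record is inconsistent.
            for k in prev.end_condition.keys() & node.start_condition.keys():
                if prev.end_condition[k] != node.start_condition[k]:
                    raise ValueError(f"{prev.action} -> {action}: inconsistent state {k!r}")
            prev.next_node = node
        nodes.append(node)
    return nodes

def schedule(nodes, period_start, period_end, step=timedelta(minutes=5)):
    """Give each behavior an execution slot inside the first time period, walking the
    graph in link order and each node in target-hierarchy order."""
    plan, t = [], period_start
    for node in nodes:
        for b in sorted(node.hierarchy, key=lambda b: b.rank):
            if t >= period_end:
                raise ValueError("time period too short for the scheduled behaviors")
            plan.append((t, b))
            t += step
    return plan

def emulate(plan, sensor_table) -> List[Alert]:
    """Simulated target asset plus security tools: each scheduled behavior is 'executed'
    and the sensor table decides whether an alert is raised. Nothing real runs here."""
    return [Alert(b.behavior_id, sensor_table[b.behavior_id], t)
            for t, b in plan if b.behavior_id in sensor_table]

RANK = {"missed": 0, "detected": 1, "prevented": 2}

def characterize(nodes, alerts, period_start, period_end):
    """Per node: 'blocked' if every behavior was prevented, 'visible' if every behavior
    raised some alert, 'gap' if any behavior went unseen; plus whether every node has an
    unseen behavior, i.e. a full path through the graph that the tools never alerted on."""
    seen: Dict[str, str] = {}
    for a in alerts:
        if period_start <= a.at < period_end:  # only alerts from the first time period
            if RANK[a.outcome] > RANK[seen.get(a.behavior_id, "missed")]:
                seen[a.behavior_id] = a.outcome  # prevention outranks mere detection
    report = {}
    for node in nodes:
        outcomes = {b.behavior_id: seen.get(b.behavior_id, "missed") for b in node.hierarchy}
        if all(o == "prevented" for o in outcomes.values()):
            status = "blocked"
        elif "missed" not in outcomes.values():
            status = "visible"
        else:
            status = "gap"
        report[node.action] = {"status": status, "behaviors": outcomes}
    report["end_to_end_blind_path"] = all(
        "missed" in report[n.action]["behaviors"].values() for n in nodes)
    return report

def evaluate(record=ATTACK_RECORD, alternatives=ALTERNATIVES, sensor_table=SENSOR_TABLE):
    """Run the whole pipeline over a one-hour first time period (constructed clock)."""
    start = datetime(2024, 1, 1, 9, 0)
    end = start + timedelta(hours=1)
    nodes = build_attack_graph(record, alternatives)
    alerts = emulate(schedule(nodes, start, end), sensor_table)
    return characterize(nodes, alerts, start, end)

if __name__ == "__main__":
    for action, result in evaluate().items():
        print(action, result)
```

With the constructed sensor table the first node comes out as a gap (its nominal behavior is prevented but one alternative raises nothing), the second as visible and the third as blocked; an empty sensor table turns every node into a gap and flags an end-to-end blind path, which is the case a defender most wants the characterization to surface.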