CPC G06N 3/08 (2013.01) [G06N 3/04 (2013.01); H04L 63/1491 (2013.01)] | 19 Claims
1. A method of defending a production network from a cyber-attack, the method comprising the steps of:
providing an adaptive deception system comprising:
a deception management system in communication with a management network, including a monitor and a manager, and hosting at least one container system service; the container system service including at least one deception device available for deployment to a production network; and
a control system including:
at least one sensor in communication with said monitor, and
at least one actuator in communication with said manager;
receiving, by one of said at least one sensor, production device properties defining production devices of the production network;
receiving, by one of said at least one sensor, deception device properties defining the at least one deception device of the production network;
utilizing said monitor to make deception management system observations and providing said deception management system observations to one of said at least one sensor;
aggregating said deception management system observations to derive attacker observations;
processing by said control system said production device properties, said deception device properties, said deception management system observations, and said derived attacker observations, to provide a hypothesis test adaption specification defining a hypothesis to be tested;
activating said actuators to implement said hypothesis test adaption specification;
updating said deception management system in accordance with said hypothesis test adaption specification;
receiving, by one of said at least one sensor, new production device properties defining production devices of the production network;
receiving, by one of said at least one sensor, new deception device properties defining the at least one deception device of the production network;
utilizing said monitor to make new deception management system observations and providing said new deception management system observations to one of said at least one sensor; and
processing by said control system said new production device properties, said new deception device properties, and said new deception management system observations, to evaluate said hypothesis.