US 12,407,710 B2
Method for generating attack graphs based on Markov chains
Stephen Lincoln, San Diego, CA (US); Rajesh Sharma, San Diego, CA (US); Jeremy Miller, San Diego, CA (US); Stephan Chenette, San Diego, CA (US); and Albert Lopez, San Diego, CA (US)
Assigned to AttackIQ, Inc., San Diego, CA (US)
Filed by AttackIQ, Inc., San Diego, CA (US)
Filed on Aug. 10, 2023, as Appl. No. 18/232,700.
Claims priority of provisional application 63/396,867, filed on Aug. 10, 2022.
Prior Publication US 2024/0056470 A1, Feb. 15, 2024
Int. Cl. H04L 9/40 (2022.01); G06N 7/01 (2023.01)
CPC H04L 63/1433 (2013.01) [G06N 7/01 (2023.01)] 20 Claims
OG exemplary drawing
 
1. A method comprising:
during a first time period:
accessing a set of historical data representing permutations of techniques, in a set of techniques, implemented in attacks on a second computer network occurring prior to the first time period;
generating a transition probability container defining a set of transition probabilities based on the set of historical data, the set of transition probabilities comprising a first transition probability representing a first probability of transitioning from a first technique, in the set of techniques, to a second technique in the set of techniques;
defining a set of emission probability containers corresponding to the set of techniques, the set of emission probability containers comprising a first emission probability container representing:
a second probability of detecting the second technique; and
a third probability of preventing the second technique;
defining an initial technique container representing an initial probability distribution of techniques in the set of techniques; and
generating a model correlating a target sequence of observations with a hidden state sequence of techniques based on the transition probability container, the set of emission probability containers, and the initial technique container; and
during a second time period succeeding the first time period:
calculating a sequence of techniques in the set of techniques based on the model, the sequence of techniques exhibiting greatest probability to yield, for each technique in the sequence of techniques:
absence of detection of the technique; and
absence of prevention of the technique;
generating an attack graph comprising a set of nodes linked according to the sequence of techniques, each node in the set of nodes:
corresponding to a technique in the sequence of techniques; and
storing a behavior executable by a target asset on a target network to emulate the technique; and
scheduling the target asset on the target network to selectively execute behaviors stored in the set of nodes in the attack graph during a third time period succeeding the second time period.
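Worked example, added here to show the computation claim 1 describes; it is not AttackIQ's code and not taken from the patent. The transition probability container, emission probability containers and initial technique container are treated as a hidden Markov model whose hidden states are techniques and whose observation at every step is "the technique was neither detected nor prevented"; Viterbi decoding against that constant observation sequence yields the technique sequence with the greatest probability of evading the target network's controls, which is then turned into a linear attack graph and an execution plan for the target asset. The technique names, the historical attack sequences, the detection and prevention rates, the `emulate_*` behaviour identifiers, the additive smoothing, the fixed sequence length and the independence of detection and prevention are all assumptions of the example, not content of the claim.

```python
"""Technique-sequence selection with a hidden Markov model, in the shape claim 1 describes.
Hidden states are techniques; the observation at each step is "neither detected nor prevented".
"""
from math import exp, log

# Constructed historical data (not real incident data): technique sequences seen in past attacks.
HISTORICAL_ATTACKS = [
    ["phishing", "script_exec", "cred_dump", "lateral_move", "exfil"],
    ["phishing", "script_exec", "persist", "cred_dump", "lateral_move", "exfil"],
    ["public_exploit", "script_exec", "cred_dump", "lateral_move", "exfil"],
    ["phishing", "macro_exec", "persist", "lateral_move", "exfil"],
    ["public_exploit", "macro_exec", "cred_dump", "exfil"],
]

# Constructed (hypothetical) control efficacy on the target network: technique -> (P(detected), P(prevented)).
CONTROL_EFFICACY = {
    "phishing": (0.30, 0.20),
    "public_exploit": (0.60, 0.50),
    "script_exec": (0.40, 0.10),
    "macro_exec": (0.70, 0.60),
    "persist": (0.20, 0.05),
    "cred_dump": (0.80, 0.30),
    "lateral_move": (0.50, 0.20),
    "exfil": (0.35, 0.15),
}

# Hypothetical technique -> behaviour identifier that an agent on the target asset knows how to run.
BEHAVIORS = {t: f"emulate_{t}" for t in CONTROL_EFFICACY}


def build_model(attacks, efficacy, smoothing=0.01):
    """Transition container, emission containers and initial container from historical data."""
    techniques = sorted(efficacy)
    # Additive smoothing keeps every technique reachable, so Viterbi never takes log(0).
    init = {t: smoothing for t in techniques}
    trans = {a: {b: smoothing for b in techniques} for a in techniques}
    for seq in attacks:
        init[seq[0]] += 1
        for a, b in zip(seq, seq[1:]):
            trans[a][b] += 1
    total = sum(init.values())
    init = {t: v / total for t, v in init.items()}
    for a in techniques:
        total = sum(trans[a].values())
        trans[a] = {b: v / total for b, v in trans[a].items()}
    # Emission probability of the observation "undetected and unprevented" given the technique.
    # Treating detection and prevention as independent is an assumption of this example.
    emit = {t: (1 - p_det) * (1 - p_prev) for t, (p_det, p_prev) in efficacy.items()}
    return techniques, init, trans, emit


def most_evasive_sequence(model, length):
    """Viterbi decode for a constant observation sequence of `length` 'evaded' steps."""
    techniques, init, trans, emit = model
    score = {t: log(init[t]) + log(emit[t]) for t in techniques}  # best log-prob ending in t
    backpointers = []
    for _ in range(length - 1):
        prev, new_score = {}, {}
        for t in techniques:
            best = max(techniques, key=lambda s: score[s] + log(trans[s][t]))
            prev[t] = best
            new_score[t] = score[best] + log(trans[best][t]) + log(emit[t])
        backpointers.append(prev)
        score = new_score
    last = max(techniques, key=score.get)
    path = [last]
    for prev in reversed(backpointers):  # follow backpointers from the best final state
        path.append(prev[path[-1]])
    path.reverse()
    return path, exp(score[last])


def attack_graph(sequence, behaviors):
    """Linear graph: one node per technique, each storing the behaviour that emulates it."""
    nodes = [{"id": i, "technique": t, "behavior": behaviors[t]} for i, t in enumerate(sequence)]
    edges = [(i, i + 1) for i in range(len(nodes) - 1)]
    return nodes, edges


def schedule(graph, start_epoch, spacing_seconds=600):
    """Execution plan for the target asset: (unix time, behaviour) in graph order."""
    nodes, _ = graph
    return [(start_epoch + i * spacing_seconds, n["behavior"]) for i, n in enumerate(nodes)]


if __name__ == "__main__":
    model = build_model(HISTORICAL_ATTACKS, CONTROL_EFFICACY)
    seq, p = most_evasive_sequence(model, length=5)
    print(seq, round(p, 5))
    for when, behavior in schedule(attack_graph(seq, BEHAVIORS), start_epoch=1_700_000_000):
        print(when, behavior)
```

With the constructed numbers the decoded sequence skips credential dumping even though it is the most common step in the historical data, because its detection rate on this target is high and the emission containers penalise it; changing only CONTROL_EFFICACY (a different target network) changes the path while the transition container stays the same, which is why the claim keeps the two containers separate. Note that the joint probability returned is of the path together with the observations, so it falls as the sequence gets longer; compare sequences of equal length.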