Threat emulation framework

DWPI Title: Method for emulating threats in a virtual network computing environment using a computer network defense system, for computer networks employed in day-to-day activities on e.g. a hardware system, in which processors present the collected behavioral and performance data to a user through an interface
Abstract: A method for emulating threats in virtual network computing environment is provided. The method comprises creating a number of virtual machines in the virtual network computing environment. A number of threat actors are emulated, wherein each threat actor comprises a number of threat artifacts that form a sequence of attack steps against the virtual network computing environment. The threat actors are then deployed against the virtual network computing environment. Behavioral data about actions of the threat actors in the virtual network computing environment is collected, as is performance data about the virtual network computing environment in response to the threat actors. The collected behavioral and performance data is then presented to a user via an interface.
Use: Method for emulating threats in a virtual network computing environment using a computer network defense system, for computer systems (e.g. hardware systems and data processing systems) that employ virtual computer networks in day-to-day activities. Applicable systems include, but are not limited to, a computer, a server computer, a laptop computer, a workstation and a tablet computer used in payroll, human resources, research, sales and marketing activities.
Advantage: The method collects behavioral data about the actions of the threat actors in the virtual network computing environment and performance data about the environment's response to those threat actors, and presents both to the user through the interface. This provides a sufficiently realistic environment in which threat actors can demonstrate their capabilities, gives insight into the actions an adversary takes when attacking a computer network, and thereby helps mitigate the effects of a current attack or protect against future attacks on a computer network.
Novelty: The method (800) involves creating (802) a number of virtual machines (VMs) in a virtual network computing environment by a number of processors. A VM exit handler is hooked to intercept function calls and exceptions, giving the system control over the VMs in the virtual network computing environment. A number of threat actors is emulated (804) by the processors, where each threat actor comprises a number of threat artifacts that form a sequence of attack steps against the virtual network computing environment. The threat actors are deployed (806) against the environment by the processors. Behavioral data about the actions of the threat actors in the environment is collected (808) by the processors. Performance data about the environment in response to the threat actors is collected (810) by the processors. The collected behavioral and performance data is presented (812) to a user through an interface by the processors.
Filed: 11/15/2019
Application Number: US16685907A
Tech ID: SD 15009.0
This invention was made with Government support under Contract No. DE-NA0003525 awarded by the United States Department of Energy/National Nuclear Security Administration. The Government has certain rights in the invention.
Data from Derwent World Patents Index, provided by Clarivate