This application relates generally to methods and systems for improving the ranking and prioritization of attack-related events.
High value information technology (IT) assets, such as endpoints, servers, and devices, are under continual attack by well-resourced adversaries that can leverage component product and software defects in order to gain control of the assets. The impact of a significant compromise may be catastrophic. Compromise can be due to software bugs, configuration errors, or design flaws, all of which involve low-level technical details and are difficult to ascribe to high-level system services and mission needs. As adversaries probe complex systems, their activities will inevitably be visible in event logs, intrusion detection systems (IDS), and security information and event management (SIEM) facilities.
Existing intrusion detection, logging, and security information and event management (SIEM) systems may provide security personnel with a deluge of information. However, much of the information may be either false alarms or activities with minimal impact. Continuous monitoring of an asset's typical behavior, including running processes, communications, memory use, and storage, may reveal useful anomalous events. However, the false positive rate may be high, and human specialists may still spend considerable time sorting through events to determine the highest value investigations to pursue. It is difficult to see the critical alerts among the unimportant or false ones. Without a considerable reduction in false positives, there is little hope of providing sufficiently automated resolutions. False alarms drain resources and contribute to cognitive overload among analysts, whose time is limited and expensive.
In addition, large numbers of network probes threaten to drown out significant events that require analyst attention and immediate response. Due to the lack of automated responses, accurate sensors, and personnel, the time required to recognize, diagnose, and act upon events in the commercial sector is in the range of days and hours.
Host-based and network-based intrusion detection systems (IDS) may identify unauthorized, illicit, and anomalous behavior based on agents placed on hosts or upon network traffic. Logs from hosts, servers, firewalls, and other devices may also provide an indication of unapproved and irregular activities within the network and on individual devices. Security information and event management technology has been developed and adopted by sectors in the commercial world; it supports threat detection through real-time collection and analysis of security events from a wide variety of sensors and sources.
Improvements in IDS and SIEM technology may gradually reduce false alarm rates, but these systems cannot take overall mission needs and priorities into account. What is needed is a system/mission model that maps high-level concerns to potential low-level vulnerabilities, compromises, or indications of suspicious activity. For enterprise-scale systems, such models can become very complex; a machine-readable model is needed that can perform automated calculations of various metrics (impact, potential for loss of life, remediation cost, etc.). Such a model is also requisite for any type of automated response: it is only by assessing larger impacts that an automated system can make necessary changes without disrupting essential services.
A driver for operating cost-effective and secure operation environments may be the availability of subject matter experts to monitor highly protected assets. Their labor hours may be a limited resource, and the ability to focus their expertise on the highest value defense activities is an important way to most effectively leverage their resources. Therefore, there is a need for tools and means of ranking and prioritizing attack indicators so that their time may be more efficiently spent on the most important threats. Such tools and means may also lead to eventual automation of monitoring and response capabilities, and help reduce the response time for the most serious events down to hours or minutes.
What is therefore desired is to have a system that analyzes and prioritizes the impact of security alerts and security-relevant events on servers, endpoint hosts, and network devices. Embodiments disclosed herein describe a network security alerts analysis system, referred to herein as a Silverline Run Time (SilverlineRT) system containing one or more instances of SilverlineRT applications. The SilverlineRT system may solve the aforementioned problems and other problems as well. The SilverlineRT system may consider the overall system architecture and mission goals, giving security analysts critical insight into the impact of potential compromise, triaging less serious events and responding as necessary to more grave ones. The SilverlineRT system may also compute security-relevant metrics for the mission system as a whole, including remediation costs and the impact of particular attacks, should they occur in the future. As a result, the SilverlineRT system may save time while providing more thorough, context-driven analysis and recommendations for manual or automated response, especially of the complex interconnections in typical large-scale mission/enterprise systems.
In one embodiment, a computer implemented method comprises generating, by a computer, an executable logic of an attack tree model based on a set of attack detection rules received by the computer through a graphical user interface (GUI) wherein the attack tree model is in a hierarchical structure comprising a root node and one or more child nodes, the root node representing a higher-level operating condition of an attack, and each of the one or more child nodes representing a lower-level operating condition of the attack; receiving, by the computer in real-time, electronic notifications of a plurality of alerts from a plurality of network devices interconnected to each other within a distributed network; detecting, by the computer, one or more attacks on the plurality of network devices based on the plurality of alerts by executing the logic of the attack tree model, wherein executing the logic of the attack tree model comprises traversing the attack tree model from the one or more child nodes to respective parent node based on the plurality of alerts, wherein the traversing comprises determining that an operating condition of a respective parent node is satisfied based upon the computer determining that the respective operating condition of at least one of the one or more child nodes is satisfied; determining, by the computer, impact and risk metrics for each of the one or more attacks by correlating configuration data of the plurality of network devices; calculating, by the computer, an impact score for each of the one or more attacks based on the corresponding impact and risk metrics; ranking and prioritizing, by the computer, the one or more attacks based on the corresponding impact score; and generating, by the computer in real-time, a dashboard comprising prioritized list of the one or more attacks, whereby the computer automatically responds to one or more higher priority attacks.
In another embodiment, a system comprises a plurality of network devices; a server in communication with the plurality of network devices and configured to: generate an executable logic of an attack tree model based on a set of attack detection rules received by the server through a graphical user interface (GUI), wherein the attack tree model is in a hierarchical structure comprising a root node and one or more child nodes, the root node representing a higher-level operating condition of an attack, and each of the one or more child nodes representing a lower-level operating condition of the attack; receive in real-time electronic notifications of a plurality of alerts from a plurality of network devices interconnected to each other within a distributed network; detect one or more attacks on the plurality of network devices based on the plurality of alerts by executing the logic of the attack tree model, wherein executing the logic of the attack tree model comprises traversing the attack tree model from the one or more child nodes to respective parent node based on the plurality of alerts, wherein the traversing comprises determining that an operating condition of a respective parent node is satisfied based upon the computer determining that the respective operating condition of at least one of the one or more child nodes is satisfied; determine impact and risk metrics for each of the one or more attacks by correlating configuration data of the plurality of network devices; calculate an impact score for each of the one or more attacks based on the corresponding impact and risk metrics; rank and prioritize the one or more attacks based on the corresponding impact score; and generate in real-time a dashboard comprising prioritized list of the one or more attacks, whereby the server automatically responds to one or more higher priority attacks.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are intended to provide further explanation of the invention as claimed.
The accompanying drawings constitute a part of this specification and illustrate embodiments of the subject matter disclosed herein.
Reference will now be made to the illustrative embodiments illustrated in the drawings, and specific language will be used here to describe the same. It will nevertheless be understood that no limitation of the scope of the claims or this disclosure is thereby intended. Alterations and further modifications of the inventive features illustrated herein, and additional applications of the principles of the subject matter illustrated herein, which would occur to one ordinarily skilled in the relevant art and having possession of this disclosure, are to be considered within the scope of the subject matter disclosed herein. The present disclosure is here described in detail with reference to embodiments illustrated in the drawings, which form a part hereof. Other embodiments may be used and/or other changes may be made without departing from the spirit or scope of the present disclosure. The illustrative embodiments described in the detailed description are not meant to be limiting of the subject matter presented here.
Embodiments disclosed herein describe an analytic server that builds SilverlineRT tools that can show the context and impact of potential alerts. By executing SilverlineRT, the analytic server may prioritize and analyze security alerts and server/endpoint/network events according to the overall system architecture and mission goals. By using impact models based on an enhanced version of attack trees, the analytic server may give security personnel visibility into the overall impact of alerts and potentially malicious activity, thereby allowing the security personnel to prioritize their response. The analytic server may also pave the way for automated responses that are consistent with overall mission needs and priorities. The analytic server may reduce the security personnel's burden, save time, and yield more thorough, repeatable analysis of cyber events. The SilverlineRT system particularly excels in showing the impact of alerts within large-scale distributed systems, both within the Air Force and Department of Defense as well as in civilian critical infrastructure and commercial enterprise networks.
The analytic server may use mission- and system-specific context in the analysis and prioritization of alert information, thus giving insight into the overall context of problems and potential solutions, improving decision making and saving time for security personnel.
The analytic server 102 may be any computing device comprising a processor and other computing hardware and software components, configured to build a SilverlineRT system containing one or more SilverlineRT applications. The analytic server 102 may be logically and physically organized within the same or different devices or structures, and may be distributed across any number of physical structures and locations (e.g., cabinets, rooms, buildings, cities). The analytic server 102 may execute automated configuration and run-time status queries. At the same time, the analytic server 102 may receive logging and alert information from the servers, endpoints, and network devices under management. For example, the analytic server 102 may receive logging and alert information from the devices in the enterprise/distributed systems and network 106, and from the second analytic server 110 connected with the second network of distributed systems 112. The analytic server 102 may also query existing IDS and SIEM systems for alert data, and receive such data asynchronously from the third-party IDS or SIEM 108. The logging and alert information on each device may be collected via standard protocols such as syslog, Windows Event Logs, secure shell (SSH), or the Simple Network Management Protocol (SNMP). The OASIS® Structured Threat Information eXpression (STIX) is a natural way of describing the logging and alert data and is supported in the SilverlineRT system via the OASIS Trusted Automated Exchange of Intelligence Information (TAXII) transport. In this way, the SilverlineRT system may leverage future/third-party advances in detection algorithms.
The analytic server 102 may build a SilverlineRT application 116 by using an attack tree model based on a set of aggregation rules, which dictate how various metrics are computed in terms of lower-level data. In the SilverlineRT application 116, the analytic server 102 may support a large set of aggregation functions, and the user can define custom functions if needed. The analytic server 102 may refine the interface for aggregation functions and provide a set of aggregators specific to assessing real-time cyber threat indicator data. The results of the aggregation rules can be in standard form such as National Institute of Standards and Technology (NIST) Common Vulnerability Scoring System (CVSS) vectors or costs, or in mission domain-specific terms. As data arrives, the metrics will be recomputed in real-time, “bubbling up” the tree as appropriate.
After the analytic server 102 prioritizes and analyzes the aggregate impact of multiple alerts, IDS notifications, and other attack indicators, the analytic server 102 may display the results on a user interface of the analytic server or on a computing device (not shown) associated with the analyst 114. The analyst 114 may easily see which alerts have the most significant “big picture” impact and which can be triaged for later assessment by low-level personnel. When cost or other metrics are available within the model, the analyst 114 may see which proposed remediation strategies have the most significant impact for the least cost or least mission disruption.
The analytic server 102 may operate the SilverlineRT application 116 in a federated manner, where portions of the tree model are located at various sites or administrative domains and are maintained by local experts. At alternate sites, headless copies of SilverlineRT applications aggregate site-local data and alerts; the results may provide aggregated inputs to one or more “master” instances for analyst use. Such an architecture may allow voluminous, potentially sensitive alert and IDS data to stay local (e.g., for forensic purposes) while enabling the entire system to scale up for very large enterprises.
Overall, the analytic server 102 may use the SilverlineRT application 116 to help the analyst 114 sort out false alarms from true attacks that have minimal impact on mission success, and highlight the attacks that must be addressed immediately and possibly automatically. Therefore, the analytic server 102 may save time and reduce cognitive burden on overloaded security analysts.
The SilverlineRT application 116 built by the analytic server 102 may include several components or modules, such as an import/export module, an attack tree analysis module, an agent tests module, and a graphical user interface module. The import/export module may receive data from or transmit data to the local knowledge database 104. The import/export module may also receive logging and alert information from devices under management, such as the servers, endpoints, and network devices in the distributed systems and network 106, through a third-party IDS or SIEM 108. The agent tests module may receive events and alerts from the operating system of the infrastructure platform within the enterprise/distributed systems and network 106 or from applications and servers running on that operating system. In addition, the agent tests module may perform configuration tests and remote agent tests on the operating system of the infrastructure platform within the enterprise/distributed systems and network 106. The agent tests module may interact with the attack tree analysis module to determine and analyze the security attacks. The attack tree module may comprise a set of aggregation rules for computing various metrics on threats and possible attacks on different devices. The graphical user interface module may comprise graphical interactive elements configured to display analysis results and cyber threat indicator data, receive user configuration, and any other interactive elements that allow the user to interact with the analytic server 102.
The local knowledge database 104 may be any non-transitory machine-readable media associated with the analytic server 102. The local knowledge database 104 may be configured to store data, including logging and alert information from different devices and systems, the attack tree model comprising aggregation rules and configurations for analyzing security threats and attacks, the metrics computed based on the aggregation rules in the attack tree model, the ranking and prioritization of attack-related events. The local knowledge database 104 may also include any other data that is helpful for analyzing security alerts and server/endpoint/network events.
The enterprise/distributed systems and network 106 may be any number of devices and systems connected with each other within a distributed network. Such devices and systems may be under management of the analytic server 102. The enterprise/distributed systems and network 106 may comprise an infrastructure platform with an operating system for servers and applications. The operating system may receive remote agent tests from the analytic server 102. The infrastructure platform of one system may be connected to another system (e.g., a second system). The infrastructure platform of each system may transmit logging and alert information to the analytic server 102 via a third-party IDS or SIEM 108.
The third-party IDS or SIEM 108 may be any device or software application that monitors a network or systems for malicious activity or policy violations. The security information and event management (SIEM) system may report any malicious activity or violation to an administrator or analyst. The SIEM may combine outputs from multiple sources. The third-party IDS or SIEM 108 may plug into the existing systems, aggregate the alerts and events from various systems and devices, and import the alerts and events into the SilverlineRT application 116 running on the analytic server 102.
The second analytic server 110 connected with the second network of distributed systems 112 may be a similar system architecture as the analytic server 102 connected with the enterprise/distributed systems and network 106. The different analytic servers may be in communication with each other and feed alerts and events information into each other. The system 100 may comprise any number of such analytic servers and connected networks of distributed systems.
At step 202, the analytic server may generate an attack tree model based on attack detection rules. The attack tree model may be an executable logic for detecting attacks. The attack detection rules may come from user configuration and/or local knowledge in the database. The analytic server may build the attack tree based on a set of aggregation rules and other attack detection rules, which dictate how various metrics are computed in terms of lower-level data. The analytic server may support a large set of aggregation functions and attack detection rules. In some embodiments, the analytic server may provide a graphical user interface (GUI) for the analyst/user to define custom functions and rules.
At step 204, the analytic server may monitor systems and receive electronic notifications of alerts from various devices and systems under management in real-time. The analytic server may monitor a set of devices and systems with any number of devices connected with each other within a distributed network. For example, the analytic server may monitor a network with multiple heterogeneous systems by receiving alerts from external sensors and intrusion detection systems. Such devices and systems may be under management of the analytic server. The analytic server may receive logging and alert information from the infrastructure platform of the distributed systems and network via a third-party IDS or SIEM. The third-party IDS or SIEM may plug into the existing systems, aggregate the alerts and events from various systems and devices, and import the alerts and events into the analytic server.
At step 206, the analytic server may detect attacks using the attack tree while excluding false alarms. Based on the logging information, alerts, and events received from various devices and systems under management, the analytic server may determine attacks by executing the logic of the attack tree model. Specifically, the analytic server may follow the logic of the attack tree model by traversing the attack tree model from the bottom up and determining whether the logging information, alerts, and events data satisfy the operating conditions of the nodes. From the bottom up, child nodes are lower-level operating conditions of an attack, and at least one of the child nodes must be satisfied to make the direct parent node true; the parent node represents a higher-level operating condition. When the root is satisfied (e.g., the highest level operating condition is satisfied), the attack is complete. The analytic server may perform automated evaluations and computations over the attack tree model, testing on-line to see whether particular vulnerabilities are present or known-weak configurations or libraries are in use. In addition, by correlating information from multiple sources, the analytic server may be able to learn context for alerts and distinguish likely false alarms, as well as true, but unimportant, alerts. Thus, the analytic server may reduce false positives and the cognitive load the false positives may cause.
At step 208, the analytic server may compute aggregate system impact and risk metrics in real-time. The analytic server may correlate context and configuration data from disparate servers, endpoints, and network sensors and determine overall system risk. The analytic server may not only determine if the combination of correlated data indicates an attack, but also how much of an impact the attack might have. For example, the analytic server may determine various security-relevant metrics for the mission system as a whole, such as impact, potential for loss of life, remediation cost, and the like. As data arrives, the analytic server may re-compute the metrics in real-time. The analytic server may develop aggregation modules for the SilverlineRT system's hierarchical model to compute (or update) impact metrics in terms of lower-level alerts and indicators from server, endpoint, and network sensors or intrusion detection systems. The SilverlineRT system's hierarchical system model may provide computed scores, such as Common Vulnerability Scoring System (CVSS) scores, to rank indicators and alerts.
At step 210, the analytic server may rank and prioritize the attacks based on an impact score calculated from the impact and risk metrics and display the attacks based on the ranking. After determining a set of impact and risk metrics from multiple data sources, the analytic server may calculate aggregated metrics (e.g., CVSS vectors) from base data. For example, the analytic server may calculate an impact score (e.g., CVSS score) based on the impact and risk metrics. The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores are calculated based on a formula that depends on several metrics that approximate ease of exploit and the impact of exploit.
The analytic server may use aggregation functions to define how metrics at a single level of the attack tree model are computed in terms of metrics from the next level down. For example, a CVSS “impact” score for a set of servers may be the maximum CVSS impact value for all constituent servers. While the SilverlineRT system allows arbitrary aggregation functions to be defined, the analytic server may provide support for customizing the user interface to facilitate the definition of aggregation rules common in real-time intrusion alert systems. These rules may serve to correlate sensor data from servers, endpoints, network devices, and existing IDS in a mission/system-specific manner. Such a feature may give added value to SilverlineRT system's models: by knowing the context of an alert, the system may compute the impact to overall mission success.
The analytic server may rank attack indicators and alerts based on the CVSS scores and display the attacks on a user interface based on the ranking. The analytic server may show the context and impacts of alerts on the user interface. As a result, the analyst may easily see which alerts have the most significant “big picture” impact and which can be triaged for later assessment by low-level personnel. When cost or other metrics are available within the model, the analyst can easily see which proposed remediation strategies have the most significant impact for the least cost or least mission disruption. Thus, the SilverlineRT system may help triage unimportant issues from critical ones, save time and mental effort by subject matter experts (SMEs), and maximize the effectiveness of limited SME time in real-time monitoring of high value IT assets.
At step 212, the analytic server may generate reports in standard formats in real-time. The analytic server may display the report in a dashboard of a user interface. The dashboard may comprise the prioritized list of the attacks. The SilverlineRT system may be able to produce machine-readable alerts and human-readable reports to fit within an organization's cybersecurity ecosystem. The analytic server may support visualization and Portable Document Format (PDF) report-generation capabilities in the SilverlineRT system.
As with data importers, the analytic server may define a plug-in application programming interface (API) for generating alerts in arbitrary formats. The API may also be used to perform automated remediation or other actions in response to a suitably severe alert; the API may provide the automated response algorithm with information on the expected impact or disruption, both of which are critical in deciding whether to take automated action. In some embodiments, the analytic server may automatically respond to one or more higher priority attacks. As a result, the analytic server may lay the groundwork for automated response.
Internally, the analytic server may use straightforward Extensible Markup Language (XML) for data storage and processing and keep raw data in its native formats for forensic purposes. By combining such features, the analytic server may facilitate integration with other data processing tools. For instance, one could write an Extensible Stylesheet Language Transformations (XSLT) script that generates Hypertext Markup Language (HTML) reports from the SilverlineRT system test records.
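The following is an added illustration of steps 206 through 210 (bottom-up attack tree evaluation with OR semantics at each parent, per-node aggregation rules such as the maximum CVSS impact over constituent servers, and ranking of satisfied attacks by impact score); it is example code written for this description, not the SilverlineRT implementation, and the alert types, device names, impact values and attack trees are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample alerts, as a third-party IDS/SIEM might forward them (not real data).
SAMPLE_ALERTS = [
    {"device": "web-01", "type": "ssh_bruteforce"},
    {"device": "web-02", "type": "ssh_bruteforce"},
    {"device": "db-01", "type": "outdated_openssl"},
    {"device": "web-01", "type": "port_scan"},
]

# Constructed per-device CVSS-style impact values (0.0-10.0), the kind of figure that would be
# derived from configuration data (what the host serves, how exposed it is). Assumed values.
DEVICE_IMPACT: Dict[str, float] = {"web-01": 5.3, "web-02": 6.1, "db-01": 9.8}


@dataclass
class Node:
    """One node of an attack tree. A leaf names the alert type that satisfies it;
    an interior node is satisfied when at least one child is satisfied."""
    name: str
    alert_type: Optional[str] = None
    children: List["Node"] = field(default_factory=list)
    # Aggregation rule: how this node's impact is computed from its satisfied children's
    # impacts. Default is the patent's example rule, the maximum over constituents.
    aggregate: Callable[[List[float]], float] = max


def evaluate(node: Node, alerts: List[dict],
             device_impact: Dict[str, float]) -> Tuple[bool, float, List[str]]:
    """Bottom-up traversal. Returns (satisfied, impact, evidence).

    Leaf: satisfied when at least one alert of its type has arrived; impact is the
    highest impact among the devices that raised it. Interior node: satisfied when any
    child is satisfied (OR semantics); impact is its aggregation rule over those children.
    """
    if node.alert_type is not None:
        hits = [a["device"] for a in alerts if a["type"] == node.alert_type]
        if not hits:
            return False, 0.0, []
        impact = max(device_impact.get(d, 0.0) for d in hits)
        return True, impact, [f"{node.name}@{d}" for d in hits]
    satisfied_impacts: List[float] = []
    evidence: List[str] = []
    for child in node.children:
        ok, imp, ev = evaluate(child, alerts, device_impact)
        if ok:
            satisfied_impacts.append(imp)
            evidence.extend(ev)
    if not satisfied_impacts:
        return False, 0.0, []
    return True, node.aggregate(satisfied_impacts), evidence


def rank_attacks(trees: List[Node], alerts: List[dict],
                 device_impact: Dict[str, float] = DEVICE_IMPACT) -> List[dict]:
    """Evaluate every attack tree against the current alert set and return only the
    attacks whose root is satisfied, highest impact score first. Re-running this as
    new alerts arrive is the 'bubbling up' recomputation described in the text."""
    ranked = []
    for root in trees:
        ok, impact, evidence = evaluate(root, alerts, device_impact)
        if ok:
            ranked.append({"attack": root.name, "impact": round(impact, 1),
                           "evidence": evidence})
    return sorted(ranked, key=lambda r: r["impact"], reverse=True)


# Constructed attack trees: each root is one attack, each leaf one detectable condition.
ATTACK_TREES = [
    Node("Credential compromise", children=[
        Node("SSH brute force", alert_type="ssh_bruteforce"),
        Node("Password spray", alert_type="password_spray"),
    ]),
    Node("Data exfiltration", children=[
        Node("Weak TLS library on data host", alert_type="outdated_openssl"),
        Node("SQL injection", alert_type="sql_injection"),
    ]),
    Node("Reconnaissance", children=[Node("Port scan", alert_type="port_scan")]),
    Node("Ransomware", children=[Node("Mass file encryption", alert_type="mass_file_encrypt")]),
]

if __name__ == "__main__":
    # Dashboard-style listing: unsatisfied trees (here, Ransomware) never appear.
    for row in rank_attacks(ATTACK_TREES, SAMPLE_ALERTS):
        print(f"{row['impact']:>4}  {row['attack']:<24} {', '.join(row['evidence'])}")
```

Note that the two brute-force alerts collapse into a single "Credential compromise" entry scored by the more exposed host, while the single alert on the database host ranks first because of that host's impact, which is the context-driven ordering the text describes.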
As shown in
The foregoing method descriptions and the process flow diagrams are provided merely as illustrative examples and are not intended to require or imply that the steps of the various embodiments must be performed in the order presented. The steps in the foregoing embodiments may be performed in any order. Words such as “then,” “next,” etc. are not intended to limit the order of the steps; these words are simply used to guide the reader through the description of the methods. Although process flow diagrams may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, and the like. When a process corresponds to a function, the process termination may correspond to a return of the function to a calling function or a main function.
The various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of this disclosure or the claims.
Embodiments implemented in computer software may be implemented in software, firmware, middleware, microcode, hardware description languages, or any combination thereof. A code segment or machine-executable instructions may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements. A code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted via any suitable means including memory sharing, message passing, token passing, network transmission, etc.
The actual software code or specialized control hardware used to implement these systems and methods is not limiting of the claimed features or this disclosure. Thus, the operation and behavior of the systems and methods were described without reference to the specific software code, it being understood that software and control hardware can be designed to implement the systems and methods based on the description herein.
When implemented in software, the functions may be stored as one or more instructions or code on a non-transitory computer-readable or processor-readable storage medium. The steps of a method or algorithm disclosed herein may be embodied in a processor-executable software module, which may reside on a computer-readable or processor-readable storage medium. A non-transitory computer-readable or processor-readable media includes both computer storage media and tangible storage media that facilitate transfer of a computer program from one place to another. A non-transitory processor-readable storage media may be any available media that may be accessed by a computer. By way of example, and not limitation, such non-transitory processor-readable media may comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other tangible storage medium that may be used to store desired program code in the form of instructions or data structures and that may be accessed by a computer or processor. Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk, and Blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media. Additionally, the operations of a method or algorithm may reside as one or any combination or set of codes and/or instructions on a non-transitory processor-readable medium and/or computer-readable medium, which may be incorporated into a computer program product.
The preceding description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the embodiments described herein and variations thereof. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the subject matter disclosed herein. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the following claims and the principles and novel features disclosed herein.
While various aspects and embodiments have been disclosed, other aspects and embodiments are contemplated. The various aspects and embodiments disclosed are for purposes of illustration and are not intended to be limiting, with the true scope and spirit being indicated by the following claims.
This application is a continuation application of U.S. application Ser. No. 16/995,458, filed Aug. 17, 2020, entitled “Alert Systems and Methods for Attack-Related Events,” which is a continuation application of U.S. application Ser. No. 16/012,651, filed Jun. 19, 2018, entitled “Systems and Methods for Improving the Ranking and Prioritization of Attack-Related Events,” each of which is hereby incorporated by reference in its entirety. This application relates to U.S. application Ser. No. 15/485,784, filed Apr. 12, 2017, entitled “Software Assurance System for Runtime Environments,” and U.S. application Ser. No. 15/622,434, filed Jun. 14, 2017, entitled “Software Assurance for Heterogeneous Distributed Computing Systems,” each of which is hereby incorporated by reference in its entirety.
Relation | Number | Date | Country
---|---|---|---
Parent | 16995458 | Aug 2020 | US
Child | 17967533 | | US
Parent | 16012651 | Jun 2018 | US
Child | 16995458 | | US