1. Field of the Invention
Embodiments of the present invention relate to methods and systems for dynamic threat assessment using computer or computer network security devices. More particularly, embodiments of the present invention relate to systems and methods for combining attack identification and event correlation from one or more security devices that generate events. These systems and methods provide a real-time assessment of which internal computers are at future risk for what type of attack, and which external computers may need to be watched more closely in the future.
2. Background Information
Most successful computer intrusions and computer network attacks consist of a series of calculated steps. While each step may not normally constitute an intrusion or attack on its own, the culmination of the steps often does. In addition, the end goals of the series of steps that constitute an intrusion or attack vary widely. For example, an attacker may have the goal of compromising a host for conducting future attacks. Such an attacker will most likely perform port reconnaissance, host service identification, and service exploitation, and finally install a rootkit or backdoor. Another attacker may have the goal of compromising a host to take specific information located on that host. Such an attacker may guess a user's password and transfer the desired files back across the network to a zombie host to defeat traceback.
In view of the foregoing, it can be appreciated that a substantial need exists for systems and methods that can advantageously predict or discover an intrusion or attack by analyzing a series of security device events over time.