SYSTEM AND METHOD FOR MITIGATING CYBER SECURITY THREATS BY DEVICES USING RISK FACTORS

  • Publication Date:
    December 12, 2024
  • Additional Information
    • Document Number:
      20240414187
    • Appl. No:
      18/734707
    • Application Filed:
      June 05, 2024
    • Abstract:
      A system and method for mitigating cyber security threats by devices using risk factors. The method includes determining a plurality of risk factors for a device based on a plurality of risk behaviors indicated by network activity and information of the device, wherein the plurality of risk behaviors includes observed risk behaviors and assumed risk behaviors, wherein the observed risk behaviors are indicated by data related to network activity by the device, wherein the assumed risk behaviors are extrapolated based on known contextual information related to the device; determining a risk score for the device based on the plurality of risk factors and a plurality of weights, wherein each of the plurality of weights is applied to one of the plurality of risk factors; and performing at least one mitigation action based on the risk score.
    • Assignees:
      Armis Security Ltd. (Tel Aviv, IL)
    • Claim:
      1.-19. (canceled)
    • Claim:
      20. A method for mitigating cyber security threats by devices using risk factors, comprising: determining a plurality of risk factors for a device based on a plurality of risk behaviors indicated by network activity and information of the device, wherein the plurality of risk behaviors includes observed risk behaviors, wherein the observed risk behaviors are determined based on data related to at least one of: configuration of the device, network activity by the device, geographic movement of the device, signal strength of the device, and a protocol used by the device; determining a risk score for the device based on the plurality of risk factors and a plurality of weights, wherein each of the plurality of weights is applied to one of the plurality of risk factors; and performing at least one mitigation action based on the risk score.
    • Claim:
      21. The method of claim 20, wherein the plurality of risk factors is determined for the device when at least one of: the device connects to a network, the device is turned on in physical proximity to a network, and the device becomes physically proximate to network infrastructure.
    • Claim:
      22. The method of claim 20, wherein the at least one mitigation action includes monitoring network activity by the device when the risk score is below a threshold, further comprising: updating the risk score based on the monitored network activity; and performing at least one subsequent mitigation action based on the updated risk score.
    • Claim:
      23. The method of claim 20, wherein the plurality of risk factors includes a manufacturer reputation risk factor, wherein the manufacturer reputation risk factor is determined based on a quotient of a number of common vulnerabilities and exposures attributed to a manufacturer of the device over a number of employees of the manufacturer of the device.
    • Claim:
      24. The method of claim 20, wherein the plurality of risk factors includes a data entropy risk factor, wherein the data entropy risk factor is determined based on entropy of at least one of: data received by the device, and data sent by the device.
    • Claim:
      25. The method of claim 20, wherein the plurality of risk factors includes at least one of: an attack surface exposure risk factor, a cloud synchronization risk factor, a connection security risk factor, a boundary evasion risk factor, a third party application stores risk factor, a malicious domains risk factor, a vulnerability history risk factor, a data-at-rest risk factor, an external connectivity risk factor, a user authentication risk factor, a software version risk factor, a certificate reuse risk factor, a manufacturer reputation risk factor, and a device model reputation risk factor.
    • Claim:
      26. The method of claim 20, wherein the plurality of risk factors is determined based further on a plurality of known device behaviors, wherein each of the plurality of known device behaviors is associated with a plurality of known risk factors, wherein each of the plurality of known risk factors is associated with at least one risk behavior.
    • Claim:
      27. A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising: determining a plurality of risk factors for a device based on a plurality of risk behaviors indicated by network activity and information of the device, wherein the plurality of risk behaviors includes observed risk behaviors, wherein the observed risk behaviors are determined based on data related to at least one of: configuration of the device, network activity by the device, geographic movement of the device, signal strength of the device, and a protocol used by the device; determining a risk score for the device based on the plurality of risk factors and a plurality of weights, wherein each of the plurality of weights is applied to one of the plurality of risk factors; and performing at least one mitigation action based on the risk score.
    • Claim:
      28. The non-transitory computer readable medium of claim 27, wherein the plurality of risk factors is determined for the device when at least one of: the device connects to a network, the device is turned on in physical proximity to a network, and the device becomes physically proximate to network infrastructure.
    • Claim:
      29. The non-transitory computer readable medium of claim 27, wherein the at least one mitigation action includes monitoring network activity by the device when the risk score is below a threshold, further comprising: updating the risk score based on the monitored network activity; and performing at least one subsequent mitigation action based on the updated risk score.
    • Claim:
      30. The non-transitory computer readable medium of claim 27, wherein the plurality of risk factors includes a manufacturer reputation risk factor, wherein the manufacturer reputation risk factor is determined based on a quotient of a number of common vulnerabilities and exposures attributed to a manufacturer of the device over a number of employees of the manufacturer of the device.
    • Claim:
      31. The non-transitory computer readable medium of claim 27, wherein the plurality of risk factors includes a data entropy risk factor, wherein the data entropy risk factor is determined based on entropy of at least one of: data received by the device, and data sent by the device.
    • Claim:
      32. The non-transitory computer readable medium of claim 27, wherein the plurality of risk factors includes at least one of: an attack surface exposure risk factor, a cloud synchronization risk factor, a connection security risk factor, a boundary evasion risk factor, a third party application stores risk factor, a malicious domains risk factor, a vulnerability history risk factor, a data-at-rest risk factor, an external connectivity risk factor, a user authentication risk factor, a software version risk factor, a certificate reuse risk factor, a manufacturer reputation risk factor, and a device model reputation risk factor.
    • Claim:
      33. The non-transitory computer readable medium of claim 27, wherein the plurality of risk factors is determined based further on a plurality of known device behaviors, wherein each of the plurality of known device behaviors is associated with a plurality of known risk factors, wherein each of the plurality of known risk factors is associated with at least one risk behavior.
    • Claim:
      34. A system for mitigating cyber security threats by devices using risk factors, comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: determine a plurality of risk factors for a device based on a plurality of risk behaviors indicated by network activity and information of the device, wherein the plurality of risk behaviors includes observed risk behaviors, wherein the observed risk behaviors are determined based on data related to at least one of: configuration of the device, network activity by the device, geographic movement of the device, signal strength of the device, and a protocol used by the device; determine a risk score for the device based on the plurality of risk factors and a plurality of weights, wherein each of the plurality of weights is applied to one of the plurality of risk factors; and perform at least one mitigation action based on the risk score.
    • Claim:
      35. The system of claim 34, wherein the plurality of risk factors is determined for the device when at least one of: the device connects to a network, the device is turned on in physical proximity to a network, and the device becomes physically proximate to network infrastructure.
    • Claim:
      36. The system of claim 34, wherein the at least one mitigation action includes monitoring network activity by the device when the risk score is below a threshold, wherein the system is further configured to: update the risk score based on the monitored network activity; and perform at least one subsequent mitigation action based on the updated risk score.
    • Claim:
      37. The system of claim 34, wherein the plurality of risk factors includes a manufacturer reputation risk factor, wherein the manufacturer reputation risk factor is determined based on a quotient of a number of common vulnerabilities and exposures attributed to a manufacturer of the device over a number of employees of the manufacturer of the device.
    • Claim:
      38. The system of claim 34, wherein the plurality of risk factors includes a data entropy risk factor, wherein the data entropy risk factor is determined based on entropy of at least one of: data received by the device, and data sent by the device.
    • Claim:
      39. The system of claim 34, wherein the plurality of risk factors includes at least one of: an attack surface exposure risk factor, a cloud synchronization risk factor, a connection security risk factor, a boundary evasion risk factor, a third party application stores risk factor, a malicious domains risk factor, a vulnerability history risk factor, a data-at-rest risk factor, an external connectivity risk factor, a user authentication risk factor, a software version risk factor, a certificate reuse risk factor, a manufacturer reputation risk factor, and a device model reputation risk factor.
    • Current International Class:
      04; 06
    • Identifier Number:
      edspap.20240414187
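
The scoring loop recited in claims 20 and 22 to 24, as an added example that is not taken from the patent application: two of the claimed risk factors (data entropy, manufacturer reputation) are combined with per-factor weights into a risk score, and a device that scores below the threshold is monitored and then rescored. The weights, the threshold, the normalisation cap, the mapping of higher entropy to higher risk, the action names and the sample payloads are all assumptions made for illustration.

```python
import math
from collections import Counter

# Assumed values; the claims only say one weight is applied to each risk factor.
WEIGHTS = {"data_entropy": 0.4, "manufacturer_reputation": 0.6}
THRESHOLD = 0.5          # assumed cut-off between "monitor" and a stronger action
CVE_PER_EMPLOYEE_CAP = 0.05  # assumed quotient that maps to the maximum factor 1.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def data_entropy_factor(payload: bytes) -> float:
    """Claim 24 factor, scaled to 0..1. Assumption: higher entropy, higher risk."""
    return shannon_entropy(payload) / 8.0

def manufacturer_reputation_factor(cve_count: int, employees: int) -> float:
    """Claim 23 factor: CVEs attributed to the maker over its employee count."""
    if employees <= 0:
        return 1.0  # unknown or invalid headcount: treat as worst case
    return min((cve_count / employees) / CVE_PER_EMPLOYEE_CAP, 1.0)

def risk_score(factors: dict, weights: dict = WEIGHTS) -> float:
    """Weighted sum of factors, normalised by total weight so the result is 0..1."""
    missing = set(weights) - set(factors)
    if missing:
        raise ValueError(f"missing risk factors: {sorted(missing)}")
    return sum(weights[k] * factors[k] for k in weights) / sum(weights.values())

def assess(payload: bytes, cve_count: int, employees: int):
    """Return (score, action). 'quarantine' is a hypothetical stronger action."""
    factors = {
        "data_entropy": data_entropy_factor(payload),
        "manufacturer_reputation": manufacturer_reputation_factor(cve_count, employees),
    }
    score = risk_score(factors)
    return score, ("monitor" if score < THRESHOLD else "quarantine")

# Constructed sample traffic: repetitive plaintext at connect time, then
# uniformly distributed bytes seen while the device is being monitored.
AT_CONNECT = b"status=ok;" * 20
WHILE_MONITORED = bytes(range(256))

if __name__ == "__main__":
    print(assess(AT_CONNECT, cve_count=10, employees=1000))       # first pass
    print(assess(WHILE_MONITORED, cve_count=10, employees=1000))  # rescoring
```
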