Systems and methods for attack simulation on a production network

US 10,212,186 B2
Filed: 02/24/2017
Issued: 02/19/2019
Est. Priority Date: 02/24/2016
Status: Active Grant

First Claim

Patent Images

1. A method for controlled execution of a malicious behavior between multiple different components in a production network to test at least a portion of a security system of the production network, the method comprising:

(a) identifying, by a server, a packet capture (PCAP) file to use for providing instructions for controlled execution of malicious behavior on a plurality of different components of a production network;

(b) identifying, by a server a first attack to execute against a first device of a plurality of different components and a first network path selected for the first attack and a second attack to execute against a second device of the plurality of different components and a second network path selected for the second attack and a third attack, and a third network path for the third attack, to execute against a network component of the plurality of different components intermediary to the first end point device and the second device;

(c) communicating, by the server based on at least the PCAP file, a first set of instructions to a first pair of attack and target nodes in the production network to initiate the malicious behavior of the PCAP file against the first device, a second set of instructions to a second pair of attack and target nodes in the production network to initiate the malicious behavior of the PCAP file against the second device and a third set of instructions to a third pair of attack and target nodes in the production network to initiate the malicious behavior of the PCAP file against the network component intermediary to the first device and the second device;

(d) aggregating, by the server, results of each of the first attack, the second attack and the third attack to provide an aggregated view of the malicious behavior between the first device and the second device via the network component.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure is directed towards systems and methods for improving security in a computer network. The system can include a planner and a plurality of controllers. The controllers can be deployed within each zone of the production network. Each controller can be configured to assume the role of an attacker or a target for malicious network traffic. Simulations of malicious behavior can be performed by the controllers within the production network, and can therefore account for the complexities of the production network, such as stateful connections through switches, routers, and other intermediary devices. In some implementations, the planner can analyze data received from the controllers to provide a holistic analysis of the overall security posture of the production network.

5 Citations

18 Claims

1. A method for controlled execution of a malicious behavior between multiple different components in a production network to test at least a portion of a security system of the production network, the method comprising:
- (a) identifying, by a server, a packet capture (PCAP) file to use for providing instructions for controlled execution of malicious behavior on a plurality of different components of a production network;
  
  (b) identifying, by a server a first attack to execute against a first device of a plurality of different components and a first network path selected for the first attack and a second attack to execute against a second device of the plurality of different components and a second network path selected for the second attack and a third attack, and a third network path for the third attack, to execute against a network component of the plurality of different components intermediary to the first end point device and the second device;
  
  (c) communicating, by the server based on at least the PCAP file, a first set of instructions to a first pair of attack and target nodes in the production network to initiate the malicious behavior of the PCAP file against the first device, a second set of instructions to a second pair of attack and target nodes in the production network to initiate the malicious behavior of the PCAP file against the second device and a third set of instructions to a third pair of attack and target nodes in the production network to initiate the malicious behavior of the PCAP file against the network component intermediary to the first device and the second device;
  
  (d) aggregating, by the server, results of each of the first attack, the second attack and the third attack to provide an aggregated view of the malicious behavior between the first device and the second device via the network component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein one of the first device or the second device is an end point device.
  - 3. The method of claim 1, wherein (a) further comprises determining, by the server, from processing of the PCAP file one of a type of application traffic or communication protocol represented by the PCAP file.
  - 4. The method of claim 1, wherein (a) further comprises extracting, by the server, from the PCAP file an application layer record of requests and responses exchanged between an attacker and a target captured in the PCAP file.
  - 5. The method of claim 1, wherein (a) further comprises identifying, by the server, the malicious behavior from the PCAP file.
  - 6. The method of claim 5, further comprising extracting, by the server, from the PCAP file content of a malware file for communicating the malicious behavior.
  - 7. The method of claim 1, wherein (c) further comprises communicating, by the server, to each of the first pair of attack and target nodes, second pair of attack and target nodes and third part of attack and target nodes instructions comprising metadata determined from the PCAP file.
  - 8. The method of claim 1, wherein (d) further comprises receiving, by the server, results of controlled execution of each of the first attack between the first attack node and first target node of the first attack-target node pair, the second attack between the second attack node and second target node of the second attack-target node pair, and the third attack between the third attack node and third target node of the third attack-target node pair.
  - 9. The method of claim 8, further comprising communicating, by the server, the aggregated results to an event management device to determine security events that occurred during the controlled execution of at least one of the first attack, the second attack, or the third attack.

10. A system for controlled execution of a malicious behavior between multiple different components in a production network to test at least a portion of a security system of the production network, the system comprising:
- a server comprising one or more processors, coupled to memory and configured to identify;
  
  a packet capture (PCAP) file to use for providing instructions for controlled execution of malicious behavior on a plurality of different components of a production network anda first attack to execute against a first device of a plurality of different components and a first network path selected for the first attack and a second attack to execute against a second device of the plurality of different components and a second network path selected for the second attack and a third attack, and a third network path for the third attack, to execute against a network component of the plurality of different components intermediary to the first end point device and the second device;
  
  wherein the server is configured, based on at least the PCAP file, to communicate a first set of instructions to a first pair of attack and target nodes in the production network to initiate the malicious behavior of the PCAP file against the first device, a second set of instructions to a second pair of attack and target nodes in the production network to initiate the malicious behavior of the PCAP file against the second device and a third set of instructions to a third pair of attack and target nodes in the production network to initiate the malicious behavior of the PCAP file against the network component intermediary to the first device and the second device; and
  
  wherein the server is configured to aggregate results of each of the first attack, the second attack and the third attack to provide an aggregated view of the malicious behavior between the first device and the second device via the network component.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein one of the first device or the second device is an end point device.
  - 12. The system of claim 10, wherein the server is further configured to determine from processing of the PCAP file one of a type of application traffic or communication protocol represented by the PCAP file.
  - 13. The system of claim 10, wherein the server is further configured to extract from the PCAP file an application layer record of requests and responses exchanged between an attacker and a target captured in the PCAP file.
  - 14. The system of claim 10, wherein the server is further configured to identify the malicious behavior from the PCAP file.
  - 15. The system of claim 14, wherein the server is further configured to extract from the PCAP file content of a malware file for communicating the malicious behavior.
  - 16. The system of claim 10, wherein the server is further configured to communicate each of the first pair of attack and target nodes, second pair of attack and target nodes and third part of attack and target nodes instructions comprising metadata determined from the PCAP file.
  - 17. The system of claim 10, wherein the server is further configured to receive results of controlled execution of each of the first attack between the first attack node and first target node of the first attack-target node pair, the second attack between the second attack node and second target node of the second attack-target node pair, and the third attack between the third attack node and third target node of the third attack-target node pair.
  - 18. The system of claim 17, wherein the server is further configured to communicate the aggregated results to an event management device to determine security events that occurred during the controlled execution of at least one of the first attack, the second attack or the third attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Verodin, Inc. (Alphabet Inc.)
Inventors
Key, Christopher B., Holzberger, Jr., Paul E.
Primary Examiner(s)
Rashid, Harunur

Application Number

US15/442,212
Publication Number

US 20170244745A1
Time in Patent Office

725 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Systems and methods for attack simulation on a production network

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

5 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for attack simulation on a production network

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

5 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others