Validation of security monitoring through automated attack testing

US 10,614,222 B2
Filed: 02/21/2017
Issued: 04/07/2020
Est. Priority Date: 02/21/2017
Status: Active Grant

First Claim

Patent Images

1. A computing device, comprising:

a processor; and

a memory device including instructions embodied thereon, wherein the instructions, which when executed by the processor, configure the processor to perform electronic operations that;

deploy command instructions and a payload for a bot process to a target computing device located within a target infrastructure, the command instructions having been selected based on at least one criterion, wherein the command instructions are configured to test a security feature in the target infrastructure with an automated attack action in the bot process, and wherein the bot process is configured to execute on the target computing device and is configured to start with use of the command instructions and the payload;

communicate with the target computing device to control the automated attack action within the target infrastructure, wherein the automated attack action is configured to perform within the bot process;

send a command to the target computing device, the command configured to initiate a second bot process on the target computing device, the second bot process configured to start using the payload that was deployed with the command instructions;

obtain results of the automated attack action performed within the bot process from the target computing device; and

validate the target infrastructure or identify a vulnerability within the target infrastructure based on the results of the automated attack action.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, devices, and methods of an automatic attack testing framework for the security testing of an operational service are disclosed. In an example, such systems, devices, and methods may include operations that: deploy command instructions and a payload for a bot process to a computing device located within a target infrastructure, with the command instructions being selected based on criteria to test a security feature in the target infrastructure with an automated attack action in the bot process, and with the bot process being executed on the computing device and being started with use of the command instructions and the payload; communicate with the computing device to control the automated attack action within the target infrastructure, such that the automated attack action is performed within the bot process; and obtain results of the automated attack action performed within the bot process from the computing device.

Citations

19 Claims

1. A computing device, comprising:
- a processor; and
  
  a memory device including instructions embodied thereon, wherein the instructions, which when executed by the processor, configure the processor to perform electronic operations that;
  
  deploy command instructions and a payload for a bot process to a target computing device located within a target infrastructure, the command instructions having been selected based on at least one criterion, wherein the command instructions are configured to test a security feature in the target infrastructure with an automated attack action in the bot process, and wherein the bot process is configured to execute on the target computing device and is configured to start with use of the command instructions and the payload;
  
  communicate with the target computing device to control the automated attack action within the target infrastructure, wherein the automated attack action is configured to perform within the bot process;
  
  send a command to the target computing device, the command configured to initiate a second bot process on the target computing device, the second bot process configured to start using the payload that was deployed with the command instructions;
  
  obtain results of the automated attack action performed within the bot process from the target computing device; and
  
  validate the target infrastructure or identify a vulnerability within the target infrastructure based on the results of the automated attack action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computing device of claim 1, wherein the instructions configure the processor to perform further electronic operations that:
    - deploy a communication configuration to the target computing device, wherein the communication configuration is used to communicate a network location to enable the target computing device to obtain the command instructions and the payload.
  - 3. The computing device of claim 2, wherein the communication configuration is provided in a script that is executable by the target computing device, wherein execution of the script causes the target computing device to retrieve the command instructions and the payload from the network location.
  - 4. The computing device of claim 1, wherein the command instructions deployed to the target computing device define a life span of the bot process, an identifier of the bot process, and information to securely communicate with the computing device, and wherein the automated attack action is designated for performance by the target computing device based on the identifier of the bot process.
  - 5. The computing device of claim 1, wherein the instructions configure the processor to perform further electronic operations that:
    - log the results of the automated attack action performed within the bot process from the target computing device.
  - 6. The computing device of claim 1, wherein the target computing device is a server of a plurality of servers in the target infrastructure, wherein respective command instructions and payloads are deployed to the plurality of servers, wherein respective bot processes are started among the plurality of servers, and wherein the respective bot processes are used to perform additional automated attack actions respectively.
  - 7. The computing device of claim 1, wherein the automated attack action is included in a set of automated attack actions of a scenario, and wherein the scenario is initiated by the computing device in a recurring, automated fashion.
  - 8. The computing device of claim 1, wherein the automated attack action is performed with a remote access toolkit selected from a library of toolkits.
  - 9. The computing device of claim 1, wherein an identifier of the hot process and an identifier of the second hot process are associated with a defined scenario, wherein the hot process and the second hot process are used to coordinate automated attack actions of the defined scenario.

10. A non-transitory device-readable storage medium, the device-readable storage medium including instructions that, when executed by a processor and memory of a computing device, causes the computing device to perform operations that:
- deploy command instructions and a payload for a bot process to a target computing device located within a target infrastructure, the command instructions having been selected based on at least one criterion, wherein the command instructions are configured to test a security feature in the target infrastructure with an automated attack action in the bot process, and wherein the bot process is configured to execute on the target computing device and is configured to start with use of the command instructions and the payload;
  
  communicate with the target computing device to control the automated attack action within the target infrastructure, wherein the automated attack action is configured to perform within the bot process;
  
  send a command to the target computing device, the command configured to initiate a second bot process on the target computing device, the second bot process configured to start using the payload that was deployed with the command instructions;
  
  obtain results of the automated attack action performed within the bot process from the target computing device; and
  
  validate the target infrastructure or identify a vulnerability within the target infrastructure based on the results of the automated attack action.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The device-readable storage medium of claim 10, wherein the command instructions deployed to the target computing device define a life span of the bot process, an identifier of the bot process, and information to securely communicate with the computing device, and wherein the automated attack action is designated for performance by the target computing device based on the identifier of the bot process.
  - 12. The device-readable storage medium of claim 10, wherein the automated attack action is included in a set of automated attack actions of a scenario, and wherein the scenario is initiated by the computing device in a recurring, automated fashion.
  - 13. The device-readable storage medium of claim 10, wherein the automated attack action is performed with a remote access toolkit selected from a library of toolkits.
  - 14. The device-readable storage medium of claim 10, wherein the instructions further cause the computing device to perform operations that:
    - wherein an identifier of the bot process and an identifier of the second bot process are associated with a defined scenario, wherein the bot process and the second bot process are used to coordinate automated attack actions of the defined scenario.

15. A method, comprising a plurality of electronic operations executed with a processor and memory of a computing device, the plurality of electronic operations including:
- deploying command instructions and a payload for a bot process to a target computing device located within a target infrastructure, the command instructions having been selected based on at least one criterion, wherein the command instructions are configured to test a security feature in the target infrastructure with an automated attack action in the bot process, and wherein the bot process is configured to execute on the target computing device and is configured to start with use of the command instructions and the payload;
  
  communicating with the target computing device to control the automated attack action within the target infrastructure, wherein the automated attack action is configured to perform within the bot process;
  
  sending a command to the target computing device, the command configured to initiate a second bot process on the target computing device, the second bot process configured to start using the payload that was deployed with the command instructions;
  
  obtaining results of the automated attack action performed within the bot process from the target computing device; and
  
  validating the target infrastructure or identify a vulnerability within the target infrastructure based on the results of the automated attack action.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, wherein the command instructions deployed to the target computing device define a life span of the bot process, an identifier of the bot process, and information to securely communicate with the computing device, and wherein the automated attack action is designated for performance by the target computing device based on the identifier of the bot process.
  - 17. The method of claim 15, wherein the automated attack action is included in a set of automated attack actions of a scenario, and wherein the scenario is initiated by the computing device in a recurring, automated fashion.
  - 18. The method of claim 15, wherein the automated attack action is performed with a remote access toolkit selected from a library of toolkits.
  - 19. The method of claim 15, the electronic operations further including:
    - wherein an identifier of the bot process and an identifier of the second bot process are associated with a defined scenario, wherein the bot process and the second bot process are used to coordinate automated attack actions of the defined scenario.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Godard, Benjamin J., Sadovsky, Art, Rhodes, Travis W., Marshall, David A., Lundeen, Richard A.
Primary Examiner(s)
Naghdali, Khalil

Application Number

US15/438,435
Publication Number

US 20180239902A1
Time in Patent Office

1,141 Days
Field of Search

726 25
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1433   Vulnerability analysis

Validation of security monitoring through automated attack testing

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Validation of security monitoring through automated attack testing

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links