System and method for risk detection and analysis in a computer network

US 20050193430A1
Filed: 04/28/2005
Published: 09/01/2005
Est. Priority Date: 10/01/2002
Status: Active Grant

First Claim

Patent Images

1-28. -28. (canceled)

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides systems and methods for risk detection and analysis in a computer network. Computerized, automated systems and methods can be provided. Raw vulnerability information and network information can be utilized in determining actual vulnerability information associated with network nodes. Methods are provided in which computer networks are modeled, and the models utilized in performing attack simulations and determining risks associated with vulnerabilities. Risks can be evaluated and prioritized, and fix information can be provided.

Citations

51 Claims

1-28. -28. (canceled)

29. A method for performing risk assessment in a computer network, the method comprising:
- generating a network topology model for the computer network that includes a set of network nodes, a set of services associated with the set of network nodes, and a set of actual vulnerabilities associated with the set of network nodes;
  
  using the network topology model to generate an attack graph comprising one or more graph nodes wherein each graph node represents a state of a single service in the computer network; and
  
  determining one or more potential attacks from one or more start points to one or more end points in the network topology model based on the attack graph.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 30. The method of claim 29 comprising associating one or more risks with the one or more potential attacks.
  - 31. The method of claim 30 wherein associating one or more risks comprises associating consequence data with end points.
  - 32. The method of claim 31 wherein associating consequence data comprises associating numerical consequence data.
  - 33. The method of claim 31 wherein associating one or more risks comprises deriving consequence data in accordance with potential damage caused by the one or more potential attacks reaching a given end point.
  - 34. The method of claim 30 comprising calculating probability data associated with the one or more potential attacks.
  - 35. The method of claim 34 wherein calculating probability data comprises using a difficulty level of executing a given potential attack.
  - 36. The method of claim 35 wherein calculating probability data comprises using the attack graph to determine a number of steps required for execution of a given potential attack.
  - 37. The method of claim 30 comprising associating risk using at least consequence data and probability data.
  - 38. The method of claim 29 comprising ranking one or more vulnerabilities.
  - 39. The method of claim 38 wherein ranking one or more vulnerabilities comprises ranking vulnerabilities according to an actual risk.
  - 40. The method of claim 29 wherein raking one or more vulnerabilities according to actual risk comprises using at least consequence data and probability data.
  - 41. The method of claim 29 comprising determining a given start point based on user input.
  - 42. The method of claim 29 comprising determining a given start point based on a set of access control lists and filtering rules associated with one or more network devices.
  - 43. The method of claim 42 wherein determining a given start point comprises analyzing the set of access control lists and filtering rules to determine potential inbound traffic that represents possible start points for potential attacks on the network.
  - 44. The method of claim 29 wherein generating an attack graph comprises using a moving front-line algorithm.
  - 45. The method of claim 44 wherein generating an attack graph using a moving front-line algorithm comprises:
    - selecting one or more first graph nodes;
      
      determining, for a second graph node, whether the constraints on the state of service associated with the second graph node are satisfied by the state of the one or more first graph nodes; and
      
      adding an edge connecting the one or more first graph nodes to the second graph node if the constraints on the state of service associated with the second graph node is satisfied by the state of the one or more first graph nodes.
  - 46. The method of claim 45, wherein selecting one or more first graph nodes comprises selecting one or more given start points.
  - 47. The method of claim 45, wherein the moving front-line algorithm comprises:
    - selecting one or more subsequent graph nodes;
      
      determining, for a given subsequent graph node, whether the constraints on the state of service associated with the given subsequent graph node is satisfied by the state of one or more prior graph nodes that have previously been reached; and
      
      adding an edge connecting one or more prior graph nodes to the subsequent graph node where the constraints on the state of service associated with the given subsequent graph node are satisfied by state of the one or more prior graph nodes.

48. A method of determining start points for performing risk assessment in a computer network, the method comprising:
- collecting a set of access control lists and filtering rules from one or more network devices in the computer network; and
  
  analyzing the set of access control lists and filtering rules to determine potential inbound traffic that represents possible start points for potential attacks on the network.

49. A method for generating an attack graph, the method comprising:
- determining one or more services in a computer network; and
  
  generating an attack graph through the use of a network topology model, the attack graph comprising one or more graph nodes wherein each graph node represents a state of a single service in the computer network.
- View Dependent Claims (50, 51)
- - 50. The method of claim 49 comprising determining one or more attacks from one or more start points to one or more end points based on the attack graph.
  - 51. The method of claim 50 comprising storing the results of a given attack simulation in a computer memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Skybox Security, Inc.
Original Assignee
Skybox Security, Inc.
Inventors
Cohen, Gideon, Meiseles, Moshe, Reshef, Eran

Granted Patent

US 8,099,760 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1433 Vulnerability analysis

System and method for risk detection and analysis in a computer network

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for risk detection and analysis in a computer network

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links