Security risk analysis systems and methods

US 20060265324A1
Filed: 05/18/2005
Published: 11/23/2006
Est. Priority Date: 05/18/2005
Status: Abandoned Application

First Claim

Patent Images

1. A risk analyzer configured to associate a vulnerability affecting an asset of a communication network with another asset of the communication network which has a relationship with the asset.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security risk analysis systems and methods are disclosed. Vulnerabilities affecting assets of a communication network are associated with other assets of the communication network according to relationships between assets. Security risk may thus be assessed on the basis of both vulnerabilities which directly affect assets and vulnerabilities which indirectly affect assets through their relationships with other assets. Risk exposure calculators which determine respective types of exposure of assets to vulnerabilities, illustratively direct and indirect exposures, are selectable so as to provide for customizable security risk analysis.

Citations

25 Claims

1. A risk analyzer configured to associate a vulnerability affecting an asset of a communication network with another asset of the communication network which has a relationship with the asset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The risk analyzer of claim 1, wherein the relationship comprises one or more of:
    - a cabled-to relationship, a runs-on relationship, and a depends-on relationship.
  - 3. The risk analyzer of claim 1, wherein the risk analyzer is further configured to associate the vulnerability with each other asset which has a relationship with the asset.
  - 4. The risk analyzer of claim 3, wherein the risk analyzer is further configured to associate with the asset vulnerabilities affecting each other asset.
  - 5. The risk analyzer of claim 4, wherein the risk analyzer is further configured to determine a security risk to the asset based on the vulnerabilities affecting the asset and the vulnerabilities affecting each other asset and associated with the asset.
  - 6. The risk analyzer of claim 5, wherein the risk analyzer comprises:
    - a direct exposure calculator configured to determine a direct exposure risk to the asset based on the vulnerabilities affecting the asset;
      
      an indirect exposure calculator configured to determine an indirect exposure risk to the asset based on vulnerabilities affecting each other asset and associated with the asset;
      
      a total exposure calculator configured to determine a total exposure risk to the asset as a function of the direct exposure risk and the indirect exposure risk; and
      
      a risk calculator configured to determine a security risk to the asset based on the total exposure risk.
  - 7. The risk analyzer of claim 6, wherein the risk calculator is further configured to determine a security risk to a feature of the communication network based on the security risk to the asset.
  - 8. A security risk analysis system comprising:
    - the risk analyzer of claim 1;
      
      and a data system operatively coupled to the risk analyzer and configured to provide access to asset information, relationship information, and vulnerability information.
  - 9. The risk analyzer of claim 1, wherein the risk analyzer is further configured to determine a traversal order of a plurality of assets in the communication network, and to determine vulnerabilities affecting each of the plurality of assets in a sequence according to the traversal order.

10. A security risk analysis method comprising:
- providing a vulnerability affecting an asset of a communication network; and
  
  associating the vulnerability with another asset of the communication network which has a relationship with the asset.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, wherein associating comprises associating the vulnerability with each other asset which has a relationship with the asset.
  - 12. The method of claim 11, further comprising:
    - associating with the asset vulnerabilities affecting each other asset.
  - 13. The method of claim 12, further comprising:
    - determining a security risk to the asset based on the vulnerabilities affecting the asset and the vulnerabilities affecting each other asset and associated with the asset.
  - 14. The method of claim 13, wherein determining a security risk comprises:
    - determining a direct exposure risk to the asset based on the vulnerabilities affecting the asset;
      
      determining an indirect exposure risk to the asset based on vulnerabilities affecting each other asset and associated with the asset;
      
      determining a total exposure risk to the asset as a function of the direct exposure risk and the indirect exposure risk; and
      
      determining a security risk to the asset based on the total exposure risk.
  - 15. The method of claim 14, further comprising:
    - determining a security risk to a feature of the communication network based on the security risk to the asset.

16. A security risk analysis system comprising:
- a plurality of risk exposure calculators configured to determine respective types of exposure of assets associated with a communication network to vulnerabilities in the communication network; and
  
  a risk calculator operatively coupled to the plurality of risk exposure calculators and configured to determine a security risk in the communication network based on an exposure determined by one or more selected calculators of the plurality of risk exposure calculators.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The system of claim 16, wherein the plurality of risk exposure calculators comprises one or more default risk exposure calculators for determining respective default exposures which are automatically selected for use by the risk calculator in determining the security risk.
  - 18. The system of claim 16, wherein the plurality of risk exposure calculators comprises one or more risk exposure calculators configured to determine their respective types of exposure only when selected for a current security risk analysis operation.
  - 19. The system of claim 16, wherein the plurality of risk exposure calculators comprises:
    - a direct exposure calculator configured to determine direct exposures of assets based on vulnerabilities affecting the assets; and
      
      an indirect exposure calculator configured to determine indirect exposures of assets based on vulnerabilities affecting the assets through other assets which have respective relationships with the assets.
  - 20. The system of claim 19, further comprising:
    - a total exposure calculator operatively coupled to the direct exposure calculator, to the indirect exposure calculator, and to the risk calculator, and configured to determine total exposures of assets as a function of the direct exposure, the indirect exposure, or both the direct and the indirect exposures, wherein the risk calculator is configured to determine the security risk based on the total exposures.
  - 21. The system of claim 16, further comprising:
    - a user interface configured to receive from a user risk analysis configuration information associated with the one or more selected risk exposure calculators to be used for a current security risk analysis operation.
  - 22. The system of claim 21, wherein the configuration information specifies, for a current security risk analysis operation, one or more of:
    - a risk exposure calculator and a type of exposure.

23. A security risk analysis method comprising:
- determining one or more types of exposure selected from a plurality of types of exposure of assets associated with a communication network to vulnerabilities in the communication network; and
  
  determining a security risk in the communication network based on the one or more types of exposure.

24. A machine-readable medium storing a data structure, the data structure comprising:
- a data field storing information identifying an asset of a communication network; and
  
  a data field storing an asset profile of the asset, the asset profile comprising relationship information, specifying respective relationships between the asset and one or more other assets of the communication network, in accordance with which a vulnerability affecting the asset is to be associated with the one or more other assets.

25. A machine-readable medium storing a data structure, the data structure comprising:
- a data field storing information identifying an asset of a communication network; and
  
  a data field storing security state information, the security state information comprising indirect exposure information relating to exposure of the asset, through respective relationships between the asset and one or more other assets of the communication network, to vulnerabilities affecting the one or more other assets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel SA (Nokia Corporation)
Original Assignee
Alcatel SA (Nokia Corporation)
Inventors
D'Souza, Scott David, Leclerc, Yvon, Cosquer, Francois J.N.

Application Number

US11/131,598
Publication Number

US 20060265324A1
Time in Patent Office

Days
Field of Search
US Class Current

705/38
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06Q 40/03   Credit; Loans; Processing t...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Security risk analysis systems and methods

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Security risk analysis systems and methods

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links