Interactive Analysis of Attack Graphs Using Relational Queries
Abstract
An attack graph analysis tool that includes a network configuration information input module, a domain knowledge input module, a network configuration information storage module, a domain knowledge storage module, and a result generation module. The network configuration information input module inputs network configuration information. The domain knowledge input module inputs domain knowledge for the network. The network configuration information storage module stores network configuration information in a network database table. The domain knowledge storage module stores the domain knowledge in an exploit database table. The result generation module generates a result using the network database table and exploit database table. The result may be generated in response to a query to a database management system that has access to the network database table and exploit database table. The network may be reconfigured to decrease the likelihood of future attacks using the attack information learned from the result.
23 Claims
1. A system for analyzing attack graphs, comprising modules residing on at least one tangible computer readable medium containing a set of computer readable instructions that are executable by one or more processors, the modules comprising:
a) a network configuration information input module configured to input network configuration information that describes the configuration of a network, at least part of the network configuration information describing at least part of the physical structure of the network, the network configuration information including at least one of the following:
i) host information;
ii) host configuration information;
iii) application information;
iv) network service information;
or v) operating system information;
or vi) a combination of the above;
b) a domain knowledge input module configured to input domain knowledge for the network, the domain knowledge including knowledge about at least one exploit;
c) a network configuration information storage module configured to store the network configuration information in at least one network database table;
d) a domain knowledge storage module configured to store the domain knowledge in at least one exploit database table, the domain knowledge including exploit information; and
e) a result generation module configured to generate a result using the network database table and exploit database table in response to a query to a database management system, the result including at least one of the following:
i) a metric;
ii) an attack path;
iii) part of an attack path;
iv) a collection of paths;
v) an exploit;
vi) a condition-exploit pair;
vii) an exploit-condition pair;
or viii) a table that describes an attack graph;
or ix) a combination of the above; and
wherein the network is reconfigured using attack information learned from the result.
2. A system for analyzing attack graphs, comprising:
a) a network configuration information input module configured to input network configuration information that describes the configuration of a network;
b) a domain knowledge input module configured to input domain knowledge for the network, the domain knowledge including knowledge about at least one exploit;
c) a network configuration information storage module configured to store the network configuration information in a network database table;
d) a domain knowledge storage module configured to store the domain knowledge in an exploit database table; and
e) a result generation module configured to generate a result describing at least part of a network attack using the network database table and exploit database table.
(Dependent claims 3 through 22 depend on claim 2 and are not reproduced on this page.)
23. A tangible computer readable medium containing a set of computer readable instructions that when executed by one or more processors, causes the one or more processors to perform a method for analyzing a network, the method comprising the steps of:
a) inputting network configuration information that describes the configuration of a network;
b) inputting domain knowledge for the network, the domain knowledge including knowledge about at least one exploit;
c) storing the network configuration information in a network database table;
d) storing the domain knowledge in an exploit database table; and
e) generating a result describing at least part of a network attack using the network database table and exploit database table.
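As an added example (not code from the patent or from any product implementing it), the steps of claim 23 and the architecture in the abstract can be exercised with a few Python functions over an in-memory SQLite database: constructed host-service, connectivity and exploit tables stand in for the network and exploit database tables, one query emits the condition-exploit-condition table that describes the attack graph, and a recursive query returns the shortest attack path to a target privilege together with its length as a metric. Every host, service and exploit name below is constructed sample data, and the attacker's starting condition (user@attacker) is an assumption.

```python
import sqlite3

# Constructed sample data (not from the patent): network configuration
# (hosts, services, connectivity) and domain knowledge (exploits).
HOST_SERVICES = [("web", "http"), ("web", "ssh"), ("db", "sql"), ("fileserver", "smb")]
CONNECTIVITY = [("attacker", "web"), ("web", "db"), ("web", "fileserver"), ("db", "fileserver")]
EXPLOITS = [("http_rce", "http", "user"), ("sql_weak_auth", "sql", "user"), ("smb_overflow", "smb", "root")]

def build_db():
    """Store network configuration and domain knowledge in database tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE host_service(host TEXT, service TEXT);
        CREATE TABLE connectivity(src TEXT, dst TEXT);
        CREATE TABLE exploit(name TEXT, service TEXT, post_priv TEXT);""")
    db.executemany("INSERT INTO host_service VALUES (?, ?)", HOST_SERVICES)
    db.executemany("INSERT INTO connectivity VALUES (?, ?)", CONNECTIVITY)
    db.executemany("INSERT INTO exploit VALUES (?, ?, ?)", EXPLOITS)
    return db

def attack_graph_edges(db):
    """Condition-exploit-condition rows: the table that describes the attack graph."""
    return db.execute("""
        SELECT hs.host, hs.service, e.name, e.post_priv
        FROM host_service hs JOIN exploit e ON e.service = hs.service
        ORDER BY hs.host, e.name""").fetchall()

def shortest_attack_path(db, target_host, target_priv, max_depth=5):
    """Shortest exploit chain from the assumed foothold user@attacker to
    target_priv on target_host as (path, depth); None if unreachable."""
    return db.execute("""
        WITH RECURSIVE reach(host, priv, path, depth) AS (
            SELECT 'attacker', 'user', 'user@attacker', 0
            UNION
            SELECT c.dst, e.post_priv,
                   r.path || ' -> ' || e.name || '@' || c.dst
                          || ' -> ' || e.post_priv || '@' || c.dst,
                   r.depth + 1
            FROM reach r
            JOIN connectivity c ON c.src = r.host        -- attacker can reach dst
            JOIN host_service hs ON hs.host = c.dst      -- dst runs a service
            JOIN exploit e ON e.service = hs.service     -- an exploit applies to it
            WHERE r.depth < ? AND instr(r.path, e.name || '@' || c.dst) = 0  -- no cycles
        )
        SELECT path, depth FROM reach WHERE host = ? AND priv = ?
        ORDER BY depth LIMIT 1""", (max_depth, target_host, target_priv)).fetchone()
```

The returned path names the exploit-condition hops a defender would break first, for example by restricting the connectivity or patching the service on the hop nearest the foothold, and the depth is the metric that tells how many exploits the attacker needs.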