IDS Sensor Placement Using Attack Graphs
First Claim
1. A computer readable storage medium that contains instructions that when executed by at least one processor, causes the at least one processor to perform a method for identifying locations to deploy at least one IDS sensor within a network infrastructure, the method comprising:
a) aggregating an attack graph into at least two protection domains, the attack graph describing at least one exploit in at least a part of the network infrastructure;
b) identifying at least one edge, each of said “at least one edge” having at least one of the at least one exploit between two of the at least two protection domains;
c) defining at least two sets, each set containing at least one of the at least one edge, all of the at least one of the at least one edge serviced by a common network traffic device;
d) selecting at least one of the at least two sets that collectively contain all of the at least one edge;
e) identifying the common network traffic device that services the selected sets as the locations to deploy the at least one IDS sensor within the network infrastructure.
Abstract
Embodiments of the present invention identify locations to deploy IDS sensor(s) within a network infrastructure and prioritize IDS alerts using attack graph analysis. An attack graph that describes exploitable vulnerability(ies) within a network infrastructure is aggregated into protection domains. Edge(s) that have exploit(s) between two protection domains are identified. Sets that contain edge(s) serviced by a common network traffic device are defined. Set(s) that collectively contain all of the edge(s) are selected. The common network traffic device(s) that service the selected sets are identified as the location(s) to deploy IDS sensor(s) within the network infrastructure.
20 Claims
1. (Independent claim 1 is set out above under First Claim.) Claims 2 through 10 depend from claim 1.
11. An IDS location deployment identification module comprising:
a) an attack graph aggregation module configured to aggregate an attack graph into at least two protection domains, the attack graph describing at least one exploit in at least a part of a network infrastructure;
b) an edge identification module configured to identify at least one edge, each of the at least one edge having at least one of the at least one exploit between two of the at least two protection domains;
c) a set definition module configured to define at least two sets, each set containing at least one of the at least one edge, all of the at least one of the at least one edge serviced by a common network traffic device;
d) a set selection module configured to select at least one of the at least two sets that collectively contain all of the at least one edge; and
e) an IDS sensor location module configured to identify the common network traffic device that services the selected sets as the locations to deploy the at least one IDS sensor within the network infrastructure.
Claims 12 through 20 depend from claim 11.
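The five steps of claims 1 and 11 (aggregate hosts into protection domains, keep the exploit edges that cross domains, group those edges by the network device that services them, pick sets that cover every edge, and read the sensor locations off the chosen devices) as an added Python example; this is not the patent's own code. The topology, host names, domain names and device names are constructed, and because the claims do not fix how the covering sets are selected, the greedy set-cover heuristic used here is an assumption.

```python
from collections import defaultdict

# Constructed sample topology (hypothetical names, not from the patent):
# host -> protection domain, and for each pair of domains the network
# devices (firewalls/switches) that carry traffic between them.
DOMAIN_OF = {"web1": "dmz", "web2": "dmz", "app1": "app", "db1": "db", "pc1": "lan"}
PATH_DEVICES = {
    frozenset({"dmz", "app"}): ["fw1", "sw-core"],
    frozenset({"app", "db"}): ["sw-core"],
    frozenset({"lan", "app"}): ["fw2", "sw-core"],
    frozenset({"lan", "db"}): ["fw2", "sw-core"],
    frozenset({"dmz", "lan"}): ["fw1", "fw2"],
}
# Constructed attack-graph exploit edges as (attacker host, victim host).
EXPLOITS = [("web1", "app1"), ("web2", "app1"), ("app1", "db1"),
            ("pc1", "app1"), ("web1", "web2"), ("pc1", "db1"), ("web1", "pc1")]


def inter_domain_edges(exploits, domain_of):
    """Steps a/b: aggregate hosts into domains and keep only the exploit
    edges that cross a domain boundary (intra-domain exploits are dropped)."""
    return [(s, d) for s, d in exploits if domain_of[s] != domain_of[d]]


def edge_sets_by_device(edges, domain_of, path_devices):
    """Step c: one set per network device, holding the edges it services."""
    sets = defaultdict(set)
    for s, d in edges:
        devices = path_devices.get(frozenset({domain_of[s], domain_of[d]}), [])
        if not devices:  # an edge no device sees can never be covered
            raise ValueError(f"no device services edge {(s, d)}")
        for dev in devices:
            sets[dev].add((s, d))
    return dict(sets)


def select_sets(sets, edges):
    """Step d: greedy set cover (assumption): repeatedly take the device
    covering the most still-uncovered edges, breaking ties by name."""
    uncovered, chosen = set(edges), []
    while uncovered:
        dev = min(sets, key=lambda d: (-len(sets[d] & uncovered), d))
        chosen.append(dev)
        uncovered -= sets[dev]
    return chosen


def place_sensors(exploits=EXPLOITS, domain_of=DOMAIN_OF, path_devices=PATH_DEVICES):
    """Step e: the devices behind the selected sets are the sensor locations."""
    edges = inter_domain_edges(exploits, domain_of)
    sets = edge_sets_by_device(edges, domain_of, path_devices)
    return {dev: sorted(sets[dev]) for dev in select_sets(sets, edges)}
```

On the sample topology a single sensor at sw-core covers five of the six cross-domain edges, and fw1 is added only for the dmz-to-lan exploit that bypasses the core.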