System, Method and Computer Readable Medium for Evaluating a Security Characteristic

US 20130031635A1
Filed: 08/06/2012
Published: 01/31/2013
Est. Priority Date: 10/01/2002
Status: Active Grant

First Claim

Patent Images

1. A method for evaluating a security characteristic of a network, the method comprising:

(a) generating a network model representative of a topology of the network and of vulnerabilities of network nodes;

(b) generating an attack dictionary representative of attack actions on at least one network node of the network model;

(c) determining access and Intrusion Detection and Prevention (IDP) information representative of communication paths through the network model and of IDP rules applied through the communication paths;

(d) evaluating at least one first result of at least one attack on at least one network node, based on the network model; and

(g) evaluating a security characteristic in response to the at least one first result.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and computer program product for evaluating an IDP entity, the method includes evaluating an effect of at least one IDP rule applied by the IDP entity on legitimate traffic, based upon a network model; evaluating an effect of at least one IDP rule applied by the IDP entity based upon a network model and an attack model; determining an effectiveness of the IDP entity in response to the evaluated effects.

Citations

22 Claims

1. A method for evaluating a security characteristic of a network, the method comprising:
- (a) generating a network model representative of a topology of the network and of vulnerabilities of network nodes;
  
  (b) generating an attack dictionary representative of attack actions on at least one network node of the network model;
  
  (c) determining access and Intrusion Detection and Prevention (IDP) information representative of communication paths through the network model and of IDP rules applied through the communication paths;
  
  (d) evaluating at least one first result of at least one attack on at least one network node, based on the network model; and
  
  (g) evaluating a security characteristic in response to the at least one first result.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1 wherein the security characteristic of the network relates to a security level of the network.
  - 3. The method according to claim 1 further comprising:
    - (e) altering at least one IDP parameter and repeating steps (a)-(c);
      
      (f) evaluating at least one second result of at least one attack on at least one network node; and
      
      wherein the evaluating of the security characteristic is further responsive to the at least one second result.
  - 4. The method according to claim 2 wherein the IDP parameter is a location of the at least one IDP entity.
  - 5. The method according to claim 1 wherein the IDP parameter is a IDP rule applied by at least one IDP entity.
  - 6. The method according to claim 1 wherein the security characteristic relates to at least one out of (1) a risk that attacks are expected to cause to network nodes or to business assets, the risk is responsive to a potential damage that are expected to be caused by the attacks and likelihood of the attacks, (2) a number and a severity of exploitable vulnerabilities of the network, and (3) a number and a severity of violations of a security policy defined for the network.
  - 7. The method according to claim 1 wherein the evaluating comprises determining a possibility to perform attack actions between nodes in the network.

8. A method for evaluating a security effectiveness of an Intrusion Detection and Prevention (IDP) entity of a network, the method comprises:
- generating a network model representative of a topology of the network and of vulnerabilities of network nodes;
  
  generating an attack dictionary representative of attack actions on at least one network node of the network model;
  
  evaluating at least one first result of at least one attack on at least one network node, based on the network model;
  
  evaluating an effect of at least one IDP rule applied by the IDP entity based upon the network model and an attack model; and
  
  determining an effectiveness of the IDP entity in response to the evaluated effects.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method according to claim 8, comprising finding a coverage rate of security problems of the IDP entity.
  - 10. The method according to claim 8, comprising identifying security problems that are associated with the IDP entity which are not addressed by the IDP entity.
  - 11. The method according to claim 8, comprising:
    - evaluating effects of at least one IDP rule applied by multiple IDP entities of the network based upon the network model and an attack model; and
      
      determining an effectiveness of the IDP entities in response to the evaluated effects.
  - 12. The method according to claim 8, comprising identifying a change in a configuration of at least one IDP entity of the multiple IDP entities that will prevent an attacking action.
  - 13. The method according to claim 8, comprising evaluating whether IDP entities in the network can protect against an attack in which a specified vulnerability is involved, and identifying rules that can be added to the configuration of IDP entities to protect against a potential attack in which a specified vulnerability is involved.
  - 14. The method according to claim 8 further comprising determining access and IDP information representative of possible communication paths through the network and of IDP rules applied during the possible communication paths.
  - 15. The method according to claim 8 further comprising altering at least one IDP parameter and repeating the steps of evaluating and the step of determining.

16. A method comprising:
- performing access and Intrusion Detection and Prevention (IDP) analysis, based on a network model representative of a topology of a network and of vulnerabilities of network nodes, such as to identify remote services that can be accessed from at least one source of the network model;
  
  wherein the performing comprises generating access information that represents sets of packets that can reach a network node from source nodes independently of a particular communication pattern or attacking action;
  
  remote services, related attacking actions that belong to a selected group of attack actions; and
  
  identifying the IDP rules which are supposed to be applied to packets that are represented by the access information and can reach the identified remote services.
- View Dependent Claims (17)
- - 17. The method according to claim 16 wherein the performing comprises receiving as a network model, possible sources and possible targets;
    - and scanning the network model, starting from possible source nodes to determine which packets can reach the network nodes, in response to access rules and in response to IDP rules.

18. A method for checking an access between a source node and a set of target nodes of a network, the method comprising:
- receiving a network model of the network;
  
  finding at least one accessible target node of the set of target nodes that is accessible from the source node independently of a particular communication pattern or a particular attacking action; and
  
  finding IDP rules that are expected to be applied to communications from the source node to the at least one accessible target node.
- View Dependent Claims (19, 20)
- - 19. The method according to claim 18, comprising determining a possibility of attacking actions to the any of the set of target nodes in response to the IDP rules that are expected to be applied to the communications and in response to vulnerabilities of the network.
  - 20. The method according to claim 18, comprising receiving as a network model, possible sources and possible targets;
    - and scanning the network model, starting from possible source nodes to determine which packets can reach the network nodes, in response to access rules and in response to IDP rules.

21. A computer program product comprising a non-transitory computer usable medium including a computer readable program, wherein the computer readable program when executed on a computer causes the computer togenerate a network model representative of a topology of the network and of vulnerabilities of network nodes;
- generate an attack dictionary representative of attack actions on at least one network node of the network model;
  
  determine access and Intrusion Detection and Prevention (IDP) information representative of communication paths through the network model and of IDP rules applied through the communication paths;
  
  evaluate at least one first result of at least one attack on at least one network node, based on the network model; and
  
  evaluate a security characteristic in response to the at least one first result.

22. A system for evaluating a security characteristic, the system comprises:
- at least one data base adapted to store a network model representative of a topology of a network and of vulnerabilities of network nodes, an attack dictionary representative of attack actions on at least one node of the network model; and
  
  a server computer that comprises a server software that comprises at least one module adapted to;
  
  determine access and Intrusion Detection and Prevention (IDP) information representative of communication paths through the network model and of IDP rules applied through the communication paths;
  
  evaluate at least one first result of at least one attack on at least one network node, based on the network model; and
  
  evaluate a security characteristic in response to the at least one first result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Skybox Security, Inc.
Original Assignee
Skybox Security, Inc.
Inventors
Lotem, Amnon, Cohen, Gideon, Horn, Ilan, Meiseles, Moshe

Granted Patent

US 8,997,236 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1433 Vulnerability analysis

System, Method and Computer Readable Medium for Evaluating a Security Characteristic

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System, Method and Computer Readable Medium for Evaluating a Security Characteristic

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links