SYSTEM, METHOD AND COMPUTER READABLE MEDIUM FOR EVALUATING POTENTIAL ATTACKS OF WORMS

US 20130219503A1
Filed: 01/20/2013
Published: 08/22/2013
Est. Priority Date: 10/01/2002
Status: Active Grant

First Claim

Patent Images

1. (canceled)

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for evaluating potential attacks of worms, the method includes: associating, in response to information representative of a network and of worm entities, between worm entities and potential worm sources to provide associated worm sources; determining potential worm attacks that start from the associated worm sources; and evaluating at least one potential worm attack security metric associated with the potential worm attacks.

89 Citations

View as Search Results

49 Claims

1. (canceled)

2. (canceled)

3. (canceled)

4. (canceled)

5. (canceled)

6. (canceled)

7. (canceled)

8. (canceled)

9. (canceled)

10. (canceled)

11. (canceled)

12. (canceled)

13. (canceled)

14. (canceled)

15. (canceled)

16. (canceled)

17. (canceled)

18. (canceled)

19. (canceled)

20. (canceled)

21. (canceled)

22. (canceled)

23. (canceled)

24. (canceled)

25. (canceled)

26. (canceled)

27. (canceled)

28. (canceled)

29. (canceled)

30. A computer program product comprising a non-transitory computer usable medium including a computer readable program, wherein the computer readable program when executed on a computer causes the computer to:
- generate information representative of worm entities;
  
  associate, in response to information representative of a network and of the worm entities, between worm entities and potential worm sources to provide associated worm sources;
  
  wherein the association is triggered when a new worm profile is received, when a new worm profile is generated, and when a likelihood of occurrences of a potential worm exceeds a certain threshold;
  
  determine potential worm attacks that start from the associated worm sources, by applying a worm attack simulation to a model of the network that represents at least nodes, vulnerabilities and topology of the network, wherein the non-transitory computer usable medium is used for holding the model of the network and uses software entities for representing network components; and
  
  evaluate at least one potential worm attack security metric associated with the potential worm attacks.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 31. The computer program product according to claim 30, wherein the evaluating of security metric relates to the number of hosts which can be infected.
  - 32. The computer program product according to claim 30, wherein the computer readable program when executed on a computer causes the computer to compute the risk imposed by the worm entities to business assets.
  - 33. The computer program product according to claim 32, wherein a computing of the risk imposed to business assets involves multiplication of a potential of damage to occur due to the risk and an estimated likelihood of an occurrence of the damage.
  - 34. The computer program product according to claim 33, wherein the computer readable program when executed on a computer causes the computer to estimate the likelihood in response to (i) a likelihood of an existence of a worm entity, (ii) a likelihood of a worm source to be infected by a worm entity, (iii) a likelihood of each of the intermediate nodes to be attacked by the worm source and be infected by the worm entity, (iv) a likelihood of the target node to be attacked by at least one of the intermediate nodes and be infected by the worm entity.
  - 35. The computer program product according to claim 30, wherein the computer readable program when executed on a computer causes the computer to identify security weaknesses in response to the at least one potential worm attack security metric.
  - 36. The computer program product according to claim 30, wherein the computer readable program when executed on a computer causes the computer to prioritize the identified security weaknesses.
  - 37. The computer program product according to claim 30, wherein a determining of potential worm attacks comprises evaluating a propagation of worm entities through network nodes while using vulnerabilities of these network nodes and evaluating possible infection of target nodes coupled to network nodes through which the worm propagates.
  - 38. The computer program product according to claim 30, wherein the computer readable program when executed on a computer causes the computer to select and evaluate security improvement actions where the security improvement actions can relate to mitigating vulnerabilities, adding access filtering rules of network devices, or changing the configurations of prevention systems
  - 39. The computer program product according to claim 30, wherein the computer readable program when executed on a computer causes the computer to select security improvement actions using a rank associated with weaknesses to be prevented by the security improvement actions.

40. A method, comprising generating information representative of worm entities;
- associating, in response to information representative of a network and of the worm entities, between worm entities and potential worm sources to provide associated worm sources;
  
  wherein the associating is triggered when a new worm profile is received, when a new worm profile is generated, and when a likelihood of occurrences of a potential worm exceeds a certain threshold;
  
  determining potential worm attacks that start from the associated worm sources, by applying a worm attack simulation to a model of the network that represents at least nodes, vulnerabilities and topology of the network, wherein the non-transitory computer usable medium is used for holding the model of the network and uses software entities for representing network components; and
  
  evaluating at least one potential worm attack security metric associated with the potential worm attacks.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48)
- - 41. The method according to claim 40, wherein the evaluating of security metric relates to the number of hosts which can be infected.
  - 42. The method according to claim 40, comprising computing the risk imposed by the worm entities to business assets.
  - 43. The method according to claim 42, wherein the computing of the risk imposed to business assets involves multiplication of a potential of damage to occur due to the risk and an estimated likelihood of an occurrence of the damage.
  - 44. The method according to claim 43, comprising estimating the likelihood in response to (i) a likelihood of an existence of a worm entity, (ii) a likelihood of a worm source to be infected by a worm entity, (iii) a likelihood of each of the intermediate nodes to be attacked by the worm source and be infected by the worm entity, (iv) a likelihood of the target node to be attacked by at least one of the intermediate nodes and be infected by the worm entity.
  - 45. The method according to claim 40, comprising identifying security weaknesses in response to the at least one potential worm attack security metric.
  - 46. The method according to claim 40, comprising prioritizing the identified security weaknesses.
  - 47. The method according to claim 40, wherein a determining of potential worm attacks comprises evaluating a propagation of worm entities through network nodes while using vulnerabilities of these network nodes and evaluating possible infection of target nodes coupled to network nodes through which the worm propagates.
  - 48. The method according to claim 40, comprising selecting and evaluating security improvement actions where the security improvement actions can relate to mitigating vulnerabilities, adding access filtering rules of network devices, or changing the configurations of prevention systems.

49. A system for evaluating potential attacks of worms, the system includes:
- a memory unit adapted to store information representative of a network and of worm entities; and
  
  a processor adapted to;
  
  associate, in response to the information representative of a network and of worm entities, between worm entities and potential worm sources to provide associated worm sources;
  
  wherein the association is triggered when a new worm profile is received, when a new worm profile is generated, and when a likelihood of occurrences of a potential worm exceeds a certain threshold;
  
  determine potential worm attacks that start from the associated worm entities by applying a worm attack simulation to a model of the network that represents at least nodes, vulnerabilities and topology of the network, wherein computerized media that is used for holding the model of the network use software entities for representing network components; and
  
  evaluate at least one potential worm attack security metric associated with the potential worm attacks

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Skybox Security, Inc.
Original Assignee
Skybox Security, Inc.
Inventors
Cohen, Gideon, Meiseles, Moshe, Amnon, Lotem, Horn, Ilan

Granted Patent

US 8,904,542 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

SYSTEM, METHOD AND COMPUTER READABLE MEDIUM FOR EVALUATING POTENTIAL ATTACKS OF WORMS

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

89 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM, METHOD AND COMPUTER READABLE MEDIUM FOR EVALUATING POTENTIAL ATTACKS OF WORMS

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links