System and method for assessing the security posture of a network using goal oriented fuzzy logic decision rules

US 6,883,101 B1
Filed: 02/08/2000
Issued: 04/19/2005
Est. Priority Date: 02/08/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for assessing the security posture of a network comprising the steps of:

creating a system object model database representing a network, wherein the system object model database supports the information data requirements of separate, non-integrated network vulnerability analysis programs;

exporting only the required data from the system object model database representing the network to each respective network vulnerability analysis program;

analyzing the network with each network vulnerability analysis program to produce data results from each program;

storing the data results from respective network vulnerability analysis programs and the common system model database within a data fact base; and

applying goal oriented fuzzy logic decision rules to the data fact base to determine the security posture of the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and data processing system assesses the security vulnerability of a network. A system object model database is created and supports the information data requirements of disparate network vulnerability analysis programs. Only the required data from the system object model database representing the network is imported to the programs, which then analyze the network to produce data results from each program. These data results are stored in a common system model database and within the data fact base. Goal oriented fuzzy logic decision rules are applied to determine the vulnerability posture of the network.

94 Citations

View as Search Results

27 Claims

1. A method for assessing the security posture of a network comprising the steps of:
- creating a system object model database representing a network, wherein the system object model database supports the information data requirements of separate, non-integrated network vulnerability analysis programs;
  
  exporting only the required data from the system object model database representing the network to each respective network vulnerability analysis program;
  
  analyzing the network with each network vulnerability analysis program to produce data results from each program;
  
  storing the data results from respective network vulnerability analysis programs and the common system model database within a data fact base; and
  
  applying goal oriented fuzzy logic decision rules to the data fact base to determine the security posture of the network.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method according to claim 1, and further comprising the step of exporting only the required data from the system object model database via filters associated with respective network vulnerability programs.
  - 3. A method according to claim 1, and further comprising the step of exporting the system object model database to the network vulnerability analysis programs via an integrated application programming interface.
  - 4. A method according to claim 1, and further comprising the step of modeling the network as a map on a graphical user interface.
  - 5. A method according to claim 1, and further comprising the step of establishing a class hierarchy to define components of the network vulnerability analysis programs that share common data and programming traits.
  - 6. A method according to claim 1, and further comprising the step of running the network vulnerability analysis programs to obtain data results pertaining to network system details, network topologies, node level vulnerabilities and network level vulnerabilities.

7. A method for assessing the security posture of a network comprising the steps of:
- creating a system object model database representing a network, wherein the system object model database supports the information data requirements of separate, non-integrated network vulnerability analysis programs; and
  
  exporting only the required data from the system object model database to respective network vulnerability analysis programs to produce data results from each program;
  
  storing the data results from respective network vulnerability analysis programs and the common system model database within a data fact base; and
  
  applying goal oriented fuzzy logic decision rules to the data fact base by the use of a plurality of fuzzy expert rules to merge results from the network vulnerability analysis programs so as to determine the security posture of the network.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. A method according to claim 7, and further comprising the step of applying the fuzzy logic decision rules based on evidential reasoning.
  - 9. A method according to claim 7, and further comprising the step of exporting only the required data via filters associated with respective network vulnerability programs.
  - 10. A method according to claim 7, and further comprising the step of exporting the system object model database to the network vulnerability analysis programs via an integrated application programming interface.
  - 11. A method according to claim 7, and further comprising the step of modeling the network as a map on a graphical user interface.
  - 12. A method according to claim 7, and further comprising the step of establishing a class hierarchy to define components of the disparate network vulnerability analysis programs that share common data and programming traits.
  - 13. A method according to claim 7, and further comprising the step of running the network vulnerability analysis programs to obtain data results pertaining to network system details, network topologies, node level vulnerabilities and network level vulnerabilities.

14. A computer program that resides on a medium that can be read by a program, wherein the computer program comprises instructions to cause a computer to create a system object model database representing a network, wherein the system object model database supports the information data requirements of separate, non-integrated network vulnerability analysis programs;
- export only the required data from the system object model database representing the network to each respective network vulnerability analysis program;
  
  analyze the network with each network vulnerability analysis program to produce data results from each program;
  
  store the results from respective network vulnerability analysis programs and the common system model database within a data fact base; and
  
  apply goal oriented fuzzy logic decision rules to the data fact base to determine the security posture of the network.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. A computer program according to claim 14, and further comprising instructions for applying the fuzzy logic decision rules by the use of a plurality of fuzzy expert rules to merge results from the network vulnerability analysis programs.
  - 16. A computer program according to claim 14, and further comprising instructions for applying the fuzzy logic decision rules based on evidential reasoning.
  - 17. A computer program according to claim 14, and further comprising instructions for exporting only the required data via filters associated with respective network vulnerability programs.
  - 18. A computer program according to claim 14, and further comprising instructions for importing the system object model database to the network vulnerability analysis programs via an integrated application programming interface.
  - 19. A computer program according to claim 14, and further comprising instructions for modeling the network as a map on a graphical user interface.
  - 20. A computer program according to claim 14, and further comprising instructions for establishing a class hierarchy to define components of the network vulnerability analysis programs that share common data and programming traits.
  - 21. A computer program according to claim 14, and further comprising instructions for running the network vulnerability analysis programs to obtain data results pertaining to network system details, network topologies, node level vulnerabilities and network level vulnerabilities.

22. A data processing system for assessing the security posture of a network comprising:
- a plurality of separate, non-integrated network vulnerability analysis programs used for analyzing a network;
  
  a system object model database that represents the network to be analyzed, wherein the system object model database supports the information data requirements of the network vulnerability analysis programs;
  
  an applications programming interface for importing the system object model database of the network to the network vulnerability analysis programs;
  
  a filter associated with the applications programming interface and each respective network vulnerability analysis program for filtering data from the system object model database and importing only the required data;
  
  a data fact base for storing the results obtained from respective network vulnerability analysis programs after analyzing the network and the common system model database; and
  
  a fuzzy logic processor for applying goal oriented fuzzy logic decision rules to the fact database by the use of a plurality of fuzzy expert rules for merging results from the network vulnerability analysis programs and determining the security posture of the network.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. A data processing system according to claim 22, wherein the fuzzy logic decision rules are based on evidential reasoning.
  - 24. A data processing system according to claim 22, wherein the applications programming interface for exporting the system object model database comprises a graphical user interface.
  - 25. A data processing system according to claim 22, and further comprising a graphical user interface that models the network as a map.
  - 26. A data processing system according to claim 22, and further comprising a graphical user interface for displaying the security posture of the network.
  - 27. A data processing system according to claim 22, wherein the database further comprises an object oriented class hierarchy to define components of the network vulnerability analysis programs that share common data and programming traits.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Harris Corporation (L3Harris Technologies, Inc.)
Original Assignee
Harris Corporation (L3Harris Technologies, Inc.)
Inventors
Fox, Kevin L., Henning, Ronda R., Farrell, John T., Miller, Clifford C.
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
Ho, Thomas

Application Number

US09/500,269
Time in Patent Office

1,897 Days
Field of Search

706/45, 706/8, 706/52, 706/47, 706/1, 706/3, 706/4, 707/103, 707/103.Y, 707/103.Z, 709/224, 713/201
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

Y10S 707/99944   Object-oriented database st...

Y10S 707/99945   Object-oriented database st...

System and method for assessing the security posture of a network using goal oriented fuzzy logic decision rules

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

94 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for assessing the security posture of a network using goal oriented fuzzy logic decision rules

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

94 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links