Method and tool for network vulnerability analysis
First Claim
1. A computer-implemented method for systematically identifying and characterizing vulnerabilities in a computer system comprising the steps of:
- describing a set of potential attacks on the computer system through which a change in status of the computer system could be effected, wherein the change comprises a transition from a start condition to an end condition which is different from the start condition;
defining a set of paths comprising at least one path for each potential attack described, wherein each path comprises at least one event necessary for transition from the start condition to the end condition, which transition can include passage through intermediate conditions in transit from the start condition to the end condition;
for each path in said set of paths, assigning a length value, L, corresponding to a metric reflecting at least one security significant condition bearing on likelihood of success of an attacker attempting to effect said transition from the start condition, through intermediate conditions, if any, to the end condition, so that the value of L correlates inversely with said likelihood of success;
identifying within said set of paths at least one shortest path defined as that having the smallest length value of paths in the set of paths;
identifying, from within the set of paths, specific paths (denoted “
epsilon optimal paths”
) having a length, L≦
(1+ε
) times the length of the shortest path, where ε
is a non-negative number that accounts for uncertainty in individual edge metrics and uncertainty in the actual path the attacker will choose; and
designating “
epsilon optimal paths”
as high risk attack paths.
3 Assignments
0 Petitions
Accused Products
Abstract
A computer system analysis tool and method that will allow for qualitative and quantitative assessment of security attributes and vulnerabilities in systems including computer networks. The invention is based on generation of attack graphs wherein each node represents a possible attack state and each edge represents a change in state caused by a single action taken by an attacker or unwitting assistant. Edges are weighted using metrics such as attacker effort, likelihood of attack success, or time to succeed. Generation of an attack graph is accomplished by matching information about attack requirements (specified in “attack templates”) to information about computer system configuration (contained in a configuration file that can be updated to reflect system changes occurring during the course of an attack) and assumed attacker capabilities (reflected in “attacker profiles”). High risk attack paths, which correspond to those considered suited to application of attack countermeasures given limited resources for applying countermeasures, are identified by finding “epsilon optimal paths.”
258 Citations
24 Claims
-
1. A computer-implemented method for systematically identifying and characterizing vulnerabilities in a computer system comprising the steps of:
-
describing a set of potential attacks on the computer system through which a change in status of the computer system could be effected, wherein the change comprises a transition from a start condition to an end condition which is different from the start condition; defining a set of paths comprising at least one path for each potential attack described, wherein each path comprises at least one event necessary for transition from the start condition to the end condition, which transition can include passage through intermediate conditions in transit from the start condition to the end condition; for each path in said set of paths, assigning a length value, L, corresponding to a metric reflecting at least one security significant condition bearing on likelihood of success of an attacker attempting to effect said transition from the start condition, through intermediate conditions, if any, to the end condition, so that the value of L correlates inversely with said likelihood of success; identifying within said set of paths at least one shortest path defined as that having the smallest length value of paths in the set of paths; identifying, from within the set of paths, specific paths (denoted “
epsilon optimal paths”
) having a length, L≦
(1+ε
) times the length of the shortest path, where ε
is a non-negative number that accounts for uncertainty in individual edge metrics and uncertainty in the actual path the attacker will choose; anddesignating “
epsilon optimal paths”
as high risk attack paths. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. An apparatus for detecting and characterizing vulnerabilities in a computer system comprising:
-
a) a processing unit b) a storage system connected with the processing unit c) an input device connected with the processing unit d) an output device connected with the processing unit; e) potential attack set input means for using the input device to load a set of potential attacks into the storage system, wherein the set of potential attacks define attacks through which a change in status of the computer system could be effected, wherein the change comprises a transition from a start condition to an end condition which is different from the start condition; f) path set definition means for defining a set of paths comprising at least one path for each attack in the set of potential attacks, wherein each path comprises at least one event necessary for transition from the start condition to the end condition, which transition can include passage through intermediate conditions in transit from the start condition to the end condition; g) length value assigning means for assigning, for each path in the set of paths, a length value, L, corresponding to a metric reflecting at least one security significant condition bearing on likelihood of success of an attacker attempting to effect said transition from the start condition, through intermediate conditions, if any, to the end condition, so that the value of L correlates inversely with said likelihood of success; h) shortest path identification means for identifying within said set of paths at least one shortest path defined as that having the smallest length value of paths in the set of paths; i) epsilon optimal path identification means for identifying, from within the set of paths, specific paths (denoted “
epsilon optimal paths”
) having a length, L≦
(1+ε
) times the length of the shortest path, where ε
is a non-negative number that accounts for uncertainty in individual edge metrics and uncertainty in the actual path the attacker will choose; andj) output means for using the output device to communicate “
epsilon optimal paths”
to a user. - View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
-
Specification