Threat analysis

US 7,530,104 B1
Filed: 02/09/2004
Issued: 05/05/2009
Est. Priority Date: 02/09/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method for analyzing a threat to system security, comprising:

identifying a threat agent having an existing access level attained by the threat agent in the course of an attack;

using the existing access level to analyze an attack path between the threat agent and an asset, including by;

setting an updated access level initially to the existing access level; and

iteratively comparing the updated access level with a required access level associated with a next attack along the attack path to determine whether the next attack along the attack path would be successful and, if so, updating the updated access level to equal a resulting access level associated with the next attack, until it is determined that the asset has been reached via the attack path or that no further attack along the path would be successful; and

in the event it is determined that the asset would be reached by the threat agent via the attack path, taking a responsive action in real time, prior to the asset actually being reached by the threat agent, the responsive action comprising a control or other countermeasure that results in the threat agent being rendered unable to reach the asset via the attack path;

wherein comparing the updated access level with a required access level associated with a next attack along the attack path includes determining the required access level associated with the next attack along the attack path at least in part by checking a stored controls data to determine whether an existing control applicable to the next attack along the attack path is in place and, if so, updating an initial, uncontrolled required access level associated with the next attack along the path to an updated required access level that reflects the effect of the control, wherein said step of updating is performed prior to the updated required access level being compared to the existing access level.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Virtual penetration testing using threat analysis is disclosed. Threat analysis may be achieved by evaluating attack paths and chain reactions of compromised assets created by threats, threat agents, or threat mechanisms. A threat agent having an existing access level is identified. The existing access level is used to analyze an attack path between the threat agent and an asset. The existing access level is updated if the analysis of the attack path between the threat agent and the asset indicates that an attack along the path would be successful.

330 Citations

17 Claims

1. A method for analyzing a threat to system security, comprising:
- identifying a threat agent having an existing access level attained by the threat agent in the course of an attack;
  
  using the existing access level to analyze an attack path between the threat agent and an asset, including by;
  
  setting an updated access level initially to the existing access level; and
  
  iteratively comparing the updated access level with a required access level associated with a next attack along the attack path to determine whether the next attack along the attack path would be successful and, if so, updating the updated access level to equal a resulting access level associated with the next attack, until it is determined that the asset has been reached via the attack path or that no further attack along the path would be successful; and
  
  in the event it is determined that the asset would be reached by the threat agent via the attack path, taking a responsive action in real time, prior to the asset actually being reached by the threat agent, the responsive action comprising a control or other countermeasure that results in the threat agent being rendered unable to reach the asset via the attack path;
  
  wherein comparing the updated access level with a required access level associated with a next attack along the attack path includes determining the required access level associated with the next attack along the attack path at least in part by checking a stored controls data to determine whether an existing control applicable to the next attack along the attack path is in place and, if so, updating an initial, uncontrolled required access level associated with the next attack along the path to an updated required access level that reflects the effect of the control, wherein said step of updating is performed prior to the updated required access level being compared to the existing access level.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. A method as recited in claim 1 wherein using the existing access level to analyze an attack path between the threat agent and an asset comprises identifying a vulnerability associated with the asset.
  - 3. A method as recited in claim 1 wherein using the existing access level to analyze an attack path between the threat agent and an asset comprises identifying an exploit method associated with a vulnerability associated with the asset.
  - 4. A method as recited in claim 3 wherein the exploit method has associated with it a prerequisite access level required to use the exploit method to exploit the vulnerability successfully.
  - 5. A method as recited in claim 4 wherein using the existing access level to analyze an attack path between the threat agent and an asset comprises comparing the existing access level to the prerequisite access level.
  - 6. A method as recited in claim 3 wherein the exploit has associated with it a resulting access level that may be attained by using the exploit to exploit the vulnerability successfully.
  - 7. A method as recited in claim 6 further including determining whether a control affects the resulting access level.
  - 8. A method as recited in claim 1 further including determining whether the asset is subject to compromise by the threat agent.
  - 9. A method as recited in claim 1 further including determining whether a control affects the existing access level of the threat agent.
  - 10. A method as recited in claim 9 further including updating the existing access level to reflect the affect of the control prior to using the existing access level to analyze an attack path between the threat agent and an asset.
  - 11. A method as recited in claim 1 wherein identifying a threat agent comprises receiving from a network security system or application data comprising an identification of the threat agent.
  - 12. A method as recited in claim 1 wherein identifying a threat agent comprises receiving from a network security system or application data that may be used to identify the threat agent.
  - 13. A method as recited in claim 1 further including providing output data reflecting a result of the analysis of the attack path.
  - 14. A method as recited in claim 13 wherein the output data comprises a report of the highest level of access that has been or could be achieved by the threat agent through one or more attacks along the attack path.
  - 15. A method as recited in claim 1 wherein using the existing access level further includes evaluating recorded data to determine the attack path.
  - 16. A method as recited in claim 1 wherein the attack path is determined by computing a transitive closure.

17. A computer program product for analyzing a threat to system security, the computer program product being embodied in a computer readable medium and comprising computer instructions for:
- identifying a threat agent having an existing access level attained by the threat agent in the course of an attack;
  
  using the existing access level to analyze an attack path between the threat agent and an asset, including by;
  
  setting an updated access level initially to the existing access level; and
  
  iteratively comparing the updated access level with a required access level associated with a next attack along the attack path to determine whether the next attack along the attack path would be successful and, if so, updating the updated access level to equal a resulting access level associated with the next attack, until it is determined that the asset has been reached via the attack path or that no further attack along the path would be successful; and
  
  in the event it is determined that the asset would be reached by the threat agent via the attack path, taking a responsive action in real time, prior to the asset actually being reached by the threat agent, the responsive action comprising a control or other countermeasure that results in the threat agent being rendered unable to reach the asset via the attack path;
  
  wherein comparing the updated access level with a required access level associated with a next attack along the attack path includes determining the required access level associated with the next attack along the attack path at least in part by checking a stored controls data to determine whether an existing control applicable to the next attack along the attack path is in place and, if so, updating an initial, uncontrolled required access level associated with the next attack along the path to an updated required access level that reflects the effect of the control, wherein said step of updating is performed prior to the updated required access level being compared to the existing access level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bhattacharya, Sourav S., Thrower, Woodrow A.
Primary Examiner(s)
Brown; Christopher J

Application Number

US10/775,758
Time in Patent Office

1,912 Days
Field of Search

726/25, 726/22, 713/188
US Class Current

726/22
CPC Class Codes

G06F 21/554 involving event detection a...

H04L 63/1433 Vulnerability analysis

Threat analysis

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

330 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Threat analysis

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

330 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others