Meta-instrumentation for security analysis

US 7,774,637 B1
Filed: 09/05/2007
Issued: 08/10/2010
Est. Priority Date: 09/05/2007
Status: Active Grant

First Claim

Patent Images

1. A method for testing and analyzing a security vulnerability of a multi-device network system to protocol abuse of a network communications protocol, the method implemented by a security analyzer device, comprising:

establishing a first communication link between a member network device-under-analysis (DUA) of the multi-device network system and the security analyzer device;

establishing a second communication link between a member network device-under-observation (DUO) of the multi-device network system and the security analyzer device, the DUA and the DUO being distinct member devices of the multi-device network system;

establishing a baseline snapshot of the multi-device network system'"'"'s state when the multi-device network system is operating normally, comprising;

sending to the DUO through the second communication link a message that is valid with respect to the network communication protocol;

observing the DUO'"'"'s response to the valid message through the second communication link; and

establishing the baseline snapshot based at least in part on the observed response;

attacking the DUA multiple times, the attacks comprising sending to the DUA through the first communication link test messages that are invalid with respect to the network communication protocol;

periodically establishing snapshots of the multi-device network system'"'"'s state during the attacks, comprising periodically;

sending to the DUO through the second communication link the valid message;

observing the DUO'"'"'s response to the valid message through the second communication link; and

establishing a snapshot of the multi-device network system'"'"'s state during the attacks based at least in part on the observed response;

determining, based on the baseline snapshot and the snapshots established during the attacks, whether the multi-device network system includes a security vulnerability; and

responsive to a determination that the multi-device network system includes a security vulnerability, using the baseline snapshot and the snapshots established during the attacks to identify which attack causes the security vulnerability.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for analyzing and/or testing member devices in a multi-device system. The multi-device system includes a device-under-analysis (DUA) and a device-under-observation (DUO). An analyzer that is external to the multi-device system generates and sends test messages to the DUA. The analyzer monitors the health of the multi-device system through the DUO and detects a system-wide impact of the DUA caused by the test messages. The analyzer analyzes the DUA based on the test messages and the system-wide impact.

Citations

22 Claims

1. A method for testing and analyzing a security vulnerability of a multi-device network system to protocol abuse of a network communications protocol, the method implemented by a security analyzer device, comprising:
- establishing a first communication link between a member network device-under-analysis (DUA) of the multi-device network system and the security analyzer device;
  
  establishing a second communication link between a member network device-under-observation (DUO) of the multi-device network system and the security analyzer device, the DUA and the DUO being distinct member devices of the multi-device network system;
  
  establishing a baseline snapshot of the multi-device network system'"'"'s state when the multi-device network system is operating normally, comprising;
  
  sending to the DUO through the second communication link a message that is valid with respect to the network communication protocol;
  
  observing the DUO'"'"'s response to the valid message through the second communication link; and
  
  establishing the baseline snapshot based at least in part on the observed response;
  
  attacking the DUA multiple times, the attacks comprising sending to the DUA through the first communication link test messages that are invalid with respect to the network communication protocol;
  
  periodically establishing snapshots of the multi-device network system'"'"'s state during the attacks, comprising periodically;
  
  sending to the DUO through the second communication link the valid message;
  
  observing the DUO'"'"'s response to the valid message through the second communication link; and
  
  establishing a snapshot of the multi-device network system'"'"'s state during the attacks based at least in part on the observed response;
  
  determining, based on the baseline snapshot and the snapshots established during the attacks, whether the multi-device network system includes a security vulnerability; and
  
  responsive to a determination that the multi-device network system includes a security vulnerability, using the baseline snapshot and the snapshots established during the attacks to identify which attack causes the security vulnerability.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the security analyzer device is not a member device of the multi-device network system, and wherein determining whether the multi-device network system includes a security vulnerability comprises (1) determining whether the attacks cause a system-wide impact through the DUA in the multi-device network system and (2) determining whether the system-wide impact comprises a security vulnerability.
  - 3. The method of claim 2, wherein the system-wide impact comprises a change or an attempt to change a system-wide variable.
  - 4. The method of claim 3, wherein the system-wide variable comprises at least one selected from a group consisting of a routing table and a shared database.
  - 5. The method of claim 2, wherein the system-wide impact comprises a malfunction in a member network device of the multi-device network system.
  - 6. The method of claim 1, wherein a communication protocol of the first communication link is different from a communication protocol of the second communication link.
  - 7. The method of claim 1, further comprising:
    - monitoring responses of the DUA to the attacks, wherein determining whether the multi-device network system includes a security vulnerability further comprises analyzing the DUA based on the responses.
  - 8. The method of claim 1, wherein determining whether the multi-device network system includes a security vulnerability further comprises:
    - comparing the baseline snapshot and the snapshots established during the attacks to identify a system-wide impact of the DUA in the multi-device network system.
  - 9. The method of claim 1, further comprising:
    - generating the attacks based on one of the following information;
      
      a supported communication protocol of the DUA, a software configuration of the DUA, and a hardware configuration of the DUA.
  - 10. The method of claim 1, wherein the second communication link does not pass through the DUA.

11. A computer program product for testing and analyzing a security vulnerability of a multi-device network system to protocol abuse of a network communications protocol, the method implemented by a security analyzer device, the computer program product comprising a computer-readable medium containing computer program code for performing a method comprising:
- establishing a first communication link between a member network device-under-analysis (DUA) of the multi-device network system and the security analyzer device;
  
  establishing a second communication link between a member network device-under-observation (DUO) of the multi-device network system and the security analyzer device, the DUA and the DUO being distinct member devices of the multi-device network system;
  
  establishing a baseline snapshot of the multi-device network system'"'"'s state when the multi-device network system is operating normally, comprising;
  
  sending to the DUO through the second communication link a message that is valid with respect to the network communication protocol;
  
  observing the DUO'"'"'s response to the valid message through the second communication link; and
  
  establishing the baseline snapshot based at least in part on the observed response;
  
  attacking the DUA multiple times, the attacks comprising sending to the DUA through the first communication link test messages that are invalid with respect to the network communication protocol;
  
  periodically establishing snapshots of the multi-device network system'"'"'s state during the attacks, comprising periodically;
  
  sending to the DUO through the second communication link the valid message;
  
  observing the DUO'"'"'s response to the valid message through the second communication link; and
  
  establishing a snapshot of the multi-device network system'"'"'s state during the attacks based at least in part on the observed response;
  
  determining, based on the baseline snapshot and the snapshots established during the attacks, whether the multi-device network system includes a security vulnerability; and
  
  responsive to a determination that the multi-device network system includes a security vulnerability, using the baseline snapshot and the snapshots established during the attacks to identify which attack causes the security vulnerability.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer program product of claim 11, wherein the security analyzer device is not a member device of the multi-device network system, and wherein determining whether the multi-device network system includes a security vulnerability comprises (1) determining whether the attacks cause a system-wide impact through the DUA in the multi-device network system and (2) determining whether the system-wide impact comprises a security vulnerability.
  - 13. The computer program product of claim 12, wherein the system-wide impact comprises a change or an attempt to change a system-wide variable.
  - 14. The computer program product of claim 13, wherein the system-wide variable comprises at least one selected from a group consisting of a routing table and a shared database.
  - 15. The computer program product of claim 12, wherein the system-wide impact comprises a malfunction in a member network device of the multi-device network system.
  - 16. The computer program product of claim 11, wherein a communication protocol of the first communication link is different from a communication protocol of the second communication link.
  - 17. The computer program product of claim 11, wherein the method further comprises:
    - monitoring responses of the DUA to the attacks, wherein determining whether the multi-device network system includes a security vulnerability further comprises analyzing the DUA based on the responses.
  - 18. The computer program product of claim 11, wherein determining whether the multi-device network system includes a security vulnerability further comprises:
    - comparing the baseline snapshot and the snapshots established during the attacks to identify a system-wide impact of the DUA in the multi-device network system.
  - 19. The computer program product of claim 11, wherein the method further comprises:
    - generating the attacks based on one of the following information;
      
      a supported communication protocol of the DUA, a software configuration of the DUA, and a hardware configuration of the DUA.
  - 20. The computer program product of claim 11, wherein the second communication link does not pass through the DUA.

21. A security analyzer device for testing and analyzing a security vulnerability of a multi-device network system to protocol abuse of a network communications protocol, comprising:
- a computer processor for executing computer program instructions; and
  
  a computer-readable storage medium having executable computer program instructions tangibly embodied thereon, the executable computer program instructions for the computer processor to perform the steps of;
  
  establishing a first communication link between a member network device-under-analysis (DUA) of the multi-device network system and the security analyzer device;
  
  establishing a second communication link between a member network device-under-observation (DUO) of the multi-device network system and the security analyzer device, the DUA and the DUO being distinct member devices of the multi-device network system;
  
  establishing a baseline snapshot of the multi-device network system'"'"'s state when the multi-device network system is operating normally, comprising;
  
  sending to the DUO through the second communication link a message that is valid with respect to the network communication protocol;
  
  observing the DUO'"'"'s response to the valid message through the second communication link; and
  
  establishing the baseline snapshot based at least in part on the observed response;
  
  attacking the DUA multiple times, the attacks comprising sending to the DUA through the first communication link test messages that are invalid with respect to the network communication protocol;
  
  periodically establishing snapshots of the multi-device network system'"'"'s state during the attacks, comprising periodically;
  
  sending to the DUO through the second communication link the valid message;
  
  observing the DUO'"'"'s response to the valid message through the second communication link; and
  
  establishing a snapshot of the multi-device network system'"'"'s state during the attacks based at least in part on the observed response;
  
  determining, based on the baseline snapshot and the snapshots established during the attacks, whether the multi-device network system includes a security vulnerability; and
  
  responsive to a determination that the multi-device network system includes a security vulnerability, using the baseline snapshot and the snapshots established during the attacks to identify which attack causes the security vulnerability.
- View Dependent Claims (22)
- - 22. The security analyzer device of claim 21, wherein the security analyzer device is not a member device of the multi-device network system, and wherein determining whether the multi-device network system includes a security vulnerability comprises (1) determining whether the attacks cause a system-wide impact through the DUA in the multi-device network system and (2) determining whether the system-wide impact comprises a security vulnerability.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Spirent Communications Incorporated
Original Assignee
Mu Dynamics, Inc.
Inventors
Beddoe, Marshall A., Maufer, Thomas A.
Primary Examiner(s)
Beausoliel; Robert
Assistant Examiner(s)
Ehne; Charles

Application Number

US11/850,164
Time in Patent Office

1,070 Days
Field of Search

714/4, 714/25, 714/38, 726/22, 726/26
US Class Current

714/38.1
CPC Class Codes

G06F 11/30 Monitoring

Meta-instrumentation for security analysis

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Meta-instrumentation for security analysis

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links