Network attack modeling, analysis, and response
Abstract
Disclosed is a system for modeling, analyzing, and responding to network attacks. Machines are mapped to components, components are mapped to vulnerabilities, and vulnerabilities are mapped to exploits. Each of the exploits includes at least one precondition mapped to at least one postcondition. An attack graph which defines inter-exploit distances is generated using at least one of the exploits. The attack graph is aggregated. At least one hardening option is determined using the aggregated attack graph. Hardening options include applying at least one corrective measure to at least one initial condition, where the initial condition is the initial state of a precondition.
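The abstract describes a pipeline rather than an implementation, so the following is an added worked example (not code from the patent or its assignee) that walks through the same steps on a constructed three-host network: inventory mapped to initial conditions, exploits with preconditions and postconditions chained into an attack graph, inter-exploit distances computed by breadth-first search, the graph collapsed per machine as a simple aggregation, and hardening options derived as minimal sets of initial conditions whose removal makes the attacker goal unreachable. All host, component, vulnerability and exploit names are hypothetical; the aggregation key (target machine) and the brute-force minimal-set search are this example's choices, not the patent's.

```python
"""Toy attack-graph pipeline: inventory -> exploits -> graph -> distances ->
aggregation -> hardening options. Added example; all names are constructed."""
from collections import deque
from itertools import combinations

# Constructed inventory (hypothetical): machine -> component -> vulnerability ids.
INVENTORY = {
    "web": {"httpd": ["vuln_a"]},
    "app": {"rpc": ["vuln_b"]},
    "db": {"dbms": ["vuln_c"]},
}

# Constructed network policy: (source, destination) pairs that can talk.
REACHABILITY = {("attacker", "web"), ("web", "app"), ("app", "db"), ("web", "db")}

# Constructed exploits. Conditions are strings: "exec(X)" = code execution on X,
# "reach(X,Y)" = X can reach Y's service, "vuln_n@X" = vulnerability present on X.
EXPLOITS = {
    "e_web": {"machine": "web", "pre": {"exec(attacker)", "reach(attacker,web)", "vuln_a@web"}, "post": {"exec(web)"}},
    "e_app": {"machine": "app", "pre": {"exec(web)", "reach(web,app)", "vuln_b@app"}, "post": {"exec(app)"}},
    "e_db_from_app": {"machine": "db", "pre": {"exec(app)", "reach(app,db)", "vuln_c@db"}, "post": {"exec(db)"}},
    "e_db_from_web": {"machine": "db", "pre": {"exec(web)", "reach(web,db)", "vuln_c@db"}, "post": {"exec(db)"}},
}


def initial_conditions(inventory, reachability):
    """Machines -> components -> vulnerabilities, flattened into the initial condition set."""
    conds = {"exec(attacker)"}
    conds |= {f"reach({s},{d})" for s, d in reachability}
    for machine, components in inventory.items():
        for vulns in components.values():
            conds |= {f"{v}@{machine}" for v in vulns}
    return conds


def generate_attack_graph(initial, exploits):
    """Monotonic forward chaining: an exploit fires once all its preconditions hold.
    Returns (reachable conditions, applied exploits, edges); an edge u -> v means a
    postcondition of u satisfies a precondition of v."""
    known = set(initial)
    applied = []
    changed = True
    while changed:
        changed = False
        for name, ex in exploits.items():
            if name not in applied and ex["pre"] <= known:
                known |= ex["post"]
                applied.append(name)
                changed = True
    edges = {u: {v for v in applied if v != u and exploits[u]["post"] & exploits[v]["pre"]}
             for u in applied}
    return known, applied, edges


def inter_exploit_distances(edges, source):
    """Shortest hop count from one exploit to every exploit reachable from it (BFS)."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for v in edges.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def aggregate_by_machine(applied, edges, exploits):
    """Collapse each machine's exploits (non-overlapping subgraphs) into one node."""
    agg = {}
    for u in applied:
        mu = exploits[u]["machine"]
        agg.setdefault(mu, set())
        for v in edges[u]:
            mv = exploits[v]["machine"]
            if mv != mu:
                agg[mu].add(mv)
    return agg


def hardening_options(initial, exploits, goal, max_size=2):
    """Minimal sets of correctable initial conditions whose removal blocks the goal.
    Brute force over subsets up to max_size; supersets of a found option are skipped."""
    candidates = sorted(c for c in initial if c != "exec(attacker)")
    options = []
    for k in range(1, max_size + 1):
        for combo in combinations(candidates, k):
            if any(set(o) <= set(combo) for o in options):
                continue
            known, _, _ = generate_attack_graph(initial - set(combo), exploits)
            if goal not in known:
                options.append(combo)
    return options


if __name__ == "__main__":
    init = initial_conditions(INVENTORY, REACHABILITY)
    known, applied, edges = generate_attack_graph(init, EXPLOITS)
    print("applied:", applied)
    print("distances from e_web:", inter_exploit_distances(edges, "e_web"))
    print("aggregated:", aggregate_by_machine(applied, edges, EXPLOITS))
    for opt in hardening_options(init, EXPLOITS, "exec(db)"):
        print("hardening option:", opt)
```

Two things the toy graph makes visible that the abstract only states: the two paths to `exec(db)` mean removing a single mid-path condition such as `reach(app,db)` is not a hardening option on its own, and the only single-condition fixes are at the attacker's entry point or at the goal host's vulnerability; everything else needs a pair of corrective measures. Real attack graphs are far larger, and the subset search here is exponential, so the aggregation step and a smarter minimal-cut search matter in practice.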
Claims (20 claims; independent claims 1 and 11 shown)

1. A non-transitory computer readable medium containing a computer program that when executed by one or more processors, causes the one or more processors to perform the steps of:
a) mapping at least one machine to at least one component;
b) mapping at least one of said at least one component to at least one vulnerability;
c) mapping at least one of said at least one vulnerability to at least one of a multitude of exploits, each of said multitude of exploits including at least one precondition mapped to at least one postcondition;
d) generating an attack graph using at least one of said multitude of exploits, said attack graph defining inter-exploit distances;
e) performing an aggregation process upon said attack graph including collapsing non-overlapping subgraphs to provide compression; and
f) determining at least one hardening option using said aggregated attack graph, each of said at least one hardening option including applying at least one corrective measure to at least one initial condition, said initial condition being the initial state of at least one of said at least one precondition.
Claims 2 to 10 depend from claim 1.

11. A non-transitory computer readable medium containing a computer program comprising:
a) a machine mapper, configured to map at least one machine to at least one component;
b) a component mapper, configured to map at least one of said at least one component to at least one vulnerability;
c) a vulnerability mapper configured to map at least one of said at least one vulnerability to at least one of a multitude of exploits, each of said multitude of exploits including at least one precondition mapped to at least one postcondition;
d) an attack graph generator configured to generate an attack graph using at least one of said multitude of exploits, said attack graph defining inter-exploit distances;
e) an aggregator configured to perform an aggregation process upon said attack graph including collapsing non-overlapping subgraphs to provide compression; and
f) a hardener configured to determine at least one hardening option using said aggregated attack graph, each of said at least one hardening option configured to apply at least one corrective measure to at least one initial condition, said initial condition being the initial state of at least one of said at least one precondition.
Claims 12 to 20 depend from claim 11.
Specification