Network attack modeling, analysis, and response

US 7,904,962 B1
Filed: 03/10/2006
Issued: 03/08/2011
Est. Priority Date: 03/10/2005
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium containing a computer program that when executed by one or more processors, causes the one or more processors to perform the steps of:

a) mapping at least one machine to at least one component;

b) mapping at least one of said at least one component to at least one vulnerability;

c) mapping at least one of said at least one vulnerability to at least one of a multitude of exploits, each of said multitude of exploits including at least one precondition mapped to at least one postcondition;

d) generating an attack graph using at least one of said multitude of exploits, said attack graph defining inter-exploit distances;

e) performing an aggregation process upon said attack graph including collapsing non-overlapping subgraphs to provide compression; and

f) determining at least one hardening option using each of said at least one hardening option including applying at least one corrective measure to at least one initial condition, said initial condition being the initial state of at least one of said at least one precondition.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a system for modeling, analyzing, and responding to network attacks. Machines are mapped to components, components are mapped to vulnerabilities, and vulnerabilities are mapped to exploits. Each of the exploits includes at least one precondition mapped to at least one postcondition. An attack graph which defines inter-exploit distances is generated using at least one of the exploits. The attack graph is aggregated. At least one hardening option is determined using the aggregated attack graph. Hardening options include applying at least one corrective measure to at least one initial condition, where the initial condition is the initial state of a precondition.

78 Citations

View as Search Results

20 Claims

1. A non-transitory computer readable medium containing a computer program that when executed by one or more processors, causes the one or more processors to perform the steps of:
- a) mapping at least one machine to at least one component;
  
  b) mapping at least one of said at least one component to at least one vulnerability;
  
  c) mapping at least one of said at least one vulnerability to at least one of a multitude of exploits, each of said multitude of exploits including at least one precondition mapped to at least one postcondition;
  
  d) generating an attack graph using at least one of said multitude of exploits, said attack graph defining inter-exploit distances;
  
  e) performing an aggregation process upon said attack graph including collapsing non-overlapping subgraphs to provide compression; and
  
  f) determining at least one hardening option using each of said at least one hardening option including applying at least one corrective measure to at least one initial condition, said initial condition being the initial state of at least one of said at least one precondition.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A computer readable medium according to claim 1, further including the step of taking a remedial responsive measure to stop subsequent network intrusions.
  - 3. A computer readable medium according to claim 1, wherein at least one of said at least one component is any unit of computational processing that can contributes to a network attack vulnerability.
  - 4. A computer readable medium according to claim 1, wherein said step of mapping at least one machine to at least one component includes at least one application of at least one corrective measure on a selective basis.
  - 5. A computer readable medium according to claim 1, wherein said step of generating an attack graph and said step of performing an aggregation process are performed simultaneously.
  - 6. A computer readable medium according to claim 1, further including the step of generating a visual representation of at least one part of said attack graph.
  - 7. A computer readable medium according to claim 6, wherein manual intervention is performed using said visual representation.
  - 8. A computer readable medium according to claim 1, further including culling said attack graph.
  - 9. A computer readable medium according to claim 1, further including the step of monitoring for at least one intrusion events, at least one of said at least one intrusion events associated with at least one of said multitude of exploits.
  - 10. A computer readable medium according to claim 9, further including the step of correlating at least one of said at least one intrusion event to detect at least one coordinated attack.

11. A non-transitory computer readable medium containing a computer program comprising:
- a) a machine mapper, configured to map at least one machine to at least one component;
  
  b) a component mapper, configured to map at least one of said at least one component to at least one vulnerability;
  
  c) a vulnerability mapper configured to map at least one of said at least one vulnerability to at least one of a multitude of exploits, each of said multitude of exploits including at least one precondition mapped to at least one postcondition;
  
  d) an attack graph generator configured to generate an attack graph using at least one of said multitude of exploits, said attack graph defining inter-exploit distances;
  
  e) an aggregator configured to perform an aggregation process upon said attack graph including collapsing non-overlapping subgraphs to provide compression; and
  
  f) a hardener configured to determine at least one hardening option using each of said at least one hardening option configured to apply at least one corrective measure to at least one initial condition, said initial condition being the initial state of at least one of said at least one precondition.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. A non-transitory computer readable medium according to claim 11, further including a responder configured to take a remedial responsive measure to stop subsequent network intrusions.
  - 13. A non-transitory computer readable medium according to claim 11, wherein at least one of said at least one component is any unit of computational processing that contributes to a network attack vulnerability.
  - 14. A non-transitory computer readable medium according to claim 11, wherein said machine mapper is additionally configured to apply of at least one corrective measure on a selective basis.
  - 15. A non-transitory computer readable medium according to claim 11, wherein said attack graph generator and said aggregator operate simultaneously.
  - 16. A non-transitory computer readable medium according to claim 11, further including a visual representation generator configured to generate a visual representation of at least one part of said attack graph.
  - 17. A non-transitory computer readable medium according to claim 16, wherein manual intervention is performed using said visual representation.
  - 18. A non-transitory computer readable medium according to claim 11, further including a culler configured to cull said attack graph.
  - 19. A non-transitory computer readable medium according to claim 11, further including an intrusion monitor configured to monitor for at least one intrusion event, at least one of said at least one intrusion event associated with at least one of said multitude of exploits.
  - 20. A non-transitory computer readable medium according to claim 19, further including a correlator configured to correlate at least one of said at least one intrusion event to detect at least one coordinated attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
George Mason Intellectual Properties, Inc.
Original Assignee
George Mason Intellectual Properties, Inc.
Inventors
Jajodia, Sushil, O'Berry, Brian C., Robertson, Eric B., Jacobs, Michael A., Weierbach, Robert G., Noel, Steven E., Kalapa, Pramod
Primary Examiner(s)
Arani; Taghi T
Assistant Examiner(s)
HERZOG, MADHURI R

Application Number

US11/371,937
Time in Patent Office

1,824 Days
Field of Search

726 22- 25, 709223-224
US Class Current

726/25
CPC Class Codes

H04L 41/12 Discovery or management of ...

H04L 63/1425 Traffic logging, e.g. anoma...

Network attack modeling, analysis, and response

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Network attack modeling, analysis, and response

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others