Generating a multiple-prerequisite attack graph
First Claim
1. A method to generate an attack graph, comprising:
using a computer processor for:
selecting a first state node as a starting point of a cyber attack, the first state node corresponding to access to a first host in a network;
coupling the first state node to a first prerequisite node having a first precondition satisfied by the first state node by generating a first directed edge from the first state node to the first prerequisite node;
coupling the first prerequisite node to a first vulnerability instance node having a second precondition satisfied by the first prerequisite node by generating a second directed edge from the first prerequisite node to the first vulnerability instance node, each vulnerability instance node on the attack graph having a single directed edge from the vulnerability instance node to exactly one state node, each vulnerability instance node indicating a presence of a vulnerability on a port, each prerequisite node representing a prerequisite required to access at least one port associated with a vulnerability instance node;
coupling the first vulnerability instance node to a second state node having a third precondition satisfied by the first vulnerability instance node by generating a third directed edge from the first vulnerability instance node to the second state node;
determining if a potential node, having a fourth precondition satisfied by a current node on the attack graph, provides a fifth precondition equivalent to one of preconditions provided by a group of preexisting nodes, the group of preexisting nodes comprising the first state node, the first vulnerability instance node, the first prerequisite node and the second state node;
if the fifth precondition is equivalent to one of the preconditions provided by the group of preexisting nodes, coupling the current node to a preexisting node providing the precondition equivalent to the fifth precondition by generating a fourth directed edge from the current node to the preexisting node; and
if the fifth precondition is not equivalent to one of the preconditions provided by the group of preexisting nodes;
generating the potential node as a new node on the attack graph; and
coupling the new node to the current node by generating a fifth directed edge from the current node to the new node.
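The procedure in claim 1 (and, restated as a method, a graph, an apparatus and an article in claims 13, 17, 22 and 29) is a graph search with one distinctive step: before a potential node is created, the builder asks whether a preexisting node already provides an equivalent precondition, and if it does, the current node is simply coupled to that node by a new edge. The Python below is an added example written for this page; it is not code from the patent or from any NetSPA implementation. The network (hosts `attacker`, `web`, `db`, `file`, their ports and the identifiers `VULN-A` to `VULN-D`) is constructed sample data, and "equivalent precondition" is approximated by equality of a `(node kind, host, port or access level)` key, which is an assumption about how such equivalence is decided.

```python
"""Toy multiple-prerequisite (MP) attack graph builder.

Added example, not code from the patent. Node kinds follow the claims:
  ("state",  host, level)          attacker access to a host
  ("prereq", host, port)           prerequisite: can reach host:port
  ("vuln",   host, port, vuln_id)  vulnerability instance on that port
Edges run state -> prereq -> vuln -> exactly one state. Before a node is
created, the builder checks whether an existing node already provides the
same precondition; if so it links to that node instead (claim 1's
"equivalent precondition" test). That check is what keeps the graph
finite even when network reachability is cyclic.
"""
from collections import deque

# Constructed sample network (hypothetical; not from the page).
# REACH: from a host, which (host, port) pairs are network-reachable.
REACH = {
    "attacker": {("web", 80), ("web", 443)},
    "web": {("db", 3306), ("file", 445)},
    "db": {("file", 445)},
    "file": {("db", 3306)},
}
# VULNS: (host, port) -> [(vuln_id, access level gained by exploiting it)]
VULNS = {
    ("web", 80): [("VULN-A", "user")],
    ("web", 443): [("VULN-B", "root")],
    ("db", 3306): [("VULN-C", "root")],
    ("file", 445): [("VULN-D", "user")],
}

# Allowed successor kind for each node kind (claims 1, 13, 17).
KIND_ORDER = {"state": "prereq", "prereq": "vuln", "vuln": "state"}


class MPGraph:
    def __init__(self):
        self.edges = {}   # node -> set of successor nodes
        self.reused = 0   # links made to preexisting nodes instead of new ones

    @property
    def nodes(self):
        return set(self.edges)

    def link(self, current, potential):
        """Couple `current` to the node providing `potential`'s precondition.

        If an equivalent node already exists, only an edge is added; otherwise
        the potential node becomes a new node. Returns True when it was new.
        """
        is_new = potential not in self.edges
        if is_new:
            self.edges[potential] = set()
        else:
            self.reused += 1
        self.edges[current].add(potential)
        return is_new


def build_mp_graph(start_host, reach, vulns, start_level="root"):
    """Breadth-first expansion from the attacker's starting state node."""
    g = MPGraph()
    start = ("state", start_host, start_level)
    g.edges[start] = set()
    queue = deque([start])
    while queue:
        state = queue.popleft()
        _, host, _ = state
        for thost, port in sorted(reach.get(host, ())):
            prereq = ("prereq", thost, port)
            # Only a newly created prerequisite node needs expanding; a
            # preexisting one already has its vulnerability children.
            if not g.link(state, prereq):
                continue
            for vuln_id, level in vulns.get((thost, port), []):
                vnode = ("vuln", thost, port, vuln_id)
                g.link(prereq, vnode)
                gained = ("state", thost, level)
                if g.link(vnode, gained):   # new access state: keep expanding
                    queue.append(gained)
    return g


def check_invariants(g):
    """Structural checks stated in the claims: edges go only
    state -> prereq -> vuln -> state, and every vulnerability instance
    node has exactly one outgoing edge (to exactly one state node)."""
    for node, succs in g.edges.items():
        kind = node[0]
        if any(s[0] != KIND_ORDER[kind] for s in succs):
            return False
        if kind == "vuln" and len(succs) != 1:
            return False
    return True


def compromised_hosts(g):
    """Best access level the attacker obtains on each host in the graph."""
    rank = {"user": 1, "root": 2}
    best = {}
    for node in g.edges:
        if node[0] == "state":
            _, host, level = node
            if rank[level] > rank.get(best.get(host), 0):
                best[host] = level
    return best


if __name__ == "__main__":
    graph = build_mp_graph("attacker", REACH, VULNS)
    n_edges = sum(len(s) for s in graph.edges.values())
    print(f"{len(graph.nodes)} nodes, {n_edges} edges, "
          f"{graph.reused} links to preexisting nodes")
    for node in sorted(graph.edges):
        for succ in sorted(graph.edges[node]):
            print(f"  {node} -> {succ}")
```

The sample reachability is deliberately cyclic (`db` can reach `file` and `file` can reach `db`), so a plain attack-tree expansion would never terminate; with the equivalence check, the run produces 13 nodes and 16 edges, 4 of which are links back to prerequisite nodes that already existed, and `check_invariants` confirms the edge discipline the claims describe.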
Abstract
In one aspect, a method to generate an attack graph includes determining if a potential node provides a first precondition equivalent to one of preconditions provided by a group of preexisting nodes on the attack graph. The group of preexisting nodes includes a first state node, a first vulnerability instance node, a first prerequisite node, and a second state node. The method also includes, if the first precondition is equivalent to one of the preconditions provided by the group of preexisting nodes, coupling a current node to a preexisting node providing the precondition equivalent to the first precondition using a first edge and if the first precondition is not equivalent to one of the preconditions provided by the group of preexisting nodes, generating the potential node as a new node on the attack graph and coupling the new node to the current node using a second edge.
Claims (33 in total; independent claims 1, 13, 17, 22 and 29 are reproduced below)
1. Independent claim 1 is reproduced above under First Claim. (Dependent claims 2 to 12 not shown.)
13. A method to generate an attack graph comprising:
using a computer processor for:
determining if a potential node provides a first precondition equivalent to one of preconditions provided by a group of preexisting nodes on the attack graph, the group of preexisting nodes comprising a first state node, a first vulnerability instance node, a first prerequisite node, and a second state node, each vulnerability instance node on the attack graph having a single directed edge from the vulnerability instance node to exactly one state node, each vulnerability instance node indicating a presence of a vulnerability on a port, each prerequisite node representing a prerequisite required to access at least one port associated with a vulnerability instance node;
if the first precondition is equivalent to one of the preconditions provided by the group of preexisting nodes, coupling a current node on the attack graph to a preexisting node providing the precondition equivalent to the first precondition by generating a first directed edge from the current node to the preexisting node; and
if the first precondition is not equivalent to one of the preconditions provided by the group of preexisting nodes:
generating the potential node as a new node on the attack graph and coupling the new node to the current node by generating a second directed edge from the current node to the new node.
(Dependent claims 14 to 16 not shown.)
17. A multiple-prerequisite attack graph, comprising:
a first state node corresponding to access to a first host in a network, the first host being a starting point of a cyber attack on the network;
a first prerequisite node coupled to the first state node by a first directed edge from the first state node to the first prerequisite node;
a first vulnerability instance node coupled to the first prerequisite node by a second directed edge from the first prerequisite node to the first vulnerability instance node and coupled to a second state node by a third directed edge from the first vulnerability instance node to the second state node, the second state node corresponding to access to a second host in the network, each vulnerability instance node on the attack graph having a single directed edge from the vulnerability instance node to exactly one state node, each vulnerability instance node indicating a presence of a vulnerability on a port, each prerequisite node representing a prerequisite required to access at least one port associated with a vulnerability instance node; and
a current node coupled to one of a group of preexisting nodes by a fourth directed edge from the current node to the one of the group of preexisting nodes, the one of the group of preexisting nodes satisfying a precondition equivalent to a precondition provided by a potential node, the group of preexisting nodes comprising the first state node, the first vulnerability instance node and the first prerequisite node,
wherein the multiple-prerequisite attack graph is rendered by a computer processor.
(Dependent claims 18 to 21 not shown.)
22. An apparatus to generate an attack graph, comprising:
circuitry to:
couple a first state node to a first prerequisite node having a first precondition satisfied by the first state node by generating a first directed edge from the first state node to the first prerequisite node, the first state node being a starting point of a cyber attack and corresponding to access to a first host in a network;
couple the first prerequisite node to a first vulnerability instance node having a second precondition satisfied by the first prerequisite node by generating a second directed edge from the first prerequisite node to the first vulnerability instance node, each vulnerability instance node on the attack graph having a single directed edge from the vulnerability instance node to exactly one state node, each vulnerability instance node indicating a presence of a vulnerability on a port, each prerequisite node representing a prerequisite required to access at least one port associated with a vulnerability instance node;
couple the first vulnerability instance node to a second state node having a third precondition satisfied by the first vulnerability instance node by generating a third directed edge from the first vulnerability instance node to the second state node;
determine if a potential node, having a fourth precondition satisfied by a current node on the attack graph, provides a fifth precondition equivalent to preconditions provided by a group of preexisting nodes, the group of preexisting nodes comprising the first state node, the first vulnerability instance node, the first prerequisite node and the second state node;
if the fifth precondition is equivalent to one of the preconditions provided by the group of preexisting nodes, couple the current node to a preexisting node providing the precondition equivalent to the fifth precondition by generating a fourth directed edge from the current node to the preexisting node; and
if the fifth precondition is not equivalent to one of the preconditions provided by the group of preexisting nodes:
generate the potential node as a new node on the attack graph; and
couple the new node to the current node by generating a fifth directed edge from the current node to the new node.
(Dependent claims 23 to 28 not shown.)
29. An article comprising:
a non-transitory machine-readable medium that stores executable instructions to generate an attack graph, the instructions causing a machine to:
couple a first state node to a first prerequisite node having a first precondition satisfied by the first state node by generating a first directed edge from the first state node to the first prerequisite node, the first state node being a starting point of a cyber attack and corresponding to access to a first host in a network;
couple the first prerequisite node to a first vulnerability instance node having a second precondition satisfied by the first prerequisite node by generating a second directed edge from the first prerequisite node to the first vulnerability instance node, each vulnerability instance node on the attack graph having a single directed edge from the vulnerability instance node to exactly one state node, each vulnerability instance node indicating a presence of a vulnerability on a port, each prerequisite node representing a prerequisite required to access at least one port associated with a vulnerability instance node;
couple the first vulnerability instance node to a second state node having a third precondition satisfied by the first vulnerability instance node by generating a third directed edge from the first vulnerability instance node to the second state node;
determine if a potential node, having a fourth precondition satisfied by a current node on the attack graph, provides a fifth precondition equivalent to preconditions provided by a group of preexisting nodes, the group of preexisting nodes comprising the first state node, the first vulnerability instance node, the first prerequisite node and the second state node;
if the fifth precondition is equivalent to one of the preconditions provided by the group of preexisting nodes, couple the current node to a preexisting node providing the precondition equivalent to the fifth precondition by generating a fourth directed edge from the current node to the preexisting node; and
if the fifth precondition is not equivalent to one of the preconditions provided by the group of preexisting nodes:
generate the potential node as a new node on the attack graph; and
couple the new node to the current node by generating a fifth directed edge from the current node to the new node.
(Dependent claims 30 to 33 not shown.)
Specification