Meta-instrumentation for security analysis

US 8,074,097 B2
Filed: 07/27/2010
Issued: 12/06/2011
Est. Priority Date: 09/05/2007
Status: Active Grant

First Claim

Patent Images

1. A method for testing and analyzing a security vulnerability of a multi-device network system to protocol abuse of a network communications protocol, the method implemented by a security analyzer device, comprising:

establishing a first communication link between a member network device-under-analysis (DUA) of the multi-device network system and the security analyzer device;

establishing a second communication link between a member network device-under-observation (DUO) of the multi-device network system and the security analyzer device, the DUA and the DUO being distinct member devices of the multi-device network system;

attacking the DUA multiple times, the attacks comprising sending to the DUA through the first communication link test messages that are invalid with respect to the network communication protocol;

during and after attacking the DUA, monitoring, with the security analyzer, outputs from the DUO received over the second communication link;

determining, based on the outputs received from the DUO, whether the multi-device network system includes a security vulnerability;

responsive to a determination that the multi-device network system includes a security vulnerability, based on the outputs received from the DUO, identifying which attack causes the security vulnerability.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for analyzing and/or testing member devices in a multi-device system. The multi-device system includes a device-under-analysis (DUA) and a device-under-observation (DUO). An analyzer that is external to the multi-device system generates and sends test messages to the DUA. The analyzer monitors the health of the multi-device system through the DUO and detects a system-wide impact of the DUA caused by the test messages. The analyzer analyzes the DUA based on the test messages and the system-wide impact.

Citations

20 Claims

1. A method for testing and analyzing a security vulnerability of a multi-device network system to protocol abuse of a network communications protocol, the method implemented by a security analyzer device, comprising:
- establishing a first communication link between a member network device-under-analysis (DUA) of the multi-device network system and the security analyzer device;
  
  establishing a second communication link between a member network device-under-observation (DUO) of the multi-device network system and the security analyzer device, the DUA and the DUO being distinct member devices of the multi-device network system;
  
  attacking the DUA multiple times, the attacks comprising sending to the DUA through the first communication link test messages that are invalid with respect to the network communication protocol;
  
  during and after attacking the DUA, monitoring, with the security analyzer, outputs from the DUO received over the second communication link;
  
  determining, based on the outputs received from the DUO, whether the multi-device network system includes a security vulnerability;
  
  responsive to a determination that the multi-device network system includes a security vulnerability, based on the outputs received from the DUO, identifying which attack causes the security vulnerability.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the security analyzer device is not a member device of the multi-device network system, and wherein determining whether the multi-device network system includes a security vulnerability comprises (1) determining whether the attacks cause a system-wide impact through the DUA in the multi-device network system and (2) determining whether the system-wide impact comprises a security vulnerability.
  - 3. The method of claim 2, wherein the system-wide impact comprises a change or an attempt to change a system-wide variable.
  - 4. The method of claim 3, wherein the system-wide variable comprises at least one selected from a group consisting of a routing table and a shared database.
  - 5. The method of claim 2, wherein the system-wide impact comprises a malfunction in a member network device of the multi-device network system.
  - 6. The method of claim 1, wherein a communication protocol of the first communication link is different from a communication protocol of the second communication link.
  - 7. The method of claim 1, further comprising:
    - monitoring responses of the DUA to the attacks, wherein determining whether the multi-device network system includes a security vulnerability further comprises analyzing the DUA based on the responses.
  - 8. The method of claim 1, further comprising:
    - generating the attacks based on one of the following information;
      
      a supported communication protocol of the DUA, a software configuration of the DUA, and a hardware configuration of the DUA.
  - 9. The method of claim 1, wherein the second communication link does not pass through the DUA.

10. A computer program product for testing and analyzing a security vulnerability of a multi-device network system to protocol abuse of a network communications protocol, the method implemented by a security analyzer device, the computer program product comprising a computer-readable medium containing computer program code for performing a method comprising:
- establishing a first communication link between a member network device-under-analysis (DUA) of the multi-device network system and the security analyzer device;
  
  establishing a second communication link between a member network device-under-observation (DUO) of the multi-device network system and the security analyzer device, the DUA and the DUO being distinct member devices of the multi-device network system;
  
  attacking the DUA multiple times, the attacks comprising sending to the DUA through the first communication link test messages that are invalid with respect to the network communication protocol;
  
  during and after attacking the DUA, monitoring, with the security analyzer, outputs from the DUO received over the second communication link;
  
  determining, based on the outputs received from the DUO, whether the multi-device network system includes a security vulnerability;
  
  responsive to a determination that the multi-device network system includes a security vulnerability, based on the outputs received from the DUO, identifying which attack causes the security vulnerability.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer program product of claim 10, wherein the security analyzer device is not a member device of the multi-device network system, and wherein determining whether the multi-device network system includes a security vulnerability comprises (1) determining whether the attacks cause a system-wide impact through the DUA in the multi-device network system and (2) determining whether the system-wide impact comprises a security vulnerability.
  - 12. The computer program product of claim 11, wherein the system-wide impact comprises a change or an attempt to change a system-wide variable.
  - 13. The computer program product of claim 11, wherein the system-wide impact comprises a malfunction in a member network device of the multi-device network system.
  - 14. The computer program product of claim 10, wherein the system-wide variable comprises at least one selected from a group consisting of a routing table and a shared database.
  - 15. The computer program product of claim 10, wherein a communication protocol of the first communication link is different from a communication protocol of the second communication link.
  - 16. The computer program product of claim 10, wherein the method further comprises:
    - monitoring responses of the DUA to the attacks, wherein determining whether the multi-device network system includes a security vulnerability further comprises analyzing the DUA based on the responses.
  - 17. The computer program product of claim 10, wherein the method further comprises:
    - generating the attacks based on one of the following information;
      
      a supported communication protocol of the DUA, a software configuration of the DUA, and a hardware configuration of the DUA.
  - 18. The computer program product of claim 10, wherein the second communication link does not pass through the DUA.

19. A security analyzer device for testing and analyzing a security vulnerability of a multi-device network system to protocol abuse of a network communications protocol, comprising:
- a computer processor configured to execute computer program instructions; and
  
  a computer-readable storage medium having executable computer program instructions tangibly embodied thereon, the executable computer program configured to cause the computer processor to perform the steps of;
  
  establishing a first communication link between the DUA and an analyzer, wherein the analyzer is external to the DUA;
  
  establishing a second communication link between a device-under-observation (DUO) and the analyzer, the DUA and the DUO being distinct member devices of a multi-device system;
  
  transmitting to the DUA via the first communication link a test case including a message which is malformed or invalid with respect to the network communications protocol;
  
  monitoring via the second communication link a system-wide impact of the DUA in the multi-device system caused by the test case; and
  
  analyzing whether the DUA has a security vulnerability based on the test case and the system-wide impact.

20. A security analyzer device for testing and analyzing a security vulnerability of a multi-device network system to protocol abuse of a network communications protocol, comprising:
- a computer processor configured to execute computer program instructions; and
  
  a computer-readable storage medium having executable computer program instructions tangibly embodied thereon, the executable computer program configured to cause the computer processor to perform the steps of;
  
  establishing a first communication link between the DUA and an analyzer, wherein the analyzer is external to the DUA;
  
  establishing a second communication link between a device-under-observation (DUO) and the analyzer, the DUA and the DUO being distinct member devices of a multi-device system;
  
  transmitting to the DUA via the first communication link a test case;
  
  monitoring via the second communication link a system-wide impact of the DUA in the multi-device system caused by the test case; and
  
  analyzing the DUA based on the test case and the system-wide impact,wherein the security analyzer device is not a member device of the multi-device network system, and wherein determining whether the multi-device network system includes a security vulnerability comprises (1) determining whether test case causes a system-wide impact through the DUA in the multi-device network system and (2) determining whether the system-wide impact comprises a security vulnerability.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Spirent Communications Incorporated
Original Assignee
Mu Dynamics, Inc.
Inventors
Beddoe, Marshall A., Maufer, Thomas A.
Primary Examiner(s)
Ehne, Charles

Application Number

US12/844,405
Publication Number

US 20100293415A1
Time in Patent Office

497 Days
Field of Search

714/4, 714/25, 714/38, 714/4.1, 714/38.1, 714/39, 726/22, 726/25
US Class Current

714/4.1
CPC Class Codes

G06F 11/30 Monitoring

Meta-instrumentation for security analysis

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Meta-instrumentation for security analysis

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links