Platform for analyzing the security of communication protocols and channels

US 8,095,983 B2
Filed: 02/10/2006
Issued: 01/10/2012
Est. Priority Date: 03/15/2005
Status: Active Grant

First Claim

Patent Images

1. A method for analyzing a security vulnerability of a network device under analysis (DUA) to protocol abuse of a network communication protocol, comprising:

establishing a baseline snapshot of the DUA'"'"'s state when the DUA is operating normally, comprising;

sending to the DUA a message that is valid with respect to the network communication protocol;

observing the DUA'"'"'s response to the valid message; and

establishing the baseline snapshot, the baseline snapshot based at least in part on the observed response of the DUA to the valid message;

attacking the DUA multiple times, the attacks comprising sending to the DUA test messages that are invalid with respect to the network communication protocol;

periodically establishing snapshots of the DUA'"'"'s state during the attacks, based at least in part on observing responses of the DUA to the attacks;

determining, based on the baseline snapshot and the snapshots established during the attacks, whether the DUA includes a security vulnerability; and

responsive to a determination that the DUA includes a security vulnerability, using the baseline snapshot and the snapshots established during the attacks to identify which attack causes the security vulnerability.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security analyzer tests the security of a device by attacking the device and observing the device'"'"'s response. Attacking the device includes sending one or more messages to the device. A message can be generated by the security analyzer or generated independently of the security analyzer. The security analyzer uses various methods to identify a particular attack that causes a device to fail or otherwise alter its behavior. Monitoring includes analyzing data (other than messages) output from the device in response to an attack. Packet processing analysis includes analyzing one or more messages generated by the device in response to an attack. Instrumentation includes establishing a baseline snapshot of the device'"'"'s state when it is operating normally and then attacking the device in multiple ways while obtaining snapshots periodically during the attacks.

118 Citations

20 Claims

1. A method for analyzing a security vulnerability of a network device under analysis (DUA) to protocol abuse of a network communication protocol, comprising:
- establishing a baseline snapshot of the DUA'"'"'s state when the DUA is operating normally, comprising;
  
  sending to the DUA a message that is valid with respect to the network communication protocol;
  
  observing the DUA'"'"'s response to the valid message; and
  
  establishing the baseline snapshot, the baseline snapshot based at least in part on the observed response of the DUA to the valid message;
  
  attacking the DUA multiple times, the attacks comprising sending to the DUA test messages that are invalid with respect to the network communication protocol;
  
  periodically establishing snapshots of the DUA'"'"'s state during the attacks, based at least in part on observing responses of the DUA to the attacks;
  
  determining, based on the baseline snapshot and the snapshots established during the attacks, whether the DUA includes a security vulnerability; and
  
  responsive to a determination that the DUA includes a security vulnerability, using the baseline snapshot and the snapshots established during the attacks to identify which attack causes the security vulnerability.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein establishing the baseline snapshot of the DUA'"'"'s state further comprises determining, responsive to receiving no response or an invalid response from the DUA for the valid message, that the DUA does not support the network communication protocol.
  - 3. The method of claim 1, wherein establishing the snapshots during the attacks further comprises:
    - sending to the DUA the valid message at different times during the attacks of the DUA; and
      
      establishing snapshots of the DUA based at least in part on a response of the DUA to the sent valid messages.
  - 4. The method of claim 3, wherein establishing snapshots of the DUA based at least in part on the response of the DUA to the sent valid messages further comprises:
    - observing a log output of the DUA after sending the valid message;
      
      executing a command on the DUA to obtain information of the DUA after sending the valid message; and
      
      establishing the snapshot of the DUA using the log output of the DUA and the information obtained through executing the command on the DUA.
  - 5. The method of claim 4, further comprising:
    - determining a probability that the identified attack actually caused the security vulnerability, based both on the log output and on the information obtained through executing the command on the DUA.
  - 6. The method of claim 1, wherein identifying which attack causes the security vulnerability further comprises:
    - using the snapshots established during the attacks to identify a subset of the attacks as candidate attacks;
      
      restarting the DUA, thus restoring the DUA to its normal operation;
      
      replaying the subset of attacks;
      
      periodically establishing snapshots of the DUA'"'"'s state during the replaying of the subset of attacks, the snapshots based at least in part on observing responses of the DUA to the attacks; and
      
      using the baseline snapshot and the snapshots established during the replaying of the subset of attacks to identify which attack causes the security vulnerability.
  - 7. The method of claim 6, wherein restarting the DUA further comprises power cycling the DUA.

8. A security analyzer device for analyzing a vulnerability of a network device under analysis (DUA) to protocol abuse of a network communications protocol, the security analyzer device comprising:
- a computer processor for executing computer program instructions; and
  
  a tangible computer-readable storage medium having executable computer program instructions stored thereon, the executable computer program instructions comprising instructions configured to cause the computer processor to perform the steps of;
  
  establishing a baseline snapshot of the DUA'"'"'s state when the DUA is operating normally, comprising;
  
  sending to the DUA a message that is valid with respect to the network communication protocol;
  
  observing the DUA'"'"'s response to the valid message; and
  
  establishing the baseline snapshot, the baseline snapshot based at least in part on the observed response of the DUA to the valid message;
  
  attacking the DUA multiple times, the attacks comprising sending to the DUA test messages that are invalid with respect to the network communication protocol;
  
  periodically establishing snapshots of the DUA'"'"'s state during the attacks, based at least in part on observing responses of the DUA to the attacks;
  
  determining, based on the baseline snapshot and the snapshots established during the attacks, whether the DUA includes a security vulnerability; and
  
  responsive to a determination that the DUA includes a security vulnerability, using the baseline snapshot and the snapshots established during the attacks to identify which attack causes the security vulnerability.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The security analyzer device of claim 8, wherein establishing the baseline snapshot of the DUA further comprises determining, responsive to receiving no response or an invalid response from the DUA for the valid message, that the DUA does not support the network communication protocol.
  - 10. The security analyzer device of claim 8, wherein establishing the snapshots during the attacks further comprises:
    - sending to the DUA the valid message at different times during the attacks of the DUA; and
      
      establishing snapshots of the DUA based at least in part on a response of the DUA to the sent valid messages.
  - 11. The security analyzer device of claim 10, wherein establishing snapshots of the DUA based at least in part on the response of the DUA to the sent valid messages further comprises:
    - observing a log output of the DUA after sending the valid message;
      
      executing a command on the DUA to obtain information of the DUA after sending the valid message; and
      
      establishing the snapshot of the DUA using the log output of the DUA and the information obtained through executing the command on the DUA.
  - 12. The security analyzer device of claim 11, wherein the executable computer program instructions further comprise instructions for performing the step of determining a probability that the identified attack actually caused the security vulnerability, based both on the log output and on the information obtained through executing the command on the DUA.
  - 13. The security analyzer device of claim 8, wherein identifying which attack causes the security vulnerability further comprises:
    - using the snapshots established during the attacks to identify a subset of the attacks as candidate attacks;
      
      restarting the DUA, thus restoring the DUA to its normal operation;
      
      replaying the subset of attacks;
      
      periodically establishing snapshots of the DUA'"'"'s state during the replaying of the subset of attacks, the snapshots based at least in part on observing responses of the DUA to the attacks; and
      
      using the baseline snapshot and the snapshots established during the replaying of the subset of attacks to identify which attack causes the security vulnerability.
  - 14. The security analyzer device of claim 13, wherein restarting the DUA further comprises power cycling the DUA.

15. An article of manufacture, the article of manufacture including a computer-readable recording medium having stored thereon executable computer program instructions for analyzing vulnerability of a network device under analysis (DUA) to protocol abuse of a network communication protocol tangibly embodied thereon, the executable computer program instructions comprising instructions for performing the steps of:
- establishing a baseline snapshot of the DUA'"'"'s state when the DUA is operating normally, comprising;
  
  sending to the DUA a message that is valid with respect to the network communication protocol;
  
  observing the DUA'"'"'s response to the valid message; and
  
  establishing the baseline snapshot, the baseline snapshot based at least in part on the observed response of the DUA to the valid message;
  
  attacking the DUA multiple times, the attacks comprising sending to the DUA test messages that are invalid with respect to the network communication protocol;
  
  periodically establishing snapshots of the DUAs state during the attacks, based at least in part on observing responses of the DUA to the attacks;
  
  determining, based on the baseline snapshot and the snapshots established during the attacks, whether the DUA includes a security vulnerability;
  
  and responsive to a determination that the DUA includes a security vulnerability, using the baseline snapshot and the snapshots established during the attacks to identify which attack causes the security vulnerability.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The article of manufacture of claim 15, wherein establishing the baseline snapshot of the DUA further comprises determining, responsive to receiving no response or an invalid response from the DUA for the valid message, that the DUA does not support the network communication protocol.
  - 17. The article of manufacture of claim 15, wherein establishing the snapshots during the attacks further comprises:
    - sending to the DUA the valid message at different times during the attacks of the DUA; and
      
      establishing snapshots of the DUA based at least in part on a response of the DUA to the sent valid messages.
  - 18. The article of manufacture of claim 17, wherein establishing snapshots of the DUA based at least in part on the response of the DUA to the sent valid messages further comprises:
    - observing a log output of the DUA after sending the valid message;
      
      executing a command on the DUA to obtain information of the DUA after sending the valid message; and
      
      establishing the snapshot of the DUA using the log output of the DUA and the information obtained through executing the command on the DUA.
  - 19. The article of manufacture of claim 18, wherein the executable computer program instructions further comprise instructions for performing the step of determining a probability that the identified attack actually caused the security vulnerability, based both on the log output and on the information obtained through executing the command on the DUA.
  - 20. The article of manufacture of claim 15, wherein identifying which attack causes the security vulnerability further comprises:
    - using the snapshots established during the attacks to identify a subset of the attacks as candidate attacks;
      
      restarting the DUA, thus restoring the DUA to its normal operation;
      
      replaying the subset of attacks;
      
      periodically establishing snapshots of the DUA'"'"'s state during the replaying of the subset of attacks, the snapshots based at least in part on observing responses of the DUA to the attacks; and
      
      using the baseline snapshot and the snapshots established during the replaying of the subset of attacks to identify which attack causes the security vulnerability.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Spirent Communications Incorporated
Original Assignee
Mu Dynamics, Inc.
Inventors
Guruswamy, Kowsik
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US11/351,403
Publication Number

US 20070174917A1
Time in Patent Office

2,160 Days
Field of Search

713/201, 726 22- 25, 709221-224
US Class Current

726/25
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1433 Vulnerability analysis

Platform for analyzing the security of communication protocols and channels

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

118 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Platform for analyzing the security of communication protocols and channels

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links