Methods and apparatus for determining network risk based upon incomplete network configuration data

US 8,307,444 B1
Filed: 06/12/2007
Issued: 11/06/2012
Est. Priority Date: 06/12/2006
Status: Active Grant

First Claim

Patent Images

1. A method for a computer system including a display device, the method comprising:

receiving, by the computer system, configuration data for at least one network device in a network;

determining, by the computer system, a network topology for at least a portion of the network in response to the configuration data, wherein the network topology indicates a location of a first server and existence of a threat source remote from the first server location, and wherein the network topology comprises incomplete information about the first server location;

determining, by the computer system, at least a first vulnerability to said threat source associated with the first server location, wherein the vulnerability includes a plurality of vulnerability attributes; and

determining, by the computer system, a coverage factor score for the first server location correlating to the incomplete information, based on the network topology and the configuration data;

determining, by the computer system, a first security exposure of the first server location with respect to the threat source by analyzing the configuration data to determine a reachability of the first server location from the threat source; and

accounting for the incomplete information by determining, by the computer system, a first vulnerability certainty associated with the first server location with respect to the vulnerability by calculating a probability that the first vulnerability exists based on the coverage factor score for the first server location and the network topology; and

outputting a visual representation of the first security exposure and thefirst vulnerability certainty on the display device.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for a computer system includes receiving configuration data from a network device in a network, determining a topology for a portion of the network from the configuration data, wherein the topology indicates a server location and a threat server at a threat server location in the network, determining a vulnerability including vulnerability attributes for the first server location, and when configuration data for the first server location is incomplete, the method includes determining a security exposure of the first server location with respect to the threat server in response to the configuration data, the topology, and to the configuration data associated the host server location, determining a vulnerability certainty for the first server location with respect the vulnerability in response to the configuration data associated the host server location, and outputting a visual representation of the security exposure and the vulnerability certainty on a display.

Citations

23 Claims

1. A method for a computer system including a display device, the method comprising:
- receiving, by the computer system, configuration data for at least one network device in a network;
  
  determining, by the computer system, a network topology for at least a portion of the network in response to the configuration data, wherein the network topology indicates a location of a first server and existence of a threat source remote from the first server location, and wherein the network topology comprises incomplete information about the first server location;
  
  determining, by the computer system, at least a first vulnerability to said threat source associated with the first server location, wherein the vulnerability includes a plurality of vulnerability attributes; and
  
  determining, by the computer system, a coverage factor score for the first server location correlating to the incomplete information, based on the network topology and the configuration data;
  
  determining, by the computer system, a first security exposure of the first server location with respect to the threat source by analyzing the configuration data to determine a reachability of the first server location from the threat source; and
  
  accounting for the incomplete information by determining, by the computer system, a first vulnerability certainty associated with the first server location with respect to the vulnerability by calculating a probability that the first vulnerability exists based on the coverage factor score for the first server location and the network topology; and
  
  outputting a visual representation of the first security exposure and thefirst vulnerability certainty on the display device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 21, 22, 23)
- - 2. The method of claim 1 wherein the network topology does not indicate whether a host server is present at the first server location.
  - 3. The method of claim 1 further comprising:
    - determining if a host server device is present at the first server location,if the host server device is present at the first server location, then determining a second security exposure of the first server location with respect to the threat source based on the configuration data, and the network topology; and
      
      if the host server device is present at the first server location, then determining a second vulnerability certainty associated with the first server location with respect to the vulnerability; and
      
      outputting a visual representation of the second security exposure and the second vulnerability certainty on the display device;
      
      wherein the second vulnerability certainty is higher than the first vulnerability certainty.
  - 4. The method of claim 1 further comprising:
    - determining if a first host application is present in a host server at the first server location;
      
      if the first host application is present in the host server at the first server location, then determining a second security exposure of the first server location with respect to the threat source based on the configuration data, and the network topology; and
      
      if the first host application is present in the host server at the first server location, then determining a second vulnerability certainty associated with the first server location with respect to the vulnerability; and
      
      outputting a visual representation of the second security exposure and the second vulnerability certainty on the display device;
      
      wherein the second vulnerability certainty is higher than the first vulnerability certainty.
  - 5. The method of claim 1 further comprising:
    - determining whether at least one patch is installed in a host server at the first server location;
      
      if the at least one patch is installed in the host server at the first server location, then determining a second security exposure of the first server location with respect to the threat source based on the configuration data, and the network topology; and
      
      if the at least one patch is installed in the host server at the first server location, then determining a second vulnerability certainty associated with the first server location with respect to the vulnerability; and
      
      outputting a visual representation of the second security exposure and the second vulnerability certainty on the display device;
      
      wherein the second vulnerability certainty is higher than the first vulnerability certainty.
  - 6. The method of claim 5 wherein the second security exposure is greater than the first security exposure.
  - 7. The method of claim 1 wherein determining the first security exposure comprises:
    - determining a vulnerability reachability from the threat source location to the first server location; and
      
      presuming data for the first server location that is not within the network topology.
  - 21. The method of claim 1 wherein the network topology further comprises information indicating that it is unknown whether there is a server at the first server location.
  - 22. The method of claim 1 wherein the network topology further comprises information indicating that it is known that there is a first server at the first server location, and that information about the first server is incomplete.
  - 23. The method of claim 1 wherein the method is completed without verifying the reachability of the first server location by contacting any server at the first server location.

8. A non-transitory computer-readable storage medium storing computer-system executable-code, the code comprising:
- code that directs a computer system to receive configuration data for at least one network device in a network;
  
  code that directs the computer system to determine a network topology for at least a portion of the network in response to the configuration data, wherein the network topology indicates a location of a first server device and existence of a threat source remote from the first server location and wherein the network topology comprises incomplete information about the first server location;
  
  code that directs the computer system to determine at least a first vulnerability associated with the first server location, wherein the vulnerability includes a plurality of vulnerability attributes;
  
  code that directs the computer system to determine a coverage factor score for the first server location correlating to the incomplete information, based on the network topology and the configuration data;
  
  code that directs the computer system to determine a first security exposure of the first server location with respect to the threat source by analyzing the configuration data to determine a reachability of the first server location from the threat source;
  
  code that directs the computer system to account for the incomplete information by determining a first vulnerability certainty associated with the first server location with respect to the vulnerability by calculating a probability that the first vulnerability exists based on the coverage factor score for the first server location and the network topology; and
  
  code that directs the computer system to output a visual representation of the first security exposure and the first vulnerability certainty on the display device.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The non-transitory medium of claim 8 wherein the network topology does not indicate whether a host server is present at the first server location.
  - 10. The non-transitory medium of claim 8 further comprising:
    - code that determines whether a host server is present at the first server location;
      
      code that directs the computer system to determine a second security exposure of the first server location with respect to the threat source based on the configuration data, and the network topology, if the network topology indicates that the host server is present at the first server location;
      
      code that directs the computer system to determine a second vulnerability certainty associated with the first server location with respect to the vulnerability, if the network topology indicates that the host server is present at the first server location; and
      
      code that directs the computer system to output a visual representation of the second security exposure and the second vulnerability certainty on the display device;
      
      wherein the second vulnerability certainty is higher than the first vulnerability certainty.
  - 11. The non-transitory medium of claim 8 further comprising:
    - code that directs the computer system to determine whether at least one patch is installed in a host server at the first server location;
      
      code that directs the computer system to determine a second security exposure of the first server location with respect to the threat source based on the configuration data, and the network topology, if the at least one patch is installed in the host server at the first server location;
      
      code that directs the computer system to determine a second vulnerability certainty associated with the first server location with respect to the vulnerability, if the at least one patch is installed in the host server at the first server location; and
      
      code that directs the computer system to output a visual representation of the second security exposure and the second vulnerability certainty on the display;
      
      wherein the second vulnerability certainty is higher than the first vulnerability certainty.
  - 12. The non-transitory medium of claim 11 wherein the second security exposure is greater than the first security exposure.
  - 13. The non-transitory medium of claim 8 wherein code that directs the computer system to determine the first security exposure comprises:
    - code that directs the computer system to determine a vulnerability reachability from the threat source location to the first server location; and
      
      code that directs the computer system to presume data for the first server location that is not within the network topology.

14. A computer system comprising:
- a display device configured to output data to a user;
  
  a memory configured to store configuration data for at least one network device in a network; and
  
  a processor coupled to the memory, wherein the processor is configured to;
  
  determine a network topology for at least a portion of the network in response to the configuration data, wherein the network topology indicates a first server location and existence of a threat source remote from the first server location, and wherein the network topology comprises incomplete information about the first server location,determine at least a first vulnerability associated with the first server location, wherein the vulnerability includes a plurality of vulnerability attributes,determine a coverage factor score for the first server location correlating to the incomplete information, based on the network topology and the configuration data,determine a first security exposure of the first server location with respect to the threat source by analyzing the configuration data to determine a reachability of the first server location from the threat source,account for the incomplete information by determining a first vulnerability certainty associated with the first server location with respect to the vulnerability by calculating a probability that the first vulnerability exists based on the coverage factor score for the first server location and the network topology, andoutput a visual representation of the first security exposure and the first vulnerability certainty on the display device.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer system of claim 14 wherein the network topology does not indicate whether a host server is present at the first server location.
  - 16. The computer system of claim 14 wherein the processor is further configured to:
    - determine whether a host server is present at the first server location;
      
      determine a second security exposure of the first server location with respect to the threat source based on the configuration data, and the network topology, if the host server is present at the first server location;
      
      determine a second vulnerability certainty associated with the first server location with respect to the vulnerability if the host server is present at the first server location; and
      
      output a visual representation of the second security exposure and the second vulnerability certainty on the display device;
      
      wherein the second vulnerability certainty is higher than the first vulnerability certainty.
  - 17. The computer system of claim 14 wherein the processor is further configured to:
    - determine whether a first host application is present in a host server at the first server location;
      
      determine a second security exposure of the first server location with respect to the threat source based on the configuration data, and the network topology, if the first host application is present in the host server at the first server location;
      
      determine a second vulnerability certainty associated with the first server location with respect to the vulnerability, if the first host application is present in the host server at the first server location; and
      
      output a visual representation of the second security exposure and the second vulnerability certainty on the display device;
      
      wherein the second vulnerability certainty is higher than the first vulnerability certainty.
  - 18. The computer system of claim 14 wherein the processor is further configured to:
    - determine whether at least one patch is installed in a host server at the first server location;
      
      determine a second security exposure of the first server location with respect to the threat source based on the configuration data, and the network topology, if the at least one patch is installed in the host server at the first server location;
      
      determine a second vulnerability certainty associated with the first server location with respect to the vulnerability, if the at least one patch is installed in the host server at the first server location; and
      
      output a visual representation of the second security exposure and the second vulnerability certainty on the display device;
      
      wherein the second vulnerability certainty is higher than the first vulnerability certainty.
  - 19. The computer system of claim 18 wherein the second security exposure is greater than the first security exposure.
  - 20. The computer system of claim 14 wherein the processor is further configured to:
    - determine a vulnerability reachability from a location of the threat source to the first server location; and
      
      presume data for the first server location that is not within the network topology.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Redseal, Inc.
Original Assignee
RedSeal Networks, Inc (Redseal, Inc.)
Inventors
Mayer, Alain Jules, Laing, Brian, Lloyd, Michael
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
Schwartz, Darren B

Application Number

US11/761,968
Time in Patent Office

1,974 Days
Field of Search

726 11- 14, 726 22- 23, 726/24, 709223-226, 703/1, 703/2, 703/13
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2145   Inheriting rights or proper...

H04L 41/22   comprising specially adapte...

H04L 63/1433   Vulnerability analysis

H04L 67/125   involving control of end-de...

H04L 67/75   Indicating network or usage...

Methods and apparatus for determining network risk based upon incomplete network configuration data

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for determining network risk based upon incomplete network configuration data

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links