Adaptive risk analysis methods and apparatus

US 8,321,944 B1
Filed: 06/12/2007
Issued: 11/27/2012
Est. Priority Date: 06/12/2006
Status: Active Grant

First Claim

Patent Images

1. A method for a computer system including a display device comprising:

receiving, by the computer system, configuration data for at least one network device in a network, wherein the configuration data includes at least one device configuration file;

receiving, by the computer system, a network topology for at least a portion of the network, wherein the network topology indicates a first server location and a threat source remote from the first server location, and configuration data associated with at least the portion of the network, wherein the network topology comprises incomplete information about the first server location;

determining, by the computer system, at least a first vulnerability to the threat source associated with the first server location, wherein the vulnerability includes a plurality of vulnerability attributes; and

determining, by the computer system, a first security exposure of the first server location by determining a reachability of the first server location from the threat source using at least the configuration data;

determining, by the computer system, a coverage factor score for the first server location correlating to the incomplete information, based on the network topology, and the at least one device configuration file;

accounting for the incomplete information by determining, by the computer system, a first vulnerability certainty associated with the first server location with respect to the vulnerability by calculating a probability that the first vulnerability exists based on the coverage factor score for the first server location and the network topology;

thereafterreceiving updated network data selected from a group consisting of;

updated configuration data, updated network topology;

determining a second security exposure of the first server location with respect to the threat source in response to the updated network data, and to configuration data associated with the first server location; and

displaying an indication of a difference between the first security exposure and the second security exposure on the display device.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system method includes receiving a network topology and associated configuration data, wherein the network topology indicates a host location and a threat location, determining a vulnerability associated with the host location, determining a security exposure for the host location with respect to the threat location from the configuration data, the network topology, and to incomplete configuration data for the host location, determining a first vulnerability certainty for the host location with respect the vulnerability in response to incomplete configuration data, thereafter receiving updated network data selected from a group consisting of: updated configuration data, updated network topology, determining an updated security exposure for the host location with respect to the threat location from the updated network data, and to the incomplete configuration data, and displaying a difference between of the first security exposure and the second security exposure on the display.

Citations

24 Claims

1. A method for a computer system including a display device comprising:
- receiving, by the computer system, configuration data for at least one network device in a network, wherein the configuration data includes at least one device configuration file;
  
  receiving, by the computer system, a network topology for at least a portion of the network, wherein the network topology indicates a first server location and a threat source remote from the first server location, and configuration data associated with at least the portion of the network, wherein the network topology comprises incomplete information about the first server location;
  
  determining, by the computer system, at least a first vulnerability to the threat source associated with the first server location, wherein the vulnerability includes a plurality of vulnerability attributes; and
  
  determining, by the computer system, a first security exposure of the first server location by determining a reachability of the first server location from the threat source using at least the configuration data;
  
  determining, by the computer system, a coverage factor score for the first server location correlating to the incomplete information, based on the network topology, and the at least one device configuration file;
  
  accounting for the incomplete information by determining, by the computer system, a first vulnerability certainty associated with the first server location with respect to the vulnerability by calculating a probability that the first vulnerability exists based on the coverage factor score for the first server location and the network topology;
  
  thereafterreceiving updated network data selected from a group consisting of;
  
  updated configuration data, updated network topology;
  
  determining a second security exposure of the first server location with respect to the threat source in response to the updated network data, and to configuration data associated with the first server location; and
  
  displaying an indication of a difference between the first security exposure and the second security exposure on the display device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 22, 23, 24)
- - 2. The method of claim 1 further comprising displaying an indication of a difference between the first vulnerability certainty and a second vulnerability certainty associated with the second security exposure.
  - 3. The method of claim 2 wherein the indication of the difference between of the first security exposure and the second security exposure comprises an icon with a color on the display device, wherein the color is determined in response to the first security exposure and the second security exposure.
  - 4. The method of claim 3 wherein the color is red when the second security exposure is greater than the first security exposure.
  - 5. The method of claim 1 wherein the updated configuration data is selected from a group consisting of:
    - a change in a policy of a network device, adding an application to a network device, and removing an application from a network device.
  - 6. The method of claim 1 wherein the updated network topology is selected from a group consisting of:
    - removing a network device from the network, adding a network device to the network, and rearranging the network topology.
  - 7. The method of claim 1 further comprising:
    - receiving additional configuration data associated with the first server location;
      
      determining a second vulnerability certainty associated with the first server location with respect to the vulnerability in response to incomplete configuration data associated with the first server location and in response to the additional configuration data; and
      
      displaying an indication of a difference between the second vulnerability certainty and the first vulnerability certainty on the display device.
  - 22. The method of claim 1 wherein the network topology further comprises information indicating that it is unknown whether there is a server at the first server location.
  - 23. The method of claim 1 wherein the network topology further comprises information indicating that it is known that there is a first server at the first server location, and that information about the first server is incomplete.
  - 24. The method of claim 1 wherein the method is completed without verifying the reachability of the first server location by contacting any server at the first server location.

8. A non-transitory computer-readable storage medium storing computer-system executable-code comprising:
- code that directs a computer system to receive configuration data for at least one network device in a network, wherein the configuration data includes at least one device configuration file;
  
  code that directs the computer system to receive a network topology for at least a portion of the network, wherein the network topology indicates a first server location and a threat source remote from the first server location, and configuration data associated with at least the portion of the network, wherein the network topology comprises incomplete information about the first server location;
  
  code that directs the computer system to determine at least a first vulnerability associated with the first server location, wherein the vulnerability includes a plurality of vulnerability attributes; and
  
  code that directs the computer system to determine a first security exposure of the first server location by determining a reachability of the first server location from the threat source using at least the configuration data;
  
  code that directs the computer system to determine a coverage factor score for the first server location correlating to the incomplete information, based on the network topology, and the at least one device configuration file;
  
  code that directs the computer system to account for the incomplete information by determining a first vulnerability certainty associated with the first server location with respect to the vulnerability by calculating a probability that the first vulnerability exists based on the coverage factor score for the first server location and the network topology;
  
  code that directs the computer system to receive updated network data selected from a group consisting of;
  
  updated configuration data, and updated network topology;
  
  code that directs the computer system to determine a second security exposure of the first server location with respect to the threat source in response to the updated network data, and to configuration data associated with the first server location; and
  
  code that directs the computer system to display an indication of a difference between the first security exposure and the second security exposure on a display device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory medium of claim 8 further comprising code that directs the computer system to display an indication of a difference between the first vulnerability certainty and a second vulnerability certainty.
  - 10. The non-transitory medium of claim 9 wherein the indication of the difference between of the first security exposure and the second security exposure comprises an icon with a color on the display device, wherein the color is determined in response to the first security exposure and the second security exposure.
  - 11. The non-transitory medium of claim 10 wherein the color is red when the second security exposure is greater than the first security exposure.
  - 12. The non-transitory medium of claim 8 wherein the updated configuration data is selected from a group consisting of:
    - a change in a policy of a network device, adding an application to a network device, and removing an application from a network device.
  - 13. The non-transitory medium of claim 8 wherein the updated network topology is selected from a group consisting of:
    - removing a network device from the network, adding a network device to the network, and rearranging the network topology.
  - 14. The non-transitory medium of claim 8 further comprising:
    - code that directs the computer system to receive additional configuration data associated with the first server location;
      
      code that directs the computer system to determine a second vulnerability certainty associated with the first server location with respect to the vulnerability in response to incomplete configuration data associated with the first server location and in response to the additional configuration data; and
      
      code that directs the computer system to display an indication of a difference between the second vulnerability certainty and the first vulnerability certainty on the display device.

15. A computer system comprising:
- a display device configured to output data to a user;
  
  a memory configured to store configuration data for at least one network device in a network, wherein the configuration data is based on at least one device configuration file; and
  
  a processor coupled to the memory, wherein the processor is configured to receive a network topology for at least a portion of the network, wherein the network topology indicates a first server location and a threat source remote from the first server location, and configuration data associated with at least the portion of the network, wherein the network topology comprises incomplete information about the first server location;
  
  wherein the processor is configured to determine at least a first vulnerability associated with the first server location, wherein the vulnerability includes a plurality of vulnerability attributes, andwherein the processor is configured to determine a first security exposure of the first server location by determining a reachability of the first server location from the threat source using at least the configuration data,wherein the processor is configured to determine a coverage factor score for the first server location correlating to the incomplete information, based on the network topology, and the at least one device configuration file;
  
  wherein the processor is configured to account for the incomplete information by determining a first vulnerability certainty associated with the first server location with respect to the vulnerability by calculating a probability that the first vulnerability exists based on the coverage factor score for the first server location and the network topology,wherein the processor is configured to receive updated network data selected from a group consisting of;
  
  updated configuration data, updated network topology,wherein the processor is configured to determine a second security exposure of the first server location with respect to the threat source in response to the updated network data, and to configuration data associated with the first server location, and wherein the processor is configured to display an indication of a difference between the first security exposure and the second security exposure on the display device.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer system of claim 15 wherein the processor is configured to display an indication of a difference between the first vulnerability certainty and a second vulnerability certainty.
  - 17. The computer system of claim 16 wherein the indication of the difference between of the first security exposure and the second security exposure comprises an icon with a color on the display device, wherein the color is determined in response to the first security exposure and the second security exposure.
  - 18. The computer system of claim 17 wherein the color is associated with an elevated priority condition when the second security exposure is greater than the first security exposure.
  - 19. The computer system of claim 15 wherein the updated configuration data is selected from a group consisting of:
    - a change in a policy of a network device, adding an application to a network device, and removing an application from a network device.
  - 20. The computer system of claim 15 wherein the updated network topology is selected from a group consisting of:
    - removing a network device from the network, adding a network device to the network, and rearranging the network topology.
  - 21. The computer system of claim 15wherein the processor is configured to receive additional configuration data associated with the first server location;
    - wherein the processor is configured to determine a second vulnerability certainty associated with the first server location with respect to the vulnerability in response to incomplete configuration data associated with the first server location and in response to the additional configuration data; and
      
      wherein the processor is configured to display an indication of a difference between of the second vulnerability certainty and a first vulnerability certainty on the display device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Redseal, Inc.
Original Assignee
RedSeal Networks, Inc (Redseal, Inc.)
Inventors
Mayer, Alain Jules, Laing, Brian, Lloyd, Michael
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
Schwartz, Darren B

Application Number

US11/761,982
Time in Patent Office

1,995 Days
Field of Search

726 11- 14, 726 22- 23, 726/25, 709223-226, 703/1, 703/2, 703/13
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2145   Inheriting rights or proper...

H04L 41/22   comprising specially adapte...

H04L 63/1433   Vulnerability analysis

H04L 67/125   involving control of end-de...

H04L 67/75   Indicating network or usage...

Adaptive risk analysis methods and apparatus

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive risk analysis methods and apparatus

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links