System, method and computer readable medium for evaluating potential attacks of worms

US 8,359,650 B2
Filed: 07/30/2007
Issued: 01/22/2013
Est. Priority Date: 10/01/2002
Status: Active Grant

First Claim

Patent Images

1. A computer program product comprising a non-transitory computer usable medium including a computer readable program, wherein the computer readable program when executed on a computer causes the computer to:

generate information representative of worm entities;

associate, in response to information representative of a network and of the worm entities, between worm entities and potential worm sources to provide associated worm sources;

wherein the association is triggered when a new worm profile is received, when a new worm profile is generated, or when a likelihood of occurrences of a potential worm exceeds a certain threshold;

determine potential worm attacks that start from the associated worm sources, by applying a worm attack simulation to a model of the network that represents at least nodes, vulnerabilities and topology of the network, wherein the non-transitory computer usable medium is used for holding the model of the network and uses software entities for representing network components; and

evaluate at least one potential worm attack security metric associated with the potential worm attacks;

wherein the information representative of the worm entities comprises at least one profile of at least one group of potential worms;

wherein the computer program product stores instructions for generating the information representative of the worm entities comprising information representative of a group of worms that is less detailed than information representative of a specific worm.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for evaluating potential attacks of worms, the method includes: associating, in response to information representative of a network and of worm entities, between worm entities and potential worm sources to provide associated worm sources; determining potential worm attacks that start from the associated worm sources; and evaluating at least one potential worm attack security metric associated with the potential worm attacks.

81 Citations

View as Search Results

34 Claims

1. A computer program product comprising a non-transitory computer usable medium including a computer readable program, wherein the computer readable program when executed on a computer causes the computer to:
- generate information representative of worm entities;
  
  associate, in response to information representative of a network and of the worm entities, between worm entities and potential worm sources to provide associated worm sources;
  
  wherein the association is triggered when a new worm profile is received, when a new worm profile is generated, or when a likelihood of occurrences of a potential worm exceeds a certain threshold;
  
  determine potential worm attacks that start from the associated worm sources, by applying a worm attack simulation to a model of the network that represents at least nodes, vulnerabilities and topology of the network, wherein the non-transitory computer usable medium is used for holding the model of the network and uses software entities for representing network components; and
  
  evaluate at least one potential worm attack security metric associated with the potential worm attacks;
  
  wherein the information representative of the worm entities comprises at least one profile of at least one group of potential worms;
  
  wherein the computer program product stores instructions for generating the information representative of the worm entities comprising information representative of a group of worms that is less detailed than information representative of a specific worm.
- View Dependent Claims (3, 4, 5)
- - 3. The computer program product according to claim 1, wherein the computer readable program when executed on a computer causes the computer to generate information representative of a worm entity that belongs to the worm entities by modeling known worms.
  - 4. The computer program product according to claim 1, wherein the computer readable program when executed on the computer causes the computer to associate between worm entities and potential worm sources, by using at least one parameter of a published worm, the at least one parameter is selected out of a worm age, a worm severity level, a worm current activity level;
    - to rank an importance of a worm entity based on the at least one parameter, and to decide, based on the importance of the worm entity, whether to associate the worm entity with a potential worm source.
  - 5. The computer program product according to claim 1, wherein the computer readable program when executed on the computer causes the computer to associate between a worm entity that is a potential worm and a potential worm source while using at least one parameter of the potential worm, the at least one parameter is selected out of a likelihood level of an occurrence of the potential worm and a relevancy of the potential worm to the network;
    - to rank an importance of the potential worm, and to decide, based on the importance of the potential worm, whether to associate the potential worm with the potential worm source.

2. The computer program product according to claim l, wherein the worm entities comprise worms and potential worms;
- wherein the computer program product stores instructions for generating information about potential worms that is less detailed than information about worms.

6. A computer program product comprising a non-transitory computer usable medium including a computer readable program, wherein the computer readable program when executed on a computer causes the computer to:
- generate information representative of worm entities;
  
  associate, in response to information representative of a network and of the worm entities, between worm entities and potential worm sources to provide associated worm sources;
  
  wherein the association is triggered when a new worm profile is received, when a new worm profile is generated, or when a likelihood of occurrences of a potential worm exceeds a certain threshold;
  
  determine potential worm attacks that start from the associated worm sources, by applying a worm attack simulation to a model of the network that represents at least nodes, vulnerabilities and topology of the network, wherein the non-transitory computer usable medium is used for holding the model of the network and uses software entities for representing network components; and
  
  evaluate at least one potential worm attack security metric associated with the potential worm attacks;
  
  wherein the computer readable program when executed on a computer causes the computer to generate information representative of a worm entity that belongs to the worm entities by calculating a profile of a group of potential worms that is less detailed than at least one profile of a known worm.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 7. The computer program product according to claim 6, wherein the computer readable program when executed on a computer causes the computer to generate information representative of potential worms capable of exploiting already published vulnerabilities based upon vulnerability attributes.
  - 8. The computer program product according to claim 6, wherein the computer readable program when executed on a computer causes the computer to generate information representative of potential worms capable of exploiting vulnerabilities that are not published.
  - 9. The computer program product according to claim 6, wherein the computer readable program when executed on a computer causes the computer to generate information representative of potential worms capable of exploiting vulnerabilities that are not published based upon service attributes.
  - 10. The computer program product according to claim 6, wherein the computer readable program when executed on a computer causes the computer to identify security weaknesses in response to the at least one potential worm attack security metric.
  - 11. The computer program product according to claim 10, wherein the computer readable program when executed on a computer causes the computer to prioritize the identified security weaknesses.
  - 12. The computer program product according to claim 6, wherein the computer readable program when executed on a computer causes the computer to prioritize identified security weaknesses that comprise a vulnerability that facilitates a worm attack.
  - 13. The computer program product according to claim 6, wherein the computer readable program when executed on a computer causes the computer to provide an indication about at least one device that enabled an access that was utilized during a worm attack.
  - 14. The computer program product according to claim 6, wherein the computer readable program when executed on a computer causes the computer to amend information representative of the network in response to a selected security improvement action and repeating the stages of associating, determining and evaluating.
  - 15. The computer program product according to claim 6, wherein the computer readable program when executed on a computer causes the computer to evaluate a propagation of worm entities through network nodes while using vulnerabilities of these network nodes and evaluating possible infection of target nodes coupled to network nodes through which the worm propagates.
  - 16. The computer program product according to claim 6, wherein a worm source is coupled via an intermediate node to a target node;
    - wherein the computer readable program when executed on a computer causes the computer to evaluate in response to;
      
      (i) a likelihood of an existence of a worm entity, (ii) a likelihood of a worm source to be infected by the worm entity, (iii) a likelihood of the intermediate node to be attacked by the worm source and be infected by the worm entity, (iv) a likelihood of the target node to be attacked by the intermediate node and be infected by the worm entity.
  - 17. The computer program product according to claim 6, wherein a worm source is coupled via multiple intermediate nodes to a target node and wherein the computer readable program when executed on a computer causes the computer to evaluate in response to:
    - (i) a likelihood of an existence of a worm entity, (ii) a likelihood of a worm source to be infected by a worm entity, (iii) a likelihood of each of the intermediate nodes to be attacked by the worm source and be infected by the worm entity, (iv) a likelihood of the target node to be attacked by at least one of the intermediate nodes and be infected by the worm entity.
  - 18. The computer program product according to claim 6, wherein the computer readable program when executed on a computer causes the computer to evaluate in response to an impact of a successful worm attack.
  - 19. The computer program product according to claim 6, wherein the computer readable program when executed on a computer causes the computer to evaluate in response to at least one of the following:
    - (i) business assets imposed risk, (ii) network infrastructure risk, and (iii) worm infection risk related to recovery costs.
  - 20. The computer program product according to claim 6, wherein the computer readable program when executed on a computer causes the computer to associate in response to at least one of the following:
    - a worm source type, likelihood of occurrence of a potential worm, relevancy of a worm to the network.
  - 21. The computer program product according to claim 6, wherein the computer readable program when executed on a computer causes the computer to perform access analysis from each infected host in the network;
    - wherein the access analysis comprises simulating a provision of worm-generated packets.
  - 22. The computer program product according to claim 6 wherein the computer readable program when executed on a computer causes the computer to determine a maximal number of worm generated packets in response to a number of Internet Protocol addresses allowed by filtering devices.

23. A method for evaluating potential attacks of worms, the method comprising:
- generating information representative of worm entities;
  
  associating, in response to information representative of a network and of worm entities, between worm entities and potential worm sources to provide associated worm sources;
  
  wherein the association is triggered when a new worm profile is received, when a new worm profile is generated, or when a likelihood of occurrences of a potential worm exceeds a certain threshold;
  
  determining potential worm attacks that start from the associated worm sources by applying a worm attack simulation to a model of the network that represents at least nodes, vulnerabilities and topology of the network, wherein computerized media that is used for holding the model of the network use software entities for representing network components;
  
  evaluating at least one potential worm attack security metric associated with the potential worm attacks; and
  
  generating information representative of a worm entity that belongs to the worm entities by calculating a profile of a group of potential worms;
  
  wherein the profile of the group of potential worms is less detailed than at least one profile of a known worm, and wherein at least one characteristic of a potential worm is unknown when calculating the profile of the group of potential worms.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The method according to claim 23 further comprising identifying security weaknesses in response to the at least one potential worm attack security metric.
  - 25. The method according to claim 24 further comprising prioritizing the identified security weaknesses.
  - 26. The method according to claim 23 wherein the determining of potential worm attacks comprises evaluating a propagation of worm entities through network nodes while using vulnerabilities of these network nodes and evaluating possible infection of target nodes coupled to network nodes through which the worm propagates.
  - 27. The method according to claim 23 wherein a worm source is coupled via multiple intermediate nodes to a target node;
    - wherein the evaluating is responsive to;
      
      (i) a likelihood of an existence of a worm entity, (ii) a likelihood of a worm source to be infected by a worm entity, (iii) a likelihood of each of the intermediates node to be attacked by a previous node the worm source and be infected by the worm entity, (iv) a likelihood of the target node to be attacked by the intermediate node and be infected by the worm entity.
  - 28. The method according to claim 23, comprising associating between worm entities and potential worm sources, by using at least one parameter of a published worm, the at least one parameter is selected out of a worm age, a worm severity level, a worm current activity level;
    - ranking an importance of a worm entity based on the at least one parameter, and deciding, based on the importance of the worm entity, whether to associate the worm entity with a potential worm source.
  - 29. The method according to claim 23, comprising associating between a worm entity that is a potential worm and a potential worm source while using at least one parameter of the potential worm, the at least one parameter is selected out of a likelihood level of an occurrence of the potential worm and a relevancy of the potential worm to the network;
    - ranking an importance of the potential worm, and deciding, based on the importance of the potential worm, whether to associate the potential worm with the potential worm source.

30. A system for evaluating potential attacks of worms, the system includes:
- a memory unit adapted to store information representative of a network and of worm entities; and
  
  a processor adapted to;
  
  associate, in response to the information representative of a network and of worm entities, between worm entities and potential worm sources to provide associated worm sources;
  
  wherein the association is triggered when a new worm profile is received, when a new worm profile is generated, or when a likelihood of occurrences of a potential worm exceeds a certain threshold;
  
  determine potential worm attacks that start from the associated worm entities by applying a worm attack simulation to a model of the network that represents at least nodes, vulnerabilities and topology of the network, wherein computerized media that is used for holding the model of the network use software entities for representing network components; and
  
  evaluate at least one potential worm attack security metric associated with the potential worm attackswherein the processor is adapted to generate information representative of a worm entity that belongs to the worm entities by calculating a profile of a group of potential worms that is less detailed than at least one profile of a known worm.
- View Dependent Claims (31, 32, 33, 34)
- - 31. The system according to claim 30 wherein the processor is adapted to identify security weaknesses in response to the at least one potential worm attack security metric.
  - 32. The system according to claim 30 wherein the processor is adapted to prioritize the identified security weaknesses.
  - 33. The system according to claim 30 wherein the processor is adapted to determine of potential worm attacks comprises evaluating a propagation of worm entities through network nodes while using vulnerabilities of these network nodes and evaluating possible infection of target nodes coupled to network nodes through which the worm propagates.
  - 34. The system according to claim 30 wherein a worm source is coupled via multiple intermediate nodes to a target node;
    - wherein the processor is adapted to evaluate in response to;
      
      (i) a likelihood of an existence of a worm entity, (ii) a likelihood of a worm source to be infected by a worm entity, (iii) a likelihood of each of the intermediates node to be attacked by a previous node the worm source and be infected by the worm entity, (iv) a likelihood of the target node to be attacked by the intermediate node and be infected by the worm entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Skybox Security, Inc.
Original Assignee
Skybox Security, Inc.
Inventors
Lotem, Amnon, Cohen, Gideon, Meiseles, Moshe, Horn, Ilan
Primary Examiner(s)
KOSOWSKI, CAROLYN M

Application Number

US11/829,980
Publication Number

US 20080005555A1
Time in Patent Office

2,003 Days
Field of Search

726 22- 25
US Class Current

726/25
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

System, method and computer readable medium for evaluating potential attacks of worms

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

81 Citations

34 Claims

Specification

Use Cases

Quick Links

Others

System, method and computer readable medium for evaluating potential attacks of worms

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

34 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others