System and method for probabilistic attack planning

US 8,490,193 B2
Filed: 09/08/2010
Issued: 07/16/2013
Est. Priority Date: 09/08/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-based method for designing a penetration test for a penetration testing framework, comprising the steps of:

defining a variable to be optimized;

receiving information through an input/output device of a computer that defines a scenario, wherein the scenario further comprises,a definition of a target network,a list of penetration testing modules that are available, wherein each penetration testing module has an associated probability of success, requirements, and an expected value for the variable to be optimized, anda goal of the penetration test;

producing, with a computer-based processor, a probabilistic plan, an estimated probability of success for the probabilistic plan, and an expected value for the variable, based on the received information;

determining, with the computer-based processor, an attack plan for the penetration test based on the probabilistic plan, the probability of success for the probabilistic plan and the expected value for the variable,wherein the probabilistic plan, the estimated probability of success, and the expected value for the variable are produced without reference to a particular event that already has occurred in the target network.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for automated probabilistic planning of network attacks against infrastructures of computer networks and applications is provided. The embodiments automate the analysis and probabilistic planning of multi-step attacks to computer and application networks (in particular in the context of automating penetration tests), optimizing with respect to one of the following metrics: the probability of success of the actions, a numerical parameter that must be minimized (e.g., running time), or the number of logs generated by the control devices in the target network.

70 Citations

View as Search Results

10 Claims

1. A computer-based method for designing a penetration test for a penetration testing framework, comprising the steps of:
- defining a variable to be optimized;
  
  receiving information through an input/output device of a computer that defines a scenario, wherein the scenario further comprises,a definition of a target network,a list of penetration testing modules that are available, wherein each penetration testing module has an associated probability of success, requirements, and an expected value for the variable to be optimized, anda goal of the penetration test;
  
  producing, with a computer-based processor, a probabilistic plan, an estimated probability of success for the probabilistic plan, and an expected value for the variable, based on the received information;
  
  determining, with the computer-based processor, an attack plan for the penetration test based on the probabilistic plan, the probability of success for the probabilistic plan and the expected value for the variable,wherein the probabilistic plan, the estimated probability of success, and the expected value for the variable are produced without reference to a particular event that already has occurred in the target network.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-based method of claim 1, wherein the probabilistic plan further comprises a directed acyclic graph having branches, wherein the acyclic graph is defined as:
    - having a single starting node, a first type of end node labelled success, a second type of end node labelled fail, and a penetration testing module node for each penetration testing module within the scenario, wherein the penetration testing module nodes are referred to as action nodes; and
      
      for each action node, either, requirements associated with the action of the action node are satisfied according to the scenario description, or there is a second action node that precedes this action node and is associated with an action that checks if this requirement is satisfied.
  - 3. The computer-based method of claim 1 wherein, the variable to be optimized is time.
  - 4. The computer-based method of claim 1, further comprising the step of executing the probabilistic plan in the penetration testing framework.

5. A computer-based method for designing a probabilistic plan for attacking from a first host a second host, for a penetration testing framework, comprising the steps of:
- defining a variable to be optimized;
  
  defining a scenario, wherein the scenario further comprises, a description of the first host located within a target network, the second host located within the target network, and how the first host and second host are connected, a list of penetration testing modules that are available, wherein each penetration testing module has associated with a probability of success, requirements, and an expected value for the variable to be optimized;
  
  producing, with a computer-based processor, a probabilistic plan that has as a goal to install an agent in the second host, an estimated probability of success for the probabilistic plan, and an expected value for the variable;
  
  determining, with the computer-based processor, a probability of success for the probabilistic plan and an amount of time to execute the probabilistic plan; and
  
  determining, with the computer-based processor, an attack plan for a penetration test based on the probabilistic plan, the probability of success for the probabilistic plan and the amount of time to execute the probabilistic plan,wherein the probabilistic plan, the probability of success, and the amount of time to execute are determined without reference to a particular event that already has occurred in the target network.
- View Dependent Claims (6, 7)
- - 6. The computer-based method of claim 5, wherein the variable to be optimized is time, or a number of alerts generated in the target network.
  - 7. The computer-based method of claim 5, further comprising the step of executing the probabilistic plan in the penetration testing framework.

8. A computer-based method for designing a penetration test, the computer-based method comprising:
- receiving information through a computer based input/output device about a scenario, wherein the information comprises information about hosts, including computers and applications, on a target computer network;
  
  producing, with a computer-based processor, a list of ordered pairs of the hosts, where the hosts in each ordered pair are different and satisfy an attackability property, wherein a particular ordered pair of hosts satisfy an attackability property if, given that a network agent is running in a first host of the particular ordered pair, there exists a set of actions that lead to installing a remote agent in a second host of the particular ordered pair;
  
  determining, with the computer-based processor, for each particular ordered pair of hosts in the list, a probabilistic plan for attacking from a first of the hosts in the particular ordered pair to a second of the hosts in the particular ordered pair;
  
  determining, with the computer-based processor, for each particular probabilistic plan a probability of success and an amount of time to execute; and
  
  determining, with the computer-based processor, an attack plan for the penetration test based on the respective probabilistic plans for attacking, the respective probabilities of success and the respective amounts of time to execute,wherein the respective probabilistic plans for attacking, the respective probabilities of success, and the respective amounts of time to execute are determined without reference to a particular event that already has occurred in the target network.
- View Dependent Claims (9)
- - 9. The computer-based method of claim 8, wherein the attack plan for the penetration test is determined without reference to a particular event that already has occurred in the target network.

10. A computer-based method for designing a penetration test for a penetration testing framework, comprising the steps of:
- defining a variable to be optimized;
  
  receiving information through an input/output device of a computer that defines a scenario, wherein the scenario further comprises;
  
  a definition of a target network,a list of penetration testing modules that are available, wherein each penetration testing module has associated with a probability of success, requirements, and an expected value for the variable to be optimized, anda goal of the penetration test;
  
  producing, with a computer-based processor, a probabilistic plan, an estimated probability of success for the probabilistic plan, and an expected value for the variable, based on the received information,wherein the probabilistic plan, the estimated probability of success for the probabilistic plan, and the expected value for the variable are produced without reference to a particular event that already has occurred in the target network,wherein the probabilistic plan further comprises a directed acyclic graph having branches, wherein the acyclic graph is defined as;
  
  having a single starting node, a first type of end node labelled success, a second type of end node labelled fail, and a penetration testing module node for each penetration testing module within the scenario, wherein the penetration testing module nodes are referred to as action nodes; and
  
  for each action node, either, requirements associated with the action of the action node are satisfied according to the scenario description, or there is a second action node that precedes this action node and is associated with an action that checks if this requirement is satisfied.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc.
Original Assignee
Core Security Technologies (HelpSystems, LLC)
Inventors
Sarraute Yamada, Carlos Emilio, Futoransky, Ariel, Richarte, Gerardo Gabriel, Lucangeli Obes, Jorge
Primary Examiner(s)
Yalew, Fikremariam A

Application Number

US12/877,815
Publication Number

US 20110061104A1
Time in Patent Office

1,042 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

H04L 41/0823   characterised by the purpos...

H04L 41/145   involving simulating, desig...

H04L 43/50   Testing arrangements

H04L 63/1433   Vulnerability analysis

System and method for probabilistic attack planning

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

10 Claims

Specification

Use Cases

Quick Links

Others

System and method for probabilistic attack planning

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

10 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others