System and method for identifying exploitable weak points in a network
First Claim
1. A system for identifying exploitable weak points in a network, comprising:
one or more passive scanners configured to observe one or more connections in the network to identify one or more network addresses and one or more open ports associated with the observed connections;
one or more active scanners configured to scan the network to enumerate one or more current connections in the network and identify one or more network addresses and one or more open ports associated with the enumerated current connections in the network; and
one or more hardware processors coupled to the one or more passive scanners and the one or more active scanners, wherein the one or more hardware processors are configured to:
model trust relationships in the network based on information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners;
identify exploitable weak points in the network based on the information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners, wherein the exploitable weak points include one or more hosts that have internally exploitable services, one or more hosts that have remotely exploitable services, one or more hosts that have exploitable client software, one or more hosts that have exploitable client software and connect to remote networks or process content from the remote networks, one or more destination hosts that accept exploitable trust relationships from internally exploitable source hosts, and one or more destination hosts that accept exploitable trust relationships from remotely exploitable source hosts;
identify, among the network addresses and the open ports associated with the current connections enumerated with the one or more active scanners, network addresses having exploitable services that permit remote or uncredentialed checks, network addresses having exploitable services on one or more predetermined ports, and network addresses having remotely exploitable patch audits associated with a low access complexity rating;
include the identified network addresses having one or more of the exploitable services that permit the remote or uncredentialed checks, the exploitable services on the one or more predetermined ports, or the remotely exploitable patch audits associated with the low access complexity rating among the hosts that have the internally exploitable services;
simulate an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network; and
enumerate one or more remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack.
3 Assignments
0 Petitions
Abstract
The system and method described herein may leverage passive and active vulnerability discovery to identify network addresses and open ports associated with connections that one or more passive scanners observed in a network and current connections that one or more active scanners enumerated in the network. The observed and enumerated current connections may be used to model trust relationships and identify exploitable weak points in the network, wherein the exploitable weak points may include hosts that have exploitable services, exploitable client software, and/or exploitable trust relationships. Furthermore, an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network may be simulated to enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network.
208 Citations
29 Claims
13. A system for identifying exploitable weak points in a network, comprising:
one or more passive scanners configured to observe one or more connections in the network to identify one or more network addresses and one or more open ports associated with the observed connections;
one or more active scanners configured to scan the network to enumerate one or more current connections in the network and identify one or more network addresses and one or more open ports associated with the enumerated current connections in the network; and
one or more hardware processors coupled to the one or more passive scanners and the one or more active scanners, wherein the one or more hardware processors are configured to:
model trust relationships in the network based on information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners;
identify exploitable weak points in the network based on the information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners, wherein the exploitable weak points include one or more hosts that have internally exploitable services, one or more hosts that have remotely exploitable services, one or more hosts that have exploitable client software, one or more hosts that have exploitable client software and connect to remote networks or process content from the remote networks, one or more destination hosts that accept exploitable trust relationships from internally exploitable source hosts, and one or more destination hosts that accept exploitable trust relationships from remotely exploitable source hosts;
identify, among the network addresses and the open ports associated with the connections observed with the one or more passive scanners, one or more network addresses having exploitable services on port zero;
identify, among the network addresses and open ports associated with the current connections enumerated with the one or more active scanners, one or more network addresses having remotely exploitable patch audits associated with one or more of a medium access complexity rating or a high access complexity rating;
include the identified network addresses having the exploitable services on port zero and the identified network addresses having the remotely exploitable patch audits associated with one or more of the medium access complexity rating or the high access complexity rating among the hosts that have the exploitable client software;
simulate an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network; and
enumerate one or more remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack.
15. A method for identifying exploitable weak points in a network, comprising:
configuring one or more passive scanners to identify one or more network addresses and one or more open ports associated with one or more connections that the one or more passive scanners observe in the network;
configuring one or more active scanners to enumerate one or more current connections in the network and identify one or more network addresses and one or more open ports associated with the current connections enumerated with the one or more active scanners;
modeling trust relationships in the network based on information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners;
identifying exploitable weak points in the network based on the information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners, wherein the exploitable weak points include one or more hosts that have internally exploitable services, one or more hosts that have remotely exploitable services, one or more hosts that have exploitable client software, one or more hosts that have exploitable client software and connect to remote networks or process content from the remote networks, one or more destination hosts that accept exploitable trust relationships from internally exploitable source hosts, and one or more destination hosts that accept exploitable trust relationships from remotely exploitable source hosts;
identifying, among the network addresses and the open ports associated with the current connections enumerated with the one or more active scanners, network addresses having exploitable services that permit remote or uncredentialed checks, network addresses having exploitable services on one or more predetermined ports, and network addresses having remotely exploitable patch audits associated with a low access complexity rating;
including the identified network addresses having one or more of the exploitable services that permit the remote or uncredentialed checks, the exploitable services on the one or more predetermined ports, or the remotely exploitable patch audits associated with the low access complexity rating among the hosts that have the internally exploitable services;
simulating an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network; and
enumerating one or more remote network addresses that could compromise the network and determining an exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack.
26. A method for identifying exploitable weak points in a network, comprising:
configuring one or more passive scanners to identify one or more network addresses and one or more open ports associated with one or more connections that the one or more passive scanners observe in the network;
configuring one or more active scanners to enumerate one or more current connections in the network and identify one or more network addresses and one or more open ports associated with the current connections enumerated with the one or more active scanners;
modeling trust relationships in the network based on information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners;
identifying exploitable weak points in the network based on the information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners, wherein the exploitable weak points include one or more hosts that have internally exploitable services, one or more hosts that have remotely exploitable services, one or more hosts that have exploitable client software, one or more hosts that have exploitable client software and connect to remote networks or process content from the remote networks, one or more destination hosts that accept exploitable trust relationships from internally exploitable source hosts, and one or more destination hosts that accept exploitable trust relationships from remotely exploitable source hosts;
identifying, among the network addresses and the open ports associated with the connections observed with the one or more passive scanners, one or more network addresses having exploitable services on port zero;
identifying, among the network addresses and the open ports associated with the current connections enumerated with the one or more active scanners, one or more network addresses having remotely exploitable patch audits associated with one or more of a medium access complexity rating or a high access complexity rating;
including the identified network addresses having the exploitable services on port zero and the identified network addresses having the remotely exploitable patch audits associated with one or more of the medium access complexity rating or the high access complexity rating among hosts that have exploitable client software;
simulating an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network; and
enumerating one or more remote network addresses that could compromise the network and determining an exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack.
28. A computer-readable storage device having computer-executable instructions stored thereon for identifying exploitable weak points in a network, wherein executing the computer-executable instructions on one or more processors causes the one or more processors to:
configure one or more passive scanners to identify one or more network addresses and one or more open ports associated with one or more connections that the one or more passive scanners observe in the network;
configure one or more active scanners to enumerate one or more current connections in the network and identify one or more network addresses and one or more open ports associated with the current connections enumerated with the one or more active scanners;
model trust relationships in the network based on information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners;
identify exploitable weak points in the network based on the information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners, wherein the exploitable weak points include one or more hosts that have internally exploitable services, one or more hosts that have remotely exploitable services, one or more hosts that have exploitable client software, one or more hosts that have exploitable client software and connect to remote networks or process content from the remote networks, one or more destination hosts that accept exploitable trust relationships from internally exploitable source hosts, and one or more destination hosts that accept exploitable trust relationships from remotely exploitable source hosts;
identify, among the network addresses and the open ports associated with the current connections enumerated with the one or more active scanners, network addresses having exploitable services that permit remote or uncredentialed checks, network addresses having exploitable services on one or more predetermined ports, and network addresses having remotely exploitable patch audits associated with a low access complexity rating;
include the identified network addresses having one or more of the exploitable services that permit the remote or uncredentialed checks, the exploitable services on the one or more predetermined ports, or the remotely exploitable patch audits associated with the low access complexity rating among the hosts that have the internally exploitable services;
simulate an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network; and
enumerate one or more remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack.
29. A computer-readable storage device having computer-executable instructions stored thereon for identifying exploitable weak points in a network, wherein executing the computer-executable instructions on one or more processors causes the one or more processors to:
configure one or more passive scanners to identify one or more network addresses and one or more open ports associated with one or more connections that the one or more passive scanners observe in the network;
configure one or more active scanners to enumerate one or more current connections in the network and identify one or more network addresses and one or more open ports associated with the current connections enumerated with the one or more active scanners;
model trust relationships in the network based on information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners;
identify exploitable weak points in the network based on the information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners, wherein the exploitable weak points include one or more hosts that have internally exploitable services, one or more hosts that have remotely exploitable services, one or more hosts that have exploitable client software, one or more hosts that have exploitable client software and connect to remote networks or process content from the remote networks, one or more destination hosts that accept exploitable trust relationships from internally exploitable source hosts, and one or more destination hosts that accept exploitable trust relationships from remotely exploitable source hosts;
identify, among the network addresses and the open ports associated with the connections observed with the one or more passive scanners, one or more network addresses having exploitable services on port zero;
identify, among the network addresses and the open ports associated with the current connections enumerated with the one or more active scanners, one or more network addresses having remotely exploitable patch audits associated with one or more of a medium access complexity rating or a high access complexity rating;
include the identified network addresses having the exploitable services on port zero and the identified network addresses having the remotely exploitable patch audits associated with one or more of the medium access complexity rating or the high access complexity rating among the hosts that have the exploitable client software;
simulate an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network; and
enumerate one or more remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack.
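The host classification rules of claims 1 and 13 and the trust-based attack simulation shared by all the independent claims, as an added toy example that is not the patent's or its assignee's code. Host names, ports, connections, audit records, the predetermined-port list and which hosts count as remote are constructed assumptions; the example simplifies the claims by classing an exposed host's exploitable service as remotely rather than internally exploitable and by ignoring the "connects to remote networks" qualifier on client software.

```python
"""Toy model of the weak-point classification and attack simulation in the claims
above. Added illustration, not the patent's code; all scan data is constructed."""
from collections import deque
# Constructed scanner output. Connections are (src, dst, dst_port); a passive report
# of port 0 means client-side activity. Audits: (port, remote_check, access_complexity).
PASSIVE_CONNECTIONS = [("dmz-web", "app", 8080), ("app", "fileserver", 445),
                       ("ws-7", "fileserver", 445)]
ACTIVE_CONNECTIONS = [("app", "db", 5432)]
PASSIVE_PORTS = {"ws-7": {0}, "dmz-web": {443}, "app": {8080}}
ACTIVE_AUDITS = {"dmz-web": [(443, True, "low")], "app": [(8080, False, "low")],
                 "fileserver": [(445, False, "medium")], "ws-7": [(0, False, "high")]}
PREDETERMINED_PORTS = {445, 3389}     # assumed "predetermined ports" list
REMOTE_HOSTS = {"dmz-web", "vpn-gw"}  # assumed: hosts reachable from outside
INTERNAL, REMOTE, CLIENT = "internal service", "remote service", "client software"

def trust_graph(passive_connections, active_connections):
    """Model trust: an observed or enumerated connection src -> dst means dst accepts src."""
    trust = {}
    for src, dst, _port in passive_connections + active_connections:
        trust.setdefault(src, set()).add(dst)
    return trust

def weak_points(passive_ports, active_audits, predetermined_ports, trust, remote_hosts):
    """Map each host to the weak-point categories of claims 1 and 13 it falls into."""
    cats = {}
    tag = lambda host, cat: cats.setdefault(host, set()).add(cat)
    for host, audits in active_audits.items():          # active-scanner rules
        for port, remote_check, complexity in audits:
            if remote_check or port in predetermined_ports or complexity == "low":
                tag(host, REMOTE if host in remote_hosts else INTERNAL)
            elif complexity in ("medium", "high"):
                tag(host, CLIENT)
    for host, ports in passive_ports.items():           # port zero seen passively
        if 0 in ports:
            tag(host, CLIENT)
    for src, dsts in trust.items():                     # trust-relationship categories
        for cat in (INTERNAL, REMOTE):
            if cat in cats.get(src, ()):
                for dst in dsts:
                    tag(dst, "accepts trust from " + cat)
    return cats

def simulate_attack(trust, cats, remote_hosts, target):
    """BFS over trust edges from remotely exploitable hosts to `target`, pivoting only
    through hosts that are weak points; returns {remote address: exploitation path}."""
    paths = {}
    for start in sorted(h for h in remote_hosts if REMOTE in cats.get(h, ())):
        prev, queue = {start: None}, deque([start])
        while queue and target not in prev:
            host = queue.popleft()
            for nxt in sorted(trust.get(host, ())):
                if nxt not in prev and cats.get(nxt):
                    prev[nxt] = host
                    queue.append(nxt)
        if target in prev:
            path, host = [], target
            while host is not None:
                path.append(host)
                host = prev[host]
            paths[start] = path[::-1]
    return paths

TRUST = trust_graph(PASSIVE_CONNECTIONS, ACTIVE_CONNECTIONS)
CATS = weak_points(PASSIVE_PORTS, ACTIVE_AUDITS, PREDETERMINED_PORTS, TRUST, REMOTE_HOSTS)
```

With the constructed data, `simulate_attack(TRUST, CATS, REMOTE_HOSTS, "db")` reports that only `dmz-web` could compromise `db`, via the trust chain `dmz-web -> app -> db`, while `vpn-gw` is skipped because no exploitable service was found on it.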
Specification