Methods, systems, and computer readable media for measuring detection accuracy of a security device using benign traffic

US 9,117,084 B2
Filed: 05/15/2012
Issued: 08/25/2015
Est. Priority Date: 05/15/2012
Status: Active Grant

First Claim

Patent Images

1. A method for measuring detection accuracy of a security device using benign traffic, the method comprising:

at an Internet protocol (IP) traffic simulator having a first communications interface and a second communications interface;

sending, by the first communications interface, a plurality of benign data packets to a security device, wherein the plurality of benign data packets is engineered to include content associated with one or more malicious data packets;

receiving, by the second communications interface, one or more of the plurality of benign data packets via the security device; and

determining, using statistics associated with the plurality of benign data packets, a detection accuracy metric associated with the security device, wherein determining the detection accuracy metric includes dividing a number of benign data packets returned to the IP traffic simulator via the security device by a number of benign data packets sent by the IP traffic simulator to the security device; and

identifying, using distinct characteristics associated with the plurality of benign data packets, wherein the distinct characteristics includes at least one characteristic that affects detection accuracy, a portion of a first packet of the plurality of benign data packets that causes the security device to block the first packet.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer readable media for measuring detection accuracy of a security device using benign traffic are disclosed. According to one method, the method occurs at an Internet protocol (IP) traffic simulator having a first communications interface and a second communications interface. The method includes sending, by the first communications interface, a plurality of benign data packets to a security device, wherein the plurality of benign data packets is engineered to be similar to one or more malicious data packets. The method also includes receiving, by the second communications interface, zero or more of the plurality of benign data packets via the security device. The method further includes determining, using statistics associated with the plurality of benign data packets, a detection accuracy metric associated with the security device.

Citations

20 Claims

1. A method for measuring detection accuracy of a security device using benign traffic, the method comprising:
- at an Internet protocol (IP) traffic simulator having a first communications interface and a second communications interface;
  
  sending, by the first communications interface, a plurality of benign data packets to a security device, wherein the plurality of benign data packets is engineered to include content associated with one or more malicious data packets;
  
  receiving, by the second communications interface, one or more of the plurality of benign data packets via the security device; and
  
  determining, using statistics associated with the plurality of benign data packets, a detection accuracy metric associated with the security device, wherein determining the detection accuracy metric includes dividing a number of benign data packets returned to the IP traffic simulator via the security device by a number of benign data packets sent by the IP traffic simulator to the security device; and
  
  identifying, using distinct characteristics associated with the plurality of benign data packets, wherein the distinct characteristics includes at least one characteristic that affects detection accuracy, a portion of a first packet of the plurality of benign data packets that causes the security device to block the first packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the security device is an intrusion prevention system or a data leakage prevention system.
  - 3. The method of claim 1 wherein the benign data packets contain non-confidential information and the one or more malicious data packets contain confidential information.
  - 4. The method of claim 1 wherein the one or more malicious data packets include data for triggering a vulnerability in a target system.
  - 5. The method of claim 1 wherein the statistics associated with the plurality of benign data packets includes one or more packet counters for determining a number of benign data packets sent to the security device, received via the security device, or blocked by the security device.
  - 6. The method of claim 1 wherein the detection accuracy metric comprises an integer, a percentage, a probability, a code, a color, a value, or a range of values.
  - 7. The method of claim 1 wherein the plurality of benign data packets is provided by a security analysis entity.
  - 8. The method of claim 1 wherein each of the plurality of benign data packets is engineered to have distinct characteristics.
  - 9. The method of claim 1 wherein the first communications interface is associated with a first IP address and the second communications interface is associated with a second IP address.

10. A system for measuring detection accuracy of a security device using benign traffic, the system comprising:
- an Internet protocol (IP) traffic simulator, the IP traffic simulator comprising;
  
  a first physical communications interface configured to send a plurality of benign data packets to a security device, wherein the plurality of benign data packets is engineered to include content associated with one or more malicious data packets;
  
  a second physical communications interface configured to receive one or more of the plurality of benign data packets via the security device; and
  
  a detection accuracy module (DAM) configured to determine, using statistics associated with the plurality of benign data packets, a detection accuracy metric associated with the security device, wherein determining the detection accuracy metric includes dividing a number of benign data packets returned to the IP traffic simulator via the security device by a number of benign data packets sent by the IP traffic simulator to the security device and to identify, using distinct characteristics associated with the plurality of benign data packets, wherein the distinct characteristics includes at least one characteristic that affects detection accuracy, a portion of a first packet of the plurality of benign data packets that causes the security device to block the first packet.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The system of claim 10 wherein the security device is an intrusion prevention system or a data leakage prevention system.
  - 12. The system of claim 10 wherein the benign data packets contain non-confidential information and the one or more malicious data packets contain confidential information.
  - 13. The system of claim 10 wherein the one or more malicious data packets include data for triggering a vulnerability in a target system.
  - 14. The system of claim 10 wherein the statistics associated with the plurality of benign data packets includes one or more packet counters for determining a number of benign data packets sent to the security device, received via the security device, or blocked by the security device.
  - 15. The system of claim 10 wherein the detection accuracy metric comprises an integer, a percentage, a probability, a code, a color, a value, or a range of values.
  - 16. The system of claim 10 wherein the plurality of benign data packets is provided by a security analysis entity.
  - 17. The system of claim 10 wherein the plurality of benign data packets is stored in a database.
  - 18. The system of claim 10 wherein each of the plurality of benign data packets is engineered to have distinct characteristics.
  - 19. The system of claim 10 wherein the first communications interface is associated with a first IP address and the second communications interface is associated with a second IP address.

20. A non-transitory computer readable medium comprising computer executable instructions embodied in the non-transitory computer readable medium that when executed by a processor of a computer control the computer to perform steps comprising:
- at an Internet protocol (IP) traffic simulator having a first communications interface and a second communications interface;
  
  sending, by the first communications interface, a plurality of benign data packets to a security device, wherein the plurality of benign data packets is engineered to include content associated with one or more malicious data packets;
  
  receiving, by the second communications interface, one or more of the plurality of benign data packets via the security device; and
  
  determining, using statistics associated with the plurality of benign data packets, a detection accuracy metric associated with the security device, wherein determining the detection accuracy metric includes dividing a number of benign data packets returned to the IP traffic simulator via the security device by a number of benign data packets sent by the IP traffic simulator to the security device; and
  
  identifying, using distinct characteristics associated with the plurality of benign data packets, wherein the distinct characteristics includes at least one characteristic that affects detection accuracy, a portion of a first packet of the plurality of benign data packets that causes the security device to block the first packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Keysight Technologies Singapore Sales Pte Ltd (Keysight Technologies, Inc.)
Original Assignee
Ixia (Keysight Technologies, Inc.)
Inventors
Zecheru, George
Primary Examiner(s)
Mehrmanesh, Amir

Application Number

US13/472,116
Publication Number

US 20130312094A1
Time in Patent Office

1,197 Days
Field of Search

726 22- 25, 713/188
US Class Current

1/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Methods, systems, and computer readable media for measuring detection accuracy of a security device using benign traffic

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and computer readable media for measuring detection accuracy of a security device using benign traffic

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links