System and method for vulnerability risk analysis

US 9,317,692 B2
Filed: 05/21/2010
Issued: 04/19/2016
Est. Priority Date: 12/21/2009
Status: Active Grant

First Claim

Patent Images

1. A method for analyzing risk, the method comprising:

accessing, within an electronic system, host configuration information of a host;

querying a vulnerability database based on said host configuration information;

receiving a list of vulnerabilities, wherein said list of vulnerabilities corresponds to vulnerabilities of said host;

accessing a plurality of vulnerability scores for said host and at least one software product of said host, wherein said plurality of vulnerability scores measure access vulnerability and vulnerability impact, and wherein said host and said at least one software product of said host are respectively associated with more than one of said plurality of vulnerability scores;

determining a composite risk score for at least one of said host and said at least one software product of said host based on said plurality of vulnerability scores, wherein said composite risk score measures at least in part a severity reflecting that an exploited vulnerability is needed by an attacker to compromise at least one of said host and said at least one software product of said host, and wherein said composite risk score is based on a highest vulnerability score among the more than one of said plurality of vulnerability scores respectively associated with at least one of said host and said at least one software product of said host;

determining an aggregate risk score for at least one of said host and said at least one software product of said host based on said plurality of vulnerability scores, wherein said aggregate risk score measures at least in part a number of options available to said attacker for compromising at least one of said host and said at least one software product of said host, and wherein said aggregate risk score is based on a summation among the more than one of said plurality of vulnerability scores respectively associated with at least one of said host and said at least one software product of said host;

generating a graph representing said at least one software product of said host, wherein nodes of said graph represent software states of said at least one software product, wherein edges of said graph represent vulnerabilities detected in said at least one software product, wherein a path through said graph begins at a start node having relatively lower access vulnerability, and wherein said path ends at an end node having relatively higher vulnerability impact; and

determining a risk score based on said path through said graph and at least one of said composite risk score and said aggregate risk score.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention are directed to a method and system for automated risk analysis. The method includes accessing host configuration information of a host and querying a vulnerability database based on the host configuration information. The method further includes receiving a list of vulnerabilities and accessing a plurality of vulnerability scores. The list of vulnerabilities corresponds to vulnerabilities of the host. Vulnerabilities can be removed from the list based on checking for installed fixes corresponding to vulnerability. A composite risk score can then be determined for the host and each software product of the host based on the plurality of vulnerability scores. An aggregate risk score can then be determined for the host and each software product of the host based on the plurality of vulnerability scores.

32 Citations

View as Search Results

20 Claims

1. A method for analyzing risk, the method comprising:
- accessing, within an electronic system, host configuration information of a host;
  
  querying a vulnerability database based on said host configuration information;
  
  receiving a list of vulnerabilities, wherein said list of vulnerabilities corresponds to vulnerabilities of said host;
  
  accessing a plurality of vulnerability scores for said host and at least one software product of said host, wherein said plurality of vulnerability scores measure access vulnerability and vulnerability impact, and wherein said host and said at least one software product of said host are respectively associated with more than one of said plurality of vulnerability scores;
  
  determining a composite risk score for at least one of said host and said at least one software product of said host based on said plurality of vulnerability scores, wherein said composite risk score measures at least in part a severity reflecting that an exploited vulnerability is needed by an attacker to compromise at least one of said host and said at least one software product of said host, and wherein said composite risk score is based on a highest vulnerability score among the more than one of said plurality of vulnerability scores respectively associated with at least one of said host and said at least one software product of said host;
  
  determining an aggregate risk score for at least one of said host and said at least one software product of said host based on said plurality of vulnerability scores, wherein said aggregate risk score measures at least in part a number of options available to said attacker for compromising at least one of said host and said at least one software product of said host, and wherein said aggregate risk score is based on a summation among the more than one of said plurality of vulnerability scores respectively associated with at least one of said host and said at least one software product of said host;
  
  generating a graph representing said at least one software product of said host, wherein nodes of said graph represent software states of said at least one software product, wherein edges of said graph represent vulnerabilities detected in said at least one software product, wherein a path through said graph begins at a start node having relatively lower access vulnerability, and wherein said path ends at an end node having relatively higher vulnerability impact; and
  
  determining a risk score based on said path through said graph and at least one of said composite risk score and said aggregate risk score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein said host configuration information comprises information about a plurality of software applications and an operating system.
  - 3. The method of claim 1 further comprising:
    - querying a fixes database based on said list of vulnerabilities;
      
      receiving a list of fixes; and
      
      checking said list of fixes against said host configuration information.
  - 4. The method of claim 3 further comprising:
    - determining a software product contributing the most risk to an enterprise.
  - 5. The method of claim 4 further comprising:
    - determining a host contributing the most risk to said enterprise.
  - 6. The method of claim 5 further comprising:
    - determining a vulnerability contributing the most risk to said enterprise.
  - 7. The method of claim 1 wherein said vulnerability database is a National Vulnerability Database (NVD).
  - 8. The method of claim 1 wherein said vulnerability scores comprise Common Vulnerability Scoring System (CVSS) scores.

9. A non-transitory computer readable storage medium having stored thereon, computer executable instructions that, if executed by a computer system cause the computer system to perform a method of risk analysis comprising:
- accessing, within an electronic system, host configuration information of a host;
  
  querying a vulnerability database based on said host configuration information;
  
  receiving a list of vulnerabilities, wherein said list of vulnerabilities corresponds to vulnerabilities of said host;
  
  accessing a plurality of vulnerability scores for said host and at least one software product of said host, wherein said plurality of vulnerability scores measure access vulnerability and vulnerability impact, and wherein said host and said at least one software product of said host are respectively associated with more than one of said plurality of vulnerability scores;
  
  determining a composite risk score for at least one of said host and said at least one software product of said host based on said plurality of vulnerability scores, wherein said composite risk score measures at least in part a severity reflecting that an exploited vulnerability is needed by an attacker to compromise at least one of said host and said at least one software product of said host, and wherein said composite risk score is based on a highest vulnerability score among the more than one of said plurality of vulnerability scores respectively associated with at least one of said host and said at least one software product of said host;
  
  determining an aggregate risk score for said host and said at least one software product of said host based on said plurality of vulnerability scores, wherein said aggregate risk score measures at least in part a number of options available to said attacker for compromising at least one of said host and said at least one software product of said host, and wherein said aggregate risk score is based on a summation among the more than one of said plurality of vulnerability scores respectively associated with at least one of said host and said at least one software product of said host;
  
  generating a graph representing said at least one software product of said host, wherein nodes of said graph represent software states of said at least one software product, wherein edges of said graph represent vulnerabilities detected in said at least one software product, wherein a path through said graph begins at a start node having relatively lower access vulnerability, and wherein said path ends at an end node having relatively higher vulnerability impact; and
  
  determining a risk score based on said path through said graph and at least one of said composite risk score and said aggregate risk score.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer readable storage medium of claim 9, wherein said host configuration information comprises information about a plurality of software applications and an operating system.
  - 11. The computer readable storage medium of claim 9, wherein said method further comprises:
    - querying a fixes database based on said list of vulnerabilities;
      
      receiving a list of fixes; and
      
      checking said list of fixes against said host configuration information.
  - 12. The computer readable storage medium of claim 9, wherein said method further comprises:
    - determining a software product contributing the most risk to an enterprise.
  - 13. The computer readable storage medium of claim 9, wherein said method further comprises:
    - determining a host contributing the most risk to said enterprise.
  - 14. The computer readable storage medium of claim 9, wherein said method further comprises:
    - determining a vulnerability contributing the most risk to said enterprise.
  - 15. The computer readable storage medium of claim 9, wherein said vulnerability scores comprise Common Vulnerability Scoring System (CVSS) scores.
  - 16. The computer readable storage medium of claim 9, wherein said vulnerability database is a National Vulnerability Database (NVD).

17. A system comprising:
- a host configuration access module for accessing host configuration information;
  
  a vulnerability database query module for querying a vulnerability database, wherein a host and at least one software product of said host are respectively associated with more than one of a plurality of vulnerability scores;
  
  a fix database query module for querying a fix database;
  
  a composite risk determination module for determining a composite risk score based on data from said vulnerability database and based on data from said fix database, wherein said composite risk score measures at least in part a severity reflecting that an exploited vulnerability is needed by an attacker to compromise at least one of said host and said at least one software product of said host, and wherein said composite risk score is based on a highest vulnerability score among the more than one of said plurality of vulnerability scores respectively associated with at least one of said host and said at least one software product of said host;
  
  an aggregate risk determination module for determining an aggregate risk score based on data from said vulnerability database and based on data from said fix database, wherein said aggregate risk score measures at least in part a number of options available to said attacker for compromising at least one of said host and said at least one software product of said host, and wherein said aggregate risk score is based on a summation among the more than one of said plurality of vulnerability scores respectively associated with at least one of said host and said at least one software product of said host; and
  
  a risk determination module for determining and reporting a risk score based on at least one of said composite risk score and said aggregate risk score, and based on a graph representing said at least one software product of said host, wherein nodes of said graph represent software states of said at least one software product, wherein edges of said graph represent vulnerabilities detected in said at least one software product, wherein a path through said graph begins from a start node having relatively lower access vulnerability based on data from said vulnerability database, and wherein said path ends at an end node having relatively higher vulnerability impact.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17 further comprising:
    - a software product risk contribution module for determining a software product contributing the most risk to an enterprise.
  - 19. The system of claim 17 further comprising:
    - a host risk contribution module for determining a host contributing the most risk to an enterprise.
  - 20. The system of claim 17 further comprising:
    - a vulnerability risk contribution module for determining a vulnerability contributing the most risk to an enterprise.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Elder, Matthew Cruz, Kienzle, Darrell Martin, Manadhata, Pratyusa K., Persaud, Ryan Kumar
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US12/784,972
Publication Number

US 20140189873A1
Time in Patent Office

2,160 Days
Field of Search

726/25
US Class Current

1/1
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1433 Vulnerability analysis

System and method for vulnerability risk analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System and method for vulnerability risk analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others