Generating a multiple-prerequisite attack graph
Abstract
In one aspect, a method to generate an attack graph includes determining if a potential node provides a first precondition equivalent to one of preconditions provided by a group of preexisting nodes on the attack graph. The group of preexisting nodes includes a first state node, a first vulnerability instance node, a first prerequisite node, and a second state node. The method also includes, if the first precondition is equivalent to one of the preconditions provided by the group of preexisting nodes, coupling a current node to a preexisting node providing the precondition equivalent to the first precondition using a first edge and if the first precondition is not equivalent to one of the preconditions provided by the group of preexisting nodes, generating the potential node as a new node on the attack graph and coupling the new node to the current node using a second edge.
31 Claims
1. A computer-implemented method comprising:
in response to a real or simulated cyber attack at a starting node, using a computer to generate an attack graph comprising:
generating a first state node representing the starting node of the cyber attack and corresponding to access to a first host in a network;
generating a first directed edge from the first state node to a first prerequisite node, the first prerequisite node having a first precondition satisfied by the first state node;
generating a second directed edge from the first prerequisite node to a first vulnerability instance node, the first vulnerability instance node having a second precondition satisfied by the first prerequisite node;
generating a third directed edge from the first vulnerability instance node to a second state node, the second state node having a third precondition satisfied by the first vulnerability instance node; and
determining if a potential node, having a fourth precondition satisfied by a current node on the attack graph, provides a fifth precondition equivalent to one of preconditions provided by a group of preexisting nodes, the group of preexisting nodes comprising:
the first state node;
the first vulnerability instance node;
the first prerequisite node; and
the second state node; and
using the attack graph to identify the vulnerabilities in the network.
Dependent claims: 2 to 16 (not shown).
17. An apparatus to generate an attack graph, comprising:
circuitry to generate an attack graph in response to a real or simulated cyber attack at a starting node comprising circuitry to:
generate a first state node representing the starting point of the cyber attack and corresponding to access to a first host in a network;
generate a first directed edge from the first state node to a first prerequisite node, the first prerequisite node having a first precondition satisfied by the first state node;
generate a second directed edge from the first prerequisite node to a first vulnerability instance node, the first vulnerability instance node having a second precondition satisfied by the first prerequisite node;
generate a third directed edge from the first vulnerability instance node to a second state node, the second state node having a third precondition satisfied by the first vulnerability instance node; and
determine if a potential node, having a fourth precondition satisfied by a current node on the attack graph, provides a fifth precondition equivalent to one of preconditions provided by a group of preexisting nodes, the group of preexisting nodes comprising the first state node, the first vulnerability instance node, the first prerequisite node and the second state node, wherein the attack graph is configured to be used to identify vulnerabilities in a network.
Dependent claims: 18 to 20 (not shown).
21. An article comprising:
a non-transitory machine-readable medium that stores executable instructions to generate an attack graph response to a real or simulated cyber attack at a starting node, the instructions causing a machine to:
generate a first state node representing the starting point of the cyber attack and corresponding to access to a first host in a network;
generate a first directed edge from the first state node to a first prerequisite node, the first prerequisite node having a first precondition satisfied by the first state node;
generate a second directed edge from the first prerequisite node to a first vulnerability instance node, the first vulnerability instance node having a second precondition satisfied by the first prerequisite node;
generate a third directed edge from the first vulnerability instance node to a second state node, the second state node having a third precondition satisfied by the first vulnerability instance node; and
determine if a potential node, having a fourth precondition satisfied by a current node on the attack graph, provides a fifth precondition equivalent to one of preconditions provided by a group of preexisting nodes, the group of preexisting nodes comprising:
the first state node;
the first vulnerability instance node;
the first prerequisite node; and
the second state node, wherein the attack graph is configured to be used to identify vulnerabilities in a network.
Dependent claims: 22 and 23 (not shown).
24. A computer-implemented method comprising:
in response to a real or simulated cyber attack at a starting node, using a computer to generate an attack graph comprising:
generating a first state node representing the starting node of the cyber attack;
generating a first directed edge from the first state node to a first prerequisite node, the first prerequisite node having a first precondition satisfied by the first state node;
generating a second directed edge from the first prerequisite node to a first vulnerability instance node, the first vulnerability instance node having a second precondition satisfied by the first prerequisite node;
generating a third directed edge from the first vulnerability instance node to a second state node, the second state node having a third precondition satisfied by the first vulnerability instance node;
identifying one or more potential nodes for inclusion in the attack graph; and
determining if a first one of the one or more potential nodes having a fourth precondition satisfied by a current node on the attack graph, provides a fifth precondition equivalent to one of preconditions provided by a group of preexisting nodes, the group of preexisting nodes comprising the first state node, the first vulnerability instance node, the first prerequisite node and the second state node; and
using the attack graph to identify the vulnerabilities in a network.
Dependent claims: 25 to 29 (not shown).
30. A computer-implemented method comprising:
in response to a real or simulated cyber attack at a starting node, using a computer to generate an attack graph comprising:
determining if a potential node being considered for inclusion in the attack graph includes a precondition equivalent to one or more of a plurality of preconditions provided by a group of preexisting nodes on the attack graph, the group of preexisting nodes comprising a first state node, at least one vulnerability instance node, at least one prerequisite node, and a second state node, each vulnerability instance node on the attack graph having a single directed edge from the vulnerability instance node to exactly one state node wherein each vulnerability instance node indicating a presence of a vulnerability, each prerequisite node representing a prerequisite required to access at least one port associated with a vulnerability instance node; and
using the attack graph to identify the vulnerabilities in a network.
Dependent claim: 31 (not shown).
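The node-reuse step that the abstract and claim 30 describe (a potential node whose precondition is already provided by an existing state, prerequisite or vulnerability instance node is linked to rather than duplicated, and each vulnerability instance node has exactly one edge to exactly one state node) is shown in the following added example. It is not the patent's or the assignee's code. The hosts, reachability table and vulnerability ids such as WEB-RCE are constructed for the example; the only prerequisite kind modelled is network reachability to a host:port, and the user and root access levels are kept as distinct state nodes.

```python
"""Multiple-prerequisite attack graph with node reuse. Added example, not the
patent's own code; the network, reachability and vulnerability ids are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union


@dataclass(frozen=True)
class State:        # state node: attacker access level on a host
    host: str
    level: str


@dataclass(frozen=True)
class Prereq:       # prerequisite node: reachability to host:port (only kind modelled here)
    host: str
    port: int


@dataclass(frozen=True)
class VulnInstance:  # vulnerability instance node: one vulnerability on one host:port
    host: str
    port: int
    vuln_id: str


Node = Union[State, Prereq, VulnInstance]

# Constructed network: open ports per host and placeholder vulnerability ids on each port.
HOSTS: Dict[str, Dict[int, List[str]]] = {
    "web": {80: ["WEB-RCE"], 22: []},
    "app": {8080: ["APP-RCE"]},
    "db": {5432: ["DB-RCE"]},
    "hr": {445: ["HR-SMB"]},  # nothing in REACH can connect to it
}
# Access level gained on the host by exploiting each vulnerability (constructed).
VULN_EFFECT = {"WEB-RCE": "user", "APP-RCE": "root", "DB-RCE": "root", "HR-SMB": "root"}
# Reachability as a firewall-rule analysis would produce it (constructed):
# source host -> set of (destination host, port).
REACH: Dict[str, Set[Tuple[str, int]]] = {
    "attacker": {("web", 80), ("web", 22)},
    "web": {("app", 8080), ("db", 5432)},
    "app": {("db", 5432), ("web", 22)},
    "db": set(),
}


class AttackGraph:
    def __init__(self) -> None:
        self.nodes: Set[Node] = set()
        self.edges: Set[Tuple[Node, Node]] = set()

    def link(self, current: Node, potential: Node) -> bool:
        """The claimed decision step. Nodes provide equivalent preconditions when
        they compare equal (frozen-dataclass field equality). If an equivalent
        node already exists, only an edge to it is added and False is returned;
        otherwise the potential node is created with its edge and True is
        returned so the caller expands it."""
        is_new = potential not in self.nodes
        self.nodes.add(potential)
        self.edges.add((current, potential))
        return is_new

    def in_degree(self, node: Node) -> int:
        return sum(1 for _, dst in self.edges if dst == node)

    def out_degree(self, node: Node) -> int:
        return sum(1 for src, _ in self.edges if src == node)

    def exploitable_vulnerabilities(self) -> Set[str]:
        """Vulnerability instances in the graph are the ones usable from the start state."""
        return {n.vuln_id for n in self.nodes if isinstance(n, VulnInstance)}


def build_attack_graph(start: State, hosts=HOSTS, effect=VULN_EFFECT, reach=REACH) -> AttackGraph:
    """Breadth-first expansion state -> prerequisite -> vulnerability instance -> state,
    reusing any node for which link() finds an equivalent one already present."""
    g = AttackGraph()
    g.nodes.add(start)
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for host, port in sorted(reach.get(state.host, ())):
            vulns = hosts.get(host, {}).get(port, [])
            if not vulns:
                continue  # a prerequisite node exists only for a port carrying a vulnerability instance
            prereq = Prereq(host, port)
            if not g.link(state, prereq):
                continue  # reused prerequisite: its successors are already in the graph
            for vuln_id in vulns:
                vi = VulnInstance(host, port, vuln_id)
                if not g.link(prereq, vi):
                    continue
                # exactly one edge leaves a vulnerability instance node: to the state it yields
                new_state = State(host, effect[vuln_id])
                if g.link(vi, new_state):
                    queue.append(new_state)
    return g


if __name__ == "__main__":
    graph = build_attack_graph(State("attacker", "root"))
    print(f"{len(graph.nodes)} nodes, {len(graph.edges)} edges")
    print("exploitable:", sorted(graph.exploitable_vulnerabilities()))
    print("in-degree of db:5432 prerequisite:", graph.in_degree(Prereq("db", 5432)))
```

Run from the attacker's starting state, the constructed network yields ten nodes and ten edges. The prerequisite node for db:5432 has two incoming edges, one from the web state and one from the app state, which is the sharing that keeps the graph compact instead of tree-shaped; every vulnerability instance node has exactly one outgoing edge, to the state it yields; and HR-SMB never appears, because no reachable host can connect to hr:445, so the graph's vulnerability instance nodes are exactly the vulnerabilities exposed to this starting point.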
Specification