NETWORK MALICIOUSNESS SUSCEPTIBILITY ANALYSIS AND RATING

US 20160065620A1
Filed: 02/20/2015
Published: 03/03/2016
Est. Priority Date: 02/21/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for auditing a computer network to determine susceptibility to malicious attack, the method comprising:

monitoring traffic of the computer network for a plurality of mismanagement metrics, where each of the plurality of mismanagement metrics results from one or more mismanagement symptoms of the computer network, and where the traffic is monitored at the network level of the computer network;

aggregating the traffic of the computer network at the network level and identifying, from the aggregation, one or more correlations between the plurality of mismanagement metrics;

from among the identified one or more correlations between the plurality of mismanagement metrics, determining a unified mismanagement metric for the computer network, the unified mismanagement metric indicating a network-traffic level indication of the mismanagement of the computer network; and

storing the unified mismanagement metric for use in comparison to a listing of potential maliciousness attacks.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network security and robustness is analyzed by developing correlations among network maliciousness observations to determine attack susceptibility. Network traffic is analyzed at the autonomous system (AS) level, among connected Internet Protocol (IP) routing prefixes, to identify these observations. The traffic is monitored for any of a number of specified mismanagement metrics. Correlations among these metrics are determined and a unified network mismanagement metric is developed, indicating network susceptibility to potentially malicious attack.

Citations

28 Claims

1. A computer-implemented method for auditing a computer network to determine susceptibility to malicious attack, the method comprising:
- monitoring traffic of the computer network for a plurality of mismanagement metrics, where each of the plurality of mismanagement metrics results from one or more mismanagement symptoms of the computer network, and where the traffic is monitored at the network level of the computer network;
  
  aggregating the traffic of the computer network at the network level and identifying, from the aggregation, one or more correlations between the plurality of mismanagement metrics;
  
  from among the identified one or more correlations between the plurality of mismanagement metrics, determining a unified mismanagement metric for the computer network, the unified mismanagement metric indicating a network-traffic level indication of the mismanagement of the computer network; and
  
  storing the unified mismanagement metric for use in comparison to a listing of potential maliciousness attacks.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the plurality of mismanagement metrics are selected from the group consisting of Open Recursive Resolvers, DNS Source Port Randomization, Consistent A and PTR records, BGP Misconfiguration, Egress Filtering, Untrusted HTTPS Certificates, SMTP server relaying, Publicly-Available Out-of-band Management Cards, and open NTP servers.
  - 3. The method of claim 1, wherein aggregating the traffic of the computer network at the network level comprises aggregating traffic data collected from the autonomous system level of the computer network.
  - 4. The method of claim 1, wherein aggregating the traffic of the computer network at the network level comprises aggregating traffic data collected from an administrative boundary determined for the computer network.
  - 5. The method of claim 1, further comprising monitoring the computer network in real time.
  - 6. The method of claim 1, further comprising monitoring the computer network in periodic intervals or in response to triggering event.
  - 7. The method of claim 1, further comprising correlating the unified mismanagement metric with any of a plurality of potential malicious network attacks.
  - 8. The method of claim 7, wherein the plurality of potential malicious network attacks are selected from the group consisting of spam attacks, phishing attacks, malware attacks, and active attacks.
  - 9. The method of claim 7, wherein correlating the unified mismanagement metric with any of a plurality of potential malicious network attacks comprises:
    - aggregating a blacklist data table that stores data of the plurality of potential malicious network attacks;
      
      aggregating, at an autonomous system level, IP addresses for hosts within the computer network; and
      
      identifying those IP addresses resulting in mismanagement metrics that correlate to the aggregated blacklist data table.
  - 10. The method of claim 7, wherein correlating the unified mismanagement metric with any of a plurality of potential malicious network attacks comprises:
    - aggregating a blacklist data table that stores data of the plurality of potential malicious network attacks;
      
      aggregating, at a predetermined administrative boundary, IP addresses for hosts within the computer network; and
      
      identifying those IP addresses resulting in mismanagement metrics that correlate to the aggregated blacklist data table.
  - 11. The method of claim 1, further comprising:
    - comparing the unified network mismanagement metric for the computer network against mismanagement metrics for other computer networks; and
      
      determining a risk analysis rating based on the comparison.
  - 12. The method of claim 11, further comprising providing a warning to a user when the risk analysis rating is above a threshold value.
  - 13. The method of claim 11, further comprising communicating the risk analysis rating to an automated network management policy tool configured to automatically adjust network policy for the computer network in response to a level of the risk analysis rating.
  - 14. The method of claim 11, wherein the risk analysis rating an auditor security rating to give a third party auditing entity a real time assessment of security on the computer network.

15. A system comprising:
- one or more processors and one or more memories, the one or more memories storing instructions that when executed by the one or more processors, cause the one or more processors to;
  
  monitor, in a monitoring module stored in the one or more memories, traffic of the computer network for a plurality of mismanagement metrics, where each of the plurality of mismanagement metrics results from one or more mismanagement symptoms of the computer network, and where the traffic is monitored at the network level of the computer network;
  
  aggregate, in an aggregation module stored in the one or more memories, the traffic of the computer network at the network level and identify, in a correlation module, from among the aggregation, any correlations between the plurality of mismanagement metrics;
  
  from among the identified correlations between the plurality of mismanagement metrics, determine, in an assessment module, a unified mismanagement metric for the computer network, the unified mismanagement metric indicating a network-traffic level indication of the mismanagement of the computer network; and
  
  store the unified mismanagement metric for use in comparison to a listing of potential maliciousness attacks.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The system of claim 15, wherein the plurality of mismanagement metrics are selected from the group consisting of Open Recursive Resolvers, DNS Source Port Randomization, Consistent A and PTR records, BGP Misconfiguration, Egress Filtering, Untrusted HTTPS Certificates, SMTP server relaying, Publicly-Available Out-of-band Management Cards, and open NTP servers.
  - 17. The system of claim 15, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - collect traffic data an autonomous system level of the computer network; and
      
      aggregate traffic data collected from the autonomous system level of the computer network.
  - 18. The system of claim 15, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - aggregate traffic data collected from an administrative boundary determined for the computer network.
  - 19. The system of claim 15, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - monitor the computer network in real time.
  - 20. The system of claim 15, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - monitor the computer network in periodic intervals or in response to triggering event.
  - 21. The system of claim 15, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - correlate the unified mismanagement metric with any of a plurality of potential malicious network attacks.
  - 22. The system of claim 21, wherein the plurality of potential malicious network attacks are selected from the group consisting of spam attacks, phishing attacks, malware attacks, and active attacks.
  - 23. The system of claim 21, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - aggregate a blacklist data table that stores data of the plurality of potential malicious network attacks;
      
      aggregate, at an autonomous system level, IP addresses for hosts within the computer network; and
      
      identify those IP addresses resulting in mismanagement metrics that correlate to the aggregated blacklist data table.
  - 24. The system of claim 15, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - aggregate a blacklist data table that stores data of the plurality of potential malicious network attacks;
      
      aggregate, at a predetermined administrative boundary, IP addresses for hosts within the computer network; and
      
      identify those IP addresses resulting in mismanagement metrics that correlate to the aggregated blacklist data table.
  - 25. The system of claim 15, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - compare, in risk analysis module stored in the one or more memories, the unified network mismanagement metric for the computer network against mismanagement metrics for other computer networks; and
      
      determine, in risk analysis module stored in the one or more memories, a risk analysis rating based on the comparison.
  - 26. The system of claim 25, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - provide a warning to a user when the risk analysis rating is above a threshold value.
  - 27. The system of claim 25, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - communicate the risk analysis rating to an automated network management policy tool configured to automatically adjust network policy for the computer network in response to a level of the risk analysis rating.
  - 28. The system of claim 15, wherein the risk analysis rating an auditor security rating to give a third party auditing entity a real time assessment of security on the computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Board of Regents of the University of Michigan (University of Michigan)
Original Assignee
Board of Regents of the University of Michigan (University of Michigan)
Inventors
Liu, Mingyan, Karir, Manish, Zhang, Jing, Bailey, Michael, Durumeric, Zakir

Granted Patent

US 9,729,558 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1441 Countermeasures against mal...

NETWORK MALICIOUSNESS SUSCEPTIBILITY ANALYSIS AND RATING

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK MALICIOUSNESS SUSCEPTIBILITY ANALYSIS AND RATING

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links