Network maliciousness susceptibility analysis and rating

US 9,729,558 B2
Filed: 02/20/2015
Issued: 08/08/2017
Est. Priority Date: 02/21/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for auditing a computer network to determine susceptibility to malicious cyber attacks, the method comprising:

actively querying individual hosts of the computer network via data communications that are separate from data traffic sent to and received by the individual hosts during normal operation;

analyzing network data collected in response to the queries for a presence of a plurality of mismanagement and misconfiguration symptoms represented by a range of mismanagement metrics associated with the individual hosts within the computer network the plurality of mismanagement and misconfiguration symptoms being indicative of a failure to implement adequate network security practices or a deviation from known best security practices;

aggregating the range of mismanagement metrics associated with the individual hosts within the computer network at a particular network level granularity including (i) an autonomous system (AS) level, (ii) a network prefix level, (iii) an enterprise network level, or (iv) an arbitrarily-defined network level, the particular network level granularity being based upon the range of mismanagement metrics and which of the plurality of mismanagement and misconfiguration symptoms are available at a particular network granularity;

identifying, from the aggregation of the range of mismanagement metrics, one or more correlations between the plurality of mismanagement and misconfiguration symptoms and the range of mismanagement metrics;

from among the identified one or more correlations between the range of mismanagement metrics, determining a unified mismanagement metric for the computer network, the unified mismanagement metric indicating a network level of the mismanagement of the computer network that represents a susceptibility of the computer network to malicious cyber attacks as a combination of susceptibilities of the individual hosts to malicious cyber attacks; and

storing the unified mismanagement metric for use in comparison to a listing of potential malicious cyber attacks.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network security and robustness is analyzed by developing correlations among network maliciousness observations to determine attack susceptibility. Network traffic is analyzed at the autonomous system (AS) level, among connected Internet Protocol (IP) routing prefixes, to identify these observations. The traffic is monitored for any of a number of specified mismanagement metrics. Correlations among these metrics are determined and a unified network mismanagement metric is developed, indicating network susceptibility to potentially malicious attack.

18 Citations

View as Search Results

28 Claims

1. A computer-implemented method for auditing a computer network to determine susceptibility to malicious cyber attacks, the method comprising:
- actively querying individual hosts of the computer network via data communications that are separate from data traffic sent to and received by the individual hosts during normal operation;
  
  analyzing network data collected in response to the queries for a presence of a plurality of mismanagement and misconfiguration symptoms represented by a range of mismanagement metrics associated with the individual hosts within the computer network the plurality of mismanagement and misconfiguration symptoms being indicative of a failure to implement adequate network security practices or a deviation from known best security practices;
  
  aggregating the range of mismanagement metrics associated with the individual hosts within the computer network at a particular network level granularity including (i) an autonomous system (AS) level, (ii) a network prefix level, (iii) an enterprise network level, or (iv) an arbitrarily-defined network level, the particular network level granularity being based upon the range of mismanagement metrics and which of the plurality of mismanagement and misconfiguration symptoms are available at a particular network granularity;
  
  identifying, from the aggregation of the range of mismanagement metrics, one or more correlations between the plurality of mismanagement and misconfiguration symptoms and the range of mismanagement metrics;
  
  from among the identified one or more correlations between the range of mismanagement metrics, determining a unified mismanagement metric for the computer network, the unified mismanagement metric indicating a network level of the mismanagement of the computer network that represents a susceptibility of the computer network to malicious cyber attacks as a combination of susceptibilities of the individual hosts to malicious cyber attacks; and
  
  storing the unified mismanagement metric for use in comparison to a listing of potential malicious cyber attacks.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the range of mismanagement metrics associated with the individual hosts include one or more of Open Recursive Resolvers, DNS Source Port Randomization, Consistent A and PTR records, BGP Misconfiguration, Egress Filtering, Untrusted HTTPS Certificates, SMTP server relaying, Publicly-Available Out-of-band Management Cards, and open NTP servers.
  - 3. The method of claim 1, wherein aggregating the range of mismanagement metrics associated with the individual hosts of the computer network at the particular network level granularity comprises aggregating the range of mismanagement metrics collected from the AS level of the computer network.
  - 4. The method of claim 1, wherein aggregating the range of mismanagement metrics associated with the individual hosts of the computer network at the particular network level granularity comprises aggregating the range of mismanagement metrics collected from an administrative boundary determined for the computer network.
  - 5. The method of claim 1, further comprising:
    - analyzing the network data collected in response to the queries in real time.
  - 6. The method of claim 1, further comprising:
    - analyzing the network data collected in response to the queries in periodic intervals or in response to a triggering event.
  - 7. The method of claim 1, further comprising:
    - correlating the unified mismanagement metric with any of a plurality of potential malicious cyber attacks.
  - 8. The method of claim 7, wherein the plurality of potential malicious cyber attacks include one or more of spam attacks, phishing attacks, malware attacks, and active attacks.
  - 9. The method of claim 7, wherein correlating the unified mismanagement metric with any of a plurality of potential malicious cyber attacks comprises:
    - aggregating a blacklist data table that stores data of the plurality of potential malicious cyber attacks;
      
      aggregating, at an autonomous system level, IP addresses for the individual hosts within the computer network; and
      
      identifying those IP addresses resulting in mismanagement metrics that correlate to the aggregated blacklist data table.
  - 10. The method of claim 7, wherein correlating the unified mismanagement metric with any of a plurality of potential malicious cyber attacks comprises:
    - aggregating a blacklist data table that stores data of the plurality of potential malicious cyber attacks;
      
      aggregating, at a predetermined administrative boundary, IP addresses for the individual hosts within the computer network; and
      
      identifying those IP addresses resulting in mismanagement metrics that correlate to the aggregated blacklist data table.
  - 11. The method of claim 1, further comprising:
    - comparing the unified network mismanagement metric for the computer network against mismanagement metrics for other computer networks; and
      
      determining a risk analysis rating based on the comparison.
  - 12. The method of claim 11, further comprising:
    - providing a warning to a user when the risk analysis rating is above a threshold value.
  - 13. The method of claim 11, further comprising:
    - communicating the risk analysis rating to an automated network management policy tool configured to automatically adjust network policy for the computer network in response to a level of the risk analysis rating.
  - 14. The method of claim 11, further comprising:
    - calculating a security rating based upon the risk analysis rating to give a third party auditing entity a real time assessment of security on the computer network.

15. A system for auditing a computer network to determine susceptibility to malicious cyber attacks, comprising:
- one or more processors and one or more memories, the one or more memories storing instructions that when executed by the one or more processors, cause the one or more processors to;
  
  actively query, in a monitoring module stored in the one or more memories, individual hosts of the computer network via data communications that are separate from data traffic sent to and received by the individual hosts during normal operation;
  
  analyzing network data collected in response to the queries for a presence of a plurality of mismanagement and misconfiguration symptoms represented by a range of mismanagement metrics associated with the individual hosts within the computer network, the plurality of mismanagement and misconfiguration symptoms being indicative of a failure to implement adequate network security practices or a deviation from known best security practices;
  
  aggregate, in an aggregation module stored in the one or more memories, the range of mismanagement metrics associated with the individual hosts within the computer network at a particular network level granularity including (i) an autonomous system (AS) level, (ii) a network prefix level, (iii) an enterprise network level, or (iv) an arbitrarily-defined network level, the particular network level granularity being based upon the range of mismanagement metrics and which of the plurality of mismanagement and misconfiguration symptoms are available at a particular network granularity;
  
  identify, in a correlation module, from among the aggregation of the range of mismanagement metrics, one or more correlations between the plurality of mismanagement and misconfiguration symptoms and the range of mismanagement metrics;
  
  from among the identified correlations between the range of mismanagement metrics, determine, in an assessment module, a unified mismanagement metric for the computer network, the unified mismanagement metric indicating a network level indication of the mismanagement of the computer network that represents a susceptibility of the computer network to malicious cyber attacks as a combination of susceptibilities of the individual hosts to malicious cyber attacks; and
  
  store the unified mismanagement metric for use in comparison to a listing of potential malicious cyber attacks.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The system of claim 15, wherein the range of mismanagement metrics associated with the individual hosts include one or more of Open Recursive Resolvers, DNS Source Port Randomization, Consistent A and PTR records, BGP Misconfiguration, Egress Filtering, Untrusted HTTPS Certificates, SMTP server relaying, Publicly-Available Out-of-band Management Cards, and open NTP servers.
  - 17. The system of claim 15, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - aggregate the range of mismanagement metrics associated with the individual hosts of the computer network by aggregating the range of mismanagement metrics collected from the AS level of the computer network.
  - 18. The system of claim 15, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - aggregate the range of mismanagement metrics associated with the individual hosts of the computer network by aggregating the range of mismanagement metrics collected from an administrative boundary determined for the computer network.
  - 19. The system of claim 15, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - analyze the network data collected in response to the queries in real time.
  - 20. The system of claim 15, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - analyze the network data collected in response to the queries in periodic intervals or in response to a triggering event.
  - 21. The system of claim 15, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - correlate the unified mismanagement metric with any of a plurality of potential malicious cyber attacks.
  - 22. The system of claim 21, wherein the plurality of potential malicious cyber attacks include one or more of spam attacks, phishing attacks, malware attacks, and active attacks.
  - 23. The system of claim 21, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - aggregate a blacklist data table that stores data of the plurality of potential malicious cyber attacks to provide an aggregated blacklist data table;
      
      aggregate, at an autonomous system level, IP addresses for individual hosts within the computer network; and
      
      identify those IP addresses resulting in mismanagement metrics that correlate to the aggregated blacklist data table.
  - 24. The system of claim 21, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - aggregate a blacklist data table that stores data of the plurality of potential malicious cyber attacks to provide an aggregated blacklist data table;
      
      aggregate, at a predetermined administrative boundary, IP addresses for individual hosts within the computer network; and
      
      identify those IP addresses resulting in mismanagement metrics that correlate to the aggregated blacklist data table.
  - 25. The system of claim 15, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - compare, in risk analysis module stored in the one or more memories, the unified network mismanagement metric for the computer network against mismanagement metrics for other computer networks; and
      
      determine, in risk analysis module stored in the one or more memories, a risk analysis rating based on the comparison.
  - 26. The system of claim 25, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - provide a warning to a user when the risk analysis rating is above a threshold value.
  - 27. The system of claim 25, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - communicate the risk analysis rating to an automated network management policy tool configured to automatically adjust network policy for the computer network in response to a level of the risk analysis rating.
  - 28. The system of claim 25, the one or more memories storing further instructions that when executed by the one or more processors, cause the one or more processors to:
    - calculate a security rating based upon the risk analysis rating to give a third party auditing entity a real time assessment of security on the computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Board of Regents of the University of Michigan (University of Michigan)
Original Assignee
Board of Regents of the University of Michigan (University of Michigan)
Inventors
Liu, Mingyan, Bailey, Michael, Karir, Manish, Zhang, Jing, Durumeric, Zakir
Primary Examiner(s)
GOODCHILD, WILLIAM J

Application Number

US14/627,736
Publication Number

US 20160065620A1
Time in Patent Office

900 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1441 Countermeasures against mal...

Network maliciousness susceptibility analysis and rating

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Network maliciousness susceptibility analysis and rating

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links