K-zero day safety
Inventors
Jajodia, Sushil • Wang, Lingyu • Noel, Steven • Singhal, Anoop
Assignees
George Mason University • National Institute of Standards and Technology NIST • George Mason Intellectual Properties Inc • United States Department of Commerce
Publication Number
US-8918884-B2
Publication Date
2014-12-23
Expiration Date
2032-01-11
Abstract
Systems and methods for determining a safety level of a network vulnerable to attack from at least one origin to at least one target are described. Machines, components, and vulnerabilities in a network may be associated to one another. Degrees of similarity among the vulnerabilities may be determined and subsets of vulnerabilities may be grouped based on their determined degrees of similarity to one another. This data may be used to generate an attack graph describing exploitation of vulnerabilities and grouped vulnerabilities and defining vulnerability exploit condition relationships between at least one origin and at least one target. The attack graph may be analyzed using a k-zero day metric function to determine a safety level.
Core Innovation
The invention describes systems and methods for determining a safety level of a network vulnerable to attack from at least one origin to at least one target by analyzing and modeling the network's machines, components, and vulnerabilities. The approach involves associating machines with components and vulnerabilities, determining degrees of similarity among the vulnerabilities, grouping subsets based on these similarities, generating an attack graph describing exploitation of vulnerabilities from origins to targets, and analyzing the attack graph using a k-zero day metric function to determine the network's safety level.
The problem being solved addresses the challenge of evaluating and quantifying the security of networks against zero day vulnerabilities, which are unknown vulnerabilities that satisfy particular severe conditions. Existing network scanning and analysis methods may be insufficient to determine how many zero day exploits a network can resist. The invention provides a metric, the k-zero day metric, that measures the minimum number of distinct zero day exploits required to compromise an asset or network, enabling network hardening and providing conservative security estimates.
Claims Coverage
The patent contains two independent claims covering a method and a computer system for determining network safety against zero day exploits. The main inventive features involve processing network components and vulnerabilities, generating attack graphs, and applying the k-zero day metric to assess safety.
Associating machines, components, and vulnerabilities for attack modeling
The invention associates machines in a network to their components and associates each component with at least one of multiple vulnerabilities. It includes determining degrees of similarity among vulnerabilities and grouping subsets of vulnerabilities based on these similarities, where each group corresponds to a distinct zero day exploit.
Generating and analyzing attack graphs using a k-zero day metric
An attack graph is generated that describes exploitation of vulnerabilities and defines exploit-condition relationships between origin and target components. The attack graph is analyzed using a k-zero day metric function to determine the minimum number of distinct zero day exploits required to compromise the target starting from the origin.
Determining safety level based on the k-zero day metric analysis
The safety level is determined based on the analysis of the attack graph using the k-zero day metric function, indicating either the minimum number of distinct zero day exploits needed to compromise the target or whether the target is safe from compromise by a specified number of distinct zero day exploits.
Computer structure enabling k-zero day safety determination
The system claim covers a computer with a processor constructed and arranged to associate machines with components and vulnerabilities, determine degrees of similarity, group vulnerabilities, generate attack graphs, analyze them using the k-zero day metric, and determine the safety level accordingly.
The claims collectively cover the method and system for associating network elements, analyzing vulnerabilities grouped by similarity, generating attack graphs, and applying a k-zero day metric to determine network safety levels, including verifying if the network or target is safe against a given number of distinct zero day exploits.
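The following added example (written here to illustrate the claimed procedure; it is not code from the patent or its inventors) walks through the three claimed steps on a constructed network: vulnerabilities are grouped by similarity into distinct zero-day exploits, the attack graph is searched for the fewest distinct groups needed to reach a target, and the result is turned into a k-zero day safety decision. Host names, services and the "hardened" variant are assumptions made up for the example.

```python
from itertools import combinations

# Constructed example network, not the patent's own data. An attack-graph edge
# (source_host, destination_host, service) means source can reach that service
# on destination, and a zero-day exploit for the service is assumed to exist.
NETWORK = [
    ("attacker", "web", "http"),  # DMZ web server exposed to the outside
    ("attacker", "web", "ssh"),
    ("web", "app", "http"),       # app tier runs the same http stack as web
    ("app", "db", "db"),          # database reachable only from the app tier
]

# Hypothetical hardening: the app tier moves to a different product, so its
# service no longer falls in the same similarity group as the web tier's http.
HARDENED = [("web", "app", "app_rpc") if e == ("web", "app", "http") else e
            for e in NETWORK]

def group_vulnerabilities(edges):
    """Similarity grouping: vulnerabilities in the same service are treated as
    one distinct zero-day, so exploiting it on a second host costs nothing extra."""
    return {edge: edge[2] for edge in edges}

def compromised_hosts(edges, groups, allowed, origin):
    """Fixpoint over the attack graph using only exploits from allowed groups."""
    owned = {origin}
    changed = True
    while changed:
        changed = False
        for edge in edges:
            src, dst, _ = edge
            if groups[edge] in allowed and src in owned and dst not in owned:
                owned.add(dst)
                changed = True
    return owned

def k_zero_day(edges, origin, target):
    """k-zero day metric: fewest distinct zero-day groups whose exploits reach
    target from origin. Returns (k, groups); k is None when no combination
    reaches the target at all (the metric is then unbounded)."""
    groups = group_vulnerabilities(edges)
    distinct = sorted(set(groups.values()))
    for k in range(len(distinct) + 1):
        for subset in combinations(distinct, k):  # exhaustive; fine for small graphs
            if target in compromised_hosts(edges, groups, set(subset), origin):
                return k, set(subset)
    return None, set()

def is_k_safe(edges, origin, target, k):
    """k-zero day safety: target cannot be compromised with k or fewer zero-days."""
    found, _ = k_zero_day(edges, origin, target)
    return found is None or found > k
```

On the baseline network the database falls to two distinct zero-days (http reused on two hosts, then db); diversifying the app tier raises the metric to three, which is the hardening effect the advantages section describes.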
Stated Advantages
Provides a conservative metric to quantify network resistance against multiple distinct zero day vulnerabilities, enabling more accurate security evaluation.
Allows differentiation of network security risk levels based on the minimum number of zero day exploits required to compromise targets, which is not discernible by traditional analysis.
Enables network hardening efforts by identifying the impact of added security controls on increasing the k-zero day metric and thus improving safety.
Supports analysis of complex attack sequences involving multiple hosts, services, and security components, including outsiders and insider attacks.
Documented Applications
Determining k-zero day safety for network assets to guide security hardening and configuration to improve resistance against zero day attacks.
Evaluating relative security risk of different networks or network configurations by computing the minimum number of distinct zero day vulnerabilities required to compromise given targets.
Generating visual representations of attack graphs for network vulnerability analysis.
Application in cloud networks for demonstrating network security levels to attract customers by showing higher k-zero day safety.