Method and tool for network vulnerability analysis
Abstract
A computer system analysis tool and method that will allow for qualitative and quantitative assessment of security attributes and vulnerabilities in systems including computer networks. The invention is based on generation of attack graphs wherein each node represents a possible attack state and each edge represents a change in state caused by a single action taken by an attacker or unwitting assistant. Edges are weighted using metrics such as attacker effort, likelihood of attack success, or time to succeed. Generation of an attack graph is accomplished by matching information about attack requirements (specified in "attack templates") to information about computer system configuration (contained in a configuration file that can be updated to reflect system changes occurring during the course of an attack) and assumed attacker capabilities (reflected in "attacker profiles"). High risk attack paths, which correspond to those considered suited to application of attack countermeasures given limited resources for applying countermeasures, are identified by finding "epsilon optimal paths."
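The abstract describes three ingredients (attack templates, a configuration file, an attacker profile), a forward-chaining graph whose nodes are attacker states and whose edges are single template applications with a numeric weight, and a search for "epsilon optimal" paths, i.e. every start-to-goal path whose cost is within a factor (1 + epsilon) of the cheapest one. The Python below is an added illustration of that pipeline written for this page; it is not code from the Sandia tool or the patent. Every fact, template name, effort value and skill in it is constructed (a hypothetical "web" host with an unpatched HTTP service and an unpatched kernel, a "db" host with a default password and a trusted SSH key), chosen only to produce several paths of different cost. Edge weights here are attacker effort; success probabilities would be used the same way by taking -log(p) so that path cost stays additive.

```python
"""Toy attack-graph generator plus epsilon-optimal path enumeration.

Added illustration for this page, not the patented tool. All host facts,
templates, efforts and skills below are constructed for the example.
"""
import heapq
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Fact = Tuple[str, ...]
State = FrozenSet[Fact]                  # graph node: facts the attacker has established
Edge = Tuple[State, State, str, float]   # (from, to, template name, weight)


@dataclass(frozen=True)
class Template:
    """Attack template: state, configuration and profile preconditions, plus effect and cost."""
    name: str
    needs: FrozenSet[Fact]      # facts the attacker must already hold
    config: FrozenSet[Fact]     # facts the configuration file must contain
    skills: FrozenSet[str]      # capabilities the attacker profile must list
    grants: FrozenSet[Fact]     # facts gained on success
    effort: float               # edge weight (hours); -log(p_success) is an alternative

    def applies(self, state: State, cfg: FrozenSet[Fact], profile: FrozenSet[str]) -> bool:
        return (self.needs <= state and self.config <= cfg
                and self.skills <= profile and not self.grants <= state)


def build_graph(start: State, cfg: FrozenSet[Fact], profile: FrozenSet[str],
                templates: List[Template], is_goal: Callable[[State], bool]) -> List[Edge]:
    """Forward-chain templates from the start state; goal states are terminal."""
    edges: List[Edge] = []
    seen, frontier = {start}, [start]
    while frontier:
        s = frontier.pop()
        if is_goal(s):
            continue
        for t in templates:
            if t.applies(s, cfg, profile):
                nxt = s | t.grants              # strictly larger set: the graph is acyclic
                edges.append((s, nxt, t.name, t.effort))
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append(nxt)
    return edges


def dist_to_goal(edges: List[Edge], is_goal: Callable[[State], bool]) -> Dict[State, float]:
    """Reverse Dijkstra: cheapest remaining cost from every state to any goal state."""
    rev: Dict[State, List[Tuple[State, float]]] = {}
    nodes = set()
    for u, v, _, w in edges:
        rev.setdefault(v, []).append((u, w))
        nodes.update((u, v))
    dist = {n: 0.0 for n in nodes if is_goal(n)}
    tie = itertools.count()                     # frozensets are not totally ordered
    heap = [(0.0, next(tie), n) for n in dist]
    heapq.heapify(heap)
    while heap:
        d, _, v = heapq.heappop(heap)
        if d > dist.get(v, float("inf")):
            continue
        for u, w in rev.get(v, []):
            if d + w < dist.get(u, float("inf")):
                dist[u] = d + w
                heapq.heappush(heap, (d + w, next(tie), u))
    return dist


def epsilon_optimal_paths(edges: List[Edge], start: State, is_goal: Callable[[State], bool],
                          eps: float) -> Tuple[Optional[float], List[Tuple[float, Tuple[str, ...]]]]:
    """Every start-to-goal path with cost <= (1 + eps) * optimum, as (cost, template names).

    The reverse-Dijkstra distances give an exact lower bound on the remaining cost,
    so any prefix that cannot finish under the bound is pruned immediately.
    """
    h = dist_to_goal(edges, is_goal)
    if start not in h:                          # no path at all for this profile/config
        return None, []
    bound = (1 + eps) * h[start]
    out: Dict[State, List[Edge]] = {}
    for e in edges:
        out.setdefault(e[0], []).append(e)
    found: List[Tuple[float, Tuple[str, ...]]] = []

    def dfs(v: State, cost: float, path: List[str]) -> None:
        if is_goal(v):
            found.append((cost, tuple(path)))
            return
        for _, nxt, name, w in out.get(v, []):
            if nxt in h and cost + w + h[nxt] <= bound + 1e-9:
                dfs(nxt, cost + w, path + [name])

    dfs(start, 0.0, [])
    return h[start], sorted(found)


# ---- constructed sample data (hypothetical hosts "web" and "db") ----
def F(*parts: str) -> Fact:
    return tuple(parts)

CONFIG: FrozenSet[Fact] = frozenset({
    F("reachable", "internet", "web"), F("service", "web", "http", "unpatched"),
    F("reachable", "web", "db"), F("db", "default_password"),
    F("kernel", "web", "unpatched"), F("ssh_key", "web", "db"),
})
TEMPLATES = [
    Template("exploit_web_service", frozenset({F("access", "internet")}),
             frozenset({F("reachable", "internet", "web"), F("service", "web", "http", "unpatched")}),
             frozenset({"exploit_dev"}), frozenset({F("shell", "web", "www")}), 8.0),
    Template("db_default_password", frozenset({F("shell", "web", "www")}),
             frozenset({F("reachable", "web", "db"), F("db", "default_password")}),
             frozenset(), frozenset({F("shell", "db", "root")}), 2.0),
    Template("local_privesc", frozenset({F("shell", "web", "www")}),
             frozenset({F("kernel", "web", "unpatched")}),
             frozenset({"exploit_dev"}), frozenset({F("shell", "web", "root")}), 6.0),
    Template("ssh_key_reuse", frozenset({F("shell", "web", "root")}),
             frozenset({F("reachable", "web", "db"), F("ssh_key", "web", "db")}),
             frozenset(), frozenset({F("shell", "db", "root")}), 1.0),
]
START: State = frozenset({F("access", "internet")})
GOAL: Fact = F("shell", "db", "root")


def analyze(profile, eps: float):
    """Build the graph for one attacker profile and return (optimum, epsilon-optimal paths)."""
    edges = build_graph(START, CONFIG, frozenset(profile), TEMPLATES, lambda s: GOAL in s)
    return epsilon_optimal_paths(edges, START, lambda s: GOAL in s, eps)


if __name__ == "__main__":
    for prof, eps in (({"exploit_dev"}, 0.0), ({"exploit_dev"}, 0.5), ({"social_eng"}, 0.5)):
        print(prof, eps, analyze(prof, eps))
```

With the exploit-capable profile the optimum is 10 (exploit the web service, then log into the database with its default password); at epsilon = 0.5 the three-step route through local privilege escalation and the reused SSH key (cost 15) is also reported, while the 16-cost variant is pruned. A profile without `exploit_dev` yields no edges at all, which is the attacker-profile gating the abstract describes.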
- Inventors:
- Swiler, Laura Painton; Phillips, Cynthia A. (Albuquerque, NM)
- Issue Date:
- Research Org.:
- Sandia National Lab. (SNL-NM), Albuquerque, NM (United States)
- Sponsoring Org.:
- USDOE
- OSTI Identifier:
- 908549
- Patent Number(s):
- 7013395
- Application Number:
- 09/805,640
- Assignee:
- Sandia Corporation (Albuquerque, NM)
- Patent Classifications (CPCs):
- H04L (H - Electricity; H04 - Electric communication technique; H04L - Transmission of digital information, e.g. telegraphic communication)
- DOE Contract Number:
- AC04-94AL85000
- Resource Type:
- Patent
- Country of Publication:
- United States
- Language:
- English
- Subject:
- 97 MATHEMATICS AND COMPUTING
Citation Formats
Swiler, Laura Painton, and Phillips, Cynthia A. Method and tool for network vulnerability analysis. United States: N. p., 2006. Web. https://www.osti.gov/servlets/purl/908549.
Swiler, Laura Painton, & Phillips, Cynthia A. (2006). Method and tool for network vulnerability analysis. United States. https://www.osti.gov/servlets/purl/908549.
Swiler, Laura Painton, and Phillips, Cynthia A. "Method and tool for network vulnerability analysis". United States, 2006. https://www.osti.gov/servlets/purl/908549.
@article{osti_908549,
title = {Method and tool for network vulnerability analysis},
author = {Swiler, Laura Painton and Phillips, Cynthia A},
abstractNote = {A computer system analysis tool and method that will allow for qualitative and quantitative assessment of security attributes and vulnerabilities in systems including computer networks. The invention is based on generation of attack graphs wherein each node represents a possible attack state and each edge represents a change in state caused by a single action taken by an attacker or unwitting assistant. Edges are weighted using metrics such as attacker effort, likelihood of attack success, or time to succeed. Generation of an attack graph is accomplished by matching information about attack requirements (specified in "attack templates") to information about computer system configuration (contained in a configuration file that can be updated to reflect system changes occurring during the course of an attack) and assumed attacker capabilities (reflected in "attacker profiles"). High risk attack paths, which correspond to those considered suited to application of attack countermeasures given limited resources for applying countermeasures, are identified by finding "epsilon optimal paths."},
place = {United States},
year = {2006},
month = {3},
url = {https://www.osti.gov/servlets/purl/908549}
}
Works referenced in this record:
A graph-based system for network-vulnerability analysis
conference, January 1998
- Phillips, Cynthia; Swiler, Laura Painton
- Proceedings of the 1998 workshop on New security paradigms - NSPW '98
Models and tools for quantitative assessment of operational security
book, January 1996
- Dacier, M.; Deswarte, Y.; Kaâniche, M.
- Information Systems Security
Experimenting with quantitative evaluation tools for monitoring operational security
journal, January 1999
- Ortalo, R.; Deswarte, Y.; Kaâniche, M.
- IEEE Transactions on Software Engineering, Vol. 25, Issue 5
Shortest paths algorithms: Theory and experimental evaluation
journal, May 1996
- Cherkassky, Boris V.; Goldberg, Andrew V.; Radzik, Tomasz
- Mathematical Programming, Vol. 73, Issue 2
A graph-based network-vulnerability analysis system
report, January 1998
- Swiler, L. P.; Phillips, C.; Gaylor, T.
Approximation algorithms for shortest path motion planning
conference, January 1987
- Clarkson, K.
- Proceedings of the nineteenth annual ACM conference on Theory of computing - STOC '87
On suboptimal alignments of biological sequences
book, January 1993
- Naor, Dalit; Brutlag, Douglas
- Combinatorial Pattern Matching