US2017329975A1PendingUtilityA1

Threat and defense evasion modeling system and method

42
Assignee: NSS LABS INCPriority: Apr 23, 2014Filed: May 26, 2017Published: Nov 16, 2017
Est. expiryApr 23, 2034(~7.8 yrs left)· nominal 20-yr term from priority
G06F 2221/034G06F 21/577
42
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A system and method for modeling viable threats and for evading deployed defenses on a network are described. As a defensive tool used for threat modeling, the system and method allows those responsible for the safety of their critical infrastructure and intellectual property to have a clear view of all failures in the security countermeasure products they have deployed. As an offensive tool used for defense evasion modeling, the system and method can be used to quickly ascertain a viable attack vector, select exploitation code, and cross-reference those exploits that will bypass every layer of countermeasure technologies to commercially- and publicly-accessible crimeware and security testing tools.

Claims

exact text as granted — not AI-modified
1 . A method for modeling computer and network threats, comprising:
 receiving information about an entity that is to be protected from threats, the entity being one of an application and an operating system;   receiving information about one or more security products for protecting the entity;   modeling each security product to identify one or more exploits that are not stopped by the security product; and   displaying a graphical output of a representation of the one or more security products for protecting the entity and a plurality of known exploits and each exploit is linked to one or more of the security products, each security product having an icon and a particular security product having an indication that more exploits are linked to the particular security product that other security products.   
     
     
         2 . The method of  claim 1 , wherein modeling each security product further comprises using a transform for modeling each security product. 
     
     
         3 . The method of  claim 2 , wherein using the transform for modeling each security product further comprises correlating failures of security products to stop a particular exploit. 
     
     
         4 . The method of  claim 1  further comprising indicating each security product that best protects the entity against the one or more exploits. 
     
     
         5 . The method of  claim 1  further comprising indicating the one or more exploits used to threaten the entity. 
     
     
         6 . The method of  claim 1 , wherein the modeling models one of attacker initiated attacks and target initiated attacks. 
     
     
         7 . The method of  claim 1  further comprising generating correlated failures in the one or more security products to detect an exploit that is not stopped by the one or more security products. 
     
     
         8 . The method of  claim 1  further comprising indicating if the one or more exploits are in a crimeware kit. 
     
     
         9 . The method of  claim 1  further comprising generating a common vulnerabilities and exposures (CVE) data for each exploit. 
     
     
         10 . The method of  claim 9  further comprising displaying the security products known to fail to detect an exploit with the CVE data. 
     
     
         11 . The method of  claim 1  further comprising using the modeling as one of an offensive tool and a defensive tool. 
     
     
         12 . The method of  claim 11 , wherein using the modeling as an offensive tool further comprises identifying one or more tools that bypass the one or more security products. 
     
     
         13 . An apparatus for modeling computer and network threats, comprising:
 a computer system having a processor, a memory and a plurality of lines of instructions that is configured to:   receive information about an entity that is to be protected from threats, the entity being one of an application and an operating system and to receive information about one or more security products for protecting the entity;   model each security product to identify one or more exploits that are not stopped by the security product; and   display a graphical output of a representation of the one or more security products for protecting the entity and a plurality of known exploits and each exploit is linked to one or more of the security products, each security product having an icon and a particular security product having an indication that more exploits are linked to the particular security product that other security products.   
     
     
         14 . The apparatus of  claim 13 , wherein the processor configured to model each security product further comprises the processor configured to use a transform for modeling each security product. 
     
     
         15 . The apparatus of  claim 14 , wherein processor configured to use the transform further comprises the processor configured to correlate failures of security products to stop a particular exploit. 
     
     
         16 . The apparatus of  claim 13 , wherein the processor is configured to indicate each security product that best protects the entity against the one or more exploits. 
     
     
         17 . The apparatus of  claim 13 , wherein the processor is configured to indicate the one or more exploits used to threaten the entity. 
     
     
         18 . The apparatus of  claim 13 , wherein the processor is configured to generate correlated failures in the one or more security products to detect an exploit that is not stopped by the one or more security products. 
     
     
         19 . The apparatus of  claim 13 , wherein the processor is configured to indicate if the one or more exploits are in a crimeware kit. 
     
     
         20 . The apparatus of  claim 13 , wherein the processor is configured to generate a common vulnerabilities and exposures (CVE) data for each exploit. 
     
     
         21 . The apparatus of  claim 20 , wherein the processor is configured to display the security products known to fail to detect an exploit with the CVE data. 
     
     
         22 . The apparatus of  claim 13 , wherein the processor is configured to be used as one of an offensive tool and a defensive tool. 
     
     
         23 . The apparatus of  claim 22 , wherein the processor is configured to identify one or more tools that bypass the one or more security products when used as the offensive tool. 
     
     
         24 . The apparatus of  claim 13 , wherein the threat modeling component is remote from the entity being protected. 
     
     
         25 . The apparatus of  claim 13 , wherein the threat modeling component is embedded in a network to which the entity to be protected is connected.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.