US20090172813A1 - Non-Invasive Monitoring of the Effectiveness of Electronic Security Services - Google Patents
Non-Invasive Monitoring of the Effectiveness of Electronic Security Services Download PDFInfo
- Publication number
- US20090172813A1 US20090172813A1 US12/390,766 US39076609A US2009172813A1 US 20090172813 A1 US20090172813 A1 US 20090172813A1 US 39076609 A US39076609 A US 39076609A US 2009172813 A1 US2009172813 A1 US 2009172813A1
- Authority
- US
- United States
- Prior art keywords
- module
- attack
- network
- customer
- attacks
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
Definitions
- the present invention is generally related to electronic security services and, more particularly, is related to the non-invasive monitoring of the effectiveness of electronic security services.
- Electronic security services such as anti-virus protection, hacker intrusion detection, electronic privacy protection and firewalls are technically complicated and difficult for customers to understand. Due to this complexity, it is also extremely difficult for customers or providers of electronic security services to verify that such services are in fact properly protecting the customers as intended. Furthermore, it is particularly difficult to effect such verification in a way that does not seriously inconvenience the customer or significantly degrade the customer's service, at least temporarily.
- the preferred embodiments of the present invention provide a system and method for the non-invasive monitoring of the effectiveness of a customer's electronic security services.
- one embodiment of the system can be implemented to include a test generation engine for generating and launching a denatured attack towards a customer's network, an agent operatively coupled to the test generation engine, the agent adapted to monitor and evaluate the denatured attack, and a recording and analysis engine operatively coupled to the test generation engine and the agent to record and analyze the results of the denatured attack.
- the present invention can also be viewed as providing methods for the non-invasive monitoring of the effectiveness of electronic security services on a customer's network.
- one embodiment of such a method can be broadly summarized by the following steps: launching a denatured attack over a communications network toward a monitored customer's network, and analyzing results of the denatured attack.
- FIG. 1 is a block diagram of a preferred embodiment of a system for the non-invasive monitoring of electronic security services.
- FIG. 2 is a table listing illustrative examples of attack modules included in a hacker toolkit available on the Internet.
- FIG. 3 is a table listing illustrative examples of user-selectable attacks.
- FIG. 4 is a flow chart of an embodiment of an implementation of a generic attack.
- FIG. 5 is a table listing illustrative examples of attacks.
- FIG. 6 is a block diagram depicting a generic computer or processor-based system that can be used to implement a preferred embodiment of each of a monitoring and evaluation agent, test generation engine and recording and evaluation engine of the system for the non-invasive monitoring of an electronic security services.
- FIG. 7 is a block diagram depicting a preferred embodiment of logic of a monitoring and evaluation agent of the system for the non-invasive monitoring of electronic security services.
- FIG. 8 is a block diagram depicting a preferred embodiment of logic of a test generation engine of the system for the non-invasive monitoring of electronic security services.
- FIG. 9 is a block diagram depicting a preferred embodiment of logic of a recording and analysis engine of the system for the non-invasive monitoring of an electronic security services.
- FIG. 10 is a block diagram of a preferred embodiment of an illustrative example of altering a harmful code in a virus or mal-ware code.
- FIG. 11 is a block diagram preferred embodiment of an illustrative example of denaturing a bad data packet.
- FIG. 12 is a flow chart depicting general functionality of a preferred embodiment of a system for the non-invasive monitoring of electronic security services.
- FIGS. 13A and 13B are flow charts depicting more specific functionality of a preferred embodiment of a system for the non-invasive monitoring of electronic security services.
- an example system that can be used to implement the non-invasive monitoring of the effectiveness of an electronic security service is discussed with reference to the figures.
- this system is described in detail, it will be appreciated that this system is provided for purposes of illustration only and that various modifications are feasible without departing from the inventive concept.
- an example of operation of the system will be provided to explain the manner in which the system can be used to provide the non-invasive monitoring of electronic security service.
- FIG. 1 is a block diagram of a preferred embodiment of a system 10 for the non-invasive monitoring of an electronic security service.
- the system 10 includes customer networks 11 , 12 , and 13 configured to communicate with a provider network 14 .
- the provider network 14 can be provided and managed by a telecommunications company, such as BellSouth, Inc.
- the provider network 14 typically includes a central office 16 among other components.
- the central office 16 is a location that houses telecommunications equipment such as network switches and facility equipment.
- the central office 16 is linked to other central office(s) 18 in the provider network 14 using a telecommunications transport network 20 .
- Personnel located within the central offices 16 , 18 install, maintain, disconnect, monitor and troubleshoot equipment, facilities and services in the central office 16 , 18 .
- Central office personnel, or personnel in special central offices called “data centers,” can also provide electronic security services to customers.
- the central office 16 , 18 includes a variety of equipment for servicing customers such as routers 22 .
- Routers can be a separate device, or software in a computer, that directs information such as data packets, from one destination to another.
- the router 22 connects to the customer networks 11 , 12 , and 13 , and then provider network 14 , and determines which way to send each information data packet.
- a core router 24 in the provider network 14 can accept information data packets from a plurality of routers 22 and route them to a destination such as a centralized router 26 .
- the centralized router 26 can be located in a specialized central office such as a data center or a network operations center, or the central office 16 , 18 .
- the network operations center is a facility responsible for managing and monitoring network resources and includes tools and resources used to accomplish those activities.
- the data center is a facility that manages a customer's data needs.
- the customer networks 11 , 12 , and 13 also includes routers 28 for routing information data packets from computing devices, such as personal computers 30 , servers 32 , or from other routers 28 .
- the customer networks 11 , 12 and 13 includes any devices or resources attached to that network.
- MEA 34 attacks on the customer networks 11 , 12 and 13 are monitored and evaluated by a monitoring and evaluation agent (MEA) 34 .
- the MEA 34 can couple to routers 28 , servers 32 and personal computers 30 (as well as special computers known as firewalls, intrusion detection systems, etc.).
- MEAs 34 serve to detect and monitor the local effects of attacks that are either launched from the provider network 14 or initiated by the MEA 34 itself in accordance with a test list and schedule received by the MEA 34 .
- a test generation engine (TGE) 36 performs the attacks launched from the provider network 14 .
- the TGE 36 serves to generate tests based on test definitions and scheduling information received from a recording and analysis engine (RAE) 38 .
- the TGE 36 launches those tests against the customer's network of personal computers 30 , servers 32 , and MEAs 34 .
- the TGE 36 preferably handshakes with the MEAs 34 as needed to start and stop the test cycle.
- the RAE 38 serves to schedule tests, analyze and evaluate the test results collected from the MEAs 34 .
- the RAE 38 also provides user interaction capability.
- Authentication and encryption protects communication between the TGE 36 , RAE 38 and MEA 34 .
- authentication and encryption includes an IP security protocol (IPsec) for authentication, encryption and message integrity.
- IPsec IP security protocol
- SSL Secure Sockets Layer
- the TGE 36 generates and launches test attacks over the network toward the monitored customer's network 11 , 12 and 13 .
- the attacks are “denatured” meaning the attack has been rendered harmless but remains in a format as close as possible to an actual attack so that the attack resembles an actual attack.
- denaturing an attack a sufficient amount of the harmful appearance of the attack is preserved for the attack to still be recognizable, especially by the technical methods used by security services present. Further, in denaturing attacks, only minimum changes are made that are necessary to remove actual harm to the customer's target systems.
- the customer's security resources and/or protections should still perform as if the denatured attack is an actual (i.e., non-denatured) attack, so that the customer's protections will still block/stop/deny the denatured attack.
- the denaturing is performed so as to remove actual chances of harm, but is done in a way that “fools” the customer's protective measures, e.g., firewalls, antiviruses, intrusion detection systems, etc.
- a preferred method is to test the customer's protective measures by arranging the denaturing such that the customer's protective measures perform as if the attack is harmful, even though it is no longer harmful. Therefore, the denatured attack should appear to any security services present as if it has not been denatured.
- the attacks can be “denatured” in various ways including for example, (1) altering codes in a virus, trojan, etc. in order to render these harmless (although minimum alteration is used such that the virus, trojan, etc. would still be recognizable to code/signature checkers, which may depend on certain strings of code within the virus, trojan, etc. to be intact in order to recognize them); (2) replacing the virus, trojan, etc.
- dummy code which acts externally the same (e.g., uses same ports, sends similar message, mimics actions except for those aspects which are harmful) in order that the dummy does no harm but otherwise is identical in important ways; and (3) for network-based attacks, replacing harmful bits in a “bad” or “malformed” packet, or sequences of bits in sequences of packets, with special codes so that reception can be verified but damage avoided.
- the packets or packet sequences cannot be changed in certain attacks which depend on and exploit responses to such packets (rather than relying on damage caused directly by the packet or packet sequence)
- the packets can be unaltered but the response or subsequent action (which (which would normally cause the pertinent damage) can be altered so that no actual harm accrues.
- denaturing by “indirection” or “redirection” could also be done.
- the attack is changed such that, instead of targeting a resource (computer, server, etc.) within the customer's network, it is modified to target a nearby MEA 34 .
- This approach is useful where it is impossible or undesirable to alter the harmful portion of the attack itself, but by redirecting it the original target can be removed from harm while the security services intervening between the TGE 36 and MEA 34 which are being tested will still encounter, and should recognize, the attack (such that the test remains valid).
- TGE 36 As new attacks are discovered, analyzed and denatured, they can be incorporated into the test/attack catalog of the TGE 36 . Where appropriate, multiple TGEs 36 communicate with one another. This may be appropriate when certain specific attacks are by nature coordinated and need to originate from multiple sources.
- the TGE 36 communicates with the MEA 34 .
- the TGE 36 communicates with the MEA 34 when the MEA 34 requires advance knowledge of a planned test in order to properly monitor results.
- multiple TGEs 36 are used when the monitored security service involves multiple components that require monitoring.
- monitored components include MEAs 34 placed on or near firewalls, intrusion detection systems, deceptions hosts (also referred to as “honeypots”), computer hosts, PCs, mainframes.
- Multiple TGEs 36 may be used in a hierarchical architecture, for instance, multiple TGEs 36 controlled and coordinated by one central scheduler, which may be part of the centralized RAE 38 . Multiple TGEs 36 can more effectively cover multiple portions of a large network while avoiding undesired interactions with security measures which may be in place.
- TGEs 36 are placed close to customers so as to avoid attacks being blocked by the provider's own security protections, rather than the customer's own security services which are intended to be monitored/tested.
- the provider is likely to have various security protections in place in its own network, such as firewalls, intrusion detection, etc.
- the attacks launched by the TGEs 36 should not encounter any of these during testing (unless these are to be monitored/tested as well) since they may block the attack before it ever reaches the customer's security protection, resulting in misleading results (which, in effect, measure the provider's security rather than the customer's).
- FIG. 2 is a table 40 listing illustrative examples of attack modules included in a hacker toolkit available on the Internet.
- Toolkits can be software applications, but usually run on operating systems, for instance, Linux or Unix, instead of systems such as Microsoft Windows.
- FIG. 2 shows examples of attack modules available in a toolkit, however, numerous alternative embodiments of toolkits exist, and range from simple to very complex and elaborate.
- the toolkits often include a set of individual attack types which can be selected by the user (i.e., the hacker), either manually or as part of an automated “attack script.”
- FIG. 3 is a table 42 listing illustrative examples of user-selectable attacks.
- the individual attack names listed in FIG. 3 such as ice, teardrop, boink, jolt, land, nestea, newtear, etc., are examples of attack types that can be launched individually or included in one software program.
- attack types that can be launched individually or included in one software program.
- some of these attacks are built upon other less complex attacks (i.e., some complex attacks are specific sequences of basic attacks), and many types of variants exist. New attack types are being constantly generated using widely available software tools and modules.
- the attacks consist of the transmission of various malformed packets, malformed network protocol interchanges, viruses, Trojan or backdoor software, mobile code (java, javascript, etc.), or any other transmission which is intended to discover and/or take advantage of potential vulnerabilities in a target system, e.g., customer's network 11 , 12 and 13 .
- FIG. 4 is a flow chart of an embodiment of an implementation of a generic attack.
- the process begins at step 44 .
- the hacker performs a “reconnaissance” activity. Reconnaissance involves broadly gathering information to identify existing network resources. The hacker also attempts to identify a subset of the network resources, which represents potential attack targets. Further, the hacker attempts to identify potential avenues of attack.
- step 48 “sniffing” occurs. Sniffing is passively gathering detailed data, usually by surreptitiously installing special software on a network entity (computer, router, etc.) which listens to all traffic passing by, making all information which was previously internal to the network now available to the intruder. This step may also include “scanning,” or actively gathering detailed data. Scanning is similar technically to reconnaissance probes, in that information is gathered from responses received to various packets transmitted. A difference is that the scanning is done from inside the network being intruded upon.
- the intruder has much greater access to the network, and can gather much more information (of a much more sensitive nature since the hacker is now inside the perimeter protections, such as firewalls, such that the information obtained can be much more useful to the hacker).
- Sniffing is used to support one or more subsequent specific attacks (e.g., directed attacks). Sniffing and scanning may range from gathering information on specific IP addresses to the types of traffic and protocol elements being passed between nodes. elements being passed between nodes. This step may also include approaches such as “social engineering” or “dumpster diving” to gather passwords and other sensitive information.
- a specific “directed” attack occurs.
- the directed attack may generally include, (a) Denial of Service, (DoS) (b) “trawling” or otherwise gathering sensitive/valuable directory data, and (c) theft of service or service fraud.
- customer privacy can be a concern, although this is not generally thought of as an “attack” per se.
- Bad packet attacks aimed against specific targets could be considered separately or considered to be DoS attack.
- Web page exploits, viruses, trojans, and other mal-ware program infestations would be considered to be “passive” attacks since they have to be initiated by the target itself. The virus waits passively to be retrieved, and only after retrieval and activation does the actual attack begin. On the other hand, worms, spread on their own.
- worms do not have to be retrieved by the target but rather actively seek out subsequent targets from each site of infection. Worms automate the steps shown in FIG. 4 , and thereby continue to repeatedly spread from each subsequent target attacked and infected. The process ends at step 52 .
- the steps shown in FIG. 4 occur in sequence over a period less than 24 hours.
- the steps of FIG. 4 may be combined when the attacker employs certain automated software tools, which utilize combination methods or reiterated probing-attack steps. Less frequently, these stages may be spread out over days or weeks, and in fact the most dangerous attacks are often those which employ low bandwidth probing techniques over a long period (e.g., “low and slow” attacks) since these types of attacks can be very difficult or impossible to detect except by the damage that eventually accrues.
- the attacker may repeat the steps of FIG. 4 so as to “propagate” the attack to another host entity in the customer's network or to another network.
- the attacker capitalizes on the increased opportunities offered by a successful initial attack and also to increase the indirection existing between the attacker and the target often uses propagated attacks. For example, many successful attacks may have actually been accomplished via a “daisy chain” or string of four or more compromised machines, which often are chosen to be located in different time zones. Machines located in different time zones makes it difficult to get the associated network management personnel on the telephone at the same time, which would be needed to troubleshoot how the attack is occurring and backtrack/identify the true attacker. Further, hacker strategy often includes extensive planning to mount a significant attack on a target using intermediary customer machines which are used for no other purpose than stepping stones, but otherwise left largely unharmed, that is, as long as the hacker's presence remains undiscovered.
- the “recon” or reconnaissance step is normally the initial hacker attack stage.
- the hacker in this step is concerned with the initial gathering of information that can be exploited to help the attacker access or exploit the target network.
- This stage is generally not focused on attacking a specific host or machine, but rather is an attempt to map out the various ways an attacker might expect to get into the network, e.g., the customer's network.
- the associated time period of the reconnaissance step can be short or long. It is safer for the attacker to take more time, spacing out the actions over a considerable period of time, especially with networks that are monitored or secured in ways that may lead to someone noticing the hacker's attempts to probe.
- the associated bandwidth of the probe can be large or small, and can vary. Again, it is safer for the attacker to use a low bandwidth probe, although this self-imposed restriction on bandwidth will generally mean that the recon stage will take longer to accomplish.
- this stage seeks to identify the IP addresses of the ingress nodes for the target network, and subsequently to identify open ports and potentially usable protocols that may provide the means for intrusion.
- routers and network topology may be probed and mapped in order to support more complex intrusion techniques and attacks, which can involve multiple attacker machines and multiple ingress points, when present.
- Reconnaissance can proceed from a single origin point or can be distributed using multiple machines to originate probes from different locations. When multiple machines are probing, its actions can be arranged individually or coordinated. Cases of extremely capable, elegant probing involve the efforts of many machines in a coordinated complex fashion. Furthermore, these capabilities are increasingly likely to be encountered because these techniques are increasingly incorporated into automated software i.e., hacker tool kits. In general, methods of probing processes available to the hacker community, include coordinated route tracing, e.g., mapping out network topology and latencies, and inverse probes, e.g., accumulating data on unreachable rather than reachable addresses (via receiving automated routing responses from the network).
- coordinated route tracing e.g., mapping out network topology and latencies
- inverse probes e.g., accumulating data on unreachable rather than reachable addresses (via receiving automated routing responses from the network).
- the reconnaissance stage is most pronounced with external threats.
- an external attacker In order to enter the target network, an external attacker must first map out the routes and potential entry points to that target network (e.g., customer's network) along with potential protocols and ports on the ingress nodes that may be usable.
- the sniffing step of FIG. 4 is concerned with gathering detailed information on network hosts, traffic types, protocols, etc. Simply accessing a target network's ingress node is usually not sufficient. Rather, access to those machines and hosts internal to the target network are usually desired. Therefore, in order to exploit the internal nodes, considerable information is required. First, the nodes of interest must be identified possibly by host name but ultimately by IP address. If the attacker can install “sniffer” software, network traffic may be observed so as to locate the most “interesting” machines, often the servers. DNS (name service) servers and LDAP (directory) servers, along with databases which can contain all kinds of sensitive information, e.g., financial or health info, passwords, employee records, would probably be perceived to be the most interesting potential targets.
- DNS name service
- LDAP directory
- Sniffing is generally passive, i.e., listening only, rather than generating or sending traffic.
- Distributed sniffing e.g., sniffing from multiple locations inside the target network, is often employed when possible.
- Distributed sniffing is utilized when the network has switching systems to effectively subdivide the network. This limits how much traffic any individual sniffer can sample.
- Active scanning can also be employed, when attempts are made to connect to a succession of IP addresses and port numbers. Scanning can be used (by the responses received or not received) to identify which addresses are present in the target network and which ports are available on the machines thus identified. The information obtained may then be sent back to, or retrieved by, the attacker via a a number of more or less covert or stealth techniques. These techniques can include encryption and communications using unexpected channels or ports or protocols, i.e., for which they generally were not designed, and thus are less likely to be detected. Likewise, the attacker may communicate into the network via encryption using unexpected channels or ports or protocols in order to send commands to software implanted in exploited hosts.
- sniffing is less intrusive and thus safer for the attacker. Sniffing may in fact be present without anyone realizing, and considerable information may thus be gathered. In contrast, scanning may be readily identified when network intrusion detection methods are employed or when the scanning is done at such high bandwidth that it becomes indirectly observable.
- the presence of a sniffer because its action is passive, i.e., listening only, is hard to detect. Active probing for the presence of a sniffer is unreliable but sometimes possible, but hacker software will sometimes detect this and respond negatively, e.g., damaging the files on the machine on which it has been surreptitiously installed.
- Additional information which may be obtained by the attacker in this stage, includes protocol version numbers, operating system types and version numbers.
- the attacker can also obtain application software types and version numbers, configuration options, general and specific information on what is happening in the customer's network and what the customer's network is being used for. Further, hackers try to obtain specific port numbers on which the various host machines are “listening.”
- the directed attack is an attack on a specific target machine, usually with a specific and harmful objective in mind. Directed attacks are sometimes employed to accomplish one or both of the two preceding stages. There are many kinds of directed attacks. Directed attacks range from simple SYN flood denial of Service (DoS) attacks (in which only the initial “SYN” portion of the TCP 3-way handshake is sent, but in great volume, so as to tie up the resources of the recipient), session redirection and hijacking, to complete takeovers of targeted systems to elaborate spoofing of intrusion detection systems.
- DoS flood denial of Service
- Simple flooding can crudely overwhelm a host with too much traffic, or alternatively, can use up system resources by employing a multitude of “half-open” TCP/IP connection attempts that completely utilize the target machine's processor (e.g., a SYN flood).
- Other more pernicious DoS attacks such as fragmentation attacks (e.g., land.c, death ping, etc.), do not just temporarily occupy the attention of a target host, but actually to crash the operating system via exploitation of particular software bugs, which often remain present in practice even when software fixes/patches are available. Fragmentation attacks take advantage of variable overflow that can occur upon reassembly of specially fragmented IP packets, which were purposefully designed by the hacker to exceed the maximum allowed/expected size.
- An adjunct to DoS crash attacks is a more elaborate approach, which seeks first to install harmful software or make harmful modifications prior to the actual DoS crash attack.
- This approach assumes that the attacker has effective methods of gaining authorization to insert software on the target machine.
- An attacker may gain access to the target machine by gaining access to the root shell or administrator account of a machine either via a variable/buffer overflow, or via a forced “controlled crash” of a running process inherently having these authorizations on the target machine.
- Protocol attacks involve exploitation of the actual communications exchanges in a defined protocol.
- the objective may range from simply interfering with the action of the protocol, as in a DoS attack, to causing a specific and normally unexpected result via the protocol.
- DoS attack a variety of protocol attacks are known.
- Session hijacking generally involves taking control of a TCP/IP session, i.e., forcefully taking the place of one of the two legitimate parties. This can be accomplished via a successful observation and determination of the sequence numbers occurring in the TCP/IP exchange (e.g., a sequence number attack) which allows the substitution of illegitimate packets into the session. This is normally done while simultaneously mounting a DoS attack on the party that is being substituted, substituted, so that it cannot interfere with, or otherwise thwart, the hijacking process.
- the attacker appears to be, and acts as, the actual substituted party, with all the authorizations and access associated with the substituted party.
- the attacker has this authorization at least for the duration of the session, and possible afterwards if the attacker can glean sufficient additional information, such as passwords, cryptographic keys, etc., during the lifetime of the hijacked session.
- Email attacks include simple techniques such as email flooding and spamming.
- Email flooding sends a large email message to many recipients, overloading the email system and in some cases causing system crashes of the mail server.
- Spamming sends unsolicited advertisements, or other undesired messages, to many recipients.
- Email is also a vector, i.e., delivery or infection mechanism, for well-known types of hostile software such as viruses, Trojan horses, worms, etc.
- Viruses and trojans usually require a specific user action to be activated. Worms activate and propagate without user action, instead they rely on and exploit some “action” or capability occurring automatically in the operating system or other running software process.
- Hostile software of these sorts can be designed to perform virtually any function possible on the infected machine, with potentially disastrous results. Worms are receiving increased attention in the hacker community since users are now generally aware of the dangers of viruses and trojans.
- Propagated attacks involve a “stepping stone” approach to move from one exploited host to the next, and then finally attack the ultimate target in a harmful fashion.
- the Internet provides indirection that helps the attacker escape easy detection and identification.
- propagated attacks are done inside one or more smaller networks, it usually embodies a more insidious attempt to surreptitiously control more resources, and in some cases may even be a prelude to a larger scale attack against a service provided on that network or elsewhere. Larger scale attacks can be triggered remotely i.e., via a covert communications channel, or via timers e.g., on a particular date.
- DDoS Distributed Denial of Service
- a large scale attack may attempt to bring down a service, or may have other less crude objectives such as, for example, a large scale privacy violation and public exposure with respect to many customers for instance, intending a subsequent flurry of customer litigation as the actual goal.
- “stealth” refers to attackers trying to cover their tracks or otherwise escape notice. There are many ways to do this. Some of the simplest include log erasure and process modifications to hide the attacker's presence once a machine in successfully accessed and exploited. Also, “fast takedown” techniques can sometimes be used to exploit certain aspects of specific operating systems so as to effectively hide the hacker's presence on a machine, e.g., by very quickly initiating some alteration, which interferes with or avoids the normal process registration within the operating system. Additional techniques include “camouflage” of communications and piggybacking on legitimate communications flows. Steanography, the cryptographic hiding of information within another information stream is similarly utilized. Software mutation techniques, as in mutating viruses, etc. also fall in this general category.
- FIG. 5 is a table 54 listing illustrative examples of attacks.
- the attacks are any one of many possible hostile actions or techniques employed against a customer's network, system, or attached host or machine. Attacks are generally undertaken as a direct or indirect means to gain unauthorized access or otherwise exploit the target(s).
- FIG. 6 is a block diagram depicting a generic computer or processor-based system that can be used to implement a preferred embodiment of each of the MEA, TGE and RAE of the system for the non-invasive monitoring of an electronic security service.
- the digital computer 60 includes, inter alia, a processor 62 and memory 66 .
- Input and/or output (J/O) devices can be communicatively coupled to a local interface 68 via a system I/O interface 70 , or directly connected to the local interface 68 .
- the local interface 68 can be, for example but not limited to, one or more buses or other wired or wireless connections, as is known in the art.
- the local interface 68 may have additional elements, which are omitted for simplicity, such as controllers, buffers (caches), drivers, repeaters, and receivers, to enable communications. Further, the local interface may include address, control, and/or data connections to enable appropriate communications among the aforementioned components.
- the processor 62 is a hardware device for executing software, particularly that stored in memory 66 .
- the processor 62 can be any custom made or commercially available processor, a central processing unit (CPU), an auxiliary processor among several processors, a semiconductor based microprocessor (in the form of a microchip or chip set), a macroprocessor, or generally any device for executing software instructions.
- the memory 66 can include any one or combination of volatile memory elements (e.g. random access memory (RAM, such as DRAM, SRAM, SDRAM, etc.)) and nonvolatile memory elements (e.g. ROM, hard drive, tape, CDROM, etc.). Moreover, the memory 66 may incorporate electronic, magnetic, optical, and/or other types of storage media. Note that the memory 66 can have a distributed architecture, where various components are situated remote from one another, but can be accessed by the processor 62 .
- volatile memory elements e.g. random access memory (RAM, such as DRAM, SRAM, SDRAM, etc.
- nonvolatile memory elements e.g. ROM, hard drive, tape, CDROM, etc.
- the memory 66 may incorporate electronic, magnetic, optical, and/or other types of storage media. Note that the memory 66 can have a distributed architecture, where various components are situated remote from one another, but can be accessed by the processor 62 .
- the software and/or firmware in memory 66 may include one or more separate programs, each of which comprises an ordered listing of executable instructions for implementing logical functions.
- the software in the memory 66 can include MEA, TGE or RAE logic and a suitable operating system (O/S).
- the operating system essentially controls the execution of other computer programs, and provides scheduling, input-output control, file and data management, memory management, and communication control and related services.
- the logic is a source program, executable program (object code), script, or any other entity comprising a set of instructions to be performed.
- the logic When the logic is implemented as a source program, then the program needs to be translated via a compiler, assembler, interpreter, or the like, which may or may not be included within the memory 66 , so as to operate properly in connection with the O/S.
- logic can be written as (a) an object oriented programming language, which has classes of data and methods, or (b) a procedure programming language, which has routines, subroutines, and/or functions, for example but not limited to, C, C++, Pascal, Basic, Fortran, Cobol, Perl, Java, and Ada.
- the I/O devices may include input devices, for example but not limited to, a keyboard, mouse, scanner, microphone, etc. Furthermore, the I/O devices may also include output devices, for example but not limited to, a printer, display, etc. Finally, the I/O devices may further include devices that communicate both inputs and outputs, for instance but not limited to, a modulator/demodulator (modem; for accessing another device, system, or network), a radio frequency (RF) or other transceiver, a telephonic interface, a bridge, a router, etc.
- modem for accessing another device, system, or network
- RF radio frequency
- logic can be stored on any computer-readable medium for use by or in connection with any computer related system or method.
- the logic can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions.
- a “computer-readable medium” can be any means that can store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
- the computer-readable medium can be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. More specific examples (a nonexhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic) having one or more wires, a portable computer diskette (magnetic), a random access memory (RAM) (electronic), a read-only memory (ROM) (electronic), an erasable programmable read-only memory (EPROM, EEPROM, or Flash memory) (electronic), an optical fiber (optical), and a portable compact disc read-only memory (CDROM) (optical).
- an electrical connection having one or more wires
- a portable computer diskette magnetic
- RAM random access memory
- ROM read-only memory
- EPROM erasable programmable read-only memory
- EPROM erasable programmable read-only memory
- CDROM portable compact disc read-only memory
- the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
- the logic can be implemented with any or a combination of the following technologies, which are each well known in the art: a discrete logic circuit(s) having logic gates for implementing logic functions upon data signals, an application specific integrated circuit (ASIC) having appropriate combinational logic gates, a programmable gate array(s) (PGA), a field programmable gate array (FPGA), etc.
- ASIC application specific integrated circuit
- PGA programmable gate array
- FPGA field programmable gate array
- the MEA logic could exist in memory, such as memory 66 of FIG. 6 . In other embodiment, the MEA logic could be resident in a monitoring device, utilizing the device hardware.
- the MEA 34 includes a sniffer module 72 , an innoculator module 74 , an analyzer module 76 , an evaluator module 78 and a communicator module 80 .
- the MEA 36 includes a decryption/encryption module and a cryptographic key module.
- the sniffer module 72 in a preferred embodiment couples to the operating system 73 and a network interface card (not shown) for communicating with the provider network via the customer network, in which the MEA 36 is generally located.
- the communicator module 80 couples to the operating system 73 , analyzer module 76 , evaluator module 78 and innoculator module 74 .
- the evaluator module 78 in a preferred embodiment couples to the operating system 73 , communicator module 80 , analyzer module 76 , and innoculator module 74 .
- the innoculator module 74 couples to the evaluator module 78 and communicator module 80 .
- the operating system also couples to other or existing software applications 84 .
- the sniffer module 72 observes all the packets such that patterns can be identified.
- the innoculator module 74 checks for special code/bits in packets and/or checks pre-received communication for a pre-planned attack or test. For instance, the innoculator module 74 can check for an authenticated and encrypted message from the RAE 38 or TGE 36 with a date/time stamped list of scheduled attacks or tests.
- the analyzer module 76 receives or determines the list of open ports and active services on the customer's network 11 , 12 , and 13 , to know what general and specific vulnerabilities may exit in the customer's network 11 , 12 and 13 .
- the analyzer module 76 can also view or determine if new applications, services or other items are installed, for example, a newly installed denatured virus, trojan, etc. Further, by using available software engineering methods, the analyzer module 76 can monitor other aspects of the host in which it resides, such as monitoring password changes or log alterations. In addition, the analyzer module 76 can monitor security devices to which it is attached. Where a firewall is used, the analyzer module 76 can monitor the types of packets blocked by the firewall.
- the analyzer module 76 can monitor attacks detected. In the case of a deception host, the analyzer module 76 monitors hacker activities such as probes, accesses and rootkit or hacker tool insertion. A matching algorithm can be used to determine potential associations with a pre-planned test or list of active tests. Thus, the progress of a denatured attack or test can be monitored so that it can be reported properly to the RAE 38 .
- the evaluator module 78 determines which attacks or tests would have caused damage if not denatured.
- the communicator module 80 listens and talks to the network provider's centralized RAE 38 and TGE 36 .
- the communicator module 80 acts as the communications interface between the other modules. It receives communications from the provider network 14 and likewise accepts communication from the tester in order to transmit these over the provider network.
- the communicator module 80 functions as a translator. Such translation is needed since software components, i.e., the modules of the RAE 38 , typically use data in somewhat different technical form or format than the form or format of data, which is transported over a typical provider network 14 .
- the communicator module 80 can use well-known methods for secure authenticated network communications, e.g., IPSEC, SSL, or SSH when communicating with TGEs 36 and the RAE 38 .
- these secure communication methods ensure that no unauthorized entity can masquerade as a TGE 36 , RAE 38 , or MEA 34 i.e., impersonate a TGE 36 , RAE 38 , or MEA 34 .
- Via encryption it further ensures that no unauthorized entity can intercept, eavesdrop upon, or alter any of the secured communications.
- the communicator module 80 maintains the shared secrets, cryptographic keys, and/or security certificates utilized to enable these secure communication methods.
- modules such as a decryption/encryption module can be included to enable the MEA 36 to look inside encrypted communications, for instance in virtual private networks (VPNs).
- a cryptographic key module can be included to hold and manage the associated crypto/secret keys.
- FIG. 8 is a block diagram depicting a preferred embodiment of logic of the TGE 36 of the system 10 for the non-invasive monitoring of electronic security services.
- the TGE logic could exist in memory, such as memory 66 of FIG. 6 . In other embodiments, the TGE logic could be resident on a monitored device, utilizing the device hardware.
- the TGE 36 includes a communicator module 86 , a server module 88 , a coordinator module 90 , a tester module 92 , and a test library module 94 .
- the operating system 73 couples to the communicator module 86 , other or existing software applications 84 , and the network interface card (not shown) utilized for communicating with the provider network.
- the server module 88 in a preferred embodiment couples to the communicator module 86 and coordinator module 90 .
- the communicator module 86 couples to the server module 88 , coordinator module 90 , operating system 73 and tester module 92 .
- the tester module 92 in a preferred embodiment couples to the communicator module 86 , coordinator module 90 , and test library module 94 .
- the test library module 94 has access to database 96 , such as oracle.
- the tester module 92 performs the actual testing except for tests, which are initiated by MEAs 34 rather than TGEs 36 . Controlled by the coordinator module 90 , the tester module 92 launches attacks at customer hosts and MEAs 34 as directed.
- the tester module 92 utilizes the test library module 94 to obtain data as to how to construct the tests. For example, for a Land attack, the tester module 92 will consult the library to determine the exact packet structure to employ, and substitutes the target IP address with a denatured IP address into the packet structure to obtain the actual packet to be launched.
- the tester module 92 serves as the “weapon,” which obtains its “ammunition” bullets from the test library module 94 , or uses the test library module 94 to find out how to build its bullets, and then fires them at the targets.
- the test library module 94 provides standard database access functionality, e.g., via SQL or Structured Query Language, to enable provisioning and access of a standard database, such as an Oracle database, which contains test or attack related data.
- the tester module 92 utilizes this functionality.
- the test library module 94 via its associated database 96 provides the detailed information needed to construct each type of attack based upon test definition data. Because of the large number and growing variety of potential attack types, and because attacks can be quite complex and thus difficult to generate, the amount of data is assumed to require a large database external to the module.
- the test library module 94 aggregates and pre-formats retrieved test definition data for use by the tester module 92 .
- the coordinator module 90 obtains schedule information from the RAE 38 via the communicator module 86 , handshakes with the MEAs 34 via the communicator module 86 , to signal “ready” and “finished,” and handshakes with other TGEs 36 as appropriate via the communicator module 86 .
- the coordinator module 90 works with the TGEs 36 for cooperative tests requiring multiple TGE 36 sources.
- the coordinator module 90 also controls the server so that it is properly set-up to respond to scheduled requests from MEAs 34 , and controls the tester module 92 to launch the appropriate tests, which it has received from the RAE 38 at the appropriate time.
- Each TGE 36 may also send a “finished” message via the communicator module 86 to the RAE 38 to let the RAE 38 know it has completed its portion of testing for a particular customer. This allows the RAE 38 to get ready to receive results from the MEAs 34 .
- the server module 88 provides the TGE 36 with standard web, file, and email serving functionality. This is needed since some tests must be initiated by the MEAs 34 rather than the TGEs 36 , when requesting web pages, files, or emails which contain a test/attack such as a Javascript exploit, trojan, or virus. In these cases, the closest TGE 36 acts as the standard server to provide the infected web page, file, or email requested. Once the infected item is provided, the attack will then begin and can be monitored by the pertinent MEA 34 .
- the communicator module 86 acts as the communications interface between the other modules (except the test library module 94 ) and the provider network. It receives communications from the provider network in order to provide these to the tester or server, and likewise accepts communication from the tester in order to transmit these over the provider network.
- the communicator module 86 functions as a translator. Such translation is needed since software components, i.e., the modules of the RAE 38 , typically use data in somewhat different technical form or format than the form or format of data, which is transported over a typical provider network.
- the communicator module 86 can use well-known methods for secure authenticated network communications, e.g., IPSEC, SSL, or SSH when communicating with TGEs 36 and the RAE 38 .
- these secure communication methods ensure that no unauthorized entity can masquerade as a TGE 36 , RAE 38 , or MEA 34 i.e., impersonate a TGE 36 , RAE 38 , or MEA 34 .
- Via encryption they further ensure that no unauthorized entity can intercept, eavesdrop upon, or alter any of the secured communications.
- the communicator module 86 module 86 maintains the shared secrets, cryptographic keys, and/or security certificates utilized to enable these secure communication methods.
- FIG. 9 is a block diagram depicting a preferred embodiment of logic of the RAE 38 of the system 10 for the non-invasive monitoring of electronic security services.
- the RAE logic could exist in memory, such as memory 66 of FIG. 6 . In other embodiments, the RAE logic could be resident in a monitored device, utilizing the device hardware.
- the RAE 38 includes a scheduler module 98 , a global evaluator module 100 , a database interface module 102 , a user interface module 106 and a communicator module 108 .
- the operating system 73 couples to the communicator module 108 , other or existing software applications 84 , and the network interface card (not shown) utilized for communicating with the provider network.
- the scheduler module 98 in a preferred embodiment, couples to the communicator module 108 , database interface module 102 and user interface module 106 .
- the communicator module 108 couples to the global evaluator module 100 , scheduler module 98 , and operating system 73 .
- the global evaluator module 100 in a preferred embodiment, couples to the communicator module 108 and user interface module 106 .
- the user interface module 106 in a preferred embodiment, couples to the database interface module 102 , scheduler module 98 , global evaluator module 100 , and a user 110 .
- the database interface module 102 has access to a standard database 104 , such as an Oracle database, and couples to the scheduler module 98 and user interface module 106 .
- the scheduler module 98 provides the central test scheduling functionality and makes test schedule information available to TGE 36 s and MEAs 34 via the communicator module 108 .
- the scheduler module 98 is controlled by the user interface module 106 .
- the scheduler module 98 makes use of the database interface module 102 to include customer information as appropriate, in order to build schedules while incorporating certain data, such as the particular TGE 36 s and MEAs 34 serving a particular customer, into the schedule process.
- the global evaluator module 100 analyzes data returned by all the MEAs 34 serving a customer in the course of a test cycle, these data being received from the MEAs 34 via the communicator module 108 . Whereas the MEAs 34 provide local results of tests results obtained by a given MEA 34 at its location or for its immediate vicinity, the global evaluator module 100 uses all of these local results to obtain the overall results of the testing for a given customer. Thus the progress of a test attack can be traced as it made its way through the customer network 11 , 12 and 13 to its target, or conversely was stopped at some point (presumably by one of the security service being monitored/tested).
- the global evaluator module 100 obtains the pertinent test schedule from the scheduler module 98 , compares this with the MEA 34 results, and evaluates whether individual MEA 34 results or combinations of MEA 34 results indicate a particular test outcome for the customer. In a preferred embodiment, the global evaluator module 100 applies a set of If/Then rules to make this determination for each test included in the schedule e.g., if certain files or memory locations were erased or altered, or if certain email actions occurred, then attack by test # 123 for virus xyz was successful. This evaluation can be wholly implemented via code within the global evaluator module 100 , or can include the referencing of an “expected test result” database which can be wholly included in the module, or if necessary can be an externally located standard database.
- the database interface module 102 provides standard database access functionality e.g., via Structured Query Language (SQL) to enable provisioning and access of a standard database, such as an Oracle database, which contains customer data.
- SQL Structured Query Language
- the scheduler module 98 utilizes this functionality.
- the user interface module 106 can also utilize the database interface module 102 to provision, or load, the database with the necessary customer data.
- a data interface module 102 can also be used to provide an interface to an external database for the global evaluator module 100 .
- the user interface module 106 provides standard user interaction functionality via a standard windowing Applications Programming Interface (API) and/or command line capabilities of the underlying operating system, e.g., Unix, Linux, or Windows.
- API Application Programming Interface
- the user 110 can control the system, interact with the system e.g., to provision the database, order tests, set test parameters and cycles, and obtain and manipulate results.
- the communicator module 108 acts as the communications interface between the other modules, (except the database interface module 102 ) and the provider network 14 . It receives communications from the provider network in order to provide these to the global evaluator module 100 , and likewise accepts communication from the scheduler module 98 in order to transmit these test schedule information and data over the network.
- the communicator module 108 basically functions as a translator and is analogous to such functionality, which is found in many systems utilizing communications with other entities. Such translation is needed since software components, including for instance the modules of the RAE 38 , typically use data in somewhat different technical form or format than the form or format of data which is transported over a typical network.
- the communicator module 108 can use well-known methods for secure authenticated network communications, e.g., IPSEC, SSL, or SSH when communicating with TGEs 36 and MEAs 34 . Via authentication, these secure communication methods ensure that no unauthorized entity can masquerade as a TGE 36 , RAE 38 , or MEA 34 i.e., impersonate a TGE 36 , RAE 38 , or MEA 34 . Via encryption, the communicator module 108 further ensures that no unauthorized entity can intercept, eavesdrop upon, or alter any of the secured communications. The communicator module 108 maintains the shared secrets, cryptographic keys, and/or security certificates utilized to enable these secure communication methods.
- FIG. 10 is a block diagram 112 of an illustrative example of altering a harmful code in a virus or program, i.e., mal-ware code.
- the code is shown in a hexadecimal, or base-16, notation, e.g., 1, 2, 3 . . . A, B, C . . . F.
- Signature checkers for instance, anti-virus software, uses a portion of the code, A3555F77 to identify the presence of a virus. This portion of the code is not altered.
- a portion of the code, 632AA098, performs a harmful action. This portion of the code is altered.
- These code portions are typically different and are located in different locations within the code for each and every different virus or mal-ware used.
- the harmful portion of the code i.e., 632AA098, is altered to, F555555F, rendering the harmful portion of the code harmless.
- FIG. 11 is a block diagram 114 preferred embodiment of an illustrative example of denaturing a bad data packet. Additional fields, such as checksums, length fields, protocol conversion fields, etc., are not shown for simplicity.
- the block diagram of FIG. 11 shows a simplified example packet that could be used in a Land attack.
- a Land attack is a denial of service attack or crash attack wherein a TCP SYN packet (e.g., connection initiation) is sent that uses the same source and destination addressed for the target machine's IP address and port. This often causes operating systems to hang or crash, unless they are specifically designed and tested to resist such an attack.
- TCP SYN packet e.g., connection initiation
- the destination address is changed in order to denature the attack by “redirection.”
- Land attacks typically have the same destination address and source address, and thus the source address is also being changed in this example. Changing the source address is necessary to maintain an equal relationship between the destination address and sources address to retain a suitably harmful appearance.
- the source address need not be changed when the particular attack does not have a relationship between the destination address and the source address. In another alternative embodiment, it may be necessary to change other parts of the packet if the particular attack is defined by some relationship between the altered destination address and those other parts of the packet and the relationship should be maintained.
- the data packet includes fields for type of service 116 , source address and port 118 , destination address and port 120 , flags 122 and data payload 124 .
- the harmful characteristic is source address and port equal to the destination address and port.
- the harmful characteristic cannot itself be altered since that change makes the packet both harmless and no different from any regular packet, such that no security measure, even if interceding, would have any reason to block it.
- the destination address is changed.
- the potentially harmful packet is then directed at a MEA 34 near the target rather than the target itself. This process is called “denaturing by re-direction.”
- Due to the properties of the Land attack the source address is also changed. Both the source and destination addresses are changed from 10.1.1.1 to 10.1.1.33.
- Address 10.1.1.33 is the address of a nearby known MEA 34 , which will receive the attack, if the attack is not blocked in transit to the MEA 34 .
- the example packet of FIG. 11 also includes another attack. This involves including the harmful portion of the packet in the data payload 124 .
- An analysis of the bad packet attack type is necessary to determine both the location of the pertinent data elements and the appropriate alteration needed for the specific element or elements which cause harmful effect or effects.
- an identifier code number is added to the payload so that MEAs 34 will be able to keep track and check against pre-scheduled attacks.
- an identified code of 111 . . . 0010 is added to the data payload 124 .
- FIG. 12 is a flow chart depicting general functionality of a preferred embodiment of a system for the non-invasive monitoring of electronic security services.
- the process begins at 130 .
- a denatured attack is launched across a customer's network.
- the attack is launched using a TGE.
- the customer's network is monitored.
- the customer's network is monitored using a MEA.
- the customer's network is monitored prior to the launch of a denatured attack.
- the customer's network is monitored during the launch of the denatured attack.
- the results of the denatured attack are analyzed.
- the results of the denatured attack are analyzed during the launch of a denatured attack.
- the process ends at 138 .
- FIGS. 13A and 13B are flow charts depicting more specific functionality of a preferred embodiment of a system for the non-invasive monitoring of electronic security services.
- the process begins at 140 .
- the service provider selects the customer that will be monitored and/or receive a denatured attack.
- an examination of the customer's current records occurs. The examination includes, among others, obtaining the MEA list, host and network configurations and services utilized by the customer.
- the service provider selects the pertinent tests to perform over the customer's network. The tests performed are based on certain parameters such as the design and topology of the customer's network, perceived threats and any unique customer concerns about the security of its network.
- each MEA is polled for configuration changes. Any configuration changes found are added to the current customer information and the test selection modified to accommodate the configuration changed.
- the test list is finalized and scheduled. In addition, the TGEs and MEAs that will be used in the test are selected.
- the schedule for the test is sent to the TGEs and MEAs.
- the schedule is sent to the TGEs that will generate the attacks and the MEAs that will originate any passive attacks.
- the schedule also serves to inform the MEAs of planned attacks.
- the MEAs and TGEs perform handshake functions for a “ready” state.
- TGEs run tests against customer's network(s). In a preferred embodiment, the tests are run over a long period of time, for example, a week or a month.
- the MEAs detect and evaluate the effects of the tests.
- the MEAs originate any passive tests.
- each MEA provides rate feedback to the TGEs (those TGEs which originate the tests/attacks the MEA is monitoring).
- the rate feedback consists of data instructing each associated TGE to appropriately modify its rate of test generation and launching based on the MEA's monitoring/determination of test rates exceeding (or falling below) pre-set maximum (or minimum) thresholds, or otherwise exceeding (or falling below) test constraints pre-set or calculated by algorithmic means.
- the MEAs determine when the test cycles are finished utilizing a handshake with finished TGEs or based upon the completion of a scheduled test.
- each MEA sends its results to the RAE.
- the RAE analyzes, records and reports on the results of the tests for on the results of the tests for the selected customer. In a preferred embodiment, the results of the tests are summarized globally for the selected customer but may be localized as needed.
- the process ends.
- An advantage of this invention is that it provides for a set of harmless attacks against a customer's system that tests the effectiveness of the customer's electronic security services.
- Another advantage of this invention is that the results of the harmless attacks can be monitored and a record of results maintained.
- Still another advantage of this invention is that it performs the denatured attacks to a customer's network in a non-invasive method, for instance denatured attacks scheduled over a long period of time so as not to be noticeable by the customer. Further, feedback from the MEAs to the TGEs can adjust the rate of test launching so that the tests remain unobtrusive yet are completed in a timely manner.
Abstract
Systems for the non-invasive monitoring of the effectiveness of a customer's electronic security services include a test generation engine for generating and launching a denatured attack towards a customer's network. A monitoring and evaluation agent is operatively coupled to the test generation engine and is adapted to monitor and evaluate the denatured attack. A recording and analysis engine is adapted to record and analyze the results of the denatured attack. Other systems and methods are also provided.
Description
- This application is a continuation of U.S. patent application Ser. No. 10/159,757, filed on May 29, 2002 and entitled “Non-Invasive Monitoring of the Effectiveness of Electronic Security Services,” which is expressly incorporated herein by reference in its entirety.
- The present invention is generally related to electronic security services and, more particularly, is related to the non-invasive monitoring of the effectiveness of electronic security services.
- Electronic security services such as anti-virus protection, hacker intrusion detection, electronic privacy protection and firewalls are technically complicated and difficult for customers to understand. Due to this complexity, it is also extremely difficult for customers or providers of electronic security services to verify that such services are in fact properly protecting the customers as intended. Furthermore, it is particularly difficult to effect such verification in a way that does not seriously inconvenience the customer or significantly degrade the customer's service, at least temporarily.
- Thus, a heretofore-unaddressed need exists for a solution that addresses the aforementioned deficiencies and inadequacies.
- The preferred embodiments of the present invention provide a system and method for the non-invasive monitoring of the effectiveness of a customer's electronic security services.
- Briefly described, in architecture, one embodiment of the system, among others, can be implemented to include a test generation engine for generating and launching a denatured attack towards a customer's network, an agent operatively coupled to the test generation engine, the agent adapted to monitor and evaluate the denatured attack, and a recording and analysis engine operatively coupled to the test generation engine and the agent to record and analyze the results of the denatured attack.
- The present invention can also be viewed as providing methods for the non-invasive monitoring of the effectiveness of electronic security services on a customer's network. In this regard, one embodiment of such a method, among others, can be broadly summarized by the following steps: launching a denatured attack over a communications network toward a monitored customer's network, and analyzing results of the denatured attack.
- Other systems, methods, features, and advantages of the present invention will be or become apparent to one with skill in the art upon examination of the following drawings and detailed description. It is intended that all such additional systems, methods, features, and advantages be included within this description and be within the scope of the present invention.
- Many aspects of the invention can be better understood with reference to the following drawings. The components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present invention. Moreover, in the drawings, like reference numerals designate corresponding parts throughout the several views.
-
FIG. 1 is a block diagram of a preferred embodiment of a system for the non-invasive monitoring of electronic security services. -
FIG. 2 is a table listing illustrative examples of attack modules included in a hacker toolkit available on the Internet. -
FIG. 3 is a table listing illustrative examples of user-selectable attacks. -
FIG. 4 is a flow chart of an embodiment of an implementation of a generic attack. -
FIG. 5 is a table listing illustrative examples of attacks. -
FIG. 6 is a block diagram depicting a generic computer or processor-based system that can be used to implement a preferred embodiment of each of a monitoring and evaluation agent, test generation engine and recording and evaluation engine of the system for the non-invasive monitoring of an electronic security services. -
FIG. 7 is a block diagram depicting a preferred embodiment of logic of a monitoring and evaluation agent of the system for the non-invasive monitoring of electronic security services. -
FIG. 8 is a block diagram depicting a preferred embodiment of logic of a test generation engine of the system for the non-invasive monitoring of electronic security services. -
FIG. 9 is a block diagram depicting a preferred embodiment of logic of a recording and analysis engine of the system for the non-invasive monitoring of an electronic security services. -
FIG. 10 is a block diagram of a preferred embodiment of an illustrative example of altering a harmful code in a virus or mal-ware code. -
FIG. 11 is a block diagram preferred embodiment of an illustrative example of denaturing a bad data packet. -
FIG. 12 is a flow chart depicting general functionality of a preferred embodiment of a system for the non-invasive monitoring of electronic security services. -
FIGS. 13A and 13B are flow charts depicting more specific functionality of a preferred embodiment of a system for the non-invasive monitoring of electronic security services. - Disclosed herein are systems and methods for the non-invasive monitoring of the effectiveness of an electronic security service. To facilitate description of the inventive system, an example system that can be used to implement the non-invasive monitoring of the effectiveness of an electronic security service is discussed with reference to the figures. Although this system is described in detail, it will be appreciated that this system is provided for purposes of illustration only and that various modifications are feasible without departing from the inventive concept. After the example system has been described, an example of operation of the system will be provided to explain the manner in which the system can be used to provide the non-invasive monitoring of electronic security service.
- Referring now in more detail to the drawings, in which like numerals indicate corresponding parts throughout the several views,
FIG. 1 is a block diagram of a preferred embodiment of asystem 10 for the non-invasive monitoring of an electronic security service. Thesystem 10 includescustomer networks provider network 14. Theprovider network 14 can be provided and managed by a telecommunications company, such as BellSouth, Inc. Theprovider network 14 typically includes acentral office 16 among other components. Thecentral office 16 is a location that houses telecommunications equipment such as network switches and facility equipment. Traditionally, thecentral office 16 is linked to other central office(s) 18 in theprovider network 14 using atelecommunications transport network 20. Personnel located within thecentral offices central office - The
central office routers 22. Routers can be a separate device, or software in a computer, that directs information such as data packets, from one destination to another. Therouter 22 connects to thecustomer networks provider network 14, and determines which way to send each information data packet. Acore router 24 in theprovider network 14 can accept information data packets from a plurality ofrouters 22 and route them to a destination such as acentralized router 26. Thecentralized router 26 can be located in a specialized central office such as a data center or a network operations center, or thecentral office customer networks routers 28 for routing information data packets from computing devices, such aspersonal computers 30,servers 32, or fromother routers 28. In a preferred embodiment, thecustomer networks - In a preferred embodiment, attacks on the
customer networks routers 28,servers 32 and personal computers 30 (as well as special computers known as firewalls, intrusion detection systems, etc.). MEAs 34 serve to detect and monitor the local effects of attacks that are either launched from theprovider network 14 or initiated by the MEA 34 itself in accordance with a test list and schedule received by the MEA 34. - In a preferred embodiment, a test generation engine (TGE) 36 performs the attacks launched from the
provider network 14. The TGE 36 serves to generate tests based on test definitions and scheduling information received from a recording and analysis engine (RAE) 38. The TGE 36 launches those tests against the customer's network ofpersonal computers 30,servers 32, and MEAs 34. In addition, the TGE 36 preferably handshakes with theMEAs 34 as needed to start and stop the test cycle. TheRAE 38 serves to schedule tests, analyze and evaluate the test results collected from theMEAs 34. TheRAE 38 also provides user interaction capability. Authentication and encryption protects communication between theTGE 36,RAE 38 andMEA 34. In a preferred embodiment, authentication and encryption includes an IP security protocol (IPsec) for authentication, encryption and message integrity. In an alternative embodiment, authentication and encryption includes a Secure Sockets Layer (SSL) for authentication and encryption. - The
TGE 36 generates and launches test attacks over the network toward the monitored customer'snetwork - The attacks can be “denatured” in various ways including for example, (1) altering codes in a virus, trojan, etc. in order to render these harmless (although minimum alteration is used such that the virus, trojan, etc. would still be recognizable to code/signature checkers, which may depend on certain strings of code within the virus, trojan, etc. to be intact in order to recognize them); (2) replacing the virus, trojan, etc. with dummy code which acts externally the same (e.g., uses same ports, sends similar message, mimics actions except for those aspects which are harmful) in order that the dummy does no harm but otherwise is identical in important ways; and (3) for network-based attacks, replacing harmful bits in a “bad” or “malformed” packet, or sequences of bits in sequences of packets, with special codes so that reception can be verified but damage avoided.
- In an alternative embodiment, where the packets or packet sequences cannot be changed in certain attacks which depend on and exploit responses to such packets (rather than relying on damage caused directly by the packet or packet sequence), the packets can be unaltered but the response or subsequent action (which (which would normally cause the pertinent damage) can be altered so that no actual harm accrues.
- In a further, alternate embodiment, denaturing by “indirection” or “redirection” could also be done. The attack is changed such that, instead of targeting a resource (computer, server, etc.) within the customer's network, it is modified to target a
nearby MEA 34. This approach is useful where it is impossible or undesirable to alter the harmful portion of the attack itself, but by redirecting it the original target can be removed from harm while the security services intervening between theTGE 36 andMEA 34 which are being tested will still encounter, and should recognize, the attack (such that the test remains valid). Some attacks, for instance, would no longer look like attacks if their harmful portions are modified, so to alter them in that way would result in an invalid test of the security services (i.e., there is no reason for any security service to block or protect against something which is completely harmless). This invention denatures by changing the target while retaining its harmful nature. - As new attacks are discovered, analyzed and denatured, they can be incorporated into the test/attack catalog of the
TGE 36. Where appropriate,multiple TGEs 36 communicate with one another. This may be appropriate when certain specific attacks are by nature coordinated and need to originate from multiple sources. In addition, theTGE 36 communicates with theMEA 34. For example, theTGE 36 communicates with theMEA 34 when theMEA 34 requires advance knowledge of a planned test in order to properly monitor results. - In another alternative embodiment,
multiple TGEs 36 are used when the monitored security service involves multiple components that require monitoring. Examples of monitored components includeMEAs 34 placed on or near firewalls, intrusion detection systems, deceptions hosts (also referred to as “honeypots”), computer hosts, PCs, mainframes.Multiple TGEs 36 may be used in a hierarchical architecture, for instance,multiple TGEs 36 controlled and coordinated by one central scheduler, which may be part of thecentralized RAE 38.Multiple TGEs 36 can more effectively cover multiple portions of a large network while avoiding undesired interactions with security measures which may be in place. - In a preferred embodiment,
TGEs 36 are placed close to customers so as to avoid attacks being blocked by the provider's own security protections, rather than the customer's own security services which are intended to be monitored/tested. The provider is likely to have various security protections in place in its own network, such as firewalls, intrusion detection, etc. The attacks launched by theTGEs 36 should not encounter any of these during testing (unless these are to be monitored/tested as well) since they may block the attack before it ever reaches the customer's security protection, resulting in misleading results (which, in effect, measure the provider's security rather than the customer's). - A discussion of a variety of attacks that can be made to a
customer network - A. Hacker Tools
- Hackers are individuals who obtain unauthorized or attempt to obtain unauthorized access to the customer's
network network -
FIG. 2 is a table 40 listing illustrative examples of attack modules included in a hacker toolkit available on the Internet. Toolkits can be software applications, but usually run on operating systems, for instance, Linux or Unix, instead of systems such as Microsoft Windows.FIG. 2 shows examples of attack modules available in a toolkit, however, numerous alternative embodiments of toolkits exist, and range from simple to very complex and elaborate. The toolkits often include a set of individual attack types which can be selected by the user (i.e., the hacker), either manually or as part of an automated “attack script.” -
FIG. 3 is a table 42 listing illustrative examples of user-selectable attacks. The individual attack names listed inFIG. 3 , such as ice, teardrop, boink, jolt, land, nestea, newtear, etc., are examples of attack types that can be launched individually or included in one software program. There exists a great multitude of specific attacks and their variants, with sometimes only small technical differences resulting in very large differences of purpose, use, and effect. Also, some of these attacks are built upon other less complex attacks (i.e., some complex attacks are specific sequences of basic attacks), and many types of variants exist. New attack types are being constantly generated using widely available software tools and modules. Generally, the attacks consist of the transmission of various malformed packets, malformed network protocol interchanges, viruses, Trojan or backdoor software, mobile code (java, javascript, etc.), or any other transmission which is intended to discover and/or take advantage of potential vulnerabilities in a target system, e.g., customer'snetwork - B. An Example of a Generic Attack
- An unlimited number of attacks are possible, however, a focus on general similarities between threats allows for a grouping of processes into a “generic” attack. The generic attack is one example of an attack and does not capture all varieties and nuances of potential hacker activities, whether originating inside the customer's
network -
FIG. 4 is a flow chart of an embodiment of an implementation of a generic attack. The process begins atstep 44. Atstep 46, the hacker performs a “reconnaissance” activity. Reconnaissance involves broadly gathering information to identify existing network resources. The hacker also attempts to identify a subset of the network resources, which represents potential attack targets. Further, the hacker attempts to identify potential avenues of attack. - At
step 48, “sniffing” occurs. Sniffing is passively gathering detailed data, usually by surreptitiously installing special software on a network entity (computer, router, etc.) which listens to all traffic passing by, making all information which was previously internal to the network now available to the intruder. This step may also include “scanning,” or actively gathering detailed data. Scanning is similar technically to reconnaissance probes, in that information is gathered from responses received to various packets transmitted. A difference is that the scanning is done from inside the network being intruded upon. Thus, the intruder has much greater access to the network, and can gather much more information (of a much more sensitive nature since the hacker is now inside the perimeter protections, such as firewalls, such that the information obtained can be much more useful to the hacker). Sniffing is used to support one or more subsequent specific attacks (e.g., directed attacks). Sniffing and scanning may range from gathering information on specific IP addresses to the types of traffic and protocol elements being passed between nodes. elements being passed between nodes. This step may also include approaches such as “social engineering” or “dumpster diving” to gather passwords and other sensitive information. - At
step 50, a specific “directed” attack occurs. The directed attack may generally include, (a) Denial of Service, (DoS) (b) “trawling” or otherwise gathering sensitive/valuable directory data, and (c) theft of service or service fraud. Additionally, customer privacy can be a concern, although this is not generally thought of as an “attack” per se. Bad packet attacks aimed against specific targets could be considered separately or considered to be DoS attack. Web page exploits, viruses, trojans, and other mal-ware program infestations would be considered to be “passive” attacks since they have to be initiated by the target itself. The virus waits passively to be retrieved, and only after retrieval and activation does the actual attack begin. On the other hand, worms, spread on their own. For example, worms do not have to be retrieved by the target but rather actively seek out subsequent targets from each site of infection. Worms automate the steps shown inFIG. 4 , and thereby continue to repeatedly spread from each subsequent target attacked and infected. The process ends atstep 52. - In a typical attack scenario, the steps shown in
FIG. 4 , occur in sequence over a period less than 24 hours. However, the steps ofFIG. 4 may be combined when the attacker employs certain automated software tools, which utilize combination methods or reiterated probing-attack steps. Less frequently, these stages may be spread out over days or weeks, and in fact the most dangerous attacks are often those which employ low bandwidth probing techniques over a long period (e.g., “low and slow” attacks) since these types of attacks can be very difficult or impossible to detect except by the damage that eventually accrues. - Finally, post-attack, the attacker may repeat the steps of
FIG. 4 so as to “propagate” the attack to another host entity in the customer's network or to another network. The attacker capitalizes on the increased opportunities offered by a successful initial attack and also to increase the indirection existing between the attacker and the target often uses propagated attacks. For example, many successful attacks may have actually been accomplished via a “daisy chain” or string of four or more compromised machines, which often are chosen to be located in different time zones. Machines located in different time zones makes it difficult to get the associated network management personnel on the telephone at the same time, which would be needed to troubleshoot how the attack is occurring and backtrack/identify the true attacker. Further, hacker strategy often includes extensive planning to mount a significant attack on a target using intermediary customer machines which are used for no other purpose than stepping stones, but otherwise left largely unharmed, that is, as long as the hacker's presence remains undiscovered. - 1. The Reconnaissance Step
- The “recon” or reconnaissance step is normally the initial hacker attack stage. The hacker in this step is concerned with the initial gathering of information that can be exploited to help the attacker access or exploit the target network. This stage is generally not focused on attacking a specific host or machine, but rather is an attempt to map out the various ways an attacker might expect to get into the network, e.g., the customer's network.
- The associated time period of the reconnaissance step can be short or long. It is safer for the attacker to take more time, spacing out the actions over a considerable period of time, especially with networks that are monitored or secured in ways that may lead to someone noticing the hacker's attempts to probe. Likewise, the associated bandwidth of the probe can be large or small, and can vary. Again, it is safer for the attacker to use a low bandwidth probe, although this self-imposed restriction on bandwidth will generally mean that the recon stage will take longer to accomplish.
- In simplest form, this stage seeks to identify the IP addresses of the ingress nodes for the target network, and subsequently to identify open ports and potentially usable protocols that may provide the means for intrusion. In more complex form, routers and network topology may be probed and mapped in order to support more complex intrusion techniques and attacks, which can involve multiple attacker machines and multiple ingress points, when present.
- Reconnaissance can proceed from a single origin point or can be distributed using multiple machines to originate probes from different locations. When multiple machines are probing, its actions can be arranged individually or coordinated. Cases of extremely capable, elegant probing involve the efforts of many machines in a coordinated complex fashion. Furthermore, these capabilities are increasingly likely to be encountered because these techniques are increasingly incorporated into automated software i.e., hacker tool kits. In general, methods of probing processes available to the hacker community, include coordinated route tracing, e.g., mapping out network topology and latencies, and inverse probes, e.g., accumulating data on unreachable rather than reachable addresses (via receiving automated routing responses from the network).
- The reconnaissance stage is most pronounced with external threats. In order to enter the target network, an external attacker must first map out the routes and potential entry points to that target network (e.g., customer's network) along with potential protocols and ports on the ingress nodes that may be usable.
- 2. The Sniffing Step
- The sniffing step of
FIG. 4 is concerned with gathering detailed information on network hosts, traffic types, protocols, etc. Simply accessing a target network's ingress node is usually not sufficient. Rather, access to those machines and hosts internal to the target network are usually desired. Therefore, in order to exploit the internal nodes, considerable information is required. First, the nodes of interest must be identified possibly by host name but ultimately by IP address. If the attacker can install “sniffer” software, network traffic may be observed so as to locate the most “interesting” machines, often the servers. DNS (name service) servers and LDAP (directory) servers, along with databases which can contain all kinds of sensitive information, e.g., financial or health info, passwords, employee records, would probably be perceived to be the most interesting potential targets. - Sniffing is generally passive, i.e., listening only, rather than generating or sending traffic. Distributed sniffing, e.g., sniffing from multiple locations inside the target network, is often employed when possible. Distributed sniffing is utilized when the network has switching systems to effectively subdivide the network. This limits how much traffic any individual sniffer can sample.
- Active scanning can also be employed, when attempts are made to connect to a succession of IP addresses and port numbers. Scanning can be used (by the responses received or not received) to identify which addresses are present in the target network and which ports are available on the machines thus identified. The information obtained may then be sent back to, or retrieved by, the attacker via a a number of more or less covert or stealth techniques. These techniques can include encryption and communications using unexpected channels or ports or protocols, i.e., for which they generally were not designed, and thus are less likely to be detected. Likewise, the attacker may communicate into the network via encryption using unexpected channels or ports or protocols in order to send commands to software implanted in exploited hosts.
- Although passive sniffing is limited in the sense that the attacker must wait for traffic to be observed rather than actively scanning for items of interest, sniffing is less intrusive and thus safer for the attacker. Sniffing may in fact be present without anyone realizing, and considerable information may thus be gathered. In contrast, scanning may be readily identified when network intrusion detection methods are employed or when the scanning is done at such high bandwidth that it becomes indirectly observable. The presence of a sniffer because its action is passive, i.e., listening only, is hard to detect. Active probing for the presence of a sniffer is unreliable but sometimes possible, but hacker software will sometimes detect this and respond negatively, e.g., damaging the files on the machine on which it has been surreptitiously installed.
- Additional information, which may be obtained by the attacker in this stage, includes protocol version numbers, operating system types and version numbers. The attacker can also obtain application software types and version numbers, configuration options, general and specific information on what is happening in the customer's network and what the customer's network is being used for. Further, hackers try to obtain specific port numbers on which the various host machines are “listening.”
- 3. The Direct Attack Step
- The directed attack is an attack on a specific target machine, usually with a specific and harmful objective in mind. Directed attacks are sometimes employed to accomplish one or both of the two preceding stages. There are many kinds of directed attacks. Directed attacks range from simple SYN flood denial of Service (DoS) attacks (in which only the initial “SYN” portion of the TCP 3-way handshake is sent, but in great volume, so as to tie up the resources of the recipient), session redirection and hijacking, to complete takeovers of targeted systems to elaborate spoofing of intrusion detection systems.
- Simple flooding can crudely overwhelm a host with too much traffic, or alternatively, can use up system resources by employing a multitude of “half-open” TCP/IP connection attempts that completely utilize the target machine's processor (e.g., a SYN flood). Other more pernicious DoS attacks, such as fragmentation attacks (e.g., land.c, death ping, etc.), do not just temporarily occupy the attention of a target host, but actually to crash the operating system via exploitation of particular software bugs, which often remain present in practice even when software fixes/patches are available. Fragmentation attacks take advantage of variable overflow that can occur upon reassembly of specially fragmented IP packets, which were purposefully designed by the hacker to exceed the maximum allowed/expected size.
- An adjunct to DoS crash attacks is a more elaborate approach, which seeks first to install harmful software or make harmful modifications prior to the actual DoS crash attack. With this approach, unless the target machine is completely re-initialized from backup media, re-booting the machine causes subsequent crashes and additional damage, and possibly even more effects such as propagated attacks. This approach assumes that the attacker has effective methods of gaining authorization to insert software on the target machine. An attacker may gain access to the target machine by gaining access to the root shell or administrator account of a machine either via a variable/buffer overflow, or via a forced “controlled crash” of a running process inherently having these authorizations on the target machine.
- Protocol attacks involve exploitation of the actual communications exchanges in a defined protocol. The objective may range from simply interfering with the action of the protocol, as in a DoS attack, to causing a specific and normally unexpected result via the protocol. A variety of protocol attacks are known.
- Session hijacking generally involves taking control of a TCP/IP session, i.e., forcefully taking the place of one of the two legitimate parties. This can be accomplished via a successful observation and determination of the sequence numbers occurring in the TCP/IP exchange (e.g., a sequence number attack) which allows the substitution of illegitimate packets into the session. This is normally done while simultaneously mounting a DoS attack on the party that is being substituted, substituted, so that it cannot interfere with, or otherwise thwart, the hijacking process. Once the session is hijacked, the attacker appears to be, and acts as, the actual substituted party, with all the authorizations and access associated with the substituted party. The attacker has this authorization at least for the duration of the session, and possible afterwards if the attacker can glean sufficient additional information, such as passwords, cryptographic keys, etc., during the lifetime of the hijacked session.
- Email attacks include simple techniques such as email flooding and spamming. Email flooding sends a large email message to many recipients, overloading the email system and in some cases causing system crashes of the mail server. Spamming sends unsolicited advertisements, or other undesired messages, to many recipients.
- Email is also a vector, i.e., delivery or infection mechanism, for well-known types of hostile software such as viruses, Trojan horses, worms, etc. Viruses and trojans usually require a specific user action to be activated. Worms activate and propagate without user action, instead they rely on and exploit some “action” or capability occurring automatically in the operating system or other running software process. Hostile software of these sorts can be designed to perform virtually any function possible on the infected machine, with potentially disastrous results. Worms are receiving increased attention in the hacker community since users are now generally aware of the dangers of viruses and trojans.
- Propagated attacks involve a “stepping stone” approach to move from one exploited host to the next, and then finally attack the ultimate target in a harmful fashion. When propagated attacks are done across the Internet, the Internet provides indirection that helps the attacker escape easy detection and identification. When propagated attacks are done inside one or more smaller networks, it usually embodies a more insidious attempt to surreptitiously control more resources, and in some cases may even be a prelude to a larger scale attack against a service provided on that network or elsewhere. Larger scale attacks can be triggered remotely i.e., via a covert communications channel, or via timers e.g., on a particular date. Distributed Denial of Service (DDoS) attacks are a special case of this where large numbers of compromised computers become “zombies” under the hacker's remote control for the purpose of launching coordinated large-scale DoS attacks against a target. Large target. Large scale attacks may take considerable time to set up, requiring multiple intrusions on multiple machines in advance, and they may potentially result in broadly disastrous consequences. A large scale attack may attempt to bring down a service, or may have other less crude objectives such as, for example, a large scale privacy violation and public exposure with respect to many customers for instance, intending a subsequent flurry of customer litigation as the actual goal.
- Finally, “stealth” refers to attackers trying to cover their tracks or otherwise escape notice. There are many ways to do this. Some of the simplest include log erasure and process modifications to hide the attacker's presence once a machine in successfully accessed and exploited. Also, “fast takedown” techniques can sometimes be used to exploit certain aspects of specific operating systems so as to effectively hide the hacker's presence on a machine, e.g., by very quickly initiating some alteration, which interferes with or avoids the normal process registration within the operating system. Additional techniques include “camouflage” of communications and piggybacking on legitimate communications flows. Steanography, the cryptographic hiding of information within another information stream is similarly utilized. Software mutation techniques, as in mutating viruses, etc. also fall in this general category.
- C. Examples of Attacks
-
FIG. 5 is a table 54 listing illustrative examples of attacks. The attacks are any one of many possible hostile actions or techniques employed against a customer's network, system, or attached host or machine. Attacks are generally undertaken as a direct or indirect means to gain unauthorized access or otherwise exploit the target(s). -
FIG. 6 is a block diagram depicting a generic computer or processor-based system that can be used to implement a preferred embodiment of each of the MEA, TGE and RAE of the system for the non-invasive monitoring of an electronic security service. Generally, in terms of hardware architecture, as shown inFIG. 6 , thedigital computer 60 includes, inter alia, aprocessor 62 andmemory 66. Input and/or output (J/O) devices (or peripherals) can be communicatively coupled to alocal interface 68 via a system I/O interface 70, or directly connected to thelocal interface 68. Thelocal interface 68 can be, for example but not limited to, one or more buses or other wired or wireless connections, as is known in the art. Thelocal interface 68 may have additional elements, which are omitted for simplicity, such as controllers, buffers (caches), drivers, repeaters, and receivers, to enable communications. Further, the local interface may include address, control, and/or data connections to enable appropriate communications among the aforementioned components. - The
processor 62 is a hardware device for executing software, particularly that stored inmemory 66. Theprocessor 62 can be any custom made or commercially available processor, a central processing unit (CPU), an auxiliary processor among several processors, a semiconductor based microprocessor (in the form of a microchip or chip set), a macroprocessor, or generally any device for executing software instructions. - The
memory 66 can include any one or combination of volatile memory elements (e.g. random access memory (RAM, such as DRAM, SRAM, SDRAM, etc.)) and nonvolatile memory elements (e.g. ROM, hard drive, tape, CDROM, etc.). Moreover, thememory 66 may incorporate electronic, magnetic, optical, and/or other types of storage media. Note that thememory 66 can have a distributed architecture, where various components are situated remote from one another, but can be accessed by theprocessor 62. - The software and/or firmware in
memory 66 may include one or more separate programs, each of which comprises an ordered listing of executable instructions for implementing logical functions. In the example ofFIG. 6 , the software in thememory 66 can include MEA, TGE or RAE logic and a suitable operating system (O/S). The operating system essentially controls the execution of other computer programs, and provides scheduling, input-output control, file and data management, memory management, and communication control and related services. - The logic is a source program, executable program (object code), script, or any other entity comprising a set of instructions to be performed. When the logic is implemented as a source program, then the program needs to be translated via a compiler, assembler, interpreter, or the like, which may or may not be included within the
memory 66, so as to operate properly in connection with the O/S. Furthermore, logic can be written as (a) an object oriented programming language, which has classes of data and methods, or (b) a procedure programming language, which has routines, subroutines, and/or functions, for example but not limited to, C, C++, Pascal, Basic, Fortran, Cobol, Perl, Java, and Ada. - The I/O devices may include input devices, for example but not limited to, a keyboard, mouse, scanner, microphone, etc. Furthermore, the I/O devices may also include output devices, for example but not limited to, a printer, display, etc. Finally, the I/O devices may further include devices that communicate both inputs and outputs, for instance but not limited to, a modulator/demodulator (modem; for accessing another device, system, or network), a radio frequency (RF) or other transceiver, a telephonic interface, a bridge, a router, etc.
- When the logic is implemented in software, as is shown in
FIG. 60 , it should be noted that logic can be stored on any computer-readable medium for use by or in connection with any computer related system or method. The logic can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. In the context of this document, a “computer-readable medium” can be any means that can store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The computer-readable medium can be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. More specific examples (a nonexhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic) having one or more wires, a portable computer diskette (magnetic), a random access memory (RAM) (electronic), a read-only memory (ROM) (electronic), an erasable programmable read-only memory (EPROM, EEPROM, or Flash memory) (electronic), an optical fiber (optical), and a portable compact disc read-only memory (CDROM) (optical). Note that the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory. - In an alternative embodiment, where the logic is implemented in hardware, the logic can be implemented with any or a combination of the following technologies, which are each well known in the art: a discrete logic circuit(s) having logic gates for implementing logic functions upon data signals, an application specific integrated circuit (ASIC) having appropriate combinational logic gates, a programmable gate array(s) (PGA), a field programmable gate array (FPGA), etc.
- A. MEA
- Referring to
FIG. 7 , a block diagram depicting a preferred embodiment of logic of theMEA 34 of thesystem 10 for the non-invasive monitoring of electronic security services is shown. The MEA logic could exist in memory, such asmemory 66 ofFIG. 6 . In other embodiment, the MEA logic could be resident in a monitoring device, utilizing the device hardware. TheMEA 34 includes asniffer module 72, aninnoculator module 74, an analyzer module 76, anevaluator module 78 and acommunicator module 80. In an alternative embodiment, theMEA 36 includes a decryption/encryption module and a cryptographic key module. Thesniffer module 72 in a preferred embodiment couples to theoperating system 73 and a network interface card (not shown) for communicating with the provider network via the customer network, in which theMEA 36 is generally located. In a preferred embodiment, thecommunicator module 80 couples to theoperating system 73, analyzer module 76,evaluator module 78 andinnoculator module 74. Theevaluator module 78 in a preferred embodiment couples to theoperating system 73,communicator module 80, analyzer module 76, andinnoculator module 74. In a preferred embodiment, theinnoculator module 74 couples to theevaluator module 78 andcommunicator module 80. The operating system also couples to other or existingsoftware applications 84. - 1. Sniffer Module
- The
sniffer module 72 observes all the packets such that patterns can be identified. - 2. Innoculator Module
- The
innoculator module 74 checks for special code/bits in packets and/or checks pre-received communication for a pre-planned attack or test. For instance, theinnoculator module 74 can check for an authenticated and encrypted message from theRAE 38 orTGE 36 with a date/time stamped list of scheduled attacks or tests. - 3. Analyzer Module
- The analyzer module 76 receives or determines the list of open ports and active services on the customer's
network network - In the case where an intrusion detection system is used, the analyzer module 76 can monitor attacks detected. In the case of a deception host, the analyzer module 76 monitors hacker activities such as probes, accesses and rootkit or hacker tool insertion. A matching algorithm can be used to determine potential associations with a pre-planned test or list of active tests. Thus, the progress of a denatured attack or test can be monitored so that it can be reported properly to the
RAE 38. - 4. Evaluator Module
- The
evaluator module 78 determines which attacks or tests would have caused damage if not denatured. - 5. Communicator Module
- The
communicator module 80 listens and talks to the network provider'scentralized RAE 38 andTGE 36. - The
communicator module 80 acts as the communications interface between the other modules. It receives communications from theprovider network 14 and likewise accepts communication from the tester in order to transmit these over the provider network. Thecommunicator module 80 functions as a translator. Such translation is needed since software components, i.e., the modules of theRAE 38, typically use data in somewhat different technical form or format than the form or format of data, which is transported over atypical provider network 14. Thecommunicator module 80 can use well-known methods for secure authenticated network communications, e.g., IPSEC, SSL, or SSH when communicating withTGEs 36 and theRAE 38. Via authentication, these secure communication methods ensure that no unauthorized entity can masquerade as aTGE 36,RAE 38, orMEA 34 i.e., impersonate aTGE 36,RAE 38, orMEA 34. Via encryption, it further ensures that no unauthorized entity can intercept, eavesdrop upon, or alter any of the secured communications. Thecommunicator module 80 maintains the shared secrets, cryptographic keys, and/or security certificates utilized to enable these secure communication methods. - Other modules such as a decryption/encryption module can be included to enable the
MEA 36 to look inside encrypted communications, for instance in virtual private networks (VPNs). Another module such as, a cryptographic key module can be included to hold and manage the associated crypto/secret keys. - B. TGE
-
FIG. 8 is a block diagram depicting a preferred embodiment of logic of theTGE 36 of thesystem 10 for the non-invasive monitoring of electronic security services. The TGE logic could exist in memory, such asmemory 66 ofFIG. 6 . In other embodiments, the TGE logic could be resident on a monitored device, utilizing the device hardware. TheTGE 36 includes acommunicator module 86, aserver module 88, acoordinator module 90, atester module 92, and atest library module 94. In a preferred embodiment, theoperating system 73 couples to thecommunicator module 86, other or existingsoftware applications 84, and the network interface card (not shown) utilized for communicating with the provider network. Theserver module 88 in a preferred embodiment couples to thecommunicator module 86 andcoordinator module 90. In a preferred embodiment, thecommunicator module 86 couples to theserver module 88,coordinator module 90,operating system 73 andtester module 92. Thetester module 92 in a preferred embodiment couples to thecommunicator module 86,coordinator module 90, andtest library module 94. In an alternative embodiment, thetest library module 94 has access todatabase 96, such as oracle. - 1. Tester Module
- The
tester module 92 performs the actual testing except for tests, which are initiated byMEAs 34 rather thanTGEs 36. Controlled by thecoordinator module 90, thetester module 92 launches attacks at customer hosts andMEAs 34 as directed. Thetester module 92 utilizes thetest library module 94 to obtain data as to how to construct the tests. For example, for a Land attack, thetester module 92 will consult the library to determine the exact packet structure to employ, and substitutes the target IP address with a denatured IP address into the packet structure to obtain the actual packet to be launched. Thetester module 92 serves as the “weapon,” which obtains its “ammunition” bullets from thetest library module 94, or uses thetest library module 94 to find out how to build its bullets, and then fires them at the targets. - 2. Test Library Module
- The
test library module 94 provides standard database access functionality, e.g., via SQL or Structured Query Language, to enable provisioning and access of a standard database, such as an Oracle database, which contains test or attack related data. Thetester module 92 utilizes this functionality. Thetest library module 94, via its associateddatabase 96 provides the detailed information needed to construct each type of attack based upon test definition data. Because of the large number and growing variety of potential attack types, and because attacks can be quite complex and thus difficult to generate, the amount of data is assumed to require a large database external to the module. In an alternative embodiment, thetest library module 94 aggregates and pre-formats retrieved test definition data for use by thetester module 92. - 3. Coordinator Module
- The
coordinator module 90 obtains schedule information from theRAE 38 via thecommunicator module 86, handshakes with theMEAs 34 via thecommunicator module 86, to signal “ready” and “finished,” and handshakes withother TGEs 36 as appropriate via thecommunicator module 86. Thecoordinator module 90 works with theTGEs 36 for cooperative tests requiringmultiple TGE 36 sources. Thecoordinator module 90 also controls the server so that it is properly set-up to respond to scheduled requests fromMEAs 34, and controls thetester module 92 to launch the appropriate tests, which it has received from theRAE 38 at the appropriate time. EachTGE 36 may also send a “finished” message via thecommunicator module 86 to theRAE 38 to let theRAE 38 know it has completed its portion of testing for a particular customer. This allows theRAE 38 to get ready to receive results from theMEAs 34. - 4. Server Module
- The
server module 88 provides theTGE 36 with standard web, file, and email serving functionality. This is needed since some tests must be initiated by theMEAs 34 rather than theTGEs 36, when requesting web pages, files, or emails which contain a test/attack such as a Javascript exploit, trojan, or virus. In these cases, theclosest TGE 36 acts as the standard server to provide the infected web page, file, or email requested. Once the infected item is provided, the attack will then begin and can be monitored by thepertinent MEA 34. - 5. Communicator Module
- The
communicator module 86 acts as the communications interface between the other modules (except the test library module 94) and the provider network. It receives communications from the provider network in order to provide these to the tester or server, and likewise accepts communication from the tester in order to transmit these over the provider network. Thecommunicator module 86 functions as a translator. Such translation is needed since software components, i.e., the modules of theRAE 38, typically use data in somewhat different technical form or format than the form or format of data, which is transported over a typical provider network. Thecommunicator module 86 can use well-known methods for secure authenticated network communications, e.g., IPSEC, SSL, or SSH when communicating withTGEs 36 and theRAE 38. Via authentication, these secure communication methods ensure that no unauthorized entity can masquerade as aTGE 36,RAE 38, orMEA 34 i.e., impersonate aTGE 36,RAE 38, orMEA 34. Via encryption, they further ensure that no unauthorized entity can intercept, eavesdrop upon, or alter any of the secured communications. Thecommunicator module 86module 86 maintains the shared secrets, cryptographic keys, and/or security certificates utilized to enable these secure communication methods. - C. RAE
-
FIG. 9 is a block diagram depicting a preferred embodiment of logic of theRAE 38 of thesystem 10 for the non-invasive monitoring of electronic security services. The RAE logic could exist in memory, such asmemory 66 ofFIG. 6 . In other embodiments, the RAE logic could be resident in a monitored device, utilizing the device hardware. TheRAE 38 includes ascheduler module 98, aglobal evaluator module 100, adatabase interface module 102, auser interface module 106 and acommunicator module 108. In a preferred embodiment, theoperating system 73 couples to thecommunicator module 108, other or existingsoftware applications 84, and the network interface card (not shown) utilized for communicating with the provider network. Thescheduler module 98 in a preferred embodiment, couples to thecommunicator module 108,database interface module 102 anduser interface module 106. In a preferred embodiment, thecommunicator module 108 couples to theglobal evaluator module 100,scheduler module 98, andoperating system 73. Theglobal evaluator module 100 in a preferred embodiment, couples to thecommunicator module 108 anduser interface module 106. Theuser interface module 106 in a preferred embodiment, couples to thedatabase interface module 102,scheduler module 98,global evaluator module 100, and auser 110. In a preferred embodiment, thedatabase interface module 102 has access to astandard database 104, such as an Oracle database, and couples to thescheduler module 98 anduser interface module 106. - 1. Scheduler Module
- The
scheduler module 98 provides the central test scheduling functionality and makes test schedule information available to TGE 36s and MEAs 34 via thecommunicator module 108. Thescheduler module 98 is controlled by theuser interface module 106. Thescheduler module 98 makes use of thedatabase interface module 102 to include customer information as appropriate, in order to build schedules while incorporating certain data, such as the particular TGE 36s andMEAs 34 serving a particular customer, into the schedule process. - 2. Global Evaluator Module
- The
global evaluator module 100 analyzes data returned by all the MEAs 34 serving a customer in the course of a test cycle, these data being received from theMEAs 34 via thecommunicator module 108. Whereas theMEAs 34 provide local results of tests results obtained by a givenMEA 34 at its location or for its immediate vicinity, theglobal evaluator module 100 uses all of these local results to obtain the overall results of the testing for a given customer. Thus the progress of a test attack can be traced as it made its way through thecustomer network global evaluator module 100 obtains the pertinent test schedule from thescheduler module 98, compares this with theMEA 34 results, and evaluates whetherindividual MEA 34 results or combinations ofMEA 34 results indicate a particular test outcome for the customer. In a preferred embodiment, theglobal evaluator module 100 applies a set of If/Then rules to make this determination for each test included in the schedule e.g., if certain files or memory locations were erased or altered, or if certain email actions occurred, then attack by test # 123 for virus xyz was successful. This evaluation can be wholly implemented via code within theglobal evaluator module 100, or can include the referencing of an “expected test result” database which can be wholly included in the module, or if necessary can be an externally located standard database. - 3. Database Interface Module
- The
database interface module 102 provides standard database access functionality e.g., via Structured Query Language (SQL) to enable provisioning and access of a standard database, such as an Oracle database, which contains customer data. Thescheduler module 98 utilizes this functionality. Theuser interface module 106 can also utilize thedatabase interface module 102 to provision, or load, the database with the necessary customer data. Adata interface module 102 can also be used to provide an interface to an external database for theglobal evaluator module 100. - 4. User Interface Module
- The
user interface module 106 provides standard user interaction functionality via a standard windowing Applications Programming Interface (API) and/or command line capabilities of the underlying operating system, e.g., Unix, Linux, or Windows. Thus theuser 110 can control the system, interact with the system e.g., to provision the database, order tests, set test parameters and cycles, and obtain and manipulate results. - 5. Communicator Module
- The
communicator module 108 acts as the communications interface between the other modules, (except the database interface module 102) and theprovider network 14. It receives communications from the provider network in order to provide these to theglobal evaluator module 100, and likewise accepts communication from thescheduler module 98 in order to transmit these test schedule information and data over the network. Thecommunicator module 108 basically functions as a translator and is analogous to such functionality, which is found in many systems utilizing communications with other entities. Such translation is needed since software components, including for instance the modules of theRAE 38, typically use data in somewhat different technical form or format than the form or format of data which is transported over a typical network. Thecommunicator module 108 can use well-known methods for secure authenticated network communications, e.g., IPSEC, SSL, or SSH when communicating withTGEs 36 andMEAs 34. Via authentication, these secure communication methods ensure that no unauthorized entity can masquerade as aTGE 36,RAE 38, orMEA 34 i.e., impersonate aTGE 36,RAE 38, orMEA 34. Via encryption, thecommunicator module 108 further ensures that no unauthorized entity can intercept, eavesdrop upon, or alter any of the secured communications. Thecommunicator module 108 maintains the shared secrets, cryptographic keys, and/or security certificates utilized to enable these secure communication methods. - D. Example of Virus or Mal-Ware Code
-
FIG. 10 is a block diagram 112 of an illustrative example of altering a harmful code in a virus or program, i.e., mal-ware code. The code is shown in a hexadecimal, or base-16, notation, e.g., 1, 2, 3 . . . A, B, C . . . F. Signature checkers, for instance, anti-virus software, uses a portion of the code, A3555F77 to identify the presence of a virus. This portion of the code is not altered. A portion of the code, 632AA098, performs a harmful action. This portion of the code is altered. These code portions are typically different and are located in different locations within the code for each and every different virus or mal-ware used. Analysis of each virus or mal-ware is performed to determine both the location of the pertinent code portions, and the appropriate alteration needed to denature the code portions, which perform harmful actions. The harmful portion of the code, i.e., 632AA098, is altered to, F555555F, rendering the harmful portion of the code harmless. - E. Example of Denaturing a Bad Data Packet
-
FIG. 11 is a block diagram 114 preferred embodiment of an illustrative example of denaturing a bad data packet. Additional fields, such as checksums, length fields, protocol conversion fields, etc., are not shown for simplicity. The block diagram ofFIG. 11 shows a simplified example packet that could be used in a Land attack. Generally, a Land attack is a denial of service attack or crash attack wherein a TCP SYN packet (e.g., connection initiation) is sent that uses the same source and destination addressed for the target machine's IP address and port. This often causes operating systems to hang or crash, unless they are specifically designed and tested to resist such an attack. In the example of a Land attack shown inFIG. 11 , the destination address is changed in order to denature the attack by “redirection.” Land attacks typically have the same destination address and source address, and thus the source address is also being changed in this example. Changing the source address is necessary to maintain an equal relationship between the destination address and sources address to retain a suitably harmful appearance. - In an alternative embodiment, the source address need not be changed when the particular attack does not have a relationship between the destination address and the source address. In another alternative embodiment, it may be necessary to change other parts of the packet if the particular attack is defined by some relationship between the altered destination address and those other parts of the packet and the relationship should be maintained.
- Referring to
FIG. 11 , the data packet includes fields for type ofservice 116, source address andport 118, destination address andport 120,flags 122 anddata payload 124. In the Land attack, and some other attacks, the harmful characteristic is source address and port equal to the destination address and port. The harmful characteristic cannot itself be altered since that change makes the packet both harmless and no different from any regular packet, such that no security measure, even if interceding, would have any reason to block it. Thus, the destination address is changed. The potentially harmful packet is then directed at aMEA 34 near the target rather than the target itself. This process is called “denaturing by re-direction.” Due to the properties of the Land attack, the source address is also changed. Both the source and destination addresses are changed from 10.1.1.1 to 10.1.1.33. Address 10.1.1.33 is the address of a nearby knownMEA 34, which will receive the attack, if the attack is not blocked in transit to theMEA 34. - The example packet of
FIG. 11 also includes another attack. This involves including the harmful portion of the packet in thedata payload 124. An analysis of the bad packet attack type is necessary to determine both the location of the pertinent data elements and the appropriate alteration needed for the specific element or elements which cause harmful effect or effects. Referring toFIG. 11 , to denature an attack against thedata payload 124, an identifier code number is added to the payload so that MEAs 34 will be able to keep track and check against pre-scheduled attacks. For thedata payload 124 ofFIG. 2 , an identified code of 111 . . . 0010, is added to thedata payload 124. -
FIG. 12 is a flow chart depicting general functionality of a preferred embodiment of a system for the non-invasive monitoring of electronic security services. The process begins at 130. At 132, a denatured attack is launched across a customer's network. In a preferred embodiment, the attack is launched using a TGE. At 134, the customer's network is monitored. In a preferred embodiment, the customer's network is monitored using a MEA. In an alternative embodiment, the customer's network is monitored prior to the launch of a denatured attack. In another alternative embodiment, the customer's network is monitored during the launch of the denatured attack. At 136, the results of the denatured attack are analyzed. In an alternative embodiment, the results of the denatured attack are analyzed during the launch of a denatured attack. The process ends at 138. -
FIGS. 13A and 13B are flow charts depicting more specific functionality of a preferred embodiment of a system for the non-invasive monitoring of electronic security services. The process begins at 140. At 142, the service provider selects the customer that will be monitored and/or receive a denatured attack. At 144, an examination of the customer's current records occurs. The examination includes, among others, obtaining the MEA list, host and network configurations and services utilized by the customer. At 146, the service provider selects the pertinent tests to perform over the customer's network. The tests performed are based on certain parameters such as the design and topology of the customer's network, perceived threats and any unique customer concerns about the security of its network. At 148, each MEA is polled for configuration changes. Any configuration changes found are added to the current customer information and the test selection modified to accommodate the configuration changed. At 150, the test list is finalized and scheduled. In addition, the TGEs and MEAs that will be used in the test are selected. - At 152, the schedule for the test is sent to the TGEs and MEAs. The schedule is sent to the TGEs that will generate the attacks and the MEAs that will originate any passive attacks. The schedule also serves to inform the MEAs of planned attacks. At 154, the MEAs and TGEs perform handshake functions for a “ready” state.
- Referring now to
FIG. 13B , at 156, TGEs run tests against customer's network(s). In a preferred embodiment, the tests are run over a long period of time, for example, a week or a month. At 158, the MEAs detect and evaluate the effects of the tests. At 160, the MEAs originate any passive tests. At 162, each MEA provides rate feedback to the TGEs (those TGEs which originate the tests/attacks the MEA is monitoring). The rate feedback consists of data instructing each associated TGE to appropriately modify its rate of test generation and launching based on the MEA's monitoring/determination of test rates exceeding (or falling below) pre-set maximum (or minimum) thresholds, or otherwise exceeding (or falling below) test constraints pre-set or calculated by algorithmic means. At 164, the MEAs determine when the test cycles are finished utilizing a handshake with finished TGEs or based upon the completion of a scheduled test. At 166, each MEA sends its results to the RAE. At 168, the RAE analyzes, records and reports on the results of the tests for on the results of the tests for the selected customer. In a preferred embodiment, the results of the tests are summarized globally for the selected customer but may be localized as needed. At 170, the process ends. - Any process descriptions or blocks in flow charts should be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps in the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
- An advantage of this invention is that it provides for a set of harmless attacks against a customer's system that tests the effectiveness of the customer's electronic security services.
- Another advantage of this invention is that the results of the harmless attacks can be monitored and a record of results maintained.
- Still another advantage of this invention is that it performs the denatured attacks to a customer's network in a non-invasive method, for instance denatured attacks scheduled over a long period of time so as not to be noticeable by the customer. Further, feedback from the MEAs to the TGEs can adjust the rate of test launching so that the tests remain unobtrusive yet are completed in a timely manner.
- It should be emphasized that the above-described embodiments of the present invention, particularly, any “preferred” embodiments, are merely possible examples of implementations, merely set forth for a clear understanding of the principles of the invention. Many variations and modifications may be made to the above-described embodiment(s) of the invention without departing substantially from the spirit and principles of the invention. All such modifications and variations are intended to be included herein within the scope of this disclosure and the present invention and protected by the following claims.
Claims (1)
1. A system for the non-invasive monitoring of the effectiveness of a customer's electronic security services, comprising:
a test generation engine for generating and launching a denatured attack towards a customer's network;
an agent operatively coupled to the test generation engine, the agent adapted to monitor and evaluate the denatured attack; and
a recording and analysis engine operatively coupled to the test generation engine and the agent, the recording and analysis engine adapted to record and analyze results of the denatured attack.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/390,766 US20090172813A1 (en) | 2002-05-29 | 2009-02-23 | Non-Invasive Monitoring of the Effectiveness of Electronic Security Services |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/159,757 US7509675B2 (en) | 2002-05-29 | 2002-05-29 | Non-invasive monitoring of the effectiveness of electronic security services |
US12/390,766 US20090172813A1 (en) | 2002-05-29 | 2009-02-23 | Non-Invasive Monitoring of the Effectiveness of Electronic Security Services |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/159,757 Continuation US7509675B2 (en) | 2002-05-29 | 2002-05-29 | Non-invasive monitoring of the effectiveness of electronic security services |
Publications (1)
Publication Number | Publication Date |
---|---|
US20090172813A1 true US20090172813A1 (en) | 2009-07-02 |
Family
ID=40347726
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/159,757 Expired - Fee Related US7509675B2 (en) | 2002-05-29 | 2002-05-29 | Non-invasive monitoring of the effectiveness of electronic security services |
US12/390,766 Abandoned US20090172813A1 (en) | 2002-05-29 | 2009-02-23 | Non-Invasive Monitoring of the Effectiveness of Electronic Security Services |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/159,757 Expired - Fee Related US7509675B2 (en) | 2002-05-29 | 2002-05-29 | Non-invasive monitoring of the effectiveness of electronic security services |
Country Status (1)
Country | Link |
---|---|
US (2) | US7509675B2 (en) |
Cited By (27)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2016035083A3 (en) * | 2014-09-06 | 2016-04-21 | Andriani Matthew | Non-disruptive ddos testing |
US9836512B1 (en) * | 2016-05-11 | 2017-12-05 | Acalvio Technologies, Inc. | Systems and methods for identifying similar hosts |
US10038711B1 (en) | 2017-01-30 | 2018-07-31 | XM Ltd. | Penetration testing of a networked system |
US10068095B1 (en) | 2017-05-15 | 2018-09-04 | XM Cyber Ltd | Systems and methods for selecting a termination rule for a penetration testing campaign |
US10122750B2 (en) | 2017-01-30 | 2018-11-06 | XM Cyber Ltd | Setting-up penetration testing campaigns |
US10257220B2 (en) | 2017-01-30 | 2019-04-09 | Xm Cyber Ltd. | Verifying success of compromising a network node during penetration testing of a networked system |
US10367846B2 (en) | 2017-11-15 | 2019-07-30 | Xm Cyber Ltd. | Selectively choosing between actual-attack and simulation/evaluation for validating a vulnerability of a network node during execution of a penetration testing campaign |
US10382473B1 (en) | 2018-09-12 | 2019-08-13 | Xm Cyber Ltd. | Systems and methods for determining optimal remediation recommendations in penetration testing |
US10412112B2 (en) | 2017-08-31 | 2019-09-10 | Xm Cyber Ltd. | Time-tagged pre-defined scenarios for penetration testing |
US10440044B1 (en) | 2018-04-08 | 2019-10-08 | Xm Cyber Ltd. | Identifying communicating network nodes in the same local network |
US10447721B2 (en) | 2017-09-13 | 2019-10-15 | Xm Cyber Ltd. | Systems and methods for using multiple lateral movement strategies in penetration testing |
US10462177B1 (en) | 2019-02-06 | 2019-10-29 | Xm Cyber Ltd. | Taking privilege escalation into account in penetration testing campaigns |
US10469521B1 (en) | 2018-11-04 | 2019-11-05 | Xm Cyber Ltd. | Using information about exportable data in penetration testing |
US10534917B2 (en) | 2017-06-20 | 2020-01-14 | Xm Cyber Ltd. | Testing for risk of macro vulnerability |
US10574687B1 (en) | 2018-12-13 | 2020-02-25 | Xm Cyber Ltd. | Systems and methods for dynamic removal of agents from nodes of penetration testing systems |
US10574684B2 (en) | 2017-07-09 | 2020-02-25 | Xm Cyber Ltd. | Locally detecting phishing weakness |
US10581802B2 (en) | 2017-03-16 | 2020-03-03 | Keysight Technologies Singapore (Sales) Pte. Ltd. | Methods, systems, and computer readable media for advertising network security capabilities |
US10637883B1 (en) | 2019-07-04 | 2020-04-28 | Xm Cyber Ltd. | Systems and methods for determining optimal remediation recommendations in penetration testing |
US10686822B2 (en) | 2017-01-30 | 2020-06-16 | Xm Cyber Ltd. | Systems and methods for selecting a lateral movement strategy for a penetration testing campaign |
US10880326B1 (en) | 2019-08-01 | 2020-12-29 | Xm Cyber Ltd. | Systems and methods for determining an opportunity for node poisoning in a penetration testing campaign, based on actual network traffic |
US11005878B1 (en) | 2019-11-07 | 2021-05-11 | Xm Cyber Ltd. | Cooperation between reconnaissance agents in penetration testing campaigns |
US11206281B2 (en) | 2019-05-08 | 2021-12-21 | Xm Cyber Ltd. | Validating the use of user credentials in a penetration testing campaign |
US11283827B2 (en) | 2019-02-28 | 2022-03-22 | Xm Cyber Ltd. | Lateral movement strategy during penetration testing of a networked system |
US11533329B2 (en) | 2019-09-27 | 2022-12-20 | Keysight Technologies, Inc. | Methods, systems and computer readable media for threat simulation and threat mitigation recommendations |
US11575700B2 (en) | 2020-01-27 | 2023-02-07 | Xm Cyber Ltd. | Systems and methods for displaying an attack vector available to an attacker of a networked system |
US11582256B2 (en) | 2020-04-06 | 2023-02-14 | Xm Cyber Ltd. | Determining multiple ways for compromising a network node in a penetration testing campaign |
WO2023057950A1 (en) * | 2021-10-07 | 2023-04-13 | Mazebolt Technologies Ltd. | Non-disruptive diagnostic and attack testing methods and systems |
Families Citing this family (211)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8260961B1 (en) * | 2002-10-01 | 2012-09-04 | Trustwave Holdings, Inc. | Logical / physical address state lifecycle management |
US8136155B2 (en) * | 2003-04-01 | 2012-03-13 | Check Point Software Technologies, Inc. | Security system with methodology for interprocess communication control |
US8095982B1 (en) | 2005-03-15 | 2012-01-10 | Mu Dynamics, Inc. | Analyzing the security of communication protocols and channels for a pass-through device |
US8095983B2 (en) * | 2005-03-15 | 2012-01-10 | Mu Dynamics, Inc. | Platform for analyzing the security of communication protocols and channels |
US8316447B2 (en) * | 2006-09-01 | 2012-11-20 | Mu Dynamics, Inc. | Reconfigurable message-delivery preconditions for delivering attacks to analyze the security of networked systems |
US9172611B2 (en) | 2006-09-01 | 2015-10-27 | Spirent Communications, Inc. | System and method for discovering assets and functional relationships in a network |
US7958230B2 (en) | 2008-09-19 | 2011-06-07 | Mu Dynamics, Inc. | Test driven deployment and monitoring of heterogeneous network systems |
US7954161B1 (en) | 2007-06-08 | 2011-05-31 | Mu Dynamics, Inc. | Mechanism for characterizing soft failures in systems under attack |
US7774637B1 (en) | 2007-09-05 | 2010-08-10 | Mu Dynamics, Inc. | Meta-instrumentation for security analysis |
US8871096B2 (en) * | 2007-09-10 | 2014-10-28 | Res Usa, Llc | Magnetic separation combined with dynamic settling for fischer-tropsch processes |
US8250658B2 (en) * | 2007-09-20 | 2012-08-21 | Mu Dynamics, Inc. | Syntax-based security analysis using dynamically generated test cases |
US20100107257A1 (en) * | 2008-10-29 | 2010-04-29 | International Business Machines Corporation | System, method and program product for detecting presence of malicious software running on a computer system |
US20110030059A1 (en) * | 2009-07-30 | 2011-02-03 | Greenwald Lloyd G | Method for testing the security posture of a system |
JP2013523043A (en) | 2010-03-22 | 2013-06-13 | エルアールディシー システムズ、エルエルシー | How to identify and protect the integrity of a source dataset |
US8463860B1 (en) | 2010-05-05 | 2013-06-11 | Spirent Communications, Inc. | Scenario based scale testing |
US8547974B1 (en) | 2010-05-05 | 2013-10-01 | Mu Dynamics | Generating communication protocol test cases based on network traffic |
US9106514B1 (en) | 2010-12-30 | 2015-08-11 | Spirent Communications, Inc. | Hybrid network software provision |
US8464219B1 (en) | 2011-04-27 | 2013-06-11 | Spirent Communications, Inc. | Scalable control system for test execution and monitoring utilizing multiple processors |
US8949992B2 (en) * | 2011-05-31 | 2015-02-03 | International Business Machines Corporation | Detecting persistent vulnerabilities in web applications |
US8972543B1 (en) | 2012-04-11 | 2015-03-03 | Spirent Communications, Inc. | Managing clients utilizing reverse transactions |
US10009065B2 (en) | 2012-12-05 | 2018-06-26 | At&T Intellectual Property I, L.P. | Backhaul link for distributed antenna system |
US9113347B2 (en) | 2012-12-05 | 2015-08-18 | At&T Intellectual Property I, Lp | Backhaul link for distributed antenna system |
US9398038B2 (en) | 2013-02-08 | 2016-07-19 | PhishMe, Inc. | Collaborative phishing attack detection |
US9356948B2 (en) | 2013-02-08 | 2016-05-31 | PhishMe, Inc. | Collaborative phishing attack detection |
US8966637B2 (en) | 2013-02-08 | 2015-02-24 | PhishMe, Inc. | Performance benchmarking for simulated phishing attacks |
US9253207B2 (en) | 2013-02-08 | 2016-02-02 | PhishMe, Inc. | Collaborative phishing attack detection |
US9053326B2 (en) | 2013-02-08 | 2015-06-09 | PhishMe, Inc. | Simulated phishing attack with sequential messages |
US9999038B2 (en) | 2013-05-31 | 2018-06-12 | At&T Intellectual Property I, L.P. | Remote distributed antenna system |
US9525524B2 (en) | 2013-05-31 | 2016-12-20 | At&T Intellectual Property I, L.P. | Remote distributed antenna system |
US8897697B1 (en) | 2013-11-06 | 2014-11-25 | At&T Intellectual Property I, Lp | Millimeter-wave surface-wave communications |
US9209902B2 (en) | 2013-12-10 | 2015-12-08 | At&T Intellectual Property I, L.P. | Quasi-optical coupler |
US9262629B2 (en) | 2014-01-21 | 2016-02-16 | PhishMe, Inc. | Methods and systems for preventing malicious use of phishing simulation records |
US9692101B2 (en) | 2014-08-26 | 2017-06-27 | At&T Intellectual Property I, L.P. | Guided wave couplers for coupling electromagnetic waves between a waveguide surface and a surface of a wire |
US9768833B2 (en) | 2014-09-15 | 2017-09-19 | At&T Intellectual Property I, L.P. | Method and apparatus for sensing a condition in a transmission medium of electromagnetic waves |
US10063280B2 (en) | 2014-09-17 | 2018-08-28 | At&T Intellectual Property I, L.P. | Monitoring and mitigating conditions in a communication network |
US9628854B2 (en) | 2014-09-29 | 2017-04-18 | At&T Intellectual Property I, L.P. | Method and apparatus for distributing content in a communication network |
US9615269B2 (en) | 2014-10-02 | 2017-04-04 | At&T Intellectual Property I, L.P. | Method and apparatus that provides fault tolerance in a communication network |
US9685992B2 (en) | 2014-10-03 | 2017-06-20 | At&T Intellectual Property I, L.P. | Circuit panel network and methods thereof |
US9503189B2 (en) | 2014-10-10 | 2016-11-22 | At&T Intellectual Property I, L.P. | Method and apparatus for arranging communication sessions in a communication system |
US9762289B2 (en) | 2014-10-14 | 2017-09-12 | At&T Intellectual Property I, L.P. | Method and apparatus for transmitting or receiving signals in a transportation system |
US9973299B2 (en) | 2014-10-14 | 2018-05-15 | At&T Intellectual Property I, L.P. | Method and apparatus for adjusting a mode of communication in a communication network |
US9769020B2 (en) | 2014-10-21 | 2017-09-19 | At&T Intellectual Property I, L.P. | Method and apparatus for responding to events affecting communications in a communication network |
US9312919B1 (en) | 2014-10-21 | 2016-04-12 | At&T Intellectual Property I, Lp | Transmission device with impairment compensation and methods for use therewith |
US9653770B2 (en) | 2014-10-21 | 2017-05-16 | At&T Intellectual Property I, L.P. | Guided wave coupler, coupling module and methods for use therewith |
US9627768B2 (en) | 2014-10-21 | 2017-04-18 | At&T Intellectual Property I, L.P. | Guided-wave transmission device with non-fundamental mode propagation and methods for use therewith |
US9520945B2 (en) | 2014-10-21 | 2016-12-13 | At&T Intellectual Property I, L.P. | Apparatus for providing communication services and methods thereof |
US9564947B2 (en) | 2014-10-21 | 2017-02-07 | At&T Intellectual Property I, L.P. | Guided-wave transmission device with diversity and methods for use therewith |
US9780834B2 (en) | 2014-10-21 | 2017-10-03 | At&T Intellectual Property I, L.P. | Method and apparatus for transmitting electromagnetic waves |
US9577306B2 (en) | 2014-10-21 | 2017-02-21 | At&T Intellectual Property I, L.P. | Guided-wave transmission device and methods for use therewith |
US9571517B2 (en) * | 2014-11-11 | 2017-02-14 | Goldman, Sachs & Co. | Synthetic cyber-risk model for vulnerability determination |
US9654173B2 (en) | 2014-11-20 | 2017-05-16 | At&T Intellectual Property I, L.P. | Apparatus for powering a communication device and methods thereof |
US10243784B2 (en) | 2014-11-20 | 2019-03-26 | At&T Intellectual Property I, L.P. | System for generating topology information and methods thereof |
US9680670B2 (en) | 2014-11-20 | 2017-06-13 | At&T Intellectual Property I, L.P. | Transmission device with channel equalization and control and methods for use therewith |
US10340573B2 (en) | 2016-10-26 | 2019-07-02 | At&T Intellectual Property I, L.P. | Launcher with cylindrical coupling device and methods for use therewith |
US9997819B2 (en) | 2015-06-09 | 2018-06-12 | At&T Intellectual Property I, L.P. | Transmission medium and method for facilitating propagation of electromagnetic waves via a core |
US9544006B2 (en) | 2014-11-20 | 2017-01-10 | At&T Intellectual Property I, L.P. | Transmission device with mode division multiplexing and methods for use therewith |
US9461706B1 (en) | 2015-07-31 | 2016-10-04 | At&T Intellectual Property I, Lp | Method and apparatus for exchanging communication signals |
US9742462B2 (en) | 2014-12-04 | 2017-08-22 | At&T Intellectual Property I, L.P. | Transmission medium and communication interfaces and methods for use therewith |
US9800327B2 (en) | 2014-11-20 | 2017-10-24 | At&T Intellectual Property I, L.P. | Apparatus for controlling operations of a communication device and methods thereof |
US10009067B2 (en) | 2014-12-04 | 2018-06-26 | At&T Intellectual Property I, L.P. | Method and apparatus for configuring a communication interface |
US9954287B2 (en) | 2014-11-20 | 2018-04-24 | At&T Intellectual Property I, L.P. | Apparatus for converting wireless signals and electromagnetic waves and methods thereof |
US9906538B2 (en) * | 2014-12-03 | 2018-02-27 | Guardicore Ltd. | Automatic network attack detection and remediation using information collected by honeypots |
US9712555B2 (en) * | 2014-12-03 | 2017-07-18 | Phantom Cyber Corporation | Automated responses to security threats |
US10144036B2 (en) | 2015-01-30 | 2018-12-04 | At&T Intellectual Property I, L.P. | Method and apparatus for mitigating interference affecting a propagation of electromagnetic waves guided by a transmission medium |
US9876570B2 (en) | 2015-02-20 | 2018-01-23 | At&T Intellectual Property I, Lp | Guided-wave transmission device with non-fundamental mode propagation and methods for use therewith |
US9749013B2 (en) | 2015-03-17 | 2017-08-29 | At&T Intellectual Property I, L.P. | Method and apparatus for reducing attenuation of electromagnetic waves guided by a transmission medium |
US9906539B2 (en) | 2015-04-10 | 2018-02-27 | PhishMe, Inc. | Suspicious message processing and incident response |
US9705561B2 (en) | 2015-04-24 | 2017-07-11 | At&T Intellectual Property I, L.P. | Directional coupling device and methods for use therewith |
US10224981B2 (en) | 2015-04-24 | 2019-03-05 | At&T Intellectual Property I, Lp | Passive electrical coupling device and methods for use therewith |
US9948354B2 (en) | 2015-04-28 | 2018-04-17 | At&T Intellectual Property I, L.P. | Magnetic coupling device with reflective plate and methods for use therewith |
US9793954B2 (en) | 2015-04-28 | 2017-10-17 | At&T Intellectual Property I, L.P. | Magnetic coupling device and methods for use therewith |
US9748626B2 (en) | 2015-05-14 | 2017-08-29 | At&T Intellectual Property I, L.P. | Plurality of cables having different cross-sectional shapes which are bundled together to form a transmission medium |
US9490869B1 (en) | 2015-05-14 | 2016-11-08 | At&T Intellectual Property I, L.P. | Transmission medium having multiple cores and methods for use therewith |
US9871282B2 (en) | 2015-05-14 | 2018-01-16 | At&T Intellectual Property I, L.P. | At least one transmission medium having a dielectric surface that is covered at least in part by a second dielectric |
US10679767B2 (en) | 2015-05-15 | 2020-06-09 | At&T Intellectual Property I, L.P. | Transmission medium having a conductive material and methods for use therewith |
US10650940B2 (en) | 2015-05-15 | 2020-05-12 | At&T Intellectual Property I, L.P. | Transmission medium having a conductive material and methods for use therewith |
US9917341B2 (en) | 2015-05-27 | 2018-03-13 | At&T Intellectual Property I, L.P. | Apparatus and method for launching electromagnetic waves and for modifying radial dimensions of the propagating electromagnetic waves |
US9912381B2 (en) | 2015-06-03 | 2018-03-06 | At&T Intellectual Property I, Lp | Network termination and methods for use therewith |
US9866309B2 (en) | 2015-06-03 | 2018-01-09 | At&T Intellectual Property I, Lp | Host node device and methods for use therewith |
US10103801B2 (en) | 2015-06-03 | 2018-10-16 | At&T Intellectual Property I, L.P. | Host node device and methods for use therewith |
US10348391B2 (en) | 2015-06-03 | 2019-07-09 | At&T Intellectual Property I, L.P. | Client node device with frequency conversion and methods for use therewith |
US10812174B2 (en) | 2015-06-03 | 2020-10-20 | At&T Intellectual Property I, L.P. | Client node device and methods for use therewith |
US10154493B2 (en) | 2015-06-03 | 2018-12-11 | At&T Intellectual Property I, L.P. | Network termination and methods for use therewith |
US9913139B2 (en) | 2015-06-09 | 2018-03-06 | At&T Intellectual Property I, L.P. | Signal fingerprinting for authentication of communicating devices |
US10142086B2 (en) | 2015-06-11 | 2018-11-27 | At&T Intellectual Property I, L.P. | Repeater and methods for use therewith |
US9608692B2 (en) | 2015-06-11 | 2017-03-28 | At&T Intellectual Property I, L.P. | Repeater and methods for use therewith |
US9820146B2 (en) | 2015-06-12 | 2017-11-14 | At&T Intellectual Property I, L.P. | Method and apparatus for authentication and identity management of communicating devices |
US9667317B2 (en) | 2015-06-15 | 2017-05-30 | At&T Intellectual Property I, L.P. | Method and apparatus for providing security using network traffic adjustments |
US9865911B2 (en) | 2015-06-25 | 2018-01-09 | At&T Intellectual Property I, L.P. | Waveguide system for slot radiating first electromagnetic waves that are combined into a non-fundamental wave mode second electromagnetic wave on a transmission medium |
US9640850B2 (en) | 2015-06-25 | 2017-05-02 | At&T Intellectual Property I, L.P. | Methods and apparatus for inducing a non-fundamental wave mode on a transmission medium |
US9509415B1 (en) | 2015-06-25 | 2016-11-29 | At&T Intellectual Property I, L.P. | Methods and apparatus for inducing a fundamental wave mode on a transmission medium |
US9882257B2 (en) | 2015-07-14 | 2018-01-30 | At&T Intellectual Property I, L.P. | Method and apparatus for launching a wave mode that mitigates interference |
US10205655B2 (en) | 2015-07-14 | 2019-02-12 | At&T Intellectual Property I, L.P. | Apparatus and methods for communicating utilizing an antenna array and multiple communication paths |
US10033107B2 (en) | 2015-07-14 | 2018-07-24 | At&T Intellectual Property I, L.P. | Method and apparatus for coupling an antenna to a device |
US9847566B2 (en) | 2015-07-14 | 2017-12-19 | At&T Intellectual Property I, L.P. | Method and apparatus for adjusting a field of a signal to mitigate interference |
US10044409B2 (en) | 2015-07-14 | 2018-08-07 | At&T Intellectual Property I, L.P. | Transmission medium and methods for use therewith |
US10148016B2 (en) | 2015-07-14 | 2018-12-04 | At&T Intellectual Property I, L.P. | Apparatus and methods for communicating utilizing an antenna array |
US10341142B2 (en) | 2015-07-14 | 2019-07-02 | At&T Intellectual Property I, L.P. | Apparatus and methods for generating non-interfering electromagnetic waves on an uninsulated conductor |
US9722318B2 (en) | 2015-07-14 | 2017-08-01 | At&T Intellectual Property I, L.P. | Method and apparatus for coupling an antenna to a device |
US9853342B2 (en) | 2015-07-14 | 2017-12-26 | At&T Intellectual Property I, L.P. | Dielectric transmission medium connector and methods for use therewith |
US9628116B2 (en) | 2015-07-14 | 2017-04-18 | At&T Intellectual Property I, L.P. | Apparatus and methods for transmitting wireless signals |
US10170840B2 (en) | 2015-07-14 | 2019-01-01 | At&T Intellectual Property I, L.P. | Apparatus and methods for sending or receiving electromagnetic signals |
US10033108B2 (en) | 2015-07-14 | 2018-07-24 | At&T Intellectual Property I, L.P. | Apparatus and methods for generating an electromagnetic wave having a wave mode that mitigates interference |
US10320586B2 (en) | 2015-07-14 | 2019-06-11 | At&T Intellectual Property I, L.P. | Apparatus and methods for generating non-interfering electromagnetic waves on an insulated transmission medium |
US9836957B2 (en) | 2015-07-14 | 2017-12-05 | At&T Intellectual Property I, L.P. | Method and apparatus for communicating with premises equipment |
US10090606B2 (en) | 2015-07-15 | 2018-10-02 | At&T Intellectual Property I, L.P. | Antenna system with dielectric array and methods for use therewith |
US9793951B2 (en) | 2015-07-15 | 2017-10-17 | At&T Intellectual Property I, L.P. | Method and apparatus for launching a wave mode that mitigates interference |
US9608740B2 (en) | 2015-07-15 | 2017-03-28 | At&T Intellectual Property I, L.P. | Method and apparatus for launching a wave mode that mitigates interference |
US9912027B2 (en) | 2015-07-23 | 2018-03-06 | At&T Intellectual Property I, L.P. | Method and apparatus for exchanging communication signals |
US9948333B2 (en) | 2015-07-23 | 2018-04-17 | At&T Intellectual Property I, L.P. | Method and apparatus for wireless communications to mitigate interference |
US9871283B2 (en) | 2015-07-23 | 2018-01-16 | At&T Intellectual Property I, Lp | Transmission medium having a dielectric core comprised of plural members connected by a ball and socket configuration |
US10784670B2 (en) | 2015-07-23 | 2020-09-22 | At&T Intellectual Property I, L.P. | Antenna support for aligning an antenna |
US9749053B2 (en) | 2015-07-23 | 2017-08-29 | At&T Intellectual Property I, L.P. | Node device, repeater and methods for use therewith |
US9967173B2 (en) | 2015-07-31 | 2018-05-08 | At&T Intellectual Property I, L.P. | Method and apparatus for authentication and identity management of communicating devices |
US9735833B2 (en) | 2015-07-31 | 2017-08-15 | At&T Intellectual Property I, L.P. | Method and apparatus for communications management in a neighborhood network |
US10020587B2 (en) | 2015-07-31 | 2018-07-10 | At&T Intellectual Property I, L.P. | Radial antenna and methods for use therewith |
US9904535B2 (en) | 2015-09-14 | 2018-02-27 | At&T Intellectual Property I, L.P. | Method and apparatus for distributing software |
US10051629B2 (en) | 2015-09-16 | 2018-08-14 | At&T Intellectual Property I, L.P. | Method and apparatus for use with a radio distributed antenna system having an in-band reference signal |
US10009063B2 (en) | 2015-09-16 | 2018-06-26 | At&T Intellectual Property I, L.P. | Method and apparatus for use with a radio distributed antenna system having an out-of-band reference signal |
US9705571B2 (en) | 2015-09-16 | 2017-07-11 | At&T Intellectual Property I, L.P. | Method and apparatus for use with a radio distributed antenna system |
US10079661B2 (en) | 2015-09-16 | 2018-09-18 | At&T Intellectual Property I, L.P. | Method and apparatus for use with a radio distributed antenna system having a clock reference |
US10009901B2 (en) | 2015-09-16 | 2018-06-26 | At&T Intellectual Property I, L.P. | Method, apparatus, and computer-readable storage medium for managing utilization of wireless resources between base stations |
US10136434B2 (en) | 2015-09-16 | 2018-11-20 | At&T Intellectual Property I, L.P. | Method and apparatus for use with a radio distributed antenna system having an ultra-wideband control channel |
US9769128B2 (en) | 2015-09-28 | 2017-09-19 | At&T Intellectual Property I, L.P. | Method and apparatus for encryption of communications over a network |
US9729197B2 (en) | 2015-10-01 | 2017-08-08 | At&T Intellectual Property I, L.P. | Method and apparatus for communicating network management traffic over a network |
US9882277B2 (en) | 2015-10-02 | 2018-01-30 | At&T Intellectual Property I, Lp | Communication device and antenna assembly with actuated gimbal mount |
US9876264B2 (en) | 2015-10-02 | 2018-01-23 | At&T Intellectual Property I, Lp | Communication system, guided wave switch and methods for use therewith |
US10074890B2 (en) | 2015-10-02 | 2018-09-11 | At&T Intellectual Property I, L.P. | Communication device and antenna with integrated light assembly |
US10355367B2 (en) | 2015-10-16 | 2019-07-16 | At&T Intellectual Property I, L.P. | Antenna structure for exchanging wireless signals |
US10051483B2 (en) | 2015-10-16 | 2018-08-14 | At&T Intellectual Property I, L.P. | Method and apparatus for directing wireless signals |
US10665942B2 (en) | 2015-10-16 | 2020-05-26 | At&T Intellectual Property I, L.P. | Method and apparatus for adjusting wireless communications |
US10462160B2 (en) * | 2015-12-09 | 2019-10-29 | Check Point Software Technologies Ltd. | Method and system for identifying uncorrelated suspicious events during an attack |
US10440036B2 (en) | 2015-12-09 | 2019-10-08 | Checkpoint Software Technologies Ltd | Method and system for modeling all operations and executions of an attack and malicious process entry |
US10536476B2 (en) | 2016-07-21 | 2020-01-14 | Sap Se | Realtime triggering framework |
US9912419B1 (en) | 2016-08-24 | 2018-03-06 | At&T Intellectual Property I, L.P. | Method and apparatus for managing a fault in a distributed antenna system |
US10482241B2 (en) | 2016-08-24 | 2019-11-19 | Sap Se | Visualization of data distributed in multiple dimensions |
US9860075B1 (en) | 2016-08-26 | 2018-01-02 | At&T Intellectual Property I, L.P. | Method and communication node for broadband distribution |
US10542016B2 (en) | 2016-08-31 | 2020-01-21 | Sap Se | Location enrichment in enterprise threat detection |
US10291311B2 (en) | 2016-09-09 | 2019-05-14 | At&T Intellectual Property I, L.P. | Method and apparatus for mitigating a fault in a distributed antenna system |
US11032819B2 (en) | 2016-09-15 | 2021-06-08 | At&T Intellectual Property I, L.P. | Method and apparatus for use with a radio distributed antenna system having a control channel reference signal |
US10673879B2 (en) | 2016-09-23 | 2020-06-02 | Sap Se | Snapshot of a forensic investigation for enterprise threat detection |
US10630705B2 (en) | 2016-09-23 | 2020-04-21 | Sap Se | Real-time push API for log events in enterprise threat detection |
US10135146B2 (en) | 2016-10-18 | 2018-11-20 | At&T Intellectual Property I, L.P. | Apparatus and methods for launching guided waves via circuits |
US10340600B2 (en) | 2016-10-18 | 2019-07-02 | At&T Intellectual Property I, L.P. | Apparatus and methods for launching guided waves via plural waveguide systems |
US10135147B2 (en) | 2016-10-18 | 2018-11-20 | At&T Intellectual Property I, L.P. | Apparatus and methods for launching guided waves via an antenna |
US10374316B2 (en) | 2016-10-21 | 2019-08-06 | At&T Intellectual Property I, L.P. | System and dielectric antenna with non-uniform dielectric |
US9991580B2 (en) | 2016-10-21 | 2018-06-05 | At&T Intellectual Property I, L.P. | Launcher and coupling system for guided wave mode cancellation |
US10811767B2 (en) | 2016-10-21 | 2020-10-20 | At&T Intellectual Property I, L.P. | System and dielectric antenna with convex dielectric radome |
US9876605B1 (en) | 2016-10-21 | 2018-01-23 | At&T Intellectual Property I, L.P. | Launcher and coupling system to support desired guided wave mode |
US10312567B2 (en) | 2016-10-26 | 2019-06-04 | At&T Intellectual Property I, L.P. | Launcher with planar strip antenna and methods for use therewith |
US10225025B2 (en) | 2016-11-03 | 2019-03-05 | At&T Intellectual Property I, L.P. | Method and apparatus for detecting a fault in a communication system |
US10498044B2 (en) | 2016-11-03 | 2019-12-03 | At&T Intellectual Property I, L.P. | Apparatus for configuring a surface of an antenna |
US10224634B2 (en) | 2016-11-03 | 2019-03-05 | At&T Intellectual Property I, L.P. | Methods and apparatus for adjusting an operational characteristic of an antenna |
US10291334B2 (en) | 2016-11-03 | 2019-05-14 | At&T Intellectual Property I, L.P. | System for detecting a fault in a communication system |
US9626522B1 (en) | 2016-11-16 | 2017-04-18 | Robert H. Flowers | Method and apparatus for the network steganographic assessment of a test subject |
US10090594B2 (en) | 2016-11-23 | 2018-10-02 | At&T Intellectual Property I, L.P. | Antenna system having structural configurations for assembly |
US10340603B2 (en) | 2016-11-23 | 2019-07-02 | At&T Intellectual Property I, L.P. | Antenna system having shielded structural configurations for assembly |
US10535928B2 (en) | 2016-11-23 | 2020-01-14 | At&T Intellectual Property I, L.P. | Antenna system and methods for use therewith |
US10178445B2 (en) | 2016-11-23 | 2019-01-08 | At&T Intellectual Property I, L.P. | Methods, devices, and systems for load balancing between a plurality of waveguides |
US10340601B2 (en) | 2016-11-23 | 2019-07-02 | At&T Intellectual Property I, L.P. | Multi-antenna system and methods for use therewith |
US10361489B2 (en) | 2016-12-01 | 2019-07-23 | At&T Intellectual Property I, L.P. | Dielectric dish antenna system and methods for use therewith |
US10305190B2 (en) | 2016-12-01 | 2019-05-28 | At&T Intellectual Property I, L.P. | Reflecting dielectric antenna system and methods for use therewith |
US10439675B2 (en) | 2016-12-06 | 2019-10-08 | At&T Intellectual Property I, L.P. | Method and apparatus for repeating guided wave communication signals |
US10326494B2 (en) | 2016-12-06 | 2019-06-18 | At&T Intellectual Property I, L.P. | Apparatus for measurement de-embedding and methods for use therewith |
US10135145B2 (en) | 2016-12-06 | 2018-11-20 | At&T Intellectual Property I, L.P. | Apparatus and methods for generating an electromagnetic wave along a transmission medium |
US10819035B2 (en) | 2016-12-06 | 2020-10-27 | At&T Intellectual Property I, L.P. | Launcher with helical antenna and methods for use therewith |
US10755542B2 (en) | 2016-12-06 | 2020-08-25 | At&T Intellectual Property I, L.P. | Method and apparatus for surveillance via guided wave communication |
US10637149B2 (en) | 2016-12-06 | 2020-04-28 | At&T Intellectual Property I, L.P. | Injection molded dielectric antenna and methods for use therewith |
US10694379B2 (en) | 2016-12-06 | 2020-06-23 | At&T Intellectual Property I, L.P. | Waveguide system with device-based authentication and methods for use therewith |
US9927517B1 (en) | 2016-12-06 | 2018-03-27 | At&T Intellectual Property I, L.P. | Apparatus and methods for sensing rainfall |
US10020844B2 (en) | 2016-12-06 | 2018-07-10 | T&T Intellectual Property I, L.P. | Method and apparatus for broadcast communication via guided waves |
US10382976B2 (en) | 2016-12-06 | 2019-08-13 | At&T Intellectual Property I, L.P. | Method and apparatus for managing wireless communications based on communication paths and network device positions |
US10534908B2 (en) | 2016-12-06 | 2020-01-14 | Sap Se | Alerts based on entities in security information and event management products |
US10727599B2 (en) | 2016-12-06 | 2020-07-28 | At&T Intellectual Property I, L.P. | Launcher with slot antenna and methods for use therewith |
US10027397B2 (en) | 2016-12-07 | 2018-07-17 | At&T Intellectual Property I, L.P. | Distributed antenna system and methods for use therewith |
US10359749B2 (en) | 2016-12-07 | 2019-07-23 | At&T Intellectual Property I, L.P. | Method and apparatus for utilities management via guided wave communication |
US10243270B2 (en) | 2016-12-07 | 2019-03-26 | At&T Intellectual Property I, L.P. | Beam adaptive multi-feed dielectric antenna system and methods for use therewith |
US10547348B2 (en) | 2016-12-07 | 2020-01-28 | At&T Intellectual Property I, L.P. | Method and apparatus for switching transmission mediums in a communication system |
US10389029B2 (en) | 2016-12-07 | 2019-08-20 | At&T Intellectual Property I, L.P. | Multi-feed dielectric antenna system with core selection and methods for use therewith |
US10139820B2 (en) | 2016-12-07 | 2018-11-27 | At&T Intellectual Property I, L.P. | Method and apparatus for deploying equipment of a communication system |
US10446936B2 (en) | 2016-12-07 | 2019-10-15 | At&T Intellectual Property I, L.P. | Multi-feed dielectric antenna system and methods for use therewith |
US10168695B2 (en) | 2016-12-07 | 2019-01-01 | At&T Intellectual Property I, L.P. | Method and apparatus for controlling an unmanned aircraft |
US9893795B1 (en) | 2016-12-07 | 2018-02-13 | At&T Intellectual Property I, Lp | Method and repeater for broadband distribution |
US9911020B1 (en) | 2016-12-08 | 2018-03-06 | At&T Intellectual Property I, L.P. | Method and apparatus for tracking via a radio frequency identification device |
US10530505B2 (en) | 2016-12-08 | 2020-01-07 | At&T Intellectual Property I, L.P. | Apparatus and methods for launching electromagnetic waves along a transmission medium |
US10916969B2 (en) | 2016-12-08 | 2021-02-09 | At&T Intellectual Property I, L.P. | Method and apparatus for providing power using an inductive coupling |
US10326689B2 (en) | 2016-12-08 | 2019-06-18 | At&T Intellectual Property I, L.P. | Method and system for providing alternative communication paths |
US10777873B2 (en) | 2016-12-08 | 2020-09-15 | At&T Intellectual Property I, L.P. | Method and apparatus for mounting network devices |
US9998870B1 (en) | 2016-12-08 | 2018-06-12 | At&T Intellectual Property I, L.P. | Method and apparatus for proximity sensing |
US10411356B2 (en) | 2016-12-08 | 2019-09-10 | At&T Intellectual Property I, L.P. | Apparatus and methods for selectively targeting communication devices with an antenna array |
US10601494B2 (en) | 2016-12-08 | 2020-03-24 | At&T Intellectual Property I, L.P. | Dual-band communication device and method for use therewith |
US10389037B2 (en) | 2016-12-08 | 2019-08-20 | At&T Intellectual Property I, L.P. | Apparatus and methods for selecting sections of an antenna array and use therewith |
US10103422B2 (en) | 2016-12-08 | 2018-10-16 | At&T Intellectual Property I, L.P. | Method and apparatus for mounting network devices |
US10938108B2 (en) | 2016-12-08 | 2021-03-02 | At&T Intellectual Property I, L.P. | Frequency selective multi-feed dielectric antenna system and methods for use therewith |
US10069535B2 (en) | 2016-12-08 | 2018-09-04 | At&T Intellectual Property I, L.P. | Apparatus and methods for launching electromagnetic waves having a certain electric field structure |
US10264586B2 (en) | 2016-12-09 | 2019-04-16 | At&T Mobility Ii Llc | Cloud-based packet controller and methods for use therewith |
US9838896B1 (en) | 2016-12-09 | 2017-12-05 | At&T Intellectual Property I, L.P. | Method and apparatus for assessing network coverage |
US10340983B2 (en) | 2016-12-09 | 2019-07-02 | At&T Intellectual Property I, L.P. | Method and apparatus for surveying remote sites via guided wave communications |
US10534907B2 (en) | 2016-12-15 | 2020-01-14 | Sap Se | Providing semantic connectivity between a java application server and enterprise threat detection system using a J2EE data |
US10530792B2 (en) | 2016-12-15 | 2020-01-07 | Sap Se | Using frequency analysis in enterprise threat detection to detect intrusions in a computer system |
US11470094B2 (en) | 2016-12-16 | 2022-10-11 | Sap Se | Bi-directional content replication logic for enterprise threat detection |
US10552605B2 (en) | 2016-12-16 | 2020-02-04 | Sap Se | Anomaly detection in enterprise threat detection |
US10764306B2 (en) | 2016-12-19 | 2020-09-01 | Sap Se | Distributing cloud-computing platform content to enterprise threat detection systems |
US9973940B1 (en) | 2017-02-27 | 2018-05-15 | At&T Intellectual Property I, L.P. | Apparatus and methods for dynamic impedance matching of a guided wave launcher |
US10298293B2 (en) | 2017-03-13 | 2019-05-21 | At&T Intellectual Property I, L.P. | Apparatus of communication utilizing wireless network devices |
US10530794B2 (en) | 2017-06-30 | 2020-01-07 | Sap Se | Pattern creation in enterprise threat detection |
GB2569302B (en) * | 2017-12-12 | 2022-05-25 | F Secure Corp | Probing and responding to computer network security breaches |
US10681064B2 (en) | 2017-12-19 | 2020-06-09 | Sap Se | Analysis of complex relationships among information technology security-relevant entities using a network graph |
US10986111B2 (en) | 2017-12-19 | 2021-04-20 | Sap Se | Displaying a series of events along a time axis in enterprise threat detection |
US11303668B2 (en) * | 2019-09-27 | 2022-04-12 | Veeam Software Ag | Secure restore |
CN114285626B (en) * | 2021-12-21 | 2023-10-13 | 北京知道创宇信息技术股份有限公司 | Honeypot attack chain construction method and honeypot system |
Citations (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US2593067A (en) * | 1947-02-13 | 1952-04-15 | Raytheon Mfg Co | High-frequency apparatus |
US2895828A (en) * | 1958-02-06 | 1959-07-21 | Gen Electric | Electronic heating methods and apparatus |
US3019399A (en) * | 1959-03-06 | 1962-01-30 | Microwave Ass | Circular waveguide diameter transformer |
US3681652A (en) * | 1968-08-22 | 1972-08-01 | Raytheon Co | Capacitive filter for suppression of spurious electrical radiation |
US4210795A (en) * | 1978-11-30 | 1980-07-01 | Litton Systems, Inc. | System and method for regulating power output in a microwave oven |
US5191182A (en) * | 1990-07-11 | 1993-03-02 | International Business Machines Corporation | Tuneable apparatus for microwave processing |
US5806961A (en) * | 1996-04-12 | 1998-09-15 | Eveready Battery Company, Inc. | Rechargeable flashlight assembly with nightlight |
US5892903A (en) * | 1996-09-12 | 1999-04-06 | Internet Security Systems, Inc. | Method and apparatus for detecting and identifying security vulnerabilities in an open network computer communication system |
US6088804A (en) * | 1998-01-12 | 2000-07-11 | Motorola, Inc. | Adaptive system and method for responding to computer network security attacks |
US6185689B1 (en) * | 1998-06-24 | 2001-02-06 | Richard S. Carson & Assoc., Inc. | Method for network self security assessment |
US6205552B1 (en) * | 1998-12-31 | 2001-03-20 | Mci Worldcom, Inc. | Method and apparatus for checking security vulnerability of networked devices |
US6298445B1 (en) * | 1998-04-30 | 2001-10-02 | Netect, Ltd. | Computer security |
US6343362B1 (en) * | 1998-09-01 | 2002-01-29 | Networks Associates, Inc. | System and method providing custom attack simulation language for testing networks |
US6535227B1 (en) * | 2000-02-08 | 2003-03-18 | Harris Corporation | System and method for assessing the security posture of a network and having a graphical user interface |
US6584569B2 (en) * | 2000-03-03 | 2003-06-24 | Sanctum Ltd. | System for determining web application vulnerabilities |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6202552B1 (en) * | 1999-01-20 | 2001-03-20 | Billington Welding & Manufacturing, Inc. | Adjustable printing press |
US6647400B1 (en) * | 1999-08-30 | 2003-11-11 | Symantec Corporation | System and method for analyzing filesystems to detect intrusions |
US7565692B1 (en) * | 2000-05-30 | 2009-07-21 | At&T Wireless Services, Inc. | Floating intrusion detection platforms |
US20030051163A1 (en) * | 2001-09-13 | 2003-03-13 | Olivier Bidaud | Distributed network architecture security system |
-
2002
- 2002-05-29 US US10/159,757 patent/US7509675B2/en not_active Expired - Fee Related
-
2009
- 2009-02-23 US US12/390,766 patent/US20090172813A1/en not_active Abandoned
Patent Citations (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US2593067A (en) * | 1947-02-13 | 1952-04-15 | Raytheon Mfg Co | High-frequency apparatus |
US2895828A (en) * | 1958-02-06 | 1959-07-21 | Gen Electric | Electronic heating methods and apparatus |
US3019399A (en) * | 1959-03-06 | 1962-01-30 | Microwave Ass | Circular waveguide diameter transformer |
US3681652A (en) * | 1968-08-22 | 1972-08-01 | Raytheon Co | Capacitive filter for suppression of spurious electrical radiation |
US4210795A (en) * | 1978-11-30 | 1980-07-01 | Litton Systems, Inc. | System and method for regulating power output in a microwave oven |
US5191182A (en) * | 1990-07-11 | 1993-03-02 | International Business Machines Corporation | Tuneable apparatus for microwave processing |
US5806961A (en) * | 1996-04-12 | 1998-09-15 | Eveready Battery Company, Inc. | Rechargeable flashlight assembly with nightlight |
US5892903A (en) * | 1996-09-12 | 1999-04-06 | Internet Security Systems, Inc. | Method and apparatus for detecting and identifying security vulnerabilities in an open network computer communication system |
US6088804A (en) * | 1998-01-12 | 2000-07-11 | Motorola, Inc. | Adaptive system and method for responding to computer network security attacks |
US6298445B1 (en) * | 1998-04-30 | 2001-10-02 | Netect, Ltd. | Computer security |
US6185689B1 (en) * | 1998-06-24 | 2001-02-06 | Richard S. Carson & Assoc., Inc. | Method for network self security assessment |
US6343362B1 (en) * | 1998-09-01 | 2002-01-29 | Networks Associates, Inc. | System and method providing custom attack simulation language for testing networks |
US6205552B1 (en) * | 1998-12-31 | 2001-03-20 | Mci Worldcom, Inc. | Method and apparatus for checking security vulnerability of networked devices |
US6535227B1 (en) * | 2000-02-08 | 2003-03-18 | Harris Corporation | System and method for assessing the security posture of a network and having a graphical user interface |
US6584569B2 (en) * | 2000-03-03 | 2003-06-24 | Sanctum Ltd. | System for determining web application vulnerabilities |
Cited By (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2016035083A3 (en) * | 2014-09-06 | 2016-04-21 | Andriani Matthew | Non-disruptive ddos testing |
US10509909B2 (en) | 2014-09-06 | 2019-12-17 | Mazebolt Technologies Ltd. | Non-disruptive DDoS testing |
US9836512B1 (en) * | 2016-05-11 | 2017-12-05 | Acalvio Technologies, Inc. | Systems and methods for identifying similar hosts |
US10505969B2 (en) | 2017-01-30 | 2019-12-10 | Xm Cyber Ltd. | Setting-up penetration testing campaigns |
US10038711B1 (en) | 2017-01-30 | 2018-07-31 | XM Ltd. | Penetration testing of a networked system |
US10122750B2 (en) | 2017-01-30 | 2018-11-06 | XM Cyber Ltd | Setting-up penetration testing campaigns |
US10257220B2 (en) | 2017-01-30 | 2019-04-09 | Xm Cyber Ltd. | Verifying success of compromising a network node during penetration testing of a networked system |
US10686822B2 (en) | 2017-01-30 | 2020-06-16 | Xm Cyber Ltd. | Systems and methods for selecting a lateral movement strategy for a penetration testing campaign |
US20180219904A1 (en) * | 2017-01-30 | 2018-08-02 | XM Ltd. | Penetration Testing of a Networked System |
US10637882B2 (en) * | 2017-01-30 | 2020-04-28 | Xm Cyber Ltd. | Penetration testing of a networked system |
US10999308B2 (en) | 2017-01-30 | 2021-05-04 | Xm Cyber Ltd. | Setting-up penetration testing campaigns |
US10581802B2 (en) | 2017-03-16 | 2020-03-03 | Keysight Technologies Singapore (Sales) Pte. Ltd. | Methods, systems, and computer readable media for advertising network security capabilities |
US10068095B1 (en) | 2017-05-15 | 2018-09-04 | XM Cyber Ltd | Systems and methods for selecting a termination rule for a penetration testing campaign |
US10534917B2 (en) | 2017-06-20 | 2020-01-14 | Xm Cyber Ltd. | Testing for risk of macro vulnerability |
US10574684B2 (en) | 2017-07-09 | 2020-02-25 | Xm Cyber Ltd. | Locally detecting phishing weakness |
US10412112B2 (en) | 2017-08-31 | 2019-09-10 | Xm Cyber Ltd. | Time-tagged pre-defined scenarios for penetration testing |
US10447721B2 (en) | 2017-09-13 | 2019-10-15 | Xm Cyber Ltd. | Systems and methods for using multiple lateral movement strategies in penetration testing |
US10454966B2 (en) | 2017-11-15 | 2019-10-22 | Xm Cyber Ltd. | Selectively choosing between actual-attack and simulation/evaluation for validating a vulnerability of a network node during execution of a penetration testing campaign |
US11206282B2 (en) | 2017-11-15 | 2021-12-21 | Xm Cyber Ltd. | Selectively choosing between actual-attack and simulation/evaluation for validating a vulnerability of a network node during execution of a penetration testing campaign |
US10367846B2 (en) | 2017-11-15 | 2019-07-30 | Xm Cyber Ltd. | Selectively choosing between actual-attack and simulation/evaluation for validating a vulnerability of a network node during execution of a penetration testing campaign |
US10440044B1 (en) | 2018-04-08 | 2019-10-08 | Xm Cyber Ltd. | Identifying communicating network nodes in the same local network |
US10382473B1 (en) | 2018-09-12 | 2019-08-13 | Xm Cyber Ltd. | Systems and methods for determining optimal remediation recommendations in penetration testing |
US10469521B1 (en) | 2018-11-04 | 2019-11-05 | Xm Cyber Ltd. | Using information about exportable data in penetration testing |
US10574687B1 (en) | 2018-12-13 | 2020-02-25 | Xm Cyber Ltd. | Systems and methods for dynamic removal of agents from nodes of penetration testing systems |
US10462177B1 (en) | 2019-02-06 | 2019-10-29 | Xm Cyber Ltd. | Taking privilege escalation into account in penetration testing campaigns |
US11283827B2 (en) | 2019-02-28 | 2022-03-22 | Xm Cyber Ltd. | Lateral movement strategy during penetration testing of a networked system |
US11206281B2 (en) | 2019-05-08 | 2021-12-21 | Xm Cyber Ltd. | Validating the use of user credentials in a penetration testing campaign |
US10637883B1 (en) | 2019-07-04 | 2020-04-28 | Xm Cyber Ltd. | Systems and methods for determining optimal remediation recommendations in penetration testing |
US10880326B1 (en) | 2019-08-01 | 2020-12-29 | Xm Cyber Ltd. | Systems and methods for determining an opportunity for node poisoning in a penetration testing campaign, based on actual network traffic |
US11533329B2 (en) | 2019-09-27 | 2022-12-20 | Keysight Technologies, Inc. | Methods, systems and computer readable media for threat simulation and threat mitigation recommendations |
US11005878B1 (en) | 2019-11-07 | 2021-05-11 | Xm Cyber Ltd. | Cooperation between reconnaissance agents in penetration testing campaigns |
US11575700B2 (en) | 2020-01-27 | 2023-02-07 | Xm Cyber Ltd. | Systems and methods for displaying an attack vector available to an attacker of a networked system |
US11582256B2 (en) | 2020-04-06 | 2023-02-14 | Xm Cyber Ltd. | Determining multiple ways for compromising a network node in a penetration testing campaign |
WO2023057950A1 (en) * | 2021-10-07 | 2023-04-13 | Mazebolt Technologies Ltd. | Non-disruptive diagnostic and attack testing methods and systems |
Also Published As
Publication number | Publication date |
---|---|
US7509675B2 (en) | 2009-03-24 |
US20090044277A1 (en) | 2009-02-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7509675B2 (en) | Non-invasive monitoring of the effectiveness of electronic security services | |
Shafiq et al. | The rise of “Internet of Things”: review and open research issues related to detection and prevention of IoT-based security attacks | |
Specht et al. | Taxonomies of distributed denial of service networks, attacks, tools and countermeasures | |
Kesh et al. | A framework for analyzing e‐commerce security | |
Sharma et al. | Analysis of security data from a large computing organization | |
Govil et al. | Criminology of botnets and their detection and defense methods | |
Shandilya et al. | Cyber attack evaluation dataset for deep packet inspection and analysis | |
Govil | Examining the criminology of bot zoo | |
Nikoi et al. | Enhancing the Design of a Secured Campus Network using Demilitarized Zone and Honeypot at Uew-kumasi Campus | |
Sheikh | Certified Ethical Hacker (CEH) Preparation Guide | |
Zhai et al. | Research on applications of honeypot in Campus Network security | |
Karamagi | Comptia Security+ Practice Exams | |
Garg et al. | Security of Modern Networks and Its Challenges | |
Xiong et al. | Overview of the evasion resilience testing technology for network based intrusion protecting devices | |
Wang | The observation of smart camera security | |
Chen et al. | An overview of electronic attacks | |
Sørensen et al. | An Approach to Detect and Prevent Cybercrime in Large Complex Networks | |
Sarvepalli | Designing Network Security Labs | |
Harrison et al. | A protocol layer survey of network security | |
Trockel | Recognition of Attackers in the Context of Honeypots | |
Zafar et al. | Network security: a survey of modern approaches | |
Ayala et al. | How hackers gain access to a healthcare facility or hospital network | |
Pandya | The enemy (The intruder’s Genesis) | |
Srivastava et al. | Detection of Distributed Denial of Service Attack (DDoS) Against a Web Server | |
Palani et al. | Network security testing using discovery rechniques |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: AT&T INTELLECTUAL PROPERTY I, L.P., NEW JERSEY Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AARON, JEFFREY A.;REEL/FRAME:022296/0736 Effective date: 20020529 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
|
AS | Assignment |
Owner name: RPX CORPORATION, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AT&T INTELLECTUAL PROPERTY I, L.P.;REEL/FRAME:034313/0180 Effective date: 20141110 |