US9692779B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9692779-B2 |
| Application number | US-201314779435-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 21, 2013 |
| Priority date | Mar 26, 2013 |
| Publication date | Jun 27, 2017 |
| Grant date | Jun 27, 2017 |
Official abstract text for this publication.
A method and apparatus for quantifying the vulnerability of a system. The apparatus includes a vulnerability calculation unit, a target organization security level calculation unit, a network separation status calculation unit, an interim calculation unit, and a final score calculation unit. The vulnerability calculation unit converts each of the vulnerability identification results of the system into a vulnerability score. The target organization security level calculation unit calculates a target organization security level score based on a technology-field security level score and a management-field security level score. The network separation status calculation unit converts the status of the separation of the local network of the system into a network separation score. The interim calculation unit calculates an interim score. The final score calculation unit quantifies the vulnerability of the system by finally calculating a composite score using the interim score and a simulated intrusion success level.
Opening claim text (preview).
The invention claimed is:

1. A method of quantifying vulnerability of a system, comprising: converting each of a plurality of vulnerability identification results of the system into a vulnerability score so that corresponding vulnerability identification results of the system can be applied to calculation of scores; calculating a target organization security level score corresponding to the system based on a technology-field security level score and a management-field security level score among the vulnerability scores; converting status of a local network of the system being separated from an external network into a network separation score; calculating an interim score based on the target organization security level score and the network separation score; and quantifying the vulnerability of the system by finally calculating a composite score of the system using the interim score and a simulated intrusion success level, wherein calculating the target organization security level score includes: converting technology-related vulnerability results, selected from among the plurality of vulnerability identification results of the system, into the technology-field security level score; and converting management-related vulnerability results, selected from among the vulnerability identification results of the system, into the management-field security level score, and wherein converting technology-related vulnerability results into the technology-field security level score is performed using a sum of scores corresponding to the technology-related vulnerability results and a sum of the vulnerability scores.

2. The method of claim 1, wherein calculating the target organization security level score includes calculating the target organization security level score by adding the technology-field security level score and the management-field security level score based on set rates, respectively.

3. The method of claim 1, wherein converting management-related vulnerability results into the management-field security level score is performed using a sum of scores corresponding to the management-related vulnerability results and a sum of the vulnerability scores.

4. The method of claim 1, further comprising, before calculating the composite score of the system: combining vulnerability results corresponding to the vulnerability identification results of the system, and attempting simulated intrusions along a plurality of paths based on the combined vulnerability results; and calculating the simulated intrusion success level according to an intrusion attempt location and intrusion results of a successful simulated intrusion.

5. The method of claim 1, wherein quantifying the vulnerability of the system includes calculating the composite score by applying a weight to the interim score according to the simulated intrusion success level.

6. An apparatus for quantifying vulnerability of a system, comprising: a vulnerability calculation unit configured to convert each of a plurality of vulnerability identification results of the system into a vulnerability score so that corresponding vulnerability identification results of the system can be applied to calculation of scores; a target organization security level calculation unit configured to calculate a target organization security level score corresponding to the system based on a technology-field security level score and a management-field security level score among the vulnerability scores; a network separation status calculation unit configured to convert status of a local network of the system being separated from an external network into a network separation score; an interim calculation unit configured to calculate an interim score based on the target organization security level score and the network separation score; a final score calculation unit configured to quantify the vulnerability of the system by finally calculating a composite score of the system using the interim score and a simulated intrusion success level; a technology-field security level calculation unit configured to convert technology-related vulnerability results, selected from among the vulnerability identification results of the system, into the technology-field security level score; and a management-field security level calculation unit configured to convert management-related vulnerability results, selected from among the vulnerability identification results of the system, into the management-field security level score, wherein the technology-field security level calculation unit converts technology-related vulnerability results, selected from among the plurality of vulnerability identification results of the system, into the technology-field security level score by using a sum of scores corresponding to the technology-related vulnerability results and a sum of the vulnerability scores.

7. The apparatus of claim 6, wherein the target organization security level calculation unit calculates the target organization security level score by adding the technology-field security level score and the management-field security level score based on set rates, respectively.

8. The apparatus of claim 6, further comprising a level management unit configured to combine vulnerability results corresponding to respective vulnerability identification results of the system, to attempt simulated intrusions along a plurality of paths based on the combined vulnerability results, and to calculate the simulated intrusion success level according to an intrusion attempt location and intrusion results of a successful simulated intrusion.

9. The apparatus of claim 6, wherein the final score calculation unit calculates the composite score by applying a weight to the interim score according to the simulated intrusion success level.
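The data flow of claims 1 to 5 can be traced in a short sketch, added here as an example and not taken from the patent. The claims give no formulas or values, so the percentage-share conversion, the additive interim score, the rate, separation and weight tables, and the sample findings are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed constants: the claims name these quantities but give no values.
RATES = {"technology": 0.6, "management": 0.4}            # "set rates" (claims 2, 7)
SEPARATION_SCORE = {"separated": 0.0, "partial": 10.0, "none": 20.0}
INTRUSION_WEIGHT = {0: 1.0, 1: 1.25, 2: 1.5}              # per simulated intrusion success level

@dataclass(frozen=True)
class Finding:
    check: str    # constructed check name
    field: str    # "technology" or "management"
    score: float  # vulnerability score converted from an identification result

def field_level(findings, field):
    """Field score from the field's sum and the sum of all scores (assumed: percentage share)."""
    total = sum(f.score for f in findings)
    if total == 0:
        return 0.0  # no scored findings: avoid dividing by zero
    return 100.0 * sum(f.score for f in findings if f.field == field) / total

def organization_level(findings, rates=RATES):
    """Add the technology-field and management-field scores at their set rates."""
    if abs(sum(rates.values()) - 1.0) > 1e-9:
        raise ValueError("rates must sum to 1")
    return sum(rate * field_level(findings, field) for field, rate in rates.items())

def composite_score(findings, separation, success_level):
    """Interim score (assumed: organization score plus separation score), then weighted."""
    if separation not in SEPARATION_SCORE or success_level not in INTRUSION_WEIGHT:
        raise ValueError("unknown separation status or success level")
    interim = organization_level(findings) + SEPARATION_SCORE[separation]
    return interim * INTRUSION_WEIGHT[success_level]

# Constructed sample findings; in this sketch a higher score means more exposure.
SAMPLE = [
    Finding("unpatched web server", "technology", 30.0),
    Finding("default admin password", "technology", 30.0),
    Finding("no incident response plan", "management", 20.0),
]

if __name__ == "__main__":
    print(composite_score(SAMPLE, "none", 2))       # flat network, intrusion fully succeeded
    print(composite_score(SAMPLE, "separated", 0))  # separated network, no successful intrusion
```

With the same findings, the composite score changes only through the network separation status and the simulated intrusion success level, which is the part of the method that distinguishes it from a plain checklist total.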
Design optimisation, verification or simulation (optimisation, verification or simulation of circuit designs G06F30/30) · CPC title
Assessing vulnerabilities and evaluating computer system security · CPC title
Computer malware detection or handling, e.g. anti-virus arrangements · CPC title
Vulnerability analysis · CPC title
for controlling access to devices or network resources · CPC title