As will be described below, server 280 is a location from which a system administrator will initially launch one or more attacks to model a threat. The location of server 280 is arbitrary and may represent any server within network 200 or a server outside network 200 (e.g. the internet). In various embodiments, the attack may be any type of network threat such as a virus, a worm, a Denial of Service attack, key logger, spyware, or the like. Such threats are commonly profiled in publicly available threat or vulnerability reference libraries compiled by Computer Associates, McAfee, Cisco, the National Vulnerability Database, or the like.
Determination of threats to a network has been described in application Ser. No. 11/335,052 filed on Jan. 18, 2006, and herein by incorporated by reference for all purposes. In that application, one of the named inventors of the present application described determining a software model of the network based upon configuration data of “network devices” in the network. The “network devices” included routers, firewalls, host application servers, and other devices in the network. Based upon the software model, the previous application described determining potentially harmful traffic paths in the network by simulating the software model.
The inventors of the present application explicitly consider and address the problems of what happens if some or all configuration data (and host vulnerabilities) from the network, e.g. firewall, router, one or more host application servers, or the like, are incomplete, i.e. unavailable, not gathered, or the like. Problems such as how to determine threats based on incomplete data, how to prioritize threats that are determined based on incomplete data, how to provide visualization of threats determined based upon incomplete data, and the like are considered by the inventors.
The inventors of the present invention have determined that it would be advantageous to be provide such information to users such as network administrators even in cases where configuration data (and host vulnerabilities) from one or more host application servers is unavailable, incomplete, not gathered, or the like.