The present invention relates to methods and apparatus for network analysis. More specifically, the present invention relates to methods and apparatus for determining vulnerability of a network (e.g. hosts, applications, data) to threats. Still more specifically, various embodiments of the present invention determination of vulnerabilities, prioritization of vulnerabilities of a network, visualization of vulnerabilities of a network to threats based upon incomplete configuration data (including vulnerabilities of hosts) of network devices. In various embodiments of the present invention, reference to a network and network configuration data includes not only network hardware and software, but also includes application host servers, and any other device forming part of a network, as well as software operating thereon.
Determination of threats to a network has been described in application Ser. No. 11/335,052 filed on Jan. 18, 2006, and herein by incorporated by reference for all purposes. In that application, one of the named inventors of the present application described determining a software model of the network based upon configuration data of “network devices” in the network. The “network devices” included routers, firewalls, host application servers, and other devices in the network. Based upon the software model, the previous application described determining potentially harmful traffic paths in the network by simulating the software model.
The inventors of the present application explicitly consider and address the problems of what happens if some or all configuration data (and host vulnerabilities) from the network, e.g. firewall, router, one or more host application servers, or the like, are incomplete, i.e. unavailable, not gathered, or the like. Problems such as how to determine threats based on incomplete data, how to prioritize threats that are determined based on incomplete data, how to provide visualization of threats determined based upon incomplete data, and the like are considered by the inventors.
The inventors of the present invention have determined that it would be advantageous to be provide such information to users such as network administrators even in cases where configuration data (and host vulnerabilities) from one or more host application servers is unavailable, incomplete, not gathered, or the like.