Researchers to patent vulnerability search algorithm

Seek commercial partners for network security technology.
Melbourne-based researchers are looking to commercialise a search algorithm that analyses networks to identify the most easily exploitable vulnerability chains.

The algorithm was developed by Swinburne University associate professor Hai Vu to help network operators prioritise how they protect networks that are unfortunately "never 100 percent secure”.

Vu said too many vulnerabilities typically occurred in software, operating systems and other networking components for it to be financially feasible to eliminate all of them.

Hackers may exploit chains of such vulnerabilities to achieve malicious objectives, such as data theft or denial of service attacks, he warned.

While security professionals traditionally map out “attack trees” to determine vulnerability chains, the process grows increasingly difficult as the size of a network grows.

Vu and his team proposed a method of ranking the most critical vulnerability chains in terms of the likelihood and severity of attacks.

“The objective is to find the most vulnerable path,” Vu said. “What we’ve developed is very scalable.

“[The algorithm] is efficient because as it proceeds, it can eliminate vulnerabilities that it knows will not play a part in the path that has significant risk.”

Vu acknowledged that the algorithm could be used by hackers to identify the most effective attack path; however, those hackers would need intimate knowledge of the network’s topology and components.

The researchers have a provisional patent on the technology and are currently seeking venture capital to develop a prototype.

Vu expected the technology to appeal to operators of “highly secure networks” such as those in the military or run by internet service providers.

Despite discussions with US vendor Skybox Security, defence contractor Thales and the Australian Department of Innovation, the team has yet to strike a commercial partnership.

Vu suggested that the search algorithm could be applied to social networks to identify persons of interest to defence organisations.

Gartner security analyst Rob McMillan speculated that by quantifying risk, the technology could help security professionals build business cases and justify investments.

Organisations could also use it to discuss and define the scope of penetration tests when commissioning external testers, he said.

"There's definitely use for it, but it's too early to say [how effective a product may be]," McMillan said. "The trick is to turn it into a useful product ... The devil's going to be in the detail."