System and Method for Network Security Scanning

US 20030212779A1
Filed: 04/29/2003
Published: 11/13/2003
Est. Priority Date: 04/30/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for scanning network nodes for detection and reporting of security vulnerabilities, comprising the steps of:

scanning all network host nodes within designated address ranges for determining all active hosts;

scanning all ports in each active host for determining all open ports;

scanning each port of each active host for detecting security vulnerabilities;

notifying a user of all open ports and detected security vulnerabilities; and

repeating the scanning and notifying steps above in an iterative manner.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network appliance for scanning network nodes to determine open ports and vulnerabilities to attack by unauthorized users. A user initializes the system and method by remotely configuring the network scanner, initiating a new job by defining IP address ranges to be scanned, and iteratively assessing the vulnerabilities of assigned active network nodes. The vulnerability assessment comprises scanning all host network nodes within a user specified range of IP addresses, scanning all ports of host network nodes found to be active to determine open ports, and scanning all ports to assess vulnerabilities to unauthorized access using vulnerability scanner plug-ins. The vulnerability plug-in modules may be downloaded into a scanner on an “as required” basis. A user may access and configure the network scanner and define ranges of IP addresses to be protected from a remote client workstation.

203 Citations

29 Claims

1. A method for scanning network nodes for detection and reporting of security vulnerabilities, comprising the steps of:
- scanning all network host nodes within designated address ranges for determining all active hosts;
  
  scanning all ports in each active host for determining all open ports;
  
  scanning each port of each active host for detecting security vulnerabilities;
  
  notifying a user of all open ports and detected security vulnerabilities; and
  
  repeating the scanning and notifying steps above in an iterative manner.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, further comprising the steps of:
    - initiating a new scan job by entering a new set of address ranges by a user into a control database; and
      
      executing an initial high priority port scan based on detecting an active host having an address within the new set of address ranges.
  - 3. The method of claim 1, wherein the step of scanning all network nodes within designated address ranges further comprises the steps of:
    - accessing a control database for determining designated address ranges;
      
      storing the status of each active host and inactive host in the control database; and
      
      removing a host designated as inactive from the control database if the host remains inactive for a predetermined number of scan cycles.
  - 4. The method of claim 3, wherein the step of removing a host designated as active comprises removing a host designated as inactive from the control database if the host remains inactive for a predetermined time period.
  - 5. The method of claim 3, further comprising the steps of:
    - adding a new host designated as active to the control database when first detected; and
      
      executing an initial high priority port scan based on detecting a new active host.
  - 6. The method of claim 1, wherein the step of scanning all ports comprises the steps of:
    - simultaneously scanning each port using a User Datagram Protocol bind attempt and a Transmission Control Protocol connection attempt;
      
      determining the state of the User Datagram Protocol bind upon completion of the Transmission Control Protocol connection attempt;
      
      confirming a closed state of a port upon failure of either the User Datagram Protocol bind attempt or the Transmission Control Protocol connection attempt;
      
      confirming an open state of a port if both the User Datagram Protocol bind remains valid and the Transmission Control Protocol connection attempt was successful; and
      
      determining a rate limiting of the target host and the round trip time of the network connection to that host.
  - 7. The method of claim 6, further comprising the step of tracking port status changes over time for reporting the changes to a user.
  - 8. The method of claim 1, wherein the step of scanning all ports comprises the steps of:
    - accessing a control database for determining a designated highest priority active host;
      
      scanning all ports on the designated active host for determining open ports;
      
      storing the status of each open port and each closed port in the control database; and
      
      removing a port designated as closed from the control database if the port remains closed for a predetermined number of scan cycles.
  - 9. The method of claim 8, wherein the step of removing a port designated as closed comprises removing a port designated as closed from the control database if the port remains closed for a predetermined time period.
  - 10. The method of claim 8, further comprising the step of adding a new port designated as open to the control database when first detected.
  - 11. The method of claim 1, wherein the step of scanning each port of each node comprises the steps of:
    - accessing a control database for determining a designated highest priority group of active hosts;
      
      for each host in the group of designated active hosts, checking the dependency criteria for each vulnerability plug-in module in a plug-ins database;
      
      running a vulnerability plug-in module against each host and port combination that meets the dependency criteria of each plug-in module;
      
      storing the status of each vulnerability found in the control database;
      
      removing a vulnerability designated as closed from the control database if the vulnerability remains closed for a predetermined number of scan cycles; and
      
      reducing the number of vulnerability tests using the current knowledge of the target host and service.
  - 12. The method of claim 11, wherein the step of removing a vulnerability designated as closed comprises removing a vulnerability designated as closed from the control database if the vulnerability remains closed for a predetermined time period.
  - 13. The method of claim 11, further comprising the step of adding a new vulnerability designated as open to the control database when first detected.
  - 14. The method of claim 11, further comprising the step of tracking vulnerability status changes over time for reporting the changes to a user.
  - 15. The method of claim 11, further comprising the steps of:
    - periodically checking a central application server for new versions of plug-in modules;
      
      retrieving plug-in modules from the central application server that have later versions than the corresponding plug-in modules stored in the plug-ins database;
      
      storing the latest updated version plug-in modules in the plug-ins database;
      
      reading the dependency criteria of each updated plug-in module and generating a priority list of hosts that match the criteria;
      
      setting a highest priority for vulnerability scanning to the hosts on the priority list; and
      
      performing a vulnerability assessment on each host on the priority list by scanning the hosts.
  - 16. The method of claim 1, wherein the step of notifying a user comprises transmitting all host, port, and vulnerability status to a graphical user interface on a client workstation via a user interface gateway and a communications network.
  - 17. The method of claim 1, wherein the step of notifying a user comprises a snapshot having a periodicity determined by the user.
  - 18. A computer-readable medium containing instructions for controlling a computer system to implement the method of claim 1.

19. A system for scanning network nodes for detection and reporting of security vulnerabilities, comprising:
- means for scanning all network host nodes within designated address ranges for determining all active hosts;
  
  means for scanning all ports in each active host for determining all open ports;
  
  means for scanning each port of each active host for detecting security vulnerabilities; and
  
  means for notifying a user of all open ports and detected security vulnerabilities.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 20. The system of claim 19, further comprising:
    - a graphical user interface connected to a control database via a user interface gateway and a communications network for initiating a new scan job by entering a new set of address ranges by a user into a control database; and
      
      a daemon supervisor and a high priority port scanner daemon for executing an initial high priority port scan based on detecting an active host having an address within the new set of address ranges.
  - 21. The system of claim 19, wherein the means for scanning all network nodes within designated address ranges comprises a host scanner daemon for accessing a control database, for storing the status of each active host and inactive host in the control database, for removing a host designated as inactive from the control database, and adding a new host designated as active to the control database when first detected.
  - 22. The system of claim 19, further comprising a high priority port scanner daemon for executing an initial high priority port scan based on detecting a new active host.
  - 23. The system of claim 19, wherein the means for scanning all ports comprises a port scanner daemon for determining the open or closed status of each port of each host node.
  - 24. The system of claim 19, wherein the means for scanning all ports comprises a port scanner daemon for accessing a control database, scanning all ports on a designated active host, storing the status of each open port and each closed port in the control database, and removing a port designated as closed from the control database.
  - 25. The system of claim 19, wherein the means for scanning each port of each active host comprises a vulnerability scanner daemon for accessing a control database, checking the dependency criteria for each vulnerability plug-in module in a plug-ins database, running a vulnerability plug-in module against each host and port combination that meets the dependency criteria of each plug-in module, storing the status of each vulnerability found in the control database, and removing a vulnerability designated as closed from the control database.
  - 26. The system of claim 19, further comprising a plug-in delivery facility for periodically updating plug-in modules in a plug-ins database used for detecting vulnerabilities.
  - 27. The system of claim 19, wherein the means for notifying a user comprises a graphical user interface on a client workstation connected to a control database via a communications network and a user interface gateway for receiving all host, port, and vulnerability status.
  - 28. The system of claim 19, further comprising means for collecting snapshots of current system status as determined by the user.

29. A system for scanning network nodes for detection and reporting of security vulnerabilities, comprising:
- a user interface on a client workstation connected to a network scanner via a communications network and a user interface gateway for configuring and initializing the scanner, defining scan jobs, and receiving results of security assessments of designated host nodes within a network; and
  
  the network scanner system including a daemon supervisor, a host scanner daemon, an operating system daemon, a port scanner daemon, a vulnerability scanner daemon, a control database, and a plug-in database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Threatguard, Inc.
Original Assignee
Threatguard, Inc.
Inventors
Boyter, Brian A., Engelbach, R. Gunnar, Taylor, Randal S.

Application Number

US10/249,666
Publication Number

US 20030212779A1
Time in Patent Office

Days
Field of Search
US Class Current

709/223
CPC Class Codes

H04L 41/22   comprising specially adapte...

H04L 43/50   Testing arrangements

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

System and Method for Network Security Scanning

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

203 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

System and Method for Network Security Scanning

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

203 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others