Policy-based vulnerability assessment

US 20050010821A1
Filed: 04/29/2004
Published: 01/13/2005
Est. Priority Date: 04/29/2003
Status: Active Grant

First Claim

Patent Images

1. In a policy-based monitor system, a network security system for vulnerability assessment (VA) comprising:

a VA client for requesting vulnerability scans, for processing returned results, and for storing relevant data coupled to said request and results in a database; and

a VA server for receiving said VA client request for vulnerability scans, for performing said vulnerability scans, and for returning scan results to said VA client.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for a vulnerability assessment mechanism that serves to actively scan for vulnerabilities on a continuous basis and interpret the resulting traffic in context of policy is provided. Vulnerability information is presented within an enterprise manager system enabling the user to access vulnerability information, recommended remediation procedures, and associated network traffic. A studio mechanism is used to add scanners to the appropriate policies and control the scope and distribution of scans within the target network.

Citations

74 Claims

1. In a policy-based monitor system, a network security system for vulnerability assessment (VA) comprising:
- a VA client for requesting vulnerability scans, for processing returned results, and for storing relevant data coupled to said request and results in a database; and
  
  a VA server for receiving said VA client request for vulnerability scans, for performing said vulnerability scans, and for returning scan results to said VA client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 2. The network security system of claim 1, further comprising any of:
    - a mechanism for configuring vulnerability scans, wherein such mechanism is fully integrated into a studio module coupled to said policy-based monitor system;
      
      a mechanism for reporting vulnerability items, wherein said reporting mechanism is fully integrated into said policy-based monitor system;
      
      a mechanism for viewing vulnerability events, wherein said mechanism is fully integrated into any of;
      
      said studio module; and
      
      an enterprise-level user interface; and
      
      a mechanism for updating a repository of known vulnerability item entries, wherein said mechanism is fully integrated into said policy-based monitor system.
  - 3. The network security system of claim 1, wherein said VA server reports on application-level vulnerabilities.
  - 4. The network security system of claim 1, wherein a vulnerability scan request comprises any of:
    - subnets and hosts to be scanned; and
      
      type of scan to be performed.
  - 5. The network security system of claim 2, wherein said VA server and VA client are monitored by said enterprise-level user interface.
  - 6. The network security system of claim 2, wherein configuration information for said VA client comprises any of:
    - target information;
      
      schedule information; and
      
      expiration interval.
  - 7. The network security system of claim 1, wherein each of said returned vulnerability scan results comprises:
    - IP address of a target host;
      
      service being exercised;
      
      type of vulnerability; and
      
      severity level of said vulnerability.
  - 8. The network security system of claim 7, wherein responsive to, and dependent on, an associated vulnerability state, at least one returned vulnerability scan result of said returned vulnerability scan results is mapped by a mapping function into a vulnerability network event.
  - 9. The network security system of claim 8, wherein said mapping function comprises any of:
    - a mapping function that uses an IP address of a scanning network interface in the policy-based monitor system as a source IP address and that maps said IP address into a name of a network object that represents a VA scanner;
      
      a mapping function that uses an IP address of a target host as a destination IP and that maps said IP address to an appropriate network object name;
      
      a mapping function that assigns a transport protocol to which the vulnerability applies to a service protocol and a base protocol, wherein said transport protocol'"'"'s IP protocol ID is assigned to a protocol number field and, wherein said for host-level vulnerabilities, said transport protocol is set to Host and said IP protocol ID is set to a first predetermined value;
      
      an application protocol to which vulnerability applies to a service for a mapping function that assigns network level vulnerabilities;
      
      or to a specific indicator string for vulnerabilities that apply only to a host but not to its network connection;
      
      a mapping function that assigns a port where vulnerability is discovered to a destination port, wherein for host-level vulnerabilities said destination port is set to a second predetermined value;
      
      a function that maps vulnerability into an outcome and an outcome component, wherein said outcome is one of a plurality of possible outcomes assignable to a vulnerability event;
      
      said possible outcomes comprising at least;
      
      a vulnerability outcome, wherein a vulnerability not previously reported against a target host is determined, wherein said outcome used whenever a vulnerability is first found, and wherein said outcome comprises outcome components, each with a distinct criticality level, wherein said vulnerability outcome components indicate if said vulnerability outcome is any of;
      
      severe;
      
      important; and
      
      informational;
      
      a vulnerability removed outcome, wherein a previously reported vulnerability that is no longer found in a target host is determined, wherein said outcome has a single outcome component indicating the vulnerability is cleared; and
      
      an unreachable outcome, wherein a subnet or previously scanned host cannot be reached by said scanner and has a single outcome component indicating the previously scanned host or subnet can no longer be scanned;
      
      a mapping function that assigns an event owner as owner of an outcome, service, or target network object, and in such order;
      
      a mapping function that assigns a monitor a name of a monitor wherein the VA server and client are running;
      
      a mapping function that assigns a collection point to a monitor where the VA server and client are running;
      
      a mapping function that assigns an event time to a time at which the vulnerability was last reported; and
      
      at least one vulnerability details record comprising any of the following fields;
      
      a common identifier field, a string containing one or more identifiers from common vulnerability repositories;
      
      a description field, a string containing a detailed description of the vulnerability, wherein description is capable of containing a dynamic portion detailing an aspect of the vulnerability that is specific to the target host;
      
      a first found field, a timestamp for when the vulnerability was first detected; and
      
      a last found field, a timestamp for when the vulnerability was last detected.
  - 10. The network security system of claim 9, wherein a Nessus like security server severity of the vulnerability is mapped into one of said outcome components as follows:
    - Nessus like security server output level HIGH is mapped to Severe;
      
      Nessus like security server output level WARNING is mapped to Important; and
      
      Nessus like security server output level NOTE is mapped to Informational.
  - 11. The network security system of claim 8, wherein said vulnerability network event is stored in said policy-based monitor system database and is accessible to an analyzing module coupled to a studio module and is accessible to an enterprise-level user interface, and wherein said vulnerability network event is stored in a vulnerability event database and is maintained for a lifetime of said vulnerability.
  - 12. The network security system of claim 11, further comprising:
    - in response to a vulnerability reported by said VA Server, means for said VA client querying said vulnerability event database to determine if said vulnerability has already been reported by a previous scan, wherein if not, a vulnerability event is generated and stored in both said policy-based monitor system database and said vulnerability event database, wherein said vulnerability event is assigned a vulnerability outcome and an outcome component representing a severity of said vulnerability as reported by said VA server.
  - 13. The network security system of claim 12, further comprising:
    - means for reporting a vulnerability event having an assigned severity of a predetermined value as an alert to all configured recipients of policy-based monitor system alerts.
  - 14. The network security system of claim 11, further comprising:
    - in response to a previously reported vulnerability being cleared, means for said VA client generating a vulnerability event to indicate that said vulnerability is removed from a host, wherein said vulnerability event is then removed from said vulnerability event database.
  - 15. The network security system of claim 11, further comprising:
    - in response to a host previously detected on the network by a given VA scanner is determined not reachable in a subsequent scan, means for said VA client generating an associated vulnerability event and updating an associated status of said associated vulnerability event in said vulnerability event database.
  - 16. The network security system of claim 11, further comprising:
    - in response to a host being unreachable for a time exceeding a specified time in said expiration interval, means for removing from said vulnerability event database all vulnerability events pertaining to said host.
  - 17. The network security system of claim 2, said studio module further comprising:
    - a scanner network object for representing either of;
      
      VA capability in said policy-based monitor system; and
      
      a third party network scanner;
      
      wherein said network object is given an IP address of a network interface coupled to said policy-base monitor system used for scanning; and
      
      wherein said studio module provides capability for a user to create scanner network objects at any point during policy development.
  - 18. The network security system of claim 17 said studio module further comprising:
    - means for automatically generating a set of scanning relationships for said network object in response to said network object selected as a scanning target, wherein said scanning relationships determine how traffic from an associated scanner to said network object is classified, and wherein said scanning relationships are derived from an associated policy for said network object.
  - 19. The network security system of claim 18, wherein said means for generating a set of scanning relationships further comprises:
    - means for assigning at least one of two outcomes associated with said scanning relationship if a given service is offered in said network object'"'"'s policy, said two outcomes comprising;
      
      if an initiator in a policy relationship includes a scanner itself, then the scanning relationship has a same outcome as that of the policy relationship; and
      
      if an initiator does not include a scanner, then an outcome Probed is assigned to the scanning relationship, wherein said outcome Probed has a criticality depicting a violation of the target network object'"'"'s policy associated with all of its outcome components that denote a successful connection or two-way exchange of connectionless data.
  - 20. The network security system of claim 1, further comprising:
    - in response to a policy file being compiled, means for a pdx compiler computing a complete set of IP addresses to be scanned and for outputting said set of IP addresses to a file as input for said VA client.
  - 21. The network security system of claim 20, further comprising:
    - means for said pdx compiler defining a subset of specific IP addresses to be removed from said complete set of IP addresses, whereby said subset of specific IP addresses will not be scanned.
  - 22. The network security system of claim 2, further comprising:
    - in response to a policy file being compiled, means for a pdx compiler computing a set of IP addresses designated not to be scanned and outputting said set of IP addresses designated not to be scanned to a file as input for said VA client.
  - 23. The network security system of claim 2, further comprising:
    - means for said enterprise-level user interface viewing vulnerability events, wherein said vulnerability events are processed equivalently to other network events; and
      
      means for said enterprise-level user interface viewing vulnerability alerts, wherein said vulnerability alerts are indistinguishable from other network events, and wherein all alert management functions in said enterprise-level user interface are applicable to vulnerability alerts.
  - 24. The network security system of claim 2, wherein said enterprise-level user interface comprises:
    - a live data page, wherein all vulnerability events generated during a specified query interval are collated under a pseudo reporting element.
  - 25. The network security system of claim 2, further comprising:
    - means for said enterprise-level user interface accessing a policy description document generated as part of a policy update process, wherein said policy description document comprises a network object page, comprising a link to vulnerability information pertaining to said network object, wherein said policy description document provides a view of vulnerability information for an entire policy domain, and wherein a policy description document accessed through said policy-based monitor system provides visibility only to the hosts scanned by said VA Server.
  - 26. The network security system of claim 2, said enterprise-level user interface further comprising:
    - means for specifying configuration information;
      
      means for ascertaining status of processes of said VA client and said VA server; and
      
      means for managing an update process for security scanner updates.
  - 27. The network security system of claim 1, further comprising:
    - means for automatically merging a host policy and a scanner policy.
  - 28. The network security system of claim 27, wherein said merged policy comprises any of:
    - outcomes per host policy, wherein host policy applies to scanner as client host; and
      
      probed outcomes, wherein host policy does not apply to scanner as client host.
  - 29. The network security system of claim 1, further comprising any of:
    - means for said policy-based monitor system monitoring a scanner; and
      
      means for a scanner exercising a network for said policy-based monitor system.
  - 30. The network security system of claim 1, further comprising:
    - means for determining vulnerable state information of a network using a continuous scanning technique.
  - 31. The network security system of claim 30, wherein said vulnerable state information comprises information indicating any of:
    - which vulnerabilities are new;
      
      how long each vulnerability persists; and
      
      which vulnerabilities have been resolved.
  - 32. The network security system of claim 30, further comprising:
    - means for mapping a new vulnerability to an emitted monitored event with outcome vulnerability; and
      
      means for mapping a resolved vulnerability to an emitted monitored event with outcome vulnerability resolved.
  - 33. The network security system of claim 30, further comprising:
    - means for determining when new vulnerability data is received at state new and emitting a monitored event, wherein if such vulnerability data are seen again, then for assigning a state to persistent, and if said data are not seen again, then assigning a state to almost resolved;
      
      means for determining if a machine on which vulnerability is detected is no longer visible on said network and for assigning state inaccessible and emitting a monitored event;
      
      from a persistent state, means for determining if vulnerability is detected again and for keeping state at persistent;
      
      from an almost resolved state, means for determining if vulnerability is seen again and for changing state to persistent, and if said vulnerability is not seen after a predetermined amount of time, for assigning state to resolved and emitting a monitored event;
      
      means for determining if vulnerability is from a machine which ceases to be visible on said network and for assigning state to inaccessible; and
      
      from an inaccessible state, means for determining if a machine returns from being invisible from an almost resolved state and for returning state to said almost resolved state, and for determining if a machine returns from being invisible from a persistent state and returning the state to persistent.
  - 34. The network security system of claim 30, further comprising:
    - means for using a scanner to determine existence of new hosts and hosts which left a subnet in a policy, and wherein;
      
      if a network host appears and an IP address is not represented by a record in said vulnerable state information, a Host found event is emitted; and
      
      if a network host is covered by said record in said vulnerable state information but is not seen by the scanner, a. Host unreachable event is emitted.
  - 35. The network security system of claim 30, further comprising:
    - means for using a scanner to derive new hosts, as well as hosts which have left said network in a policy using said determined vulnerable state information.
  - 36. The network security system of claim 30, wherein said vulnerable state information comprises any of:
    - new;
      
      persistent;
      
      inaccessible;
      
      almost resolved; and
      
      resolved.
  - 37. The network security system of claim 1, further comprising:
    - a network security policy for detecting presence of a running scanner and for monitoring said network, wherein scanner events are not presented as a security attack on said network.

38. For a policy-based monitor method, a method for network security for vulnerability assessment (VA) comprising the steps of:
- providing a VA client for requesting vulnerability scans, for processing returned results, and for storing relevant data coupled to said request and results in a database; and
  
  providing a VA server for receiving said VA client request for vulnerability scans, for performing said vulnerability scans, and for returning scan results to said VA client.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74)
- - 39. The network security method of claim 38, further comprising any of the steps of:
    - providing a mechanism for configuring vulnerability scans, wherein such mechanism is fully integrated into a studio module coupled to said policy-based monitor system;
      
      providing a mechanism for reporting vulnerability items, wherein said reporting mechanism is fully integrated into said policy-based monitor system;
      
      providing a mechanism for viewing vulnerability events, wherein said mechanism is fully integrated into any of;
      
      said studio module; and
      
      an enterprise-level user interface; and
      
      providing a mechanism for updating a repository of known vulnerability item entries, wherein said mechanism is fully integrated into said policy-based monitor system.
  - 40. The network security method of claim 38, wherein said VA server reports on application-level vulnerabilities.
  - 41. The network security method of claim 38, wherein a vulnerability scan request comprises any of:
    - subnets and hosts to be scanned; and
      
      type of scan to be performed.
  - 42. The network security method of claim 39, wherein said VA server and VA client are monitored by said enterprise-level user interface.
  - 43. The network security method of claim 39, wherein configuration information for said VA client comprises any of:
    - target information;
      
      schedule information; and
      
      expiration interval.
  - 44. The network security method of claim 38, wherein each of said returned vulnerability scan results comprises:
    - IP address of a target host;
      
      service being exercised;
      
      type of vulnerability; and
      
      severity level of said vulnerability.
  - 45. The network security method of claim 44, wherein responsive to, and dependent on, an associated vulnerability state, at least one returned vulnerability scan result of said returned vulnerability scan results is mapped by a mapping function into a vulnerability network event.
  - 46. The network security method of claim 45, wherein said mapping function comprises any of:
    - a mapping function that uses an IP address of a scanning network interface in the policy-based monitor system as a source IP address and that maps said IP address into a name of a network object that represents a VA scanner;
      
      a mapping function that uses an IP address of a target host as a destination IP and that maps said IP address to an appropriate network object name;
      
      a mapping function that assigns a transport protocol to which the vulnerability applies to a service protocol and a base protocol, wherein said transport protocol'"'"'s IP protocol ID is assigned to a protocol number field and, wherein said for host-level vulnerabilities, said transport protocol is set to Host and said IP protocol. ID is set to a first predetermined value;
      
      an application protocol to which vulnerability applies to a service for a mapping function that assigns network level vulnerabilities;
      
      or to a specific indicator string for vulnerabilities that apply only to a host but not to its network connection;
      
      a mapping function that assigns a port where vulnerability is discovered to a destination port, wherein for host-level vulnerabilities said destination port is set to a second predetermined value;
      
      a function that maps vulnerability into an outcome and an outcome component, wherein said outcome is one of a plurality of possible outcomes assignable to a vulnerability event;
      
      said possible outcomes comprising at least;
      
      a vulnerability outcome, wherein a vulnerability not previously reported against a target host is determined, wherein said outcome used whenever a vulnerability is first found, and wherein said outcome comprises outcome components, each with a distinct criticality level, wherein said vulnerability outcome components indicate if said vulnerability outcome is any of;
      
      severe;
      
      important; and
      
      informational;
      
      a vulnerability removed outcome, wherein a previously reported vulnerability that is no longer found in a target host is determined, wherein said outcome has a single outcome component indicating the vulnerability is cleared; and
      
      an unreachable outcome, wherein a subnet or previously scanned host cannot be reached by said scanner and has a single outcome component indicating the previously scanned host or subnet can no longer be scanned;
      
      a mapping function that assigns an event owner as owner of an outcome, service, or target network object, and in such order;
      
      a mapping function that assigns a monitor a name of a monitor wherein the VA server and client are running;
      
      a mapping function that assigns a collection point to a monitor where the VA server and client are running;
      
      a mapping function that assigns an event time to a time at which the vulnerability was last reported; and
      
      at least one vulnerability details record comprising any of the following fields;
      
      a common identifier field, a string containing one or more identifiers from common vulnerability repositories;
      
      a description field, a string containing a detailed description of the vulnerability, wherein description is capable of containing a dynamic portion detailing an aspect of the vulnerability that is specific to the target host;
      
      a first found field, a timestamp for when the vulnerability was first detected; and
      
      a last found field, a timestamp for when the vulnerability was last detected.
  - 47. The network security method of claim 46, wherein a Nessus like security server severity of the vulnerability is mapped into one of said outcome components as follows:
    - Nessus like security server output level HIGH is mapped to Severe;
      
      Nessus like security server output level WARNING is mapped to Important; and
      
      Nessus like security server output level NOTE is mapped to Informational.
  - 48. The network security method of claim 45, wherein said vulnerability network event is stored in said policy-based monitor system database and is accessible to an analyzing module coupled to a studio module and is accessible to an enterprise-level user interface, and wherein said vulnerability network event is stored in a vulnerability event database and is maintained for a lifetime of said vulnerability.
  - 49. The network security method of claim 48, further comprising the step of:
    - in response to a vulnerability reported by said VA Server, said VA client querying said vulnerability event database to determine if said vulnerability has already been reported by a previous scan, wherein if not, a vulnerability event is generated and stored in both said policy-based monitor system database and said vulnerability event database, wherein said vulnerability event is assigned a vulnerability outcome and an outcome component representing a severity of said vulnerability as reported by said VA server.
  - 50. The network security method of claim 49, further comprising the step of:
    - reporting a vulnerability event having an assigned severity of a predetermined value as an alert to all configured recipients of policy-based monitor system alerts.
  - 51. The network security method of claim 48, further comprising the step of:
    - in response to a previously reported vulnerability being cleared, said VA client generating a vulnerability event to indicate that said vulnerability is removed from a host, wherein said vulnerability event is then removed from said vulnerability event database.
  - 52. The network security method of claim 48, further comprising the step of:
    - in response to a host previously detected on the network by a given VA scanner is determined not reachable in a subsequent scan, said VA client generating an associated vulnerability event and updating an associated status of said associated vulnerability event in said vulnerability event database.
  - 53. The network security method of claim 48, further comprising the step of:
    - in response to a host being unreachable for a time exceeding a specified time in said expiration interval, removing from said vulnerability event database all vulnerability events pertaining to said host.
  - 54. The network security method of claim 39, said studio module further comprising the step of:
    - providing a scanner network object for representing either of;
      
      VA capability in said policy-based monitor system; and
      
      a third party network scanner;
      
      wherein said network object is given an IP address of a network interface coupled to said policy-base monitor system used for scanning; and
      
      wherein said studio module provides capability for a user to create scanner network objects at any point during policy development.
  - 55. The network security method of claim 54 said studio module further comprising the step of:
    - automatically generating a set of scanning relationships for said network object in response to said network object selected as a scanning target, wherein said scanning relationships determine how traffic from an associated scanner to said network object is classified, and wherein said scanning relationships are derived from an associated policy for said network object.
  - 56. The network security method of claim 55, wherein said generating a set of scanning relationships further comprises the step of:
    - assigning at least one of two outcomes associated with said scanning relationship if a given service is offered in said network object'"'"'s policy, said two outcomes comprising;
      
      if an initiator in a policy relationship includes a scanner itself, then the scanning relationship has a same outcome as that of the policy relationship; and
      
      if an initiator does not include a scanner, then an outcome Probed is assigned to the scanning relationship, wherein said outcome Probed has a criticality depicting a violation of the target network object'"'"'s policy associated with all of its outcome components that denote a successful connection or two-way exchange of connectionless data.
  - 57. The network security method of claim 39, further comprising the step of:
    - in response to a policy file being compiled, a pdx compiler computing a complete set of IP addresses to be scanned and outputting said set of IP addresses to a file as input for said VA client.
  - 58. The network security method of claim 57, further comprising the step of:
    - said pdx compiler defining a subset of specific IP addresses to be removed from said complete set of IP addresses, whereby said subset of specific IP addresses will not be scanned.
  - 59. The network security method of claim 39, further comprising the step of:
    - in response to a policy file being compiled, a pdx compiler computing a set of IP addresses designated not to be scanned and outputting said set of IP addresses designated not to be scanned to a file as input for said VA client.
  - 60. The network security method of claim 39, further comprising the steps of:
    - said enterprise-level user interface viewing vulnerability events, wherein said vulnerability events are processed equivalently to other network events; and
      
      said enterprise-level user interface viewing vulnerability alerts, wherein said vulnerability alerts are indistinguishable from other network events, and wherein all alert management functions in said enterprise-level user interface are applicable to vulnerability alerts.
  - 61. The network security method of claim 39, wherein said enterprise-level user interface comprises:
    - a live data page, wherein all vulnerability events generated during a specified query interval are collated under a pseudo reporting element.
  - 62. The network security method of claim 39, further comprising the step of:
    - said enterprise-level user interface accessing a policy description document generated as part of a policy update process, wherein said policy description document comprises a network object page, comprising a link to vulnerability information pertaining to said network object, wherein said policy description document provides a view of vulnerability information for an entire policy domain, and wherein a policy description document accessed through said policy-based monitor system provides visibility only to the hosts scanned by said VA Server.
  - 63. The network security method of claim 39, said enterprise-level user interface further comprising the steps of:
    - specifying configuration information;
      
      ascertaining status of processes of said VA client and said VA server; and
      
      managing an update process for security scanner updates.
  - 64. The network security method of claim 38, further comprising the step of:
    - automatically merging a host policy and a scanner policy.
  - 65. The network security method of claim 64, wherein said merged policy comprises any of:
    - outcomes per host policy, wherein host policy applies to scanner as client host; and
      
      probed outcomes, wherein host policy does not apply to scanner as client host.
  - 66. The network security method of claim 38, further comprising any of the step of:
    - said policy-based monitor system monitoring a scanner; and
      
      a scanner exercising a network for said policy-based monitor system.
  - 67. The network security method of claim 38, further comprising the step of:
    - determining vulnerable state information of a network using a continuous scanning technique.
  - 68. The network security method of claim 67, wherein said vulnerable state information comprises information indicating any of:
    - which vulnerabilities are new;
      
      how long each vulnerability persists; and
      
      which vulnerabilities have been resolved.
  - 69. The network security method of claim 67, further comprising the step of:
    - mapping a new vulnerability to an emitted monitored event with outcome vulnerability; and
      
      mapping a resolved vulnerability to an emitted monitored event with outcome vulnerability resolved.
  - 70. The network security method of claim 67, further comprising the steps of:
    - determining when new vulnerability data is received at state new and emitting a monitored event, wherein if such vulnerability data are seen again, then assigning a state to persistent, and if said data are not seen again, then assigning a state to almost resolved;
      
      determining if a machine on which vulnerability is detected is no longer visible on said network and assigning state inaccessible and emitting a monitored event;
      
      from a persistent state, determining if vulnerability is detected again and keeping state at persistent;
      
      from an almost resolved state, determining if vulnerability is seen again and changing state to persistent, and if said vulnerability is not seen after a predetermined amount of time, assigning state to resolved and emitting a monitored event;
      
      determining if vulnerability is from a machine which ceases to be visible on said network and assigning state to inaccessible; and
      
      from an inaccessible state, determining if a machine returns from being invisible from an almost resolved state and returning state to said almost resolved state, and determining if a machine returns from being invisible from a persistent state and returning the state to persistent.
  - 71. The network security method of claim 67, further comprising the step of:
    - using a scanner to determine existence of new hosts and hosts which left a subnet in a policy, and wherein;
      
      if a network host appears and an IP address is not represented by a record in said vulnerable state information, a Host found event is emitted; and
      
      if a network host is covered by said record in said vulnerable state information but is not seen by the scanner, a Host unreachable event is emitted.
  - 72. The network security method of claim 67, further comprising the step of:
    - using a scanner to derive new hosts, as well as hosts which have left said network in a policy using said determined vulnerable state information.
  - 73. The network security method of claim 67, wherein said vulnerable state information comprises any of:
    - new;
      
      persistent;
      
      inaccessible;
      
      almost resolved; and
      
      resolved.
  - 74. The network security method of claim 38, further comprising the step of:
    - providing a network security policy for detecting presence of a running scanner and for monitoring said network, wherein scanner events are not presented as a security attack on said network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
Secure Computing LLC (McAfee, LLC)
Inventors
Cooper, Geoffrey, Pearcy, Derek P., Pereira Valente, Luis Filipe, Richardson, Harry Alexander

Granted Patent

US 7,451,488 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/1433 Vulnerability analysis

Policy-based vulnerability assessment

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

Citations

74 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based vulnerability assessment

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

74 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links