System and method for scanning a network

US 20050229255A1
Filed: 12/21/2004
Published: 10/13/2005
Est. Priority Date: 04/13/2004
Status: Active Grant

First Claim

Patent Images

1. A method for passively scanning a network, comprising:

sniffing a plurality of packets traveling across the network;

building a topology of network devices and services that are active on the network from information in the plurality of packets;

analyzing the plurality of packets to detect vulnerabilities in network devices and services; and

preparing a report containing the detected vulnerabilities and the topology.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods to passively scan a network are disclosed herein. The passive scanner sniffs a plurality of packets traveling across the network. The passive scanner analyzes information from the sniffed packets to build a topology of network devices and services that are active on the network. In addition, the passive scanner analyzes the information to detect vulnerabilities in network devices and services. Finally, the passive scanner prepares a report containing the detected vulnerabilities and the topology when it observes a minimum number of sessions. Because the passive scanner operates passively, it may operate continuously without burdening the network. Similarly, it also may obtain information regarding client-side and server side vulnerabilities.

184 Citations

20 Claims

1. A method for passively scanning a network, comprising:
- sniffing a plurality of packets traveling across the network;
  
  building a topology of network devices and services that are active on the network from information in the plurality of packets;
  
  analyzing the plurality of packets to detect vulnerabilities in network devices and services; and
  
  preparing a report containing the detected vulnerabilities and the topology.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein analyzing includes applying signatures to at least one of the plurality of packets to recognize vulnerable service banners.
  - 3. The method of claim 1, wherein building includes analyzing a SYN-ACK packet of the plurality of packets.
  - 4. The method of claim 1, wherein the report is prepared when a minimum number of network sessions are observed by the scanner, the minimum number being determined by a user.
  - 5. The method of claim 1, wherein the method is performed continuously and has substantially no impact on the network.
  - 6. The method of claim 1, further comprising selectively emitting a TCP-Reset switch when a particular vulnerability in the vulnerability information or application in the topology is detected.
  - 7. The method of claim 1, wherein the report further includes a cross-reference identification number for integrating the detected vulnerabilities with output from an active scanner.

8. A method for detecting vulnerabilities in a network, comprising:
- distributing a plurality of active vulnerability scanners across a network;
  
  distributing a plurality of passive vulnerability scanners across the network;
  
  scanning the network with the plurality of active vulnerability scanners at a first instance, wherein each of the plurality of active vulnerability scanners scans a portion of the network;
  
  scanning the network with the plurality of active vulnerability scanners at a second instance after the first instance, wherein each of the plurality of active vulnerability scanners scans a portion of the network;
  
  scanning the network with the plurality of passive vulnerability scanners for a continuous interval between the first instance and the second instance, wherein each of the plurality of passive vulnerability scanners scans a portion of the network; and
  
  forwarding scanned results from each of the plurality of active and passive vulnerability scanners to a centralized vulnerability management system.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8, wherein the centralized vulnerability management system prepares a topology of detected network devices and services from the scanned results.
  - 10. The method of claim 8, wherein the centralized vulnerability management system prepares a list of vulnerabilities from the scanned results.
  - 11. The method of claim 8, wherein each of the passive scanners sniffs packets in the network and detects vulnerabilities by applying banner analysis to the packets sniffed.

12. A method for detecting vulnerabilities in a network, comprising:
- distributing a plurality of active vulnerability scanners across a network;
  
  distributing a plurality of passive vulnerability scanners across the network;
  
  scanning the network with the plurality of active vulnerability scanners, wherein each of the plurality of active vulnerability scanners scans a portion of the network;
  
  scanning the network with the plurality of passive vulnerability scanners during at least a portion of an interval between the first instance and the second instance, wherein each of the plurality of passive vulnerability scanners scans a portion of the network;
  
  forwarding scanned results from each of the plurality of active and passive vulnerability scanners to a centralized vulnerability management system;
  
  building a network model that maps vulnerabilities in hosts, systems and services in the network from the scanned results;
  
  detecting intrusion events with a network intrusion detection system; and
  
  correlating the intrusion events with the vulnerabilities to determine whether the intrusion events target the vulnerabilities.

13. A passive scanner for passively scanning a network, comprising:
- a packet sniffer for sniffing a plurality of packets traveling across the network for topology information and for vulnerability information;
  
  a topology builder for building a topology of network devices and services that are active on the network from the topology information;
  
  a vulnerability processor for analyzing the vulnerability information to detect vulnerabilities in network devices and services, and determining which detected vulnerabilities contain new information that has not been previously stored and which contain duplicative information;
  
  a memory for storing detected vulnerabilities that contain new information that has not been previously stored at the passive scanner; and
  
  a report generator for preparing a report containing stored detected vulnerabilities and the topology.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The passive scanner of claim 13, wherein the vulnerability processor applies signatures to at least one of the plurality of packets to recognize vulnerable service banners.
  - 15. The passive scanner of claim 13, wherein the topology builder analyzes a SYN-ACK packet of the plurality of packets.
  - 16. The passive scanner of claim 13, wherein the report generator prepares the report when a minimum number of network sessions with a user are observed.
  - 17. The passive scanner of claim 13, wherein the passive scanner operates continuously and has substantially no impact on the network.
  - 18. The passive scanner of claim 13, further comprising transmitter for selectively emitting a TCP-Reset switch when a particular vulnerability in the vulnerability information or application in the topology is detected.
  - 19. The passive scanner of claim 13, wherein the report further includes a cross-reference identification number for integrating the detected vulnerabilities with output from an active scanner.
  - 20. The passive scanner of claim 13, wherein the report generator includes topology information that has not been previously reported.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tenable, Inc. (Tenable Holdings, Inc.)
Original Assignee
Tenable Network Security Incorporated (Tenable Holdings, Inc.)
Inventors
Deraison, Renaud Marie Maurice, Hayton, Matthew Todd, Gula, Ronald Joseph

Granted Patent

US 7,761,918 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1433 Vulnerability analysis

System and method for scanning a network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

184 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for scanning a network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

184 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links