System and method for scanning a network
First Claim
1. A method for passively scanning a network, comprising:
- sniffing a plurality of packets traveling across the network;
- building a topology of network devices and services that are active on the network from information in the plurality of packets;
- analyzing the plurality of packets to detect vulnerabilities in network devices and services; and
- preparing a report containing the detected vulnerabilities and the topology.
Abstract
Systems and methods to passively scan a network are disclosed herein. The passive scanner sniffs a plurality of packets traveling across the network. The passive scanner analyzes information from the sniffed packets to build a topology of network devices and services that are active on the network. In addition, the passive scanner analyzes the information to detect vulnerabilities in network devices and services. Finally, the passive scanner prepares a report containing the detected vulnerabilities and the topology when it observes a minimum number of sessions. Because the passive scanner operates passively, it may operate continuously without burdening the network. Similarly, it also may obtain information regarding client-side and server-side vulnerabilities.
Claims (20)
1. See First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method for detecting vulnerabilities in a network, comprising:
- distributing a plurality of active vulnerability scanners across a network;
- distributing a plurality of passive vulnerability scanners across the network;
- scanning the network with the plurality of active vulnerability scanners at a first instance, wherein each of the plurality of active vulnerability scanners scans a portion of the network;
- scanning the network with the plurality of active vulnerability scanners at a second instance after the first instance, wherein each of the plurality of active vulnerability scanners scans a portion of the network;
- scanning the network with the plurality of passive vulnerability scanners for a continuous interval between the first instance and the second instance, wherein each of the plurality of passive vulnerability scanners scans a portion of the network; and
- forwarding scanned results from each of the plurality of active and passive vulnerability scanners to a centralized vulnerability management system.
Dependent claims: 9, 10, 11.
12. A method for detecting vulnerabilities in a network, comprising:
- distributing a plurality of active vulnerability scanners across a network;
- distributing a plurality of passive vulnerability scanners across the network;
- scanning the network with the plurality of active vulnerability scanners, wherein each of the plurality of active vulnerability scanners scans a portion of the network;
- scanning the network with the plurality of passive vulnerability scanners during at least a portion of an interval between the first instance and the second instance, wherein each of the plurality of passive vulnerability scanners scans a portion of the network;
- forwarding scanned results from each of the plurality of active and passive vulnerability scanners to a centralized vulnerability management system;
- building a network model that maps vulnerabilities in hosts, systems and services in the network from the scanned results;
- detecting intrusion events with a network intrusion detection system; and
- correlating the intrusion events with the vulnerabilities to determine whether the intrusion events target the vulnerabilities.
13. A passive scanner for passively scanning a network, comprising:
- a packet sniffer for sniffing a plurality of packets traveling across the network for topology information and for vulnerability information;
- a topology builder for building a topology of network devices and services that are active on the network from the topology information;
- a vulnerability processor for analyzing the vulnerability information to detect vulnerabilities in network devices and services, and determining which detected vulnerabilities contain new information that has not been previously stored and which contain duplicative information;
- a memory for storing detected vulnerabilities that contain new information that has not been previously stored at the passive scanner; and
- a report generator for preparing a report containing stored detected vulnerabilities and the topology.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.
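The following is an added illustration, not code from the patent or its assignee, of the pipeline the abstract and claim 13 describe: a packet sniffer feeding a topology builder and a vulnerability processor that stores only findings carrying new information, with the report generator withholding output until a minimum number of sessions has been observed. The packets, banner strings, host addresses and finding identifiers are all constructed placeholders, and banner matching stands in for whatever vulnerability analysis the specification performs.

```python
from collections import defaultdict
# Constructed rule table: service banner -> finding id (placeholders, not real advisories).
BANNER_RULES = {"ExampleHTTPd/1.0": "EXAMPLE-FINDING-1", "ExampleSSH-2.0-old": "EXAMPLE-FINDING-2"}

class PassiveScanner:
    def __init__(self, min_sessions=3):
        self.min_sessions = min_sessions
        self.sessions = set()             # distinct (client, server, port) observed
        self.topology = defaultdict(set)  # server ip -> {(port, banner)}: active services
        self.stored = {}                  # (server, port, finding) -> session count when first seen

    def sniff(self, pkt):
        """Packet sniffer: consume one constructed server-to-client packet
        (dict with src, sport, dst, payload). Returns the finding key if the
        packet carried new vulnerability information, else None."""
        server, port, client = pkt["src"], pkt["sport"], pkt["dst"]
        self.sessions.add((client, server, port))
        banner = pkt.get("payload", "")
        # Topology builder: a server reply is evidence the service is active.
        self.topology[server].add((port, banner))
        # Vulnerability processor: match the banner, store only new information (claim 13).
        finding = BANNER_RULES.get(banner)
        if finding is None:
            return None
        key = (server, port, finding)
        if key in self.stored:
            return None  # duplicative information is not stored again
        self.stored[key] = len(self.sessions)
        return key

    def report(self):
        """Report generator: nothing until the minimum number of sessions is observed."""
        if len(self.sessions) < self.min_sessions:
            return None
        return {"topology": {ip: sorted(s) for ip, s in self.topology.items()},
                "vulnerabilities": sorted(self.stored)}

# Constructed traffic: two clients reach the same web server, one client reaches an SSH server.
PACKETS = [
    {"src": "10.0.0.5", "sport": 80, "dst": "10.0.0.20", "payload": "ExampleHTTPd/1.0"},
    {"src": "10.0.0.5", "sport": 80, "dst": "10.0.0.21", "payload": "ExampleHTTPd/1.0"},
    {"src": "10.0.0.6", "sport": 22, "dst": "10.0.0.20", "payload": "ExampleSSH-2.0-old"},
]

def run(packets=PACKETS, min_sessions=3):
    """Feed packets in order; return the scanner and the keys of newly stored findings."""
    scanner = PassiveScanner(min_sessions)
    new = [k for k in map(scanner.sniff, packets) if k is not None]
    return scanner, new
```

Feeding only the first two packets leaves the session count below the minimum, so `report()` returns `None` even though a finding is already stored; the second web-server packet is recognised as duplicative and does not create a second entry.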