Network Security System Having a Device Profiler Communicatively Coupled to a Traffic Monitor
First Claim
1. A method for providing security to a plurality of hosts on a network, the method comprising:
storing potential vulnerabilities of the hosts in a tree-structured vulnerability tree having nodes representative of characteristics of the host and a set of potential vulnerabilities associated with ones of the nodes;
evaluating responses of a host of the plurality of hosts to data packets sent over the network to determine characteristics of the host;
traversing the tree-structured vulnerability tree responsive to the determined characteristics to determine vulnerabilities of the host; and
providing the determined vulnerabilities of the host to a traffic monitor, the traffic monitor configured to monitor the network for traffic indicative of attacks exploiting one or more of the determined vulnerabilities of the host.
Abstract
A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities.
30 Claims
1. A method for providing security to a plurality of hosts on a network, the method comprising:
storing potential vulnerabilities of the hosts in a tree-structured vulnerability tree having nodes representative of characteristics of the host and a set of potential vulnerabilities associated with ones of the nodes;
evaluating responses of a host of the plurality of hosts to data packets sent over the network to determine characteristics of the host;
traversing the tree-structured vulnerability tree responsive to the determined characteristics to determine vulnerabilities of the host; and
providing the determined vulnerabilities of the host to a traffic monitor, the traffic monitor configured to monitor the network for traffic indicative of attacks exploiting one or more of the determined vulnerabilities of the host.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A computer program product for providing security to a plurality of hosts on a network, the computer program product comprising computer program code embodied on a computer-readable medium, the computer program code for:
storing potential vulnerabilities of the hosts in a tree-structured vulnerability tree having nodes representative of characteristics of the host and a set of potential vulnerabilities associated with ones of the nodes;
evaluating responses of a host of the plurality of hosts to data packets sent over the network to determine characteristics of the host;
traversing the tree-structured vulnerability tree responsive to the determined characteristics to determine vulnerabilities of the host; and
providing the determined vulnerabilities of the host to a traffic monitor, the traffic monitor configured to monitor the network for traffic indicative of attacks exploiting one or more of the determined vulnerabilities of the host.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
21. A distributed computer network security system for detecting an attack on a host on a network having a plurality of hosts, the system comprising:
a device profiler communicatively coupled with the network, the device profiler configured to evaluate responses of a host of the plurality of hosts to data packets sent over the network to determine characteristics of the host, and further configured to determine vulnerabilities of the host by traversing the tree-structured vulnerability tree responsive to the determined characteristics to determine vulnerabilities of the host, the tree storing potential vulnerabilities of the hosts and having nodes representative of characteristics of the host and a set of potential vulnerabilities associated with ones of the nodes; and
a traffic monitor communicatively coupled with the network, the traffic monitor configured to receive the determined vulnerabilities of the host from the device profiler, the traffic monitor configured to monitor the network for traffic indicative of attacks exploiting one or more of the determined vulnerabilities of the host.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30
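The abstract and independent claims 1, 11 and 21 describe one pipeline: a device profiler derives host characteristics from probe responses, walks a vulnerability tree whose nodes carry characteristic-specific vulnerability sets, optionally applies verification rules, and hands the resulting per-host vulnerability list to a traffic monitor that only watches for the attack signatures associated with those vulnerabilities. The following is an added toy model of that pipeline, written for this page and not code from the patent or its assignee. Every characteristic label, vulnerability ID, signature string, probe response and traffic record in it is a constructed placeholder; a real deployment would populate the tree from a vulnerability database and use real fingerprinting and IDS signatures.

```python
"""Toy model of the profiler -> vulnerability tree -> traffic monitor pipeline.

Added illustration, not the patent's implementation. All identifiers below
(VULN-*, EXAMPLE-PATTERN-*, os=/app=/patch= labels) are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    """One tree node: a host characteristic plus the vulnerabilities it implies."""
    characteristic: str
    vulnerabilities: set = field(default_factory=set)
    children: list = field(default_factory=list)


def build_tree() -> Node:
    # Constructed tree: OS nodes under the root, an application node under one OS.
    web = Node("app=ExampleWeb/1.0", {"VULN-WEB-1", "VULN-WEB-2"})
    os_a = Node("os=ExampleOS-A", {"VULN-OSA-1"}, [web])
    os_b = Node("os=ExampleOS-B", {"VULN-OSB-1"})
    return Node("any-host", {"VULN-GENERIC-1"}, [os_a, os_b])


def profile_host(responses: dict) -> set:
    """Device profiler: map a host's responses to probe packets onto characteristics.

    The fingerprint rules here (TTL -> OS, banner -> application/patch) are
    constructed for the example and stand in for real OS/application fingerprinting.
    """
    chars = set()
    ttl = responses.get("icmp_ttl")
    if ttl == 64:
        chars.add("os=ExampleOS-A")
    elif ttl == 128:
        chars.add("os=ExampleOS-B")
    banner = responses.get("tcp/80", "")
    if "ExampleWeb/1.0" in banner:
        chars.add("app=ExampleWeb/1.0")
    if "X-Patched: example-fix" in banner:
        chars.add("patch=example-fix")
    return chars


def traverse(node: Node, characteristics: set) -> set:
    """Descend only into children whose characteristic the host exhibits and
    collect the potential vulnerabilities found along the way (root always applies)."""
    found = set(node.vulnerabilities)
    for child in node.children:
        if child.characteristic in characteristics:
            found |= traverse(child, characteristics)
    return found


# Verification rules: a potential vulnerability is confirmed unless a rule rejects it.
# Constructed rule: VULN-WEB-2 is ruled out when the host advertises the example patch.
VERIFICATION_RULES = {
    "VULN-WEB-2": lambda chars: "patch=example-fix" not in chars,
}


def verify(potential: set, characteristics: set) -> set:
    return {v for v in potential
            if VERIFICATION_RULES.get(v, lambda c: True)(characteristics)}


# Correlation server's view: each vulnerability is associated with an attack signature.
SIGNATURES = {
    "VULN-GENERIC-1": "EXAMPLE-PATTERN-GENERIC-1",
    "VULN-OSA-1": "EXAMPLE-PATTERN-OSA-1",
    "VULN-OSB-1": "EXAMPLE-PATTERN-OSB-1",
    "VULN-WEB-1": "EXAMPLE-PATTERN-WEB-1",
    "VULN-WEB-2": "EXAMPLE-PATTERN-WEB-2",
}


def monitor(traffic: list, host_vulns: dict) -> list:
    """Traffic monitor: for each (destination, payload) record, check only the
    signatures tied to vulnerabilities that destination actually has."""
    alerts = []
    for dst, payload in traffic:
        for vuln in sorted(host_vulns.get(dst, ())):
            if SIGNATURES[vuln] in payload:
                alerts.append((dst, vuln))
    return alerts


def run_example():
    tree = build_tree()
    # Constructed probe responses for three hosts (addresses are placeholders).
    responses = {
        "10.0.0.5": {"icmp_ttl": 64, "tcp/80": "Server: ExampleWeb/1.0"},
        "10.0.0.6": {"icmp_ttl": 128},
        "10.0.0.7": {"icmp_ttl": 64,
                     "tcp/80": "Server: ExampleWeb/1.0\r\nX-Patched: example-fix"},
    }
    host_vulns = {}
    for host, resp in responses.items():
        chars = profile_host(resp)
        host_vulns[host] = verify(traverse(tree, chars), chars)
    # Constructed traffic: the second record hits a host that lacks the matching
    # vulnerability, so the monitor stays quiet for it.
    traffic = [
        ("10.0.0.5", "... EXAMPLE-PATTERN-WEB-1 ..."),
        ("10.0.0.6", "... EXAMPLE-PATTERN-WEB-1 ..."),
        ("10.0.0.6", "... EXAMPLE-PATTERN-OSB-1 ..."),
    ]
    return host_vulns, monitor(traffic, host_vulns)


if __name__ == "__main__":
    vulns, alerts = run_example()
    for host in sorted(vulns):
        print(host, sorted(vulns[host]))
    print("alerts:", alerts)
```

The point the model makes concrete is the filtering the claims describe: the monitor never evaluates a signature against a destination that the profiler did not mark as vulnerable to it, which is what keeps the per-host signature set small and the alert for a non-vulnerable host suppressed. Verification rules narrow the tree's potential set further (the patched host keeps VULN-WEB-1 but loses VULN-WEB-2), so the signature set handed to the monitor reflects confirmed rather than merely possible exposure.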
Specification