QUERY DATA PACKET PROCESSING AND NETWORK SCANNING METHOD AND APPARATUS

US 20070162965A1
Filed: 03/20/2007
Published: 07/12/2007
Est. Priority Date: 11/02/1999
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

means for encrypting a query data packet in accordance with a plurality of different keys to generate a plurality of differently encrypted query data packets, the differently encrypted query data packets including one or more fields configured to elicit a signature response from a target software;

means for storing, at a first time, a database comprising the differently encrypted query data packets;

means for scanning a port on a computer, the scanning occurring at a second time that is later than the first time, the scanning using the database that was stored at the first time such that the scanning of the computer does not require on-the-fly generation of additional encrypted query data packets; and

means for analyzing whether the computer processes the signature response in response to the scanning using the database.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting within a networked computer a target vulnerability such as a Trojan Horse residing therein is disclosed, wherein the vulnerability is characterized by a signature response to an encrypted query. The method includes encrypting a plurality of query data packets in accordance with a plurality of encryption keys, each encrypted query data packet including a defined query field specific to the target vulnerability. The method further includes storing the plurality of encrypted query data packets in a memory. The method further includes thereafter scanning the networked computer for a target vulnerability residing within the networked computer by sending successive ones of the encrypted-and-stored query data packets to the host computer and analyzing responses thereto from the host computer with respect to the characteristic signature. Preferably, the encrypting is performed for substantially all of the encryption keys within a defined key space. The memory may be non-volatile memory such as a disk drive or a volatile memory such as random-access memory (RAM) or a memory configured as a cache.

13 Citations

View as Search Results

20 Claims

1. A system comprising:
- means for encrypting a query data packet in accordance with a plurality of different keys to generate a plurality of differently encrypted query data packets, the differently encrypted query data packets including one or more fields configured to elicit a signature response from a target software;
  
  means for storing, at a first time, a database comprising the differently encrypted query data packets;
  
  means for scanning a port on a computer, the scanning occurring at a second time that is later than the first time, the scanning using the database that was stored at the first time such that the scanning of the computer does not require on-the-fly generation of additional encrypted query data packets; and
  
  means for analyzing whether the computer processes the signature response in response to the scanning using the database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1 wherein the keys are equal in amount to a modulus of an operating system contained on the computer.
  - 3. The system of claim 1 wherein the processors are further operable to deny the computer access to one or more networks when the computer processes the signature response.
  - 4. The system of claim 1 wherein the processors are further operable to notify the computer when the computer processes the signature response.
  - 5. The system of claim 1 wherein the processors are further operable to log an identification of the port and the computer when the computer processes the signature response.
  - 6. The system of claim 1 wherein the fields include magic data fields and command fields.
  - 7. The system of claim 6 wherein the magic data fields include banners recognizable by the target software.
  - 8. The system of claim 1 wherein the target software is a Trojan Horse.

9. An apparatus comprising:
- one or more processors; and
  
  a memory coupled to the processors comprising instructions executable by the processors, the processors operable when executing the instructions to;
  
  encrypt a query data packet in accordance with a plurality of different keys to generate a plurality of differently encrypted query data packets, the differently encrypted query data packets including one or more fields configured to elicit a signature response from a target software;
  
  store, at a first time, a database comprising the differently encrypted query data packets;
  
  scan at least a portion of a network using the database that was stored at the first time, the scanning occurring at a second time that is later than the first time such that the scanning of the network does not require on-the-fly generation of additional encrypted query data packets; and
  
  analyze whether the computer processes the signature response in response to the scanning using the database.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The apparatus of claim 9 wherein the processors are further operable to periodically automatically scan the portion of the network.
  - 11. The apparatus of claim 10 wherein the processors are further operable to scan every port on at least one computer in the network using the differently encrypted query data packets during each of the periodic scannings.
  - 12. The apparatus of claim 9 wherein the processors are further operable to periodically scan ports of computers on the network.
  - 13. The apparatus of claim 9 wherein the keys are equal in amount to a modulus of an operating system contained on at least one computer in the network.
  - 14. The apparatus of claim 9 wherein the target software is a software bug capable of bringing down a port on a computer in the network.
  - 15. The apparatus of claim 9 wherein the amount of keys is equal to a key space length of an operating system used on at least one computer in the network.

16. A method comprising:
- encrypting a query data packet in accordance with a plurality of different keys to generate a plurality of differently encrypted query data packets, the differently encrypted query data packets including one or more fields configured to elicit a signature response from a target software;
  
  storing, at a first time, a database comprising the differently encrypted query data packets;
  
  scanning a remote computer over a network, the scanning occurring at a second time that is later than the first time, the scanning using the database that was stored at the first time such that the scanning of the remote computer does not require on-the-fly generation of additional encrypted query data packets; and
  
  determining whether the remote computer processes the signature response.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16 wherein the amount of keys is equal to a modulus of the operating system.
  - 18. The method of claim 16 further comprising blocking the remote computer access to one or more networks when the remote computer processes the signature response.
  - 19. The method of claim 16 further comprising notifying the remote computer when the remote computer processes the signature response.
  - 20. The method of claim 16 further comprising logging an identification the remote computer and one or more compromised ports when the computer processes the signature response.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Carter, Earl, Shinn, Michael

Granted Patent

US 7,734,931 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

QUERY DATA PACKET PROCESSING AND NETWORK SCANNING METHOD AND APPARATUS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

QUERY DATA PACKET PROCESSING AND NETWORK SCANNING METHOD AND APPARATUS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others