PROTECTING A DATA PROCESSING SYSTEM FROM ATTACK BY A VANDAL WHO USES A VULNERABILITY SERVER

US 20070245421A1
Filed: 06/06/2007
Published: 10/18/2007
Est. Priority Date: 10/01/2001
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a data processing system against attack by a vandal, the method comprising the steps of:

determining, by a vulnerability scanner, a first externally visible vulnerability of the data processing system, said first externally visible vulnerability being on a list, said list appearing in a database accessed by the vulnerability scanner;

providing, by the vulnerability scanner to an observation engine, a description of a first instance of a network flow to the data processing system such that the first instance of the network flow is associated with the first externally visible vulnerability;

detecting, by the observation engine, the first instance of the network flow satisfying said description;

instructing, by the observation engine, a blocker to block the detected first instance of the network flow, said instructing being in response to said detecting; and

blocking, by the blocker, the first instance of the network flow, said blocking being in response to said instructing.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and apparatus for protecting a data processing system such as an Internet server from attack by a vandal who uses an offensive vulnerability scanner to find an externally visible vulnerability of the data processing system. The method includes determining an externally visible vulnerability using a defensive vulnerability scanner, configuring an intrusion detection system to detect a network flow associated with the vulnerability, and blocking that flow by a firewall or a router. The apparatus includes a defensive vulnerability scanner that finds an externally visible vulnerability and provides a description of the vulnerability, an intrusion detection system that detects a network flow that satisfies the description, and a firewall or a router that blocks the flow responsive to detection of the flow by the intrusion detection system.

20 Citations

View as Search Results

23 Claims

1. A method for protecting a data processing system against attack by a vandal, the method comprising the steps of:
- determining, by a vulnerability scanner, a first externally visible vulnerability of the data processing system, said first externally visible vulnerability being on a list, said list appearing in a database accessed by the vulnerability scanner;
  
  providing, by the vulnerability scanner to an observation engine, a description of a first instance of a network flow to the data processing system such that the first instance of the network flow is associated with the first externally visible vulnerability;
  
  detecting, by the observation engine, the first instance of the network flow satisfying said description;
  
  instructing, by the observation engine, a blocker to block the detected first instance of the network flow, said instructing being in response to said detecting; and
  
  blocking, by the blocker, the first instance of the network flow, said blocking being in response to said instructing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the vulnerability scanner accesses the list in the database through the Internet.
  - 3. The method of claim 1, wherein the vulnerability scanner is a network vulnerability scanner.
  - 4. The method of claim 1, wherein the vulnerability scanner is a host vulnerability scanner.
  - 5. The method of claim 1, wherein the vulnerability scanner is an application vulnerability scanner.
  - 6. The method of claim 1, wherein the observation engine is an intrusion detection system.
  - 7. The method of claim 1, wherein the step of blocking is performed by a firewall.
  - 8. The method of claim 1, wherein the step of blocking is performed by a router.
  - 9. The method of claim 1, wherein the step of blocking is performed by a load balancer.
  - 10. The method of claim 1, wherein the step of providing said description is performed after the step of determining the first externally visible vulnerability is performed, wherein the step of detecting is performed after the step of providing said description is performed, wherein the step of instructing is performed after the step of detecting is performed, and wherein the step of blocking is performed after the step of instructing is performed.

11. Apparatus for protecting a data processing system against attack by a vandal, the apparatus comprising:
- a vulnerability scanner for determining a first externally visible vulnerability of the data processing system and for providing to an observation engine a description of a first instance of a network flow to the data processing system such that the first instance of the network flow is associated with the first externally visible vulnerability, said first externally visible vulnerability being on a list, said list appearing in a database;
  
  the observation engine for detecting the first instance of the network flow satisfying said description and for instructing a blocker to block the detected first instance of the network flow, said instructing being in response to said detecting; and
  
  the blocker for blocking the detected first instance of the network flow, said blocking being in response to said instructing.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The apparatus of claim 11, wherein the vulnerability scanner accesses the list in the database through the Internet.
  - 13. The apparatus of claim 11, wherein the vulnerability scanner is a network vulnerability scanner.
  - 14. The apparatus of claim 11, wherein the vulnerability scanner is a host vulnerability scanner.
  - 15. The apparatus of claim 11, wherein the vulnerability scanner is an application vulnerability scanner.
  - 16. The apparatus of claim 11, wherein the observation engine is an intrusion detection system.
  - 17. The apparatus of claim 11, wherein the blocker is a firewall.
  - 18. The apparatus of claim 11, wherein the blocker is a router.
  - 19. The apparatus of claim 11, wherein the step of blocking is performed by a load balancer.
  - 20. The apparatus of claim 11, wherein the vulnerability scanner provides said description to the observation engine after the vulnerability scanner determines the first externally visible vulnerability, wherein the observation engine detects the first instance of the network flow satisfying said description after the vulnerability scanner provides said description to the observation engine, wherein the observation engine instructs the blocker to block the detected first instance of the network flow after the observation engine detects the first instance of the network flow satisfying said description, and wherein the blocker blocks the detected first instance of the network flow after the observation engine instructs the blocker to block the detected first instance of the network flow.

21. Apparatus for protecting a data processing system against attack by a vandal, the apparatus comprising:
- a vulnerability scanner for determining a first externally visible vulnerability of the data processing system and for providing to an observation engine a description of a first instance of a network flow to the data processing system such that the first instance of the network flow is associated with the first externally visible vulnerability, said first externally visible vulnerability being on a list, said list appearing in a database;
  
  the observation engine for detecting the first instance of the network flow satisfying said description and for instructing a blocker to block the detected first instance of the network flow, said instructing being in response to said detecting; and
  
  the blocker for blocking the detected first instance of the network flow, said blocking being in response to said instructing, wherein the observation engine is adapted to lift a blocking of a earlier-blocked instance of the network flow, wherein the earlier-blocked instance of the network flow had been blocked due to having satisfied a description of the earlier-blocked instance provided by the vulnerability scanner responsive to the vulnerability scanner having determined a second externally visible vulnerability of the data processing system such that the earlier-blocked instance of the network flow is associated with the second externally visible vulnerability, and wherein the second externally visible vulnerability is on the list.
- View Dependent Claims (22, 23)
- - 22. The apparatus of claim 21, wherein the observation engine is adapted to lift the blocking of the earlier-blocked instance in response to an elapse of a specified interval of time following a last known arrival of the earlier-blocked instance at the data processing system.
  - 23. The apparatus of claim 21, wherein the observation engine is adapted to lift the blocking of the earlier-blocked instance in response to an installation of a software patch or upgrade in the data processing system in relation to the earlier externally visible vulnerability.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Charles Lingafelt, Nigel Yell
Original Assignee
Charles Lingafelt, Nigel Yell
Inventors
Lingafelt, Charles, Yell, Nigel

Granted Patent

US 7,793,348 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

H04L 63/1433 Vulnerability analysis

PROTECTING A DATA PROCESSING SYSTEM FROM ATTACK BY A VANDAL WHO USES A VULNERABILITY SERVER

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

PROTECTING A DATA PROCESSING SYSTEM FROM ATTACK BY A VANDAL WHO USES A VULNERABILITY SERVER

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links