NETWORK SECURITY SYSTEM HAVING A DEVICE PROFILER COMMUNICATIVELY COUPLED TO A TRAFFIC MONITOR
First Claim
1. A method for providing security to a plurality of hosts on a network, the method comprising:
receiving determined characteristics of the host;
accessing vulnerabilities of the hosts stored in a vulnerability tree having nodes representative of characteristics of the host and a set of potential vulnerabilities associated with ones of the nodes;
determining one or more vulnerabilities of the host corresponding to the determined characteristics of the host in the vulnerability tree;
associating the determined vulnerabilities of the host with one or more attack signatures; and
providing the determined vulnerabilities of the host and their corresponding attack signatures to a traffic monitor, the traffic monitor configured to monitor the network for traffic indicative of attacks exploiting one or more of the determined vulnerabilities of the host.
Abstract
A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities.
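As an added illustration of the architecture the abstract describes (not code from the patent or its assignee), the block below builds a small vulnerability tree whose nodes are host characteristics, profiles each host by descending only into nodes the host matches, applies verification rules to the potential vulnerabilities collected on the way, correlates the verified vulnerabilities with attack signatures, and runs a traffic monitor that alerts on a signature only when it is aimed at a host actually determined to carry the matching vulnerability. The hosts, vulnerability identifiers, signatures, version rule and traffic lines are all constructed for the example; none are taken from the page.

```python
"""Device profiler -> correlation -> traffic monitor, after the abstract above.
Every host, vulnerability id, signature and traffic line here is constructed
for illustration; nothing is taken from the patent text."""

from dataclasses import dataclass, field
import re


@dataclass
class Node:
    # key is one host characteristic, e.g. ("os", "linux") or ("apps", "httpd")
    key: tuple
    vulns: set = field(default_factory=set)        # potential vulnerabilities at this node
    children: list = field(default_factory=list)
    verify: dict = field(default_factory=dict)     # vuln id -> rule(chars) -> bool


def version(s: str) -> tuple:
    """Numeric version tuple so that '2.10' sorts after '2.4'."""
    return tuple(int(p) for p in s.split("."))


def matches(node: Node, chars: dict) -> bool:
    """A host exhibits a node's characteristic if the observed value equals it,
    or, for multi-valued characteristics such as installed apps, contains it."""
    k, v = node.key
    observed = chars.get(k)
    if isinstance(observed, (set, frozenset, list, tuple)):
        return v in observed
    return observed == v


def build_tree() -> Node:
    """Constructed vulnerability tree: OS nodes, each with application children."""
    httpd = Node(("apps", "httpd"), vulns={"VULN-HTTPD-TRAV"},
                 # verification rule: only older constructed versions are affected
                 verify={"VULN-HTTPD-TRAV":
                         lambda c: version(c.get("httpd_version", "0")) < version("2.4")})
    linux = Node(("os", "linux"), vulns={"VULN-LINUX-1"}, children=[httpd])
    iis = Node(("apps", "iis"), vulns={"VULN-IIS-OVERFLOW"})
    windows = Node(("os", "windows"), vulns={"VULN-WIN-SMB"}, children=[iis])
    return Node(("root", None), children=[linux, windows])


def profile(root: Node, chars: dict) -> set:
    """Traverse the tree, descending only into nodes the host matches; keep each
    potential vulnerability whose verification rule (if any) passes."""
    found, stack = set(), [root]
    while stack:
        node = stack.pop()
        for vid in node.vulns:
            rule = node.verify.get(vid)
            if rule is None or rule(chars):
                found.add(vid)
        stack.extend(c for c in node.children if matches(c, chars))
    return found


# Constructed attack signatures, keyed by the vulnerability they exploit.
SIGNATURES = {
    "VULN-HTTPD-TRAV": [("SIG-TRAV", re.compile(r"GET /[^ ]*\.\./"))],
    "VULN-WIN-SMB": [("SIG-SMB", re.compile(r"SMB NEGOTIATE dialect=LEGACY"))],
    "VULN-IIS-OVERFLOW": [("SIG-IIS", re.compile(r"GET /[^ ]{200,}"))],
    "VULN-LINUX-1": [],   # known weakness with no network signature
}


def correlate(vulns: set) -> dict:
    """Correlation step: map a host's determined vulnerabilities to signatures."""
    return {sig: (vid, rx) for vid in vulns for sig, rx in SIGNATURES.get(vid, [])}


LINE = re.compile(r"^(\S+) -> (\S+): (.*)$")


def monitor(traffic: list, per_host_sigs: dict) -> list:
    """Traffic monitor: check each line only against the signatures that apply
    to its destination host, so the same payload aimed at a non-vulnerable
    host raises no alert."""
    alerts = []
    for line in traffic:
        m = LINE.match(line)
        if not m:
            continue
        _src, dst, payload = m.groups()
        for sig, (vid, rx) in sorted(per_host_sigs.get(dst, {}).items()):
            if rx.search(payload):
                alerts.append((dst, sig, vid))
    return alerts


# Constructed inventory as a device profiler would report it.
HOSTS = {
    "10.0.0.1": {"os": "linux", "apps": {"httpd", "sshd"}, "httpd_version": "2.2"},
    "10.0.0.2": {"os": "windows", "apps": {"iis"}},
    "10.0.0.3": {"os": "linux", "apps": {"httpd"}, "httpd_version": "2.4"},
}

# Constructed traffic: "src -> dst: payload".
TRAFFIC = [
    "10.0.0.9 -> 10.0.0.1: GET /cgi/../../secret HTTP/1.0",
    "10.0.0.9 -> 10.0.0.2: GET /cgi/../../secret HTTP/1.0",
    "10.0.0.9 -> 10.0.0.2: SMB NEGOTIATE dialect=LEGACY",
    "10.0.0.9 -> 10.0.0.1: GET /index.html HTTP/1.0",
    "10.0.0.9 -> 10.0.0.3: GET /cgi/../../secret HTTP/1.0",
]


def run() -> list:
    """Profile every host, correlate, then monitor the constructed traffic."""
    tree = build_tree()
    per_host = {ip: correlate(profile(tree, chars)) for ip, chars in HOSTS.items()}
    return monitor(TRAFFIC, per_host)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only two of the five constructed lines produce alerts: the traversal payload against 10.0.0.1 (whose httpd version fails the verification rule's threshold and is therefore recorded as vulnerable) and the legacy SMB negotiation against the Windows host. The identical traversal payload sent to 10.0.0.2 and to 10.0.0.3 is ignored, because neither host was determined to carry VULN-HTTPD-TRAV; that per-host scoping of signatures is the point of coupling the profiler to the monitor.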
30 Claims
1. A method for providing security to a plurality of hosts on a network, the method comprising:
receiving determined characteristics of the host;
accessing vulnerabilities of the hosts stored in a vulnerability tree having nodes representative of characteristics of the host and a set of potential vulnerabilities associated with ones of the nodes;
determining one or more vulnerabilities of the host corresponding to the determined characteristics of the host in the vulnerability tree;
associating the determined vulnerabilities of the host with one or more attack signatures; and
providing the determined vulnerabilities of the host and their corresponding attack signatures to a traffic monitor, the traffic monitor configured to monitor the network for traffic indicative of attacks exploiting one or more of the determined vulnerabilities of the host.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A computer program product for providing security to a plurality of hosts on a network, the computer program product comprising computer program code embodied on a computer-readable medium, the computer program code for:
receiving determined characteristics of the host;
accessing vulnerabilities of the hosts stored in a vulnerability tree having nodes representative of characteristics of the host and a set of potential vulnerabilities associated with ones of the nodes;
determining one or more vulnerabilities of the host corresponding to the determined characteristics of the host in the vulnerability tree;
associating the determined vulnerabilities of the host with one or more attack signatures; and
providing the determined vulnerabilities of the host and their corresponding attack signatures to a traffic monitor, the traffic monitor configured to monitor the network for traffic indicative of attacks exploiting one or more of the determined vulnerabilities of the host.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
21. A distributed computer network security system for detecting an attack on a host on a network having a plurality of hosts, the system comprising:
a device profiler communicatively coupled with the network, the device profiler configured to receive determined characteristics of the host, to access vulnerabilities of the hosts stored in a vulnerability tree having nodes representative of characteristics of the host and a set of potential vulnerabilities associated with ones of the nodes, to determine one or more vulnerabilities of the host corresponding to the determined characteristics of the host in the vulnerability tree, and to associate the determined vulnerabilities of the host with one or more attack signatures; and
a traffic monitor communicatively coupled with the network, the traffic monitor configured to receive the determined vulnerabilities of the host and their corresponding attack signatures from the device profiler, and to monitor the network for traffic indicative of attacks exploiting one or more of the determined vulnerabilities of the host.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30.