Method and apparatus for detecting and identifying security vulnerabilities in an open network computer communication system
Abstract
A system and method are disclosed for detecting security vulnerabilities in a computer network. The system includes an IP spoofing attack detector, a stealth port service map generator, a source port verifier, a source routing verifier, an RPC service detector and a Socks configuration verifier. Each of these verifiers may be operated separately or as a group to detect security vulnerabilities on a network. Each verifier may be programmed to exhaustively test all ports of all computers on a network to detect susceptibility to IP spoofing attacks, access to services with little or no authorization checks, or misconfigured routers or Socks servers. The detected vulnerabilities, or the location of services having little or no authorization checks, may be stored in a table for reference by a network administrator. The service map generated by the stealth service map generator may be used to identify all service ports on a network, which facilitates the operation of the other verifiers that send service command messages to service ports to detect their accessibility. A graphical user interface (GUI) may be used to provide input and control by a user to the security verifiers and to present options and display information to the user.
756 Citations
41 Claims
1. A system for detecting a security vulnerability in open network communications comprising:
- an internet protocol (IP) spoofing attack generator for generating an IP spoofing attack on a target computer coupled to an open network to determine whether said target computer is vulnerable to an IP spoofing attack which emulates communication from another computer on said open network;
- a service command message generator for generating a service command to be executed by a service coupled to a port on said target computer; and
- said IP spoofing attack generator transmitting said service command to said target computer to generate a response in said target computer that provides a compromise indication without altering system operational parameters of said target computer.
Dependent claims: 2, 3, 4, 5, 6.

7. A system for generating a service topology map for each computer on an open network without completing a communication connection with any computer on the open network comprising:
- a communication initiation message generator for generating communication initiation messages, said communication initiation messages being transmitted to ports on a computer on an open network; and
- a response message evaluator for determining from response messages received from said ports receiving said communication initiation messages whether services exist on said ports receiving said communication initiation messages, said response messages not completing communication connections with said ports so that services coupled to said ports may be detected without completing communication connection with said ports.
Dependent claims: 8, 9, 10, 11, 12, 13.

14. A system for detecting vulnerability of ports coupled to remote procedure call (RPC) services on a computer of an open network comprising:
- a remote procedure call (RPC) message generator for generating and sending RPC service commands to ports on a computer on an open network; and
- a response message evaluator for evaluating response messages from said ports of said computer receiving said RPC service commands, said response messages indicating whether said RPC service commands were executed by an RPC service coupled to said ports of said computer receiving said RPC service commands without establishing a communication connection with said ports.
Dependent claims: 15.

16. A system for detecting vulnerabilities in routers comprising:
- a communication message generator for generating and sending service commands from a computer external to an open network to ports on computers coupled to said open network through a router; and
- a response message evaluator for evaluating response messages received from said ports on computers of said open network in response to said service commands sent from said communication message generator external to said open network whereby access to said computers on said open network through said router may be determined without referencing configuration files of said router.
Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24, 25, 26.

27. A method for detecting a security vulnerability in an open network comprised of the steps of:
- attempting an Internet Protocol (IP) spoofing attack against a target computer and open network;
- generating a service command message; and
- sending said service command message to said target computer following said IP spoofing attack to determine whether said target computer has been compromised, said service command message generating an indicator of the success of the IP spoofing attack without altering the operational parameters of the target computer.
Dependent claims: 28, 29, 30, 31.

32. A method for generating a service topology map of an open network comprising the steps of:
- generating a communication command initiation message;
- sending said communication command initiation message to a port on a computer on an open network;
- receiving a message from said port in response to said communication initiation message being received at said port; and
- evaluating said message received from said port to determine whether a service is coupled to said port without establishing a communication connection with said port.
Dependent claims: 33.

34. A method for detecting availability of a service on a port of a computer on an open network comprising the steps of:
- generating a service command message;
- sending said generated service command message to a port of a computer on said open network;
- receiving a message from said port in response to said port receiving said generated service command message; and
- evaluating said message received from said port to determine whether a service coupled to said port executed said service command message, without establishing a communication connection with said ports.
Dependent claims: 35, 36, 37, 38, 39, 40, 41.
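Claims 7 and 32 describe a service map built from initiation messages whose responses are never completed into a connection; on the wire this is a SYN answered by SYN-ACK and then reset rather than acknowledged. The following is an added defender-side example, not code from the patent: it reads constructed tcpdump-style flag lines and reports sources that left several half-open handshakes against distinct server ports, the pattern a stealth service mapper leaves in a capture. The log format, the `LINE_RE` pattern and the `min_ports` threshold are assumptions for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample capture (not from the patent): "src.port > dst.port: Flags [..]".
# 10.0.0.5 probes 22 and 80 (open, answered SYN-ACK, then reset) and 23 (closed, RST).
# 10.0.0.7 completes a normal handshake to port 22.
SAMPLE_LOG = """\
10.0.0.5.40001 > 10.0.0.9.22: Flags [S]
10.0.0.9.22 > 10.0.0.5.40001: Flags [S.]
10.0.0.5.40001 > 10.0.0.9.22: Flags [R]
10.0.0.5.40002 > 10.0.0.9.80: Flags [S]
10.0.0.9.80 > 10.0.0.5.40002: Flags [S.]
10.0.0.5.40002 > 10.0.0.9.80: Flags [R]
10.0.0.5.40003 > 10.0.0.9.23: Flags [S]
10.0.0.9.23 > 10.0.0.5.40003: Flags [R.]
10.0.0.7.51000 > 10.0.0.9.22: Flags [S]
10.0.0.9.22 > 10.0.0.7.51000: Flags [S.]
10.0.0.7.51000 > 10.0.0.9.22: Flags [.]
"""

LINE_RE = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def build_flows(lines):
    """Track each client SYN and whether it was answered, completed, or reset."""
    flows = {}  # (client, cport, server, sport) -> handshake state
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, flags = m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)
        key, rkey = (src, sport, dst, dport), (dst, dport, src, sport)
        if "S" in flags and "." not in flags:            # client SYN opens a flow
            flows[key] = {"synack": False, "completed": False}
        elif rkey in flows and "S" in flags and "." in flags:  # server SYN-ACK
            flows[rkey]["synack"] = True
        elif key in flows and flows[key]["synack"] and flags == ".":  # final ACK
            flows[key]["completed"] = True               # a real connection
    return flows

def half_open_ports(lines):
    """Per source: distinct (server, port) pairs that answered SYN-ACK but were never completed."""
    seen = defaultdict(set)
    for (client, _, server, sport), st in build_flows(lines).items():
        if st["synack"] and not st["completed"]:
            seen[client].add((server, sport))
    return dict(seen)

def flag_stealth_mappers(lines, min_ports=2):
    """Sources with at least min_ports half-open handshakes to distinct ports (assumed threshold)."""
    return sorted(c for c, ports in half_open_ports(lines).items() if len(ports) >= min_ports)
```

A closed port (RST to the SYN) never enters the half-open set, so only ports that actually answered are counted, matching what the claimed evaluator would have learned.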
Specification