Method and system for adaptive network security using network vulnerability assessment

US 6,301,668 B1
Filed: 12/29/1998
Issued: 10/09/2001
Est. Priority Date: 12/29/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for adaptive network security comprising:

directing, by a device coupled to a network, a request onto the network;

assessing a response to the request to discover network information associated with determining at least one potential network vulnerability; and

prioritizing a plurality of analysis tasks based upon the network information, the plurality of analysis tasks to be performed on network data traffic which is monitored in order to identify attacks upon the network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for adaptive network security using network vulnerability assessment is disclosed. The method comprises directing a request onto a network. A response to the request is assessed to discover network information. A plurality of analysis tasks are prioritized based upon the network information. The plurality of analysis tasks are to be performed on monitored network data traffic in order to identify attacks upon the network.

Citations

116 Claims

1. A method for adaptive network security comprising:
- directing, by a device coupled to a network, a request onto the network;
  
  assessing a response to the request to discover network information associated with determining at least one potential network vulnerability; and
  
  prioritizing a plurality of analysis tasks based upon the network information, the plurality of analysis tasks to be performed on network data traffic which is monitored in order to identify attacks upon the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1, wherein the directing step comprises scanning a plurality of devices on the network.
  - 3. The method of claim 1, further comprising disabling a particular analysis task based upon an assigned priority of the particular analysis task.
  - 4. The method of claim 3, further comprising:
5. The method of claim 4, further comprising re-enabling the particular analysis task if the processor utilization drops below a second defined threshold.
6. The method of claim 3, further comprising:
- monitoring memory utilization; and
  
  performing the disabling step if the memory utilization exceeds a third defined threshold.
7. The method of claim 6, further comprising re-enabling the particular analysis task if the memory utilization drops below a fourth defined threshold.
8. The method of claim 1, wherein the prioritizing step comprises:
- determining a probable success of a particular attack upon the network based upon the network information; and
  
  assigning a priority to the particular analysis task intended to detect the particular attack.
9. The method of claim 1, wherein network information comprises:
- devices coupled to the network;
  
  operating systems running on the devices; and
  
  services available on the devices.
10. The method of claim 9, further comprising identifying potential vulnerabilities of a device coupled to the network based upon the network information.
11. The method of claim 10, further comprising confirming an identified potential vulnerability through an active exploit of the potential vulnerability.
12. The method of claim 1, further comprising maintaining the network information in a network map.
13. The method of claim 1, wherein the plurality of analysis tasks includes checksum verification.
14. The method of claim 1, wherein the plurality of analysis tasks includes IP fragment reassembly.
15. The method of claim 1, wherein the plurality of analysis tasks include TCP stream reassembly.
16. The method of claim 1, wherein the plurality of analysis tasks includes timeout calculations.
17. The method of claim 1, wherein the plurality of analysis tasks includes a plurality of comparisons between the monitored network data traffic and a plurality of attack signatures.
18. The method of claim 17, further comprising disabling a particular attack signature.
19. The method of claim 1, further comprising:
- repeating the directing step to obtain updated network information; and
  
  repeating the prioritizing step using the updated network information.
20. The method of claim 1, wherein the directing step comprises sending a query to a domain mapping service, wherein the domain mapping service maintains a compilation of network information, and further wherein the domain mapping service is operable to respond to such a request by sending the network information to a source of the request.
21. The method of claim 1, further comprising:
- prioritizing a plurality of system services based upon the network information; and
  
  disabling a particular system service based upon an assigned priority of the particular system service.
22. The method of claim 1, wherein the device comprises a scan engine.
23. The method of claim 1, wherein the device comprises a network security device.

24. A method for adaptive network security comprising:
- directing, by a device coupled to a network, a request onto the network;
  
  assessing a response to the request to discover network information associated with determining at least one potential network vulnerability;
  
  prioritizing a plurality of protocol analyses to be performed on network data traffic which is monitored, the protocol analyses for identifying attacks upon the network;
  
  monitoring a processor utilization of processor resources;
  
  monitoring memory utilization of memory resources;
  
  disabling a particular protocol analysis based upon an assigned priority if the processor utilization exceeds a first defined threshold; and
  
  disabling a particular protocol analysis based upon an assigned priority if the memory utilization exceeds a third defined threshold.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 25. The method of claim 24, wherein the network information comprises:
26. The method of claim 25, further comprising confirming each identified potential vulnerability.
27. The method of claim 24, wherein the directing step comprises scanning a plurality of devices on the network.
28. The method of claim 24, further comprising identifying potential vulnerabilities of devices coupled to the network.
29. The method of claim 24, further comprising re-enabling the particular analysis task if the processor utilization drops below a second defined threshold.
30. The method of claim 24, further comprising re-enabling the particular analysis task if the memory utilization drops below a fourth defined threshold.
31. The method of claim 24, wherein the plurality of protocol analyses includes checksum verification.
32. The method of claim 24, wherein the plurality of protocol analyses includes IP fragment reassembly.
33. The method of claim 24, wherein the plurality of protocol analyses includes TCP stream reassembly.
34. The method of claim 24, wherein the plurality of protocol analyses includes timeout calculations.
35. The method of claim 24, further comprising:
- repeating the directing step to obtain updated network information; and
  
  repeating the prioritizing step using the updated network information.
36. The method of claim 24, wherein the directing step comprises sending a query to a domain mapping service, wherein the domain mapping service maintains a compilation of network information, and further wherein the domain mapping service is operable to respond to such a request by sending the network information to a source of the request.
37. The method of claim 24, further comprising:
- prioritizing a plurality of system services based upon the network information; and
  
  disabling a particular system service based upon an assigned priority of the particular system service.
38. The method of claim 24, wherein the device comprises a scan engine.

39. A method for adaptive network security comprising:
- directing, by a device coupled to a network, a request onto the network;
  
  assessing a response to the request to discover network information associated with determining at least one potential network vulnerability;
  
  prioritizing a plurality of comparisons between network data traffic which is monitored and a plurality of attack signatures, the attack signatures for identifying attacks upon the network;
  
  monitoring a processor utilization of processor resources;
  
  monitoring memory utilization of memory resources;
  
  disabling a particular attack signature based upon an assigned priority if the processor utilization exceeds a first defined threshold; and
  
  disabling a particular attack signature based upon an assigned priority if the memory utilization exceeds a third defined threshold.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 40. The method of claim 39, further comprising identifying potential vulnerabilities of devices coupled to the network.
  - 41. The method of claim 39, further comprising confirming an identified potential vulnerability.
  - 42. The method of claim 39, further comprising re-enabling the particular attack signature if the processor utilization drops below a second defined threshold.
  - 43. The method of claim 39, further comprising re-enabling the particular attack signature if the memory utilization drops below a fourth defined threshold.
  - 44. The method of claim 39, further comprising maintaining the network information in a network map.
  - 45. The method of claim 39, further comprising:
46. The method of claim 39, wherein the directing step comprises sending a query to a domain mapping service, wherein the domain mapping service maintains a compilation of network information, and further wherein the domain mapping service is operable to respond to such a request by sending the network information to a source of the request.
47. The method of claim 39, further comprising:
- prioritizing a plurality of system services based upon the network information; and
  
  disabling a particular system service based upon an assigned priority of the particular system service.
48. The method of claim 39, wherein the directing step comprises scanning a plurality of devices on the network.
49. The method of claim 39, wherein the prioritizing step comprises:
- determining a likelihood of success of a potential attack based upon the network information; and
  
  prioritizing an attack signature of the potential attack according to the determined likelihood of success.
50. The method of claim 39, wherein network information comprises:
- devices coupled to the network;
  
  operating systems running on the devices; and
  
  services available on the devices.
51. The method of claim 39, wherein the device comprises a scan engine.

52. A system for adaptive network security comprising:
- a scan engine coupled to a network, the scan engine for directing a request onto a network and assessing a response to the request to discover network information associated with determining at least one potential network vulnerability; and
  
  a protocol engine coupled to the network, the protocol engine for performing a plurality of protocol analyses on network data traffic to identify attacks upon the network;
  
  a signature engine coupled to the network, the signature engine for comparing the network data traffic to a plurality of attack signatures to identify attacks upon the network; and
  
  a priority engine coupled to the analysis engine, the protocol engine, and the signature engine, the priority engine for prioritizing the plurality of protocol analyses and the plurality of attack signatures based upon the network information.
- View Dependent Claims (53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65)
- - 53. The system of claim 52, wherein the scan engine is operable to scan a plurality of devices on the network.
  - 54. The system of claim 52, wherein the priority engine is operable to disable a particular analysis task based upon an assigned priority of the particular analysis task.
  - 55. The system of claim 54, wherein the priority engine is further operable to re-enable the particular analysis task if the memory utilization drops below a fourth defined threshold.
  - 56. The system of claim 52, wherein the priority module is further operable to:
57. The system of claim 52, wherein the network information comprises:
- a device coupled to the network;
  
  an operating systems running on the device; and
  
  a service available on the devices.
58. The system of claim 57 wherein the network information further comprises a potential vulnerability of the device.
59. The system of claim 58, wherein the scan engine is further operable to confirm an identified potential vulnerability through an active exploit of the potential vulnerability.
60. The system of claim 52, further comprising a network map coupled to the scan engine and the priority engine;
- wherein the scan engine is operable to maintain the network information in the network map.
61. The system of claim 52, further comprising:
- a domain mapping service, coupled to the network, wherein the domain mapping service maintains a compilation of network information, and further wherein the domain mapping service is operable to respond to a request from the scan engine by sending the network information to a source of the request.
62. The system of claim 52, wherein the priority engine is further operable to:
- monitor a processor utilization; and
  
  disable the particular analysis task if the processor utilization exceeds a first defined threshold.
63. The system of claim 52, wherein the priority engine is further operable to:
- monitor a processor utilization; and
  
  disable the particular analysis task if the processor utilization exceeds a first defined threshold.
64. The system of claim 62, wherein the priority engine is further operable to re-enable the particular analysis task if the processor utilization drops below a second defined threshold.
65. The system of claim 52, wherein the priority engine is further operable to:
- monitor memory utilization; and
  
  disable the particular analysis task if the memory utilization exceeds a third defined threshold.

66. A system for adaptive network security comprising:
- software embodied in system-readable storage and operable to;
  
  direct, by a device coupled to a network, a request onto the network;
  
  assess a response to the request to discover network information associated with determining at least one potential network vulnerability; and
  
  prioritize a plurality of analysis tasks based upon the network information, the plurality of analysis tasks to be performed on network data traffic which is monitored in order to identify attacks upon the network.
- View Dependent Claims (67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87)
- - 67. The system of claim 66, wherein the software is further operable to scan a plurality of devices on the network.
  - 68. The system of claim 66, wherein the software is further operable to disable a particular analysis task based upon an assigned priority of the particular analysis task.
  - 69. The system of claim 68, wherein the software is further operable to:
70. The system of claim 69, wherein the software is further operable to re-enable the particular analysis task if the processor utilization drops below a second defined threshold.
71. The system of claim 68, wherein the software is further operable to:
- monitor memory utilization; and
  
  perform the disabling step if the memory utilization exceeds a third defined threshold.
72. The system of claim 71, wherein the software is further operable to re-enable the particular analysis task if the memory utilization drops below a fourth defined threshold.
73. The system of claim 66, wherein the software is further operable to:
- determine a probable success of a particular attack upon the network based upon the network information; and
  
  assign a priority to the particular analysis task intended to detect the particular attack.
74. The system of claim 66, wherein network information comprises:
- devices coupled to the network;
  
  operating systems running on the devices; and
  
  services available on the devices.
75. The system of claim 74, wherein the software is further operable to identify potential vulnerabilities of a device coupled to the network based upon the network information.
76. The system of claim 75, wherein the software is further operable to confirm an identified potential vulnerability through an active exploit of the potential vulnerability.
77. The system of claim 66, wherein the software is further operable to maintain the network information in a network map.
78. The system of claim 66, wherein the plurality of analysis tasks includes checksum verification.
79. The system of claim 66, wherein the plurality of analysis tasks includes IP fragment reassembly.
80. The system of claim 66, wherein the plurality of analysis tasks include TCP stream reassembly.
81. The system of claim 66, wherein the plurality of analysis tasks includes timeout calculations.
82. The system of claim 66, wherein the plurality of analysis tasks includes a plurality of comparisons between the monitored network data traffic and a plurality of attack signatures.
83. The system of claim 82, wherein the software is further operable to disable a particular attack signature.
84. The system of claim 66, wherein the software is further operable to:
- repeat the directing step to obtain updated network information; and
  
  repeat the prioritizing step using the updated network information.
85. The system of claim 66, wherein the software is further operable to send a query to a domain mapping service, wherein the domain mapping service maintains a compilation of network information, and further wherein the domain mapping service is operable to respond to such a request by sending the network information to a source of the request.
86. The system of claim 66, wherein the software is further operable to:
- prioritize a plurality of system services based upon the network information; and
  
  disable a particular system service based upon an assigned priority of the particular system service.
87. The system of claim 66, wherein the device comprises a scan engine.

88. A system for adaptive network security comprising:
- software embodied in system-readable storage and operable to;
  
  direct, by a device coupled to a network, a request onto the network;
  
  assess a response to the request to discover network information associated with determining at least one potential network vulnerability;
  
  prioritize a plurality of protocol analyses to be performed on network data traffic which is monitored, the protocol analyses for identifying attacks upon the network;
  
  monitor a processor utilization of processor resources;
  
  monitor memory utilization of memory resources;
  
  disable a particular protocol analysis based upon an assigned priority if the processor utilization exceeds a first defined threshold; and
  
  disable a particular protocol analysis based upon an assigned priority if the memory utilization exceeds a third defined threshold.
- View Dependent Claims (89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102)
- - 89. The system of claim 88, wherein the software is further operable to scan a plurality of devices on the network.
  - 90. The system of claim 88, wherein the network information comprises:
91. The system of claim 90, wherein the software is further operable to confirm each identified potential vulnerability.
92. The system of claim 88, wherein the software is further operable to identify potential vulnerabilities of devices coupled to the network.
93. The system of claim 88, wherein the software is further operable to re-enable the particular analysis task if the processor utilization drops below a second defined threshold.
94. The system of claim 88, wherein the software is further operable to re-enable the particular analysis task if the memory utilization drops below a fourth defined threshold.
95. The system of claim 88, wherein the plurality of protocol analyses includes checksum verification.
96. The system of claim 88, wherein the plurality of protocol analyses includes IP fragment reassembly.
97. The system of claim 88, wherein the plurality of protocol analyses includes TCP stream reassembly.
98. The system of claim 88, wherein the plurality of protocol analyses includes timeout calculations.
99. The system of claim 88, wherein the software is further operable to:
- repeat the directing step to obtain updated network information; and
  
  repeat the prioritizing step using the updated network information.
100. The system of claim 88, wherein the software is further operable to send a query to a domain mapping service, wherein the domain mapping service maintains a compilation of network information, and further wherein the domain mapping service is operable to respond to such a request by sending the network information to a source of the request.
101. The system of claim 88, wherein the software is further operable to:
- prioritize a plurality of system services based upon the network information; and
  
  disable a particular system service based upon an assigned priority of the particular system service.
102. The system of claim 88, wherein the device comprises a scan engine.

103. A system for adaptive network security comprising:
- software embodied in system-readable storage and operable to;
  
  direct, by a device coupled to a network, a request onto the network;
  
  assess a response to the request to discover network information associated with determining at least one potential network vulnerability;
  
  prioritize a plurality of comparisons between network data traffic which is monitored and a plurality of attack signatures, the attack signatures for identifying attacks upon the network;
  
  monitor a processor utilization of processor resources;
  
  monitor memory utilization of memory resources;
  
  disable a particular attack signature based upon an assigned priority if the processor utilization exceeds a first defined threshold; and
  
  disable a particular attack signature based upon an assigned priority if the memory utilization exceeds a third defined threshold.
- View Dependent Claims (104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115)
- - 104. The system of claim 103, wherein the software is further operable to scan a plurality of devices on the network.
  - 105. The system of claim 103, wherein the software is further operable to:
106. The system of claim 103, wherein network information comprises:
- devices coupled to the network;
  
  operating systems running on the devices; and
  
  services available on the devices.
107. The system of claim 103, wherein the software is further operable to identify potential vulnerabilities of devices coupled to the network.
108. The system of claim 103, wherein the software is further operable to confirm an identified potential vulnerability.
109. The system of claim 103, wherein the software is further operable to re-enable the particular attack signature if the processor utilization drops below a second defined threshold.
110. The system of claim 103, wherein the software is further operable to re-enable the particular attack signature if the memory utilization drops below a fourth defined threshold.
111. The system of claim 103, wherein the software is further operable to maintain the network information in a network map.
112. The system of claim 103, wherein the software is further operable to:
- repeat the directing step to obtain updated network information; and
  
  repeat the prioritizing step using the updated network information.
113. The system of claim 103, wherein the software is further operable to send a query to a domain mapping service, wherein the domain mapping service maintains a compilation of network information, and further wherein the domain mapping service is operable to respond to such a request by sending the network information to a source of the request.
114. The system of claim 103, wherein the software is further operable to:
- prioritize a plurality of system services based upon the network information; and
  
  disable a particular system service based upon an assigned priority of the particular system service.
115. The system of claim 103, wherein the device comprises a scan engine.

116. A system for adaptive network security comprising:
- means for directing, by a device coupled to a network, a request onto the network;
  
  means for assessing a response to the request to discover network information associated with determining at least one potential network vulnerability; and
  
  means for prioritizing a plurality of analysis tasks based upon the network information, the plurality of analysis tasks to be performed on network data traffic which is monitored in order to identify attacks upon the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Randall, William A., Teal, Daniel M., Gleichauf, Robert E., Ziese, Kevin J., Waddell, Scott V.
Primary Examiner(s)
Heckler, Thomas M.

Application Number

US09/222,414
Time in Patent Office

1,015 Days
Field of Search

713/201, 709/223, 709/225
US Class Current

726/25
CPC Class Codes

H04L 41/12   Discovery or management of ...

H04L 41/28   Restricting access to netwo...

H04L 43/00   Arrangements for monitoring...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Method and system for adaptive network security using network vulnerability assessment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

116 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for adaptive network security using network vulnerability assessment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

116 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links