System, method and computer program product for risk assessment scanning based on detected anomalous events

US 6,546,493 B1
Filed: 11/30/2001
Issued: 04/08/2003
Est. Priority Date: 11/30/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method for scanning a source of suspicious network communications, comprising:

monitoring network communications for violations of policies, wherein the policies are defined to detect potential attacks in the network communications;

determining whether the network communications violate at least one of the policies;

identifying a source of the network communications that violate at least one of the policies; and

automatically scanning the source of the network communications upon it being determined that the network communications violate at least one of the policies;

wherein the scanning includes a risk assessment scan for identifying vulnerabilities.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product are provided for scanning a source of suspicious network communications. Initially, network communications are monitored for violations of policies. Then, it is determined whether the network communications violate at least one of the policies. Further, a source of the network communications that violate at least one of the policies is identified. Upon it being determined that the network communications violate at least one of the policies, the source of the network communications is automatically scanned.

Citations

27 Claims

1. A method for scanning a source of suspicious network communications, comprising:
- monitoring network communications for violations of policies, wherein the policies are defined to detect potential attacks in the network communications;
  
  determining whether the network communications violate at least one of the policies;
  
  identifying a source of the network communications that violate at least one of the policies; and
  
  automatically scanning the source of the network communications upon it being determined that the network communications violate at least one of the policies;
  
  wherein the scanning includes a risk assessment scan for identifying vulnerabilities.

2. The method as recited in claim 1, and further comprising determining whether the network communications exploit at least one of a plurality of known vulnerabilities.

3. The method as recited in claim 2, and further comprising executing a remedying event if it is determined that the network communications exploit at least one of the known vulnerabilities.

4. The method as recited in claim 1, wherein the policies are user-defined.

5. The method as recited in claim 1, and further comprising executing a remedying event based on the risk assessment scan.

6. The method as recited in claim 5, and further comprising updating a database of known vulnerabilities based on the risk assessment scan.

7. The method as recited in claim 6, wherein the database of known vulnerabilities is utilized for determining whether the network communications exploit at least one of a plurality of the known vulnerabilities, and executing a remedying event if it is determined that the network communications exploit at least one of the known vulnerabilities.

8. The method as recited in claim 1, wherein the monitoring, the determining, and the identifying are executed utilizing an intrusion detection tool.

9. The method as recited in claim 1, wherein the scanning is executed utilizing a risk assessment scanning tool.

10. The method as recited in claim 1, wherein the monitoring, the determining, the identifying, and the scanning are executed utilizing a single module.

11. A computer program product for scanning a source of suspicious network communications, comprising:
- computer code for monitoring network communications for violations of policies, wherein the policies are defined to detect potential attacks in the network communications;
  
  computer code for determining whether the network communications violate at least one of the policies;
  
  computer code for identifying a source of the network communications that violate at least one of the policies; and
  
  computer code for automatically scanning the source of the network communications upon it being determined that the network communications violate at least one of the policies;
  
  wherein the scanning includes a risk assessment scan for identifying vulnerabilities.

12. The computer program product as recited in claim 11, and further comprising computer code for determining whether the network communications exploit at least one of a plurality of known vulnerabilities.

13. The computer program product as recited in claim 12, and further comprising computer code for executing a remedying event if it is determined that the network communications exploit at least one of the known vulnerabilities.

14. The computer program product as recited in claim 11, wherein the policies are user-defined.

15. The computer program product as recited in claim 11, and further comprising computer code for executing a remedying event based on the risk assessment scan.

16. The computer program product as recited in claim 15, and further comprising computer code for updating a database of known vulnerabilities based on the risk assessment scan.

17. The computer program product as recited in claim 16, wherein the database of known vulnerabilities is utilized for determining whether the network communications exploit at least one of a plurality of the known vulnerabilities, and executing a remedying event if it is determined that the network communications exploit at least one of the known vulnerabilities.

18. The computer program product as recited in claim 11, wherein the computer code segments for the monitoring, the determining, and the identifying are executed utilizing an intrusion detection tool.

19. The computer program product as recited in claim 11, wherein the computer code segment for the scanning is executed utilizing a risk assessment scanning tool.

20. The computer program product as recited in claim 11, wherein the computer code segments for the monitoring, the determining, the identifying, and the scanning are executed utilizing a single module.

21. A system for scanning a source of suspicious network communications, comprising:
- means for monitoring network communications for violations of policies, wherein the policies are defined to detect potential attacks in the network communications;
  
  means for determining whether the network communications violate at least one of the policies;
  
  means for identifying a source of the network communications that violate at least one of the policies; and
  
  means for automatically scanning the source of the network communications upon it being determined that the network communications violate at least one of the policies;
  
  wherein the scanning includes a risk assessment scan for identifying vulnerabilities.

22. A system for scanning a source of suspicious network communications, comprising:
- logic for monitoring network communications for violations of policies, wherein the policies are defined to detect potential attacks in the network communications;
  
  logic for determining whether the network communications violate at least one of the policies;
  
  logic for identifying a source of the network communications that violate at least one of the policies; and
  
  logic for automatically scanning the source of the network communications upon it being determined that the network communications violate at least one of the policies;
  
  wherein the scanning includes a risk assessment scan for identifying vulnerabilities.

23. A system for scanning a source of suspicious network communications, comprising:
- an intrusion detection tool for determining whether network communications violate at least one of a plurality of policies, wherein the policies are defined to detect potential attacks in the network communications; and
  
  a risk assessment scanning tool coupled to the intrusion detection tool, the risk assessment scanning tool adapted for scanning a source of the network communications that violate the at least one policy in response to a command from the intrusion detection tool;
  
  wherein the scanning includes a risk assessment scan for identifying vulnerabilities.

24. A scanning method, comprising:
- determining whether network communications exploit at least one of a plurality of known vulnerabilities;
  
  executing a remedying event if it is determined that the network communications exploit at least one of the known vulnerabilities;
  
  determining whether the network communications violate at least one of a plurality of policies, wherein the policies are defined to detect potential attacks in the network communications; and
  
  automatically scanning at least one of a source and destination of the network communications upon it being determined that the network communications violate at least one of the policies;
  
  wherein the scanning includes a risk assessment scan for identifying vulnerabilities.

25. A method for scanning a source of suspicious network communications, comprising:
- (a) receiving a plurality of known vulnerabilities and a plurality of user-defined policies from a database, wherein the policies are defined to detect potential attacks in the network communications;
  
  (b) monitoring network communications utilizing an intrusion detection tool;
  
  (c) identifying a source of the network communications utilizing the intrusion detection tool;
  
  (d) determining whether the network communications exploit at least one of the known vulnerabilities utilizing the intrusion detection tool;
  
  (e) executing a remedying event utilizing the intrusion detection tool if it is determined that the network communications exploit at least one of the known vulnerabilities;
  
  (f) determining whether the network communications violate at least one of the policies;
  
  (g) performing, a risk assessment scan on the source of the network communications utilizing a risk assessment scanning tool if it is determined that the network communications violate at least one of the policies, the risk assessment scan adapted for identifying vulnerabilities on the source;
  
  (h) executing a remedying event based on the risk assessment scan; and
  
  (i) updating the known vulnerabilities in the database based on the risk assessment scan.

26. A method for identifying a vulnerability of a network device, comprising:
- receiving a list of known vulnerabilities over a network;
  
  identifying a network device;
  
  probing the identified network device utilizing a risk assessment scanner capable of simulating a security event;
  
  generating a result of the probing;
  
  comparing the result against the list of known vulnerabilities;
  
  identifying a vulnerability of the network device based on the comparison;
  
  reporting the identified vulnerability to a user;
  
  testing a user password for security compliance; and
  
  updating the list of known vulnerabilities with a vulnerability identified by the risk assessment scanner;
  
  wherein the receiving, the identifying, the probing, the generating, the comparing, the identifying, the reporting, the testing, and the updating are executed utilizing a single module.

27. The method as recited in claim 26, and further comprising initiating a remedying event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Networks Associates Technology, Inc. (McAfee, LLC)
Inventors
McDonald, John R., Rahmanovic, Tarik, Magdych, James S., Tellier, Brock E.
Primary Examiner(s)
Wright, Norman M.

Application Number

US10/006,550
Time in Patent Office

494 Days
Field of Search

713/202, 713/201, 713/200, 709/224, 709/227
US Class Current

726/25
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

System, method and computer program product for risk assessment scanning based on detected anomalous events

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and computer program product for risk assessment scanning based on detected anomalous events

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links