Interoperability of vulnerability and intrusion detection systems

US 6,957,348 B1
Filed: 01/10/2001
Issued: 10/18/2005
Est. Priority Date: 01/10/2000
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented system for protecting a network, comprising:

a vulnerability detection system (VDS) for gathering information about the network to determine vulnerabilities of a host from a plurality of hosts on the network; and

an intrusion detection system (IDS), cooperative with the VDS, for examining network traffic responsive to the vulnerabilities of the host from the plurality of hosts as determined by the VDS to detect traffic indicative of malicious activity.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system in accordance with an embodiment of the invention includes a vulnerability detection system (VDS) and an intrusion detection system (IDS). The intrusion detection system leverages off of information gathered about a network, such as vulnerabilities, so that it only examines and alerts the user to potential intrusions that could actually affect the particular network. In addition both the VDS and IDS use rules in performing their respective analyses that are query-based and that are easy to construct. In particular these rules are based on a set of templates, which represent various entities or processes on the network.

246 Citations

33 Claims

1. A computer-implemented system for protecting a network, comprising:
- a vulnerability detection system (VDS) for gathering information about the network to determine vulnerabilities of a host from a plurality of hosts on the network; and
  
  an intrusion detection system (IDS), cooperative with the VDS, for examining network traffic responsive to the vulnerabilities of the host from the plurality of hosts as determined by the VDS to detect traffic indicative of malicious activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the VDS is adapted to gather information about the network by sending data to the plurality of hosts and receiving responsive data form the plurality of hosts.
  - 3. The system of claim 1, wherein the VDS is adapted to gather information automatically provided by the plurality of hosts.
  - 4. The system of claim 1, further comprising:
    - a vulnerabilities rules database, in communication with the VDS, for storing rules describing vulnerabilities of the plurality of hosts, wherein the VDS is adapted to analyze the gathered information with the rules to determine the vulnerabilities of the plurality of hosts.
  - 5. The system of claim 4, wherein the VDS is adapted to analyze the gathered information with the rules to identify operating systems on the plurality of hosts and determine the vulnerabilities responsive to the respective operating systems.
  - 6. The system of claim 4, wherein the VDS is adapted to analyze the gathered information with the rules to identify open ports on the plurality of hosts and determine the vulnerabilities based on the open ports.
  - 7. The system of claim 4, wherein the VDS is adapted to analyze the gathered information with the rules to identify applications executing on the plurality of hosts and determine the vulnerabilities based on the application.
  - 8. The system of claim 1, further comprising:
    - an intrusion rules database, in communications with the IDS, for storing rules describing malicious activity, wherein the IDS is adapted to analyze the network traffic with the rules to detect network traffic indicative of exploitations of the determined vulnerabilities.
  - 9. The system of claim 1, wherein the IDS is adapted to detect traffic indicative of exploitations of only the determined vulnerabilities.
  - 10. The system of claim 1, wherein the VDS is adapted to update the determined vulnerabilities, and wherein the IDS is adapted to detect traffic indicative of malicious activity in response to the update.
  - 11. The system of claim 10, wherein the VDS is adapted to update the determined vulnerabilities in response to a change in the network.

12. A computer-implemented method for protecting a network comprising:
- gathering information about the network to determine vulnerabilities of a host from a plurality of hosts on the network; and
  
  cooperative with the step of gathering information, examining network traffic responsive to the determined vulnerabilities of the host from the plurality of hosts to detect network traffic indicative of malicious activity.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein gathering information comprises sending data to plurality of hosts on the network and receiving responsive data from the plurality of hosts.
  - 14. The method of claim 12, wherein gathering information comprises receiving data automatically provided by the plurality of hosts on the network.
  - 15. The method of claim 12, further comprising:
    - storing rules to describe vulnerabilities of the plurality of hosts, wherein determining vulnerabilities includes analyzing the gathered information with the rules.
  - 16. The method of claim 15, wherein determining vulnerabilities comprises analyzing the gathered information with the rules to identify operating systems on the plurality of hosts.
  - 17. The method of claim 15, wherein determining vulnerabilities comprises analyzing the gathered information with the rules to identify open ports on the plurality of hosts.
  - 18. The method of claim 15, wherein determining vulnerabilities comprises comparing the gathered information against the rules to identify applications on the plurality of hosts.
  - 19. The method of claim 12, further comprising:
    - storing rules describing malicious activity, wherein detecting network traffic indicative of malicious activity comprises analyzing the network traffic with the rules to detect traffic indicative of exploitation of the determined vulnerabilities.
  - 20. The method of claim 12, wherein examining network traffic consists of detecting traffic indicative of exploitations of only the determined vulnerabilities.
  - 21. The method of claim 12, further comprising:
    - updating the determined vulnerabilities and detecting traffic indicative of malicious activity in response to the update.
  - 22. The method of claim 21, wherein the updating is responsive to a change in the network.

23. A computer program product, comprising:
- a computer-readable medium having computer program logic embodied therein for protecting a network, the computer logic;
  
  gathering information about the network to determine vulnerabilities of a host from a plurality of hosts on the network; and
  
  cooperative with the step of gathering information, examining network traffic responsive to the determined vulnerabilities of the host from the plurality of hosts to detect network traffic indicative of malicious activity.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The computer program product of claim 23, wherein gathering information comprises sending data to plurality of hosts on the network and receiving responsive data from the plurality of hosts.
  - 25. The computer program product of claim 23, wherein gathering information comprises receiving data automatically provided by the plurality of hosts on the network.
  - 26. The computer program product of claim 23, further comprising:
    - storing rules to describe vulnerabilities of the plurality of hosts, wherein determining vulnerabilities includes analyzing the gathered information with the rules.
  - 27. The computer program product of claim 26, wherein determining vulnerabilities comprises analyzing the gathered information with the rules to identify operating systems on the plurality of hosts.
  - 28. The computer program product of claim 26, wherein determining vulnerabilities comprises analyzing the gathered information with the rules to identify open ports on the plurality of hosts.
  - 29. The computer program product of claim 26, wherein determining vulnerabilities comprises comparing the gathered information against the rules to identify applications on the plurality of hosts.
  - 30. The computer program product of claim 23, further comprising:
    - storing rules describing malicious activity;
      
      wherein detecting network traffic indicative of malicious activity comprises analyzing the network traffic with the rules to detect traffic indicative of exploitations of the determined vulnerabilities.
  - 31. The computer program product of claim 23, wherein examining network traffic consists of detecting traffic indicative of exploitations of only the verified vulnerabilities.
  - 32. The computer program product of claim 23, further comprising:
    - updating the determined vulnerabilities; and
      
      detecting traffic indicative of malicious activity in response to the update.
  - 33. The computer program product of claim 32, wherein the updating is responsive to a change in the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tripwire Incorporated (Belden Inc.)
Original Assignee
nCircle Network Security, Inc. (Belden Inc.)
Inventors
Flowers, John S., Stracener, Thomas C.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
MOORTHY, ARAVIND K

Application Number

US09/757,963
Time in Patent Office

1,742 Days
Field of Search

713/201, 713/200, 709/223, 709/224, 370/229, 370/230, 370/241, 370/254, 370/255
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6236   between heterogeneous systems

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

Interoperability of vulnerability and intrusion detection systems

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

246 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Interoperability of vulnerability and intrusion detection systems

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

246 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links