Interoperability of vulnerability and intrusion detection systems

US 7,162,742 B1
Filed: 11/12/2004
Issued: 01/09/2007
Est. Priority Date: 01/10/2000
Status: Expired due to Term

First Claim

Patent Images

1. A computer-based system for protecting a network, comprising:

means for gathering information about the network to determine vulnerabilities of a host from a plurality of hosts on the network; and

cooperative with the means for gathering information, means for examining network traffic responsive to the determined vulnerabilities of the host from the plurality of hosts, the means for examining configured to detect network traffic indicative of malicious activity.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system in accordance with an embodiment of the invention includes a vulnerability detection system (VDS) and an intrusion detection system (IDS). The intrusion detection system leverages off of information gathered about a network, such as vulnerabilities, so that it only examines and alerts the user to potential intrusions that could actually affect the particular network. In addition both the VDS and IDS use rules in performing their respective analyses that are query-based and that are easy to construct. In particular these rules are based on a set of templates, which represent various entities or processes on the network.

115 Citations

View as Search Results

17 Claims

1. A computer-based system for protecting a network, comprising:
- means for gathering information about the network to determine vulnerabilities of a host from a plurality of hosts on the network; and
  
  cooperative with the means for gathering information, means for examining network traffic responsive to the determined vulnerabilities of the host from the plurality of hosts, the means for examining configured to detect network traffic indicative of malicious activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein the means for gathering information further comprises:
    - means for sending data to plurality of hosts on the network; and
      
      means for receiving responsive data from the plurality of hosts.
  - 3. The system of claim 1, wherein the means for gathering information comprises means for receiving data automatically provided by the plurality of hosts on the network.
  - 4. The system of claim 1, further comprising:
    - means for storing rules to describe vulnerabilities of the plurality of hosts,wherein the means for gathering is configured to determine vulnerabilities by analyzing the gathered information with the rules in the means for storing.
  - 5. The system of claim 4, wherein the means for gathering information is further configured to determine vulnerabilities by analyzing the gathered information with the rules stored in the means for storing to identify operating systems on the plurality of hosts.
  - 6. The system of claim 4, wherein the means for gathering information is further configured to determine vulnerabilities by analyzing gathered information with the rules stored in the means for storing to identify open ports on the plurality of hosts.
  - 7. The system of claim 4, wherein the means for gathering information is further configured to determine vulnerabilities by comparing gathered information against the rules to identify applications on the plurality of hosts.
  - 8. The system of claim 1, further comprising:
    - means for storing rules describing malicious activity,wherein the means for examining is further configured to detect network traffic indicative of malicious activity by analyzing the network traffic with the rules in the means for storing to detect traffic indicative of exploitations of determined vulnerabilities.
  - 9. The system of claim 1, wherein the means for examining network traffic is further configured to detect traffic indicative of exploitations of only the determined vulnerabilities.
  - 10. The system of claim 1, further comprising:
    - means for updating the determined vulnerabilities,wherein the means for examining is further configured to detect traffic indicative of malicious activity in response to an update from the means for updating.
  - 11. The system of claim 10, wherein the means for updating is configured to update the determined vulnerabilities in response to a change in the network.
  - 12. The system of claim 1, wherein the means for examining automatically cooperate with the means for gathering information without further manual intervention.
  - 13. The system of claim 1, wherein the means for examining forward to the host network traffic indicative of malicious activity that does not correspond to the determined vulnerabilities of the host.
  - 14. The system of claim 1, wherein the means for examining forward network traffic indicative of malicious activity that corresponds to the determined vulnerabilities of the host, but is not directed to the host.
  - 15. The system of claim 1, wherein, responsive to a new host joining the plurality of hosts on the network, the means for gathering information gather information about the new host to determine vulnerabilities of the new host and the means for examining examine network traffic directed to the new host responsive to the determined vulnerabilities of the new host to detect network traffic indicative of malicious activity.

16. A computer-implemented method for protecting a network, comprising:
- gathering information about the network to determine vulnerabilities of a host from a plurality of hosts on the network;
  
  cooperative with the step of gathering information, examining network traffic responsive to the determined vulnerabilities of the host from the plurality of hosts to detect network traffic indicative of malicious activity; and
  
  forwarding to the host network traffic indicative of malicious activity that does not correspond to the determined vulnerabilities of the host.

17. A computer-implemented method for protecting a network, comprising:
- gathering information about the network to determine vulnerabilities of a host from a plurality of hosts on the network;
  
  cooperative with the step of gathering information, examining network traffic responsive to the determined vulnerabilities of the host from the plurality of hosts to detect network traffic indicative of malicious activity;
  
  responsive to a new host joining the plurality of hosts on the network, gathering information about the new host to determine vulnerabilities of the new host; and
  
  examining network traffic directed to the new host responsive to the determined vulnerabilities of the new host to detect network traffic indicative of malicious activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tripwire Incorporated (Belden Inc.)
Original Assignee
nCircle Network Security, Inc. (Belden Inc.)
Inventors
Flowers, John S., Stracener, Thomas C.
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
Moorthy; Aravind K

Application Number

US10/987,988
Time in Patent Office

788 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6236   between heterogeneous systems

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

Interoperability of vulnerability and intrusion detection systems

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

115 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Interoperability of vulnerability and intrusion detection systems

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links