Network security system having a device profiler communicatively coupled to a traffic monitor

US 7,181,769 B1
Filed: 06/06/2003
Issued: 02/20/2007
Est. Priority Date: 08/25/2000
Status: Expired due to Term

First Claim

Patent Images

1. A distributed computer network security system for detecting an attack on a host on a network having a plurality of hosts, the system comprising:

a device profiler communicatively coupled with the network, the device profiler for identifying characteristics of a host from the plurality of hosts on the network and determining vulnerabilities of the host based on the characteristics according to a tree-structured vulnerability table; and

a traffic monitor, communicatively coupled with the network and the device profiler, and cooperative with the device profiler, for monitoring the network for traffic indicative of an attack on the host, from the plurality of hosts on the network, exploiting one of the determined vulnerabilities of the host, wherein a determined vulnerability pertains to a specific location and wherein the traffic monitor monitors for exploits of the determined vulnerability directed to the location and ignores exploits of the determined vulnerability directed to locations to which the determined vulnerability does not pertain.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attach signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities.

Citations

18 Claims

1. A distributed computer network security system for detecting an attack on a host on a network having a plurality of hosts, the system comprising:
- a device profiler communicatively coupled with the network, the device profiler for identifying characteristics of a host from the plurality of hosts on the network and determining vulnerabilities of the host based on the characteristics according to a tree-structured vulnerability table; and
  
  a traffic monitor, communicatively coupled with the network and the device profiler, and cooperative with the device profiler, for monitoring the network for traffic indicative of an attack on the host, from the plurality of hosts on the network, exploiting one of the determined vulnerabilities of the host, wherein a determined vulnerability pertains to a specific location and wherein the traffic monitor monitors for exploits of the determined vulnerability directed to the location and ignores exploits of the determined vulnerability directed to locations to which the determined vulnerability does not pertain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the device profiler comprises:
    - an identification subsystem for sending data packets to the host and determining the characteristics of the host based on the host'"'"'s response to the data packets.
  - 3. The system of claim 2, wherein the identification subsystem comprises:
    - an high-level sensor for sending data packets to the host and analyzing responses of the host with respect to at least one of layer 5, layer 6 and layer 7 of the Open Systems Interconnection model to determine characteristics of the host.
  - 4. The system of claim 3, wherein the determined characteristics comprise an application executing on the host.
  - 5. The system of claim 2, further comprising:
    - a control module for generating a list of vulnerabilities of the host based on the characteristics determined by the identification subsystem.
  - 6. The system of claim 5, wherein the control module is adapted to use the characteristics determined by the identification subsystem to traverse the tree-structured vulnerability table, the vulnerability table having nodes associated with the characteristics of the host, each node having an associated set of vulnerabilities.
  - 7. The system of claim 6, wherein a node representing an application further comprises an operating system weight indicative of an operating system executing on the host.
  - 8. The system of claim 6, wherein the control module is adapted to determine a set of vulnerabilities of the host by summing the vulnerabilities associated with traversed nodes.

9. A distributed computer network security system for detecting an attack on a host on a network having a plurality of hosts, the system comprising:
- a device profiler communicatively coupled with the network, the device profiler for identifying characteristics of a host from the plurality of hosts on the network and determining vulnerabilities of the host based on the characteristics according to a tree-structured vulnerability table;
  
  a traffic monitor, communicatively coupled with the network and the device profiler, and cooperative with the device profiler, for monitoring the network for traffic indicative of an attack on the host, from the plurality of hosts on the network, exploiting one of the determined vulnerabilities of the host; and
  
  a centralized correlation server, communicatively coupled with the network at a centrally accessible location, the device profiler and the traffic monitor, the centralized correlation server for receiving the determined vulnerabilities from the device profiler, identifying signatures of network traffic indicating attacks exploiting the determined vulnerabilities, and sending the signatures to the traffic monitor.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein the network has a plurality of locations and each location provides a different perspective of the host, and wherein there are a plurality of device profilers coupled to the network at a network location, each device profiler determining vulnerabilities of the host from the device profiler'"'"'s perspective at the network location.
  - 11. The system of claim 10, wherein the centralized correlation server further comprises a vulnerability verification rules database for storing rules to non-intrusively verify the identified vulnerabilities.
  - 12. The system of claim 10, wherein the centralized correlation server further comprises an identified vulnerabilities module for storing a plurality of determined vulnerabilities received from the plurality of device profilers, identifying signatures of network traffic indicating attacks exploiting determined vulnerabilities, and sending the attack signatures to the traffic monitor.
  - 13. The system of claim 12, wherein one or more traffic monitors are at selected locations on the network, and wherein the centralized correlation server sends the traffic monitor attack signatures for only vulnerabilities exploitable from the perspective of the traffic monitor.
  - 14. The system of claim 9, wherein the centralized correlation server comprises:
    - an event module for, in response to receiving a notification related to one of the determined vulnerabilities, performing a set of actions to block exposure to the vulnerability.
  - 15. The system of claim 14, further comprising:
    - a firewall adapted to selectively restrict network traffic to the host, wherein the event module is adapted to configure the firewall to restrict traffic that exploits the determined vulnerability.

16. A distributed computer network security system for detecting an attack on a host on a network having a plurality of hosts, the system comprising:
- a device profiler communicatively coupled with the network, the device profiler for identifying characteristics of a host from the plurality of hosts on the network and determining vulnerabilities of the host based on the characteristics according to a tree-structured vulnerability table, the device profiler including a low-level sensor for sending anomalous data packets to the host and determining the characteristics based on the host'"'"'s response to the anomalous data packets; and
  
  a traffic monitor, communicatively coupled with the network and the device profiler, and cooperative with the device profiler, for monitoring the network for traffic indicative of an attack on the host, from the plurality of hosts on the network, exploiting one of the determined vulnerabilities of the host.
- View Dependent Claims (17, 18)
- - 17. The system of claim 16, wherein the low-level sensor is adapted to determine the characteristics of the host by analyzing responses of the host with respect to at least one of layer 3 and layer 4 of the Open Systems Interconnection model.
  - 18. The system of claim 16, wherein the determined characteristics comprise an operating system version and patch level of the host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tripwire Incorporated (Belden Inc.)
Original Assignee
nCircle Network Security, Inc. (Belden Inc.)
Inventors
Quiroga, Martin A., Keanini, Timothy D., Buchanan, Brian W., Flowers, John S.
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
Moorthy; Aravind K

Application Number

US10/456,837
Time in Patent Office

1,355 Days
Field of Search

713/200, 713/201
US Class Current

726/23
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Network security system having a device profiler communicatively coupled to a traffic monitor

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Network security system having a device profiler communicatively coupled to a traffic monitor

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links