Network security system having a device profiler communicatively coupled to a traffic monitor
Abstract
A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network and their characteristics, such as the operating system and the applications running on the hosts. The device profiler traverses a vulnerability tree whose nodes represent characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities.
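As an added illustration (not code from the patent or its assignee), the following Python model shows the pipeline the abstract and claims describe: a profiler walks a tree of host characteristics and collects the vulnerabilities at matching nodes, a correlation server maps them to attack signatures per host, and the traffic monitor alerts only on an exploit aimed at a host where the vulnerability actually pertains. All vulnerability ids, signature names, addresses and the tree itself are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class VulnNode:
    """Node of the tree-structured vulnerability table: one host
    characteristic (OS, application) and the vulnerabilities it implies."""
    characteristic: str
    vulns: frozenset = frozenset()
    children: list = field(default_factory=list)

def profile_host(node, characteristics):
    """Device profiler: descend only into child nodes whose characteristic
    the host exhibits and accumulate the vulnerabilities found on the path."""
    found = set(node.vulns)
    for child in node.children:
        if child.characteristic in characteristics:
            found |= profile_host(child, characteristics)
    return found

class CorrelationServer:
    """Stores each host's determined vulnerabilities and translates them into
    the attack signatures the traffic monitor should watch for at that host."""
    def __init__(self, sig_for_vuln):
        self.sig_for_vuln = sig_for_vuln      # vulnerability id -> signature
        self.signatures_by_host = {}          # host -> set of signatures
    def register(self, host, vulns):
        self.signatures_by_host[host] = {
            self.sig_for_vuln[v] for v in vulns if v in self.sig_for_vuln}

def monitor(server, packets):
    """Traffic monitor: alert only when a packet matches a signature for a
    vulnerability the destination host has; the same exploit directed at a
    host without that vulnerability is ignored (the location filter)."""
    return [(dst, sig) for dst, sig in packets
            if sig in server.signatures_by_host.get(dst, set())]

# Constructed vulnerability tree: root -> OS nodes -> application nodes.
TREE = VulnNode("any", children=[
    VulnNode("os:linux", frozenset({"VULN-L1"}), children=[
        VulnNode("app:httpd", frozenset({"VULN-H1"}))]),
    VulnNode("os:windows", frozenset({"VULN-W1"}), children=[
        VulnNode("app:smb", frozenset({"VULN-S1"}))]),
])
SIGS = {"VULN-L1": "sig-l1", "VULN-H1": "sig-h1",
        "VULN-W1": "sig-w1", "VULN-S1": "sig-s1"}

def demo():
    server = CorrelationServer(SIGS)
    server.register("10.0.0.5", profile_host(TREE, {"os:linux", "app:httpd"}))
    server.register("10.0.0.9", profile_host(TREE, {"os:windows"}))
    # Constructed traffic already reduced to (destination host, matched signature).
    packets = [("10.0.0.5", "sig-h1"), ("10.0.0.9", "sig-h1"),
               ("10.0.0.9", "sig-w1"), ("10.0.0.9", "sig-s1")]
    return monitor(server, packets)   # two alerts; the two misdirected exploits are dropped
```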
18 Claims
1. A distributed computer network security system for detecting an attack on a host on a network having a plurality of hosts, the system comprising:
- a device profiler communicatively coupled with the network, the device profiler for identifying characteristics of a host from the plurality of hosts on the network and determining vulnerabilities of the host based on the characteristics according to a tree-structured vulnerability table; and
- a traffic monitor, communicatively coupled with the network and the device profiler, and cooperative with the device profiler, for monitoring the network for traffic indicative of an attack on the host, from the plurality of hosts on the network, exploiting one of the determined vulnerabilities of the host, wherein a determined vulnerability pertains to a specific location and wherein the traffic monitor monitors for exploits of the determined vulnerability directed to the location and ignores exploits of the determined vulnerability directed to locations to which the determined vulnerability does not pertain.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A distributed computer network security system for detecting an attack on a host on a network having a plurality of hosts, the system comprising:
- a device profiler communicatively coupled with the network, the device profiler for identifying characteristics of a host from the plurality of hosts on the network and determining vulnerabilities of the host based on the characteristics according to a tree-structured vulnerability table;
- a traffic monitor, communicatively coupled with the network and the device profiler, and cooperative with the device profiler, for monitoring the network for traffic indicative of an attack on the host, from the plurality of hosts on the network, exploiting one of the determined vulnerabilities of the host; and
- a centralized correlation server, communicatively coupled with the network at a centrally accessible location, the device profiler and the traffic monitor, the centralized correlation server for receiving the determined vulnerabilities from the device profiler, identifying signatures of network traffic indicating attacks exploiting the determined vulnerabilities, and sending the signatures to the traffic monitor.
Dependent claims: 10, 11, 12, 13, 14, 15.
16. A distributed computer network security system for detecting an attack on a host on a network having a plurality of hosts, the system comprising:
- a device profiler communicatively coupled with the network, the device profiler for identifying characteristics of a host from the plurality of hosts on the network and determining vulnerabilities of the host based on the characteristics according to a tree-structured vulnerability table, the device profiler including a low-level sensor for sending anomalous data packets to the host and determining the characteristics based on the host's response to the anomalous data packets; and
- a traffic monitor, communicatively coupled with the network and the device profiler, and cooperative with the device profiler, for monitoring the network for traffic indicative of an attack on the host, from the plurality of hosts on the network, exploiting one of the determined vulnerabilities of the host.
Dependent claims: 17, 18.