Query data packet processing and network scanning method and apparatus

US 7,213,154 B1
Filed: 07/09/2004
Issued: 05/01/2007
Est. Priority Date: 11/02/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method, comprising:

formatting a data field of a query data packet with a banner, the banner configured to elicit recognition by a target software;

formatting a command field of the query data packet with a command, the command configured to elicit a signature response when the command is processed by the target software;

identifying a number of keys equal to a modulus of an operating system contained on first and second computers;

encrypting the query data packet with each of the keys to produce a multitude of encrypted query data packets equal in number to the modulus and the number of keys, each of the multitude of encrypted query data packets encrypted using a different one of the keys;

storing the multitude of encrypted query data packets in a storage medium;

sending the multitude of encrypted query data packets to the first computer to determine whether the first computer contains the target software;

observing that the first computer contains the target software when at least one of the encrypted query data packets elicits the signature response on the first computer; and

scanning the second computer using the previously generated encrypted query data keys that are stored in the memory to determine whether the second computer contains the target software, the scanning occurring without generating a new query data packet and without re-encrypting the query data packet.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting within a networked computer a target vulnerability such as a Trojan Horse residing therein is disclosed, wherein the vulnerability is characterized by a signature response to an encrypted query. The method includes encrypting a plurality of query data packets in accordance with a plurality of encryption keys, each encrypted query data packet including a defined query field specific to the target vulnerability. The method further includes storing the plurality of encrypted query data packets in a memory. The method further includes thereafter scanning the networked computer for a target vulnerability residing within the networked computer by sending successive ones of the encrypted-and-stored query data packets to the host computer and analyzing responses thereto from the host computer with respect to the characteristic signature. Preferably, the encrypting is performed for substantially all of the encryption keys within a defined key space. The memory may be non-volatile memory such as a disk drive or a volatile memory such as random-access memory (RAM) or a memory configured as a cache.

Citations

16 Claims

1. A method, comprising:
- formatting a data field of a query data packet with a banner, the banner configured to elicit recognition by a target software;
  
  formatting a command field of the query data packet with a command, the command configured to elicit a signature response when the command is processed by the target software;
  
  identifying a number of keys equal to a modulus of an operating system contained on first and second computers;
  
  encrypting the query data packet with each of the keys to produce a multitude of encrypted query data packets equal in number to the modulus and the number of keys, each of the multitude of encrypted query data packets encrypted using a different one of the keys;
  
  storing the multitude of encrypted query data packets in a storage medium;
  
  sending the multitude of encrypted query data packets to the first computer to determine whether the first computer contains the target software;
  
  observing that the first computer contains the target software when at least one of the encrypted query data packets elicits the signature response on the first computer; and
  
  scanning the second computer using the previously generated encrypted query data keys that are stored in the memory to determine whether the second computer contains the target software, the scanning occurring without generating a new query data packet and without re-encrypting the query data packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the encrypted query data packets used to scan the second computer are a same, unmodified representation of the encrypted query data packets sent to the first computer.
  - 3. The method of claim 1 wherein the encrypted query data packets used to scan the second computer are the same and generated at a same time as the encrypted query data packets sent to the first computer.
  - 4. The method of claim 1 wherein the target software is Trojan Horse software residing in a port of the first computer.
  - 5. The method of claim 1 further comprising:
    - repetitively reading the encrypted query data packets from the memory; and
      
      repetitively scanning other computers using the encrypted query data packets that are read from the memory without formatting the encrypted query data packets and without generating new query data packets.
  - 6. The method of claim 1 wherein the modulus is equal to the product of 1024 and a bit capability of the operating system.
  - 7. The method of claim 1 wherein the storage medium is a non-volatile memory.
  - 8. The method of claim 7 further comprising:
    - moving the non-volatile memory containing the encrypted query data packets from a first scanning device that was used to scan the second computer to a second scanning device; and
      
      scanning a third computer with the second scanning device, the scanning of the third computer performed using a same, unmodified representation of the encrypted query data packets read from the non-volatile memory.

9. An apparatus comprising:
- one or more processors for encrypting a query data packet in accordance with a plurality of different keys to generate a plurality of differently encrypted query data packets, the differently encrypted query data packets including one or more fields configured to elicit a signature response from a Trojan Horse;
  
  a memory device for storing, at a first time, a database comprising the differently encrypted query data packets;
  
  a transmitter for scanning a port on a computer, the scanning occurring at a second time that is later than the first time, the scanning using the database that was stored at the first time such that the scanning of the computer does not require on-the-fly generation of additional encrypted query data packets; and
  
  an analyzer for analyzing whether the computer processes the signature response in response to the scanning using the database.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The apparatus of claim 9 wherein said memory device is non-volatile.
  - 11. The apparatus of claim 9 wherein said memory device is a random-access memory (RAM).
  - 12. The apparatus of claim 9 wherein said memory device is organized as a cache.
  - 13. The apparatus of claim 9 wherein the keys are equal in amount to a modulus of an operating system contained on the computer.

14. An apparatus, comprising:
- one or more processors; and
  
  a memory coupled to the processors comprising instructions executable by the processors, the processors operable when executing the instructions to;
  
  format a query data packet to elicit a signature response when the query data packet is processed by a target software;
  
  identify a plurality keys, an amount of the keys corresponding to an operating system contained on first and second computers;
  
  encrypt the query data packet with the keys to produce a multitude of encrypted query data packets equal in number to the amount of keys, each of the multitude of encrypted query data packets encrypted using a different one of the keys;
  
  store the multitude of encrypted query data packets in a storage medium;
  
  send the multitude of encrypted query data packets to the first computer to determine whether the first computer contains the target software;
  
  observe that the first computer contains the target software when at least one of the encrypted query data packets elicits the signature response on the first computer; and
  
  scan the second computer using the previously generated encrypted query data keys that are stored in the memory to determine whether the second computer contains the target software, the scanning occurring without requiring generation of a new query data packet and without requiring re-encryption of the query data packet.
- View Dependent Claims (15, 16)
- - 15. The apparatus of claim 14 wherein the amount of keys is equal to a modulus of the operating system.
  - 16. The apparatus of claim 14 wherein the encrypted query data packets used to scan the second computer are the same and generated at a same time as the encrypted query data packets sent to the first computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Shinn, Michael T., Carter, Earl Thomas
Primary Examiner(s)
TRUONG, THANHNGA B

Application Number

US10/888,487
Time in Patent Office

1,026 Days
Field of Search

713/188, 713/160, 713/188.M, 713/193, 726 22- 25, 726/3, 709223-224
US Class Current

713/188
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Query data packet processing and network scanning method and apparatus

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Query data packet processing and network scanning method and apparatus

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links