Protecting a data processing system from attack by a vandal who uses a vulnerability scanner
First Claim
1. A method for protecting a data processing system against attack by a vandal, the method comprising the steps of:
determining, by a vulnerability scanner, a first externally visible vulnerability of the data processing system, said first externally visible vulnerability being on a list, said list appearing in a database accessed by the vulnerability scanner;
providing, by the vulnerability scanner to an observation engine, a description of a first instance of a network flow to the data processing system such that the first instance of the network flow is associated with the first externally visible vulnerability;
detecting, by the observation engine, the first instance of the network flow satisfying said description;
instructing, by the observation engine, a blocker to block the detected first instance of the network flow, said instructing being in response to said detecting;
blocking, by the blocker, the first instance of the network flow, said blocking being in response to said instructing; and
lifting, by the observation engine, a blocking of an earlier-blocked instance of the network flow, wherein the earlier-blocked instance of the network flow had been blocked due to having satisfied a description of the earlier-blocked instance provided by the vulnerability scanner responsive to the vulnerability scanner having determined a second externally visible vulnerability of the data processing system such that the earlier-blocked instance of the network flow is associated with the second externally visible vulnerability, and wherein the second externally visible vulnerability is on the list.
Abstract
Method and apparatus for protecting a data processing system such as an Internet server from attack by a vandal who uses an offensive vulnerability scanner to find an externally visible vulnerability of the data processing system. The method includes determining an externally visible vulnerability using a defensive vulnerability scanner, configuring an intrusion detection system to detect a network flow associated with the vulnerability, and blocking that flow by a firewall or a router. The apparatus includes a defensive vulnerability scanner that finds an externally visible vulnerability and provides a description of the vulnerability, an intrusion detection system that detects a network flow that satisfies the description, and a firewall or a router that blocks the flow responsive to detection of the flow by the intrusion detection system.
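To make the pipeline in the abstract and claim 1 concrete, here is an added example in Python that is not from the patent or any product implementing it. It simulates the three components: a defensive vulnerability scanner that reports which listed vulnerabilities are externally reachable, an observation engine (the intrusion detection system) that is configured with a flow description per vulnerability and instructs a blocker when a matching flow appears, and a blocker standing in for the firewall or router. The vulnerability list, the service ports, the addresses and the trigger for lifting a block (a rescan no longer reporting the vulnerability) are all assumptions made for the example; the claim itself does not say what causes the lift.

```python
"""Added example (not the patent's own code): scanner -> observation engine
-> blocker simulation. All identifiers, ports and addresses are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FlowDescription:
    """What the scanner hands to the observation engine: the traffic pattern
    associated with one listed vulnerability (here just protocol and port)."""
    vuln_id: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Flow:
    """One observed network flow towards the protected system."""
    src: str
    dst: str
    proto: str
    dst_port: int

    def satisfies(self, desc: FlowDescription) -> bool:
        return self.proto == desc.proto and self.dst_port == desc.dst_port


class VulnerabilityScanner:
    """Defensive scanner: reports which vulnerabilities on its list are
    externally visible, i.e. whose service is reachable from outside."""

    def __init__(self, database: dict[str, FlowDescription]):
        self.database = database  # assumption: the "list in a database" is a dict

    def scan(self, reachable: set[tuple[str, int]]) -> list[FlowDescription]:
        return [d for d in self.database.values() if (d.proto, d.dst_port) in reachable]


class Blocker:
    """Stands in for the firewall/router; keeps the currently blocked flows."""

    def __init__(self) -> None:
        self.blocked: list[Flow] = []

    def block(self, flow: Flow) -> None:
        if flow not in self.blocked:
            self.blocked.append(flow)

    def unblock(self, flow: Flow) -> None:
        if flow in self.blocked:
            self.blocked.remove(flow)


class ObservationEngine:
    """Stands in for the intrusion detection system."""

    def __init__(self, blocker: Blocker) -> None:
        self.blocker = blocker
        self.descriptions: dict[str, FlowDescription] = {}
        self.blocked_by_vuln: dict[str, list[Flow]] = {}

    def configure(self, findings: list[FlowDescription]) -> list[str]:
        """Load the scanner's current findings. Blocks placed for a vulnerability
        the scanner no longer reports are lifted (assumed trigger); returns the
        ids whose blocks were lifted."""
        current = {d.vuln_id: d for d in findings}
        lifted = []
        for stale_id in list(self.blocked_by_vuln):
            if stale_id not in current:
                for flow in self.blocked_by_vuln.pop(stale_id):
                    self.blocker.unblock(flow)
                lifted.append(stale_id)
        self.descriptions = current
        return lifted

    def observe(self, flow: Flow) -> Optional[str]:
        """Detect a flow satisfying a description and instruct the blocker;
        returns the matched vulnerability id, or None if the flow is allowed."""
        for desc in self.descriptions.values():
            if flow.satisfies(desc):
                self.blocker.block(flow)
                self.blocked_by_vuln.setdefault(desc.vuln_id, []).append(flow)
                return desc.vuln_id
        return None


def run_demo() -> dict:
    """Constructed scenario: two listed vulnerabilities are visible, their flows
    are blocked, then one service is closed and its block is lifted."""
    database = {  # constructed vulnerability list; ids and ports are placeholders
        "VULN-A": FlowDescription("VULN-A", "tcp", 23),
        "VULN-B": FlowDescription("VULN-B", "udp", 161),
        "VULN-C": FlowDescription("VULN-C", "tcp", 445),
    }
    scanner = VulnerabilityScanner(database)
    blocker = Blocker()
    engine = ObservationEngine(blocker)

    first = scanner.scan({("tcp", 23), ("udp", 161), ("tcp", 443)})
    engine.configure(first)
    flows = [  # constructed sample traffic (documentation-range addresses)
        Flow("198.51.100.7", "192.0.2.10", "tcp", 23),
        Flow("198.51.100.7", "192.0.2.10", "udp", 161),
        Flow("198.51.100.9", "192.0.2.10", "tcp", 443),
    ]
    decisions = [engine.observe(f) for f in flows]

    # The udp/161 service is later shut down: the rescan no longer reports
    # VULN-B, so the engine lifts the block it had placed for that vulnerability.
    second = scanner.scan({("tcp", 23), ("tcp", 443)})
    lifted = engine.configure(second)
    return {
        "first_scan": [d.vuln_id for d in first],
        "decisions": decisions,
        "lifted": lifted,
        "still_blocked": [(f.proto, f.dst_port) for f in blocker.blocked],
    }


if __name__ == "__main__":
    print(run_demo())
```

The engine keeps a record of which vulnerability each block was placed for; that is what lets it lift exactly the earlier-blocked flows tied to a vulnerability that has gone away while leaving blocks for still-visible vulnerabilities in place, which is the distinction the last step of claim 1 turns on.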
3 Claims
Claim 1 is the independent claim (reproduced above); dependent claims: 2, 3.