Policy-based vulnerability assessment

US 7,451,488 B2
Filed: 04/29/2004
Issued: 11/11/2008
Est. Priority Date: 04/29/2003
Status: Active Grant

First Claim

Patent Images

1. In a policy-based monitor system, a network security system for vulnerability assessment (VA) comprising:

a VA client for requesting vulnerability scans, for processing returned results, and for storing relevant data coupled to said request;

a VA server for receiving said VA client request for vulnerability scans, for performing said vulnerability scans, and for returning scan results to said VA client;

a vulnerability scan result comprising;

an IP address of a target host;

a service being exercised;

a type of vulnerability; and

a security level of said vulnerability;

wherein responsive to, and dependent on, an associated vulnerability state, at least one returned vulnerability scan result is mapped into a vulnerability network event, said vulnerability network event being accessible to an analyzing module coupled to a studio module and being accessible to an enterprise-level user interface, said vulnerability network event being maintained for the lifetime of said vulnerability;

a module for removing all vulnerability events pertaining to a host that is unreachable for a time exceeding a specified time; and

in response to a policy file being compiled, means for a pdx compiler computing a complete set of IP addresses to be scanned and for outputting said set of IP addresses to a file as input for said VA client.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for a vulnerability assessment mechanism that serves to actively scan for vulnerabilities on a continuous basis and interpret the resulting traffic in context of policy is provided. Vulnerability information is presented within an enterprise manager system enabling the user to access vulnerability information, recommended remediation procedures, and associated network traffic. A studio mechanism is used to add scanners to the appropriate policies and control the scope and distribution of scans within the target network.

163 Citations

33 Claims

1. In a policy-based monitor system, a network security system for vulnerability assessment (VA) comprising:
- a VA client for requesting vulnerability scans, for processing returned results, and for storing relevant data coupled to said request;
  
  a VA server for receiving said VA client request for vulnerability scans, for performing said vulnerability scans, and for returning scan results to said VA client;
  
  a vulnerability scan result comprising;
  
  an IP address of a target host;
  
  a service being exercised;
  
  a type of vulnerability; and
  
  a security level of said vulnerability;
  
  wherein responsive to, and dependent on, an associated vulnerability state, at least one returned vulnerability scan result is mapped into a vulnerability network event, said vulnerability network event being accessible to an analyzing module coupled to a studio module and being accessible to an enterprise-level user interface, said vulnerability network event being maintained for the lifetime of said vulnerability;
  
  a module for removing all vulnerability events pertaining to a host that is unreachable for a time exceeding a specified time; and
  
  in response to a policy file being compiled, means for a pdx compiler computing a complete set of IP addresses to be scanned and for outputting said set of IP addresses to a file as input for said VA client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The network security system of claim 1, wherein said VA server reports on application-level vulnerabilities.
  - 3. The network security system of claim 1, wherein a vulnerability scan request comprises at least one of:
    - subnets and hosts to be scanned; and
      
      type of scan to be performed.
  - 4. The network security system of claim 1, wherein configuration information for said VA client comprises at least one of:
    - target information;
      
      schedule information; and
      
      expiration interval.
  - 5. The network security system of claim 1, containing a mapping function for the purpose of mapping said vulnerability scan result to said vulnerability network event, comprising at least one of:
    - a mapping function that uses an IP address of a scanning network interface in said policy-based monitor system as a source IP address and that maps said IP address into a name of a network object that represents a VA scanner;
      
      a mapping function that uses an IP address of a target host as a destination IP and that maps said IP address to an appropriate network object name;
      
      a mapping function that assigns a transport protocol to which said vulnerability applies to a service protocol and a base protocol, wherein said transport protocol'"'"'s IP protocol ID is assigned to a protocol number field and, wherein said for host-level vulnerabilities, said transport protocol is set to Host and said IP protocol ID is set to a first predetermined value;
      
      an application protocol to which vulnerability applies to a service for a mapping function that assigns network level vulnerabilities, or to a specific indicator string for vulnerabilities that apply only to a host but not to its network connection;
      
      a mapping function that assigns a port where vulnerability is discovered to a destination port, wherein for host-level vulnerabilities said destination port is set to a second predetermined value;
      
      a function that maps vulnerability into an outcome and an outcome component, wherein said outcome is one of a plurality of possible outcomes assignable to a vulnerability event, said possible outcomes comprising at least;
      
      a vulnerability outcome, wherein a vulnerability not previously reported against a target host is determined, wherein said outcome is used whenever a vulnerability is first found, and wherein said outcome comprises at least one of outcome components, each with a distinct criticality level, wherein said vulnerability outcome components indicate if said vulnerability outcome is at least one of;
      
      severe;
      
      important; and
      
      informational;
      
      a vulnerability removed outcome, wherein a previously reported vulnerability that is no longer found in a target host is determined, wherein said outcome has a single outcome component indicating said vulnerability is cleared; and
      
      an unreachable outcome, wherein a subnet or previously scanned host cannot be reached by said scanner and has a single outcome component indicating said previously scanned host or subnet can no longer be scanned;
      
      a mapping function that assigns an event owner as owner of an outcome, service, or target network object, and in such order;
      
      a mapping function that assigns a monitor a name of a monitor wherein said VA server and client are running;
      
      a mapping function that assigns a collection point to a monitor where said VA server and client are running;
      
      a mapping function that assigns an event time to a time at which said vulnerability was last reported; and
      
      at least one vulnerability details record comprising at least one of the following fields;
      
      a common identifier field, a string containing one or more identifiers from common vulnerability repositories;
      
      a description field, a string containing a detailed description of said vulnerability, wherein description is capable of containing a dynamic portion detailing an aspect of said vulnerability that is specific to said target host;
      
      a first found field, a timestamp for when said vulnerability was first detected; and
      
      a last found field, a timestamp for when said vulnerability was last detected.
  - 6. The network security system of claim 5,wherein a Nessus like security server severity of said vulnerability is mapped into one of said outcome components as follows:
    - Nessus like security server output level HIGH is mapped to Severe;
      
      Nessus like security server output level WARNING is mapped to Important; and
      
      Nessus like security server output level NOTE is mapped to Informational.
  - 7. The network security system of claim 1, further comprising:
    - in response to a vulnerability reported by said VA Server, means for said VA client querying said vulnerability event database to determine if said vulnerability has already been reported by a previous scan, wherein if not, a vulnerability event is generated and stored in both said policy-based monitor system database and said vulnerability event database, wherein said vulnerability event is assigned a vulnerability outcome and an outcome component representing a severity of said vulnerability as reported by said VA server.
  - 8. The network security system of claim 7, further comprising:
    - means for reporting a vulnerability event having an assigned severity of a predetermined value as an alert to all configured recipients of policy-based monitor system alerts.
  - 9. The network security system of claim 1, further comprising:
    - in response to a previously reported vulnerability being cleared, means for said VA client generating a vulnerability event to indicate that said vulnerability is removed from a host, wherein said vulnerability event is then removed from said vulnerability event database.
  - 10. The network security system of claim 1, further comprising:
    - in response to a host previously detected on said network by a given VA scanner is determined not reachable in a subsequent scan, means for said VA client generating an associated vulnerability event and updating an associated status of said associated vulnerability event in said vulnerability event database.
  - 11. The network security system of claim 1, further comprising:
    - means for said pdx compiler defining a subset of specific IP addresses to be removed from said complete set of IP addresses, whereby said subset of specific IP addresses will not be scanned.
  - 12. The network security system of claim 1, further comprising:
    - in response to a policy file being compiled, means for said pdx compiler computing a set of IP addresses designated not to be scanned and outputting said set of IP addresses designated not to be scanned to a file as input for said VA client.
  - 13. The network security system of claim 1, said enterprise-level user interface further comprising:
    - means for specifying configuration information;
      
      means for ascertaining status of processes of said VA client and said VA server; and
      
      means for managing an update process for security scanner updates.
  - 14. The network security system of claim 1, further comprising at least one of:
    - means for said policy-based monitor system monitoring a scanner; and
      
      means for a scanner exercising a network for said policy-based monitor system.
  - 15. The network security system of claim 1, further comprising:
    - means for determining vulnerability state information of a network using a continuous scanning technique.
  - 16. The network security system of claim 15, wherein said vulnerability state information comprises information indicating at least one of:
    - which vulnerabilities are new;
      
      how long each vulnerability persists; and
      
      which vulnerabilities have been resolved.
  - 17. The network security system of claim 15, further comprising:
    - means for mapping a new vulnerability to an emitted monitored event with outcome vulnerability; and
      
      means for mapping a resolved vulnerability to an emitted monitored event with outcome vulnerability resolved.
  - 18. The network security system of claim 15, further comprising:
    - means for determining when new vulnerability data is received at state new and emitting a monitored event, wherein if such vulnerability data are seen again, then for assigning a state to persistent, and if said data are not seen again, then assigning a state to almost resolved;
      
      means for determining if a machine on which vulnerability is detected is no longer visible on said network and for assigning state inaccessible and emitting a monitored event;
      
      from a persistent state, means for determining if vulnerability is detected again and for keeping state at persistent;
      
      from an almost resolved state, means for determining if vulnerability is seen again and for changing state to persistent, and if said vulnerability is not seen after a predetermined amount of time, for assigning state to resolved and emitting a monitored event;
      
      means for determining if vulnerability is from a machine which ceases to be visible on said network and for assigning state to inaccessible; and
      
      from an inaccessible state, means for determining if a machine returns from being invisible from an almost resolved state and for returning state to said almost resolved state, and for determining if a machine returns from being invisible from a persistent state and returning said state to persistent.
  - 19. The network security system of claim 15, further comprising:
    - means for using a scanner to determine existence of new hosts and hosts which are no longer present in a subnet in the policy of said policy-based monitoring system, and wherein;
      
      if a network host appears and an IP address is not represented by a record in said vulnerability state information, a Host found event is emitted; and
      
      if a network host is covered by said record in said vulnerability state information but is not seen by said scanner, a Host unreachable event is emitted.
  - 20. The network security system of claim 15, further comprising:
    - means for using a scanner to derive new hosts, as well as hosts which are no longer present in said network in said policy of said policy-based monitoring system using said determined vulnerability state information.
  - 21. The network security system of claim 15, wherein said vulnerability state information comprises at least one of:
    - new;
      
      persistent;
      
      inaccessible;
      
      almost resolved; and
      
      resolved.
  - 22. The network security system of claim 1, further comprising:
    - a network security policy for detecting presence of a running scanner and for monitoring said network, wherein scanner events are not presented as a security attack on said network.

23. In a policy-based monitor system, a studio module comprising at least one of:
- a scanner network object comprising at least one of;
  
  VA capability in said policy-based monitor system, wherein said scanner network object is given an IP address of a network interface coupled to said policy-based monitor system used for scanning; and
  
  a third-party network scanner, wherein said scanner network object is given an IP address of said third-party scanner used for scanning;
  
  wherein said studio module provides capability for a user to create scanner network objects at any point during policy development, said scanner objects representing in said policy activity on said network generated by a vulnerability scanner scanning said network; and
  
  means for automatically generating a set of scanning relationships in said policy of said policy based monitoring system for one or more of said network objects selected as a scanning target, wherein said scanning relationships determine how traffic from an associated scanner to said network objects is classified, and wherein said scanning relationships are derived from an associated policy for said network object;
  
  wherein said means for generating a set of scanning relationships further comprises a means for assigning at least one of two outcomes associated with said scanning relationship if a given service is offered in said network object'"'"'s policy, said two outcomes comprising;
  
  if an initiator in a policy relationship includes a scanner itself, then said scanning relationship has a same outcome as that of said policy relationship; and
  
  if an initiator does not include a scanner, then an outcome Probed is assigned to said scanning relationship, wherein said outcome Probed has a criticality depicting a violation of said target network object'"'"'s policy associated with all of its outcome components that denote a successful connection or two-way exchange of connectionless data.

24. In a policy-based monitor system, a studio module comprising at least one of:
- a scanner network object comprising at least one of;
  
  VA capability in said policy-based monitor system, wherein said scanner network object is given an IP address of a network interface coupled to said policy-based monitor system used for scanning, anda third-party network scanner, wherein said scanner network object is given an IP address of said third-party scanner used for scanning;
  
  wherein said studio module provides capability for a user to create scanner network objects at any point during policy development, said scanner objects representing in said policy activity on said network generated by a vulnerability scanner scanning said network; and
  
  means for said enterprise-level user interface accessing a policy description document generated as part of a policy update process, wherein said policy description document comprises a network object page, comprising a link to vulnerability information pertaining to said network object, wherein said policy description document provides a view of vulnerability information for an entire policy domain, and wherein a policy description document accessed through said policy-based monitor system provides visibility only to hosts scanned by said VA Server.

25. In a policy-based monitor system, a studio module comprising at least one of:
- a scanner network object comprising at least one of;
  
  VA capability in said policy-based monitor system, wherein said scanner network object is given an IP address of a network interface coupled to said policy-based monitor system used for scanning; and
  
  a third-party network scanner, wherein said scanner network object is given an IP address of said third-party scanner used for scanning;
  
  means for automatically merging a host policy and a scanner policy;
  
  wherein said studio module provides capability for a user to create scanner network objects at any point during policy development, said scanner objects representing in said policy activity on said network generated by a vulnerability scanner scanning said network; and
  
  wherein said merged policy comprises at least one of;
  
  outcomes per host policy, wherein host policy applies to scanner as client host; and
  
  probed outcomes, wherein host policy does not apply to scanner as client host.

26. For a policy-based monitor method, a method for network security for vulnerability assessment (VA) comprising the steps of:
- requesting vulnerability scans, processing returned results, and storing relevant data coupled to said request and results in a module;
  
  receiving said request for vulnerability scans, performing said vulnerability scans, and transmitting scan results to a VA client;
  
  returning vulnerability scan results that are mapped into a vulnerability network event responsive to, and dependent on, an associated vulnerabilitycontaining a mapping function for mapping said vulnerability scan result to said vulnerability network event, comprising at least one of;
  
  a mapping function that uses an IP address of a scanning network interface in said policy-based monitor system as a source IP address and that maps said IP address into a name of a network object that represents a VA scanner;
  
  a mapping function that uses an IP address of a target host as a destination IP and that maps said IP address to an appropriate network object name;
  
  a mapping function that assigns a transport protocol to which said vulnerability applies to a service protocol and a base protocol, wherein said transport protocol'"'"'s IP protocol ID is assigned to a protocol number field and, wherein said for host-level vulnerabilities, said transport protocol is set to Host and said IP protocol ID is set to a first predetermined value;
  
  an application protocol to which vulnerability applies to a service for a mapping function that assigns network level vulnerabilities, or to a specific indicator string for vulnerabilities that apply only to a host but not to its network connection;
  
  a mapping function that assigns a port where vulnerability is discovered to a destination port, wherein for host-level vulnerabilities said destination port is set to a second predetermined value;
  
  a function that maps vulnerability into an outcome and an outcome component, wherein said outcome is one of a plurality of possible outcomes assignable to a vulnerability event;
  
  said possible outcomes comprising at least;
  
  a vulnerability outcome, wherein a vulnerability not previously reported against a target host is determined, wherein said outcome is used whenever a vulnerability is first found, and wherein said outcome comprises outcome components, each with a distinct criticality level, wherein said vulnerability outcome components indicate if said vulnerability outcome is at least one of;
  
  severe;
  
  important; and
  
  informational;
  
  a vulnerability removed outcome, wherein a previously reported vulnerability that is no longer found in a target host is determined, wherein said outcome has a single outcome component indicating said vulnerability is cleared; and
  
  an unreachable outcome, wherein a subnet or previously scanned host cannot be reached by said scanner and has a single outcome component indicating said previously scanned host or subnet can no longer be scanned;
  
  a mapping function that assigns an event owner as owner of an outcome, service, or target network object, and in such order;
  
  a mapping function that assigns a monitor a name of a monitor wherein said VA server and client are running;
  
  a mapping function that assigns a collection point to a monitor where said VA server and client are running;
  
  a mapping function that assigns an event time to a time at which said vulnerability was last reported; and
  
  at least one vulnerability details record comprising at least one of the following fields;
  
  a common identifier field, a string containing one or more identifiers from common vulnerability repositories;
  
  a description field, a string containing a detailed description of said vulnerability, wherein description is capable of containing a dynamic portion detailing an aspect of said vulnerability that is specific to said target host;
  
  a first found field, a timestamp for when said vulnerability was first detected; and
  
  a last found field, a timestamp for when the said vulnerability was last detected.
- View Dependent Claims (27)
- - 27. The network security method of claim 26,wherein a Nessus like security server severity of said vulnerability is mapped into one of said outcome components as follows:
    - Nessus like security server output level HIGH is mapped to Severe;
      
      Nessus like security server output level WARNING is mapped to Important; and
      
      Nessus like security server output level NOTE is mapped to Informational.

28. For a policy-based monitor method, a method for creating scanner network objects associated with at least one of:
- VA capability in said policy-based monitor system, wherein said network object is given an IP address of a network interface coupled to said policy-based monitor system used for scanning;
  
  a third-party network scanner, wherein said network object is given an IP address of said third-party scanner used for scanning; and
  
  automatically generating a set of scanning relationships for said network object in response to said network object selected as a scanning target, wherein said scanning relationships determine how traffic from an associated scanner to said network object is classified, wherein said scanning relationships are derived from an associated policy for said network object, and wherein said generating a set of scanning relationships further comprises the step of assigning at least one of two outcomes associated with said scanning relationship if a given service is offered in said network object'"'"'s policy, said two outcomes comprising;
  
  if an initiator in a policy relationship includes a scanner itself, then said scanning relationship has a same outcome as that of said policy relationship; and
  
  if an initiator does not include a scanner, then an outcome Probed is assigned to said scanning relationship, wherein said outcome Probed has a criticality depicting a violation of said target network object'"'"'s policy associated with all of its outcome components that denote a successful connection or two-way exchange of connectionless data.

29. For a policy-based monitor method, a method for network security for vulnerability assessment (VA) comprising the steps of:
- requesting vulnerability scans, processing returned results, and storing relevant data coupled to said request and results in a module;
  
  receiving said request for vulnerability scans, performing said vulnerability scans, and transmitting scan results to a VA client; and
  
  returning vulnerability scan results that are mapped into a vulnerability network event responsive to, and dependent on, an associated vulnerability state;
  
  said pdx compiler defining a subset of specific IP addresses to be removed from said complete set of IP addresses, whereby said subset of specific IP addresses will not be scanned.
- View Dependent Claims (30)
- - 30. The network security method of claim 29, further comprising the step of:
    - in response to a policy file being compiled, a pdx compiler computing a set of IP addresses designated not to be scanned and outputting said set of IP addresses designated not to be scanned to a file as input for said VA client.

31. For a policy-based monitor method, a method for creating scanner network objects associated with at least one of:
- VA capability in said policy-based monitor system, wherein said network object is given an IP address of a network interface coupled to said policy-based monitor system used for scanning; and
  
  a third-party network scanner, wherein said network object is given an IP address of said third-party scanner used for scanning;
  
  said enterprise-level user interface accessing a policy description document generated as part of a policy update process, wherein said policy description document comprises a network object page, comprising a link to vulnerability information pertaining to said network object, wherein said policy description document provides a view of vulnerability information for an entire policy domain, and wherein a policy description document accessed through said policy-based monitor system provides visibility only to the hosts scanned by said VA Server.

32. For a policy-based monitor method, a method for creating scanner network objects associated with at least one of:
- VA capability in said policy-based monitor system, wherein said network object is given an IP address of a network interface coupled to said policy-based monitor system used for scanning;
  
  a third-party network scanner, wherein said network object is given an IP address of said third-party scanner used for scanning; and
  
  automatically merging a host policy and a scanner policy;
  
  wherein said merged policy comprises at least one of;
  
  outcomes per host policy, wherein host policy applies to scanner as client host; and
  
  probed outcomes, wherein host policy does not apply to scanner as client host.

33. For a policy-based monitor method, a method for network security for vulnerability assessment (VA) comprising the steps of:
- requesting vulnerability scans, processing returned results, and storing relevant data coupled to said request and results in a module;
  
  receiving said request for vulnerability scans, performing said vulnerability scans, and transmitting scan results to a VA client;
  
  returning vulnerability scan results that are mapped into a vulnerability network event responsive to, and dependent on, an associated vulnerability state;
  
  determining vulnerability state information of a network using a continuous scanning technique;
  
  determining when new vulnerability data is received at state new and emitting a monitored event, wherein if such vulnerability data are seen again, then assigning a state to persistent, and if said data are not seen again, then assigning a state to almost resolved;
  
  determining if a machine on which vulnerability is detected is no longer visible on said network and assigning state inaccessible and emitting a monitored event;
  
  from a persistent state, determining if vulnerability is detected again and keeping state at persistent;
  
  from an almost resolved state, determining if vulnerability is seen again and changing state to persistent, and if said vulnerability is not seen after a predetermined amount of time, assigning state to resolved and emitting a monitored event;
  
  determining if vulnerability is from a machine which ceases to be visible on said network and assigning state to inaccessible; and
  
  from an inaccessible state, determining if a machine returns from being invisible from an almost resolved state and returning state to said almost resolved state, and determining if a machine returns from being invisible from a persistent state and returning said state to persistent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
Securify, Inc. (McAfee, LLC)
Inventors
Cooper, Geoffrey, Pearcy, Derek P., Valente, Luis Filipe Pereira, Richardson, Harry Alexander
Primary Examiner(s)
Smithers; Matthew B

Application Number

US10/835,687
Publication Number

US 20050010821A1
Time in Patent Office

1,657 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/1433 Vulnerability analysis

Policy-based vulnerability assessment

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

163 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based vulnerability assessment

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

163 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links