Policy-based vulnerability assessment
First Claim
1. In a policy-based monitor system, a network security system for vulnerability assessment (VA) comprising:
a VA client for requesting vulnerability scans, for processing returned results, and for storing relevant data coupled to said request;
a VA server for receiving said VA client request for vulnerability scans, for performing said vulnerability scans, and for returning scan results to said VA client;
a vulnerability scan result comprising:
an IP address of a target host;
a service being exercised;
a type of vulnerability; and
a security level of said vulnerability;
wherein responsive to, and dependent on, an associated vulnerability state, at least one returned vulnerability scan result is mapped into a vulnerability network event, said vulnerability network event being accessible to an analyzing module coupled to a studio module and being accessible to an enterprise-level user interface, said vulnerability network event being maintained for the lifetime of said vulnerability;
a module for removing all vulnerability events pertaining to a host that is unreachable for a time exceeding a specified time; and
in response to a policy file being compiled, means for a pdx compiler computing a complete set of IP addresses to be scanned and for outputting said set of IP addresses to a file as input for said VA client.
Abstract
A system and method for a vulnerability assessment mechanism that serves to actively scan for vulnerabilities on a continuous basis and interpret the resulting traffic in context of policy is provided. Vulnerability information is presented within an enterprise manager system enabling the user to access vulnerability information, recommended remediation procedures, and associated network traffic. A studio mechanism is used to add scanners to the appropriate policies and control the scope and distribution of scans within the target network.
33 Claims
23. In a policy-based monitor system, a studio module comprising at least one of:
a scanner network object comprising at least one of:
VA capability in said policy-based monitor system, wherein said scanner network object is given an IP address of a network interface coupled to said policy-based monitor system used for scanning; and
a third-party network scanner, wherein said scanner network object is given an IP address of said third-party scanner used for scanning;
wherein said studio module provides capability for a user to create scanner network objects at any point during policy development, said scanner objects representing in said policy activity on said network generated by a vulnerability scanner scanning said network; and
means for automatically generating a set of scanning relationships in said policy of said policy based monitoring system for one or more of said network objects selected as a scanning target, wherein said scanning relationships determine how traffic from an associated scanner to said network objects is classified, and wherein said scanning relationships are derived from an associated policy for said network object;
wherein said means for generating a set of scanning relationships further comprises a means for assigning at least one of two outcomes associated with said scanning relationship if a given service is offered in said network object's policy, said two outcomes comprising:
if an initiator in a policy relationship includes a scanner itself, then said scanning relationship has a same outcome as that of said policy relationship; and
if an initiator does not include a scanner, then an outcome Probed is assigned to said scanning relationship, wherein said outcome Probed has a criticality depicting a violation of said target network object's policy associated with all of its outcome components that denote a successful connection or two-way exchange of connectionless data.
24. In a policy-based monitor system, a studio module comprising at least one of:
a scanner network object comprising at least one of:
VA capability in said policy-based monitor system, wherein said scanner network object is given an IP address of a network interface coupled to said policy-based monitor system used for scanning, and
a third-party network scanner, wherein said scanner network object is given an IP address of said third-party scanner used for scanning;
wherein said studio module provides capability for a user to create scanner network objects at any point during policy development, said scanner objects representing in said policy activity on said network generated by a vulnerability scanner scanning said network; and
means for said enterprise-level user interface accessing a policy description document generated as part of a policy update process, wherein said policy description document comprises a network object page, comprising a link to vulnerability information pertaining to said network object, wherein said policy description document provides a view of vulnerability information for an entire policy domain, and wherein a policy description document accessed through said policy-based monitor system provides visibility only to hosts scanned by said VA Server.
25. In a policy-based monitor system, a studio module comprising at least one of:
a scanner network object comprising at least one of:
VA capability in said policy-based monitor system, wherein said scanner network object is given an IP address of a network interface coupled to said policy-based monitor system used for scanning; and
a third-party network scanner, wherein said scanner network object is given an IP address of said third-party scanner used for scanning;
means for automatically merging a host policy and a scanner policy;
wherein said studio module provides capability for a user to create scanner network objects at any point during policy development, said scanner objects representing in said policy activity on said network generated by a vulnerability scanner scanning said network; and
wherein said merged policy comprises at least one of:
outcomes per host policy, wherein host policy applies to scanner as client host; and
probed outcomes, wherein host policy does not apply to scanner as client host.
26. For a policy-based monitor method, a method for network security for vulnerability assessment (VA) comprising the steps of:
requesting vulnerability scans, processing returned results, and storing relevant data coupled to said request and results in a module;
receiving said request for vulnerability scans, performing said vulnerability scans, and transmitting scan results to a VA client;
returning vulnerability scan results that are mapped into a vulnerability network event responsive to, and dependent on, an associated vulnerability containing a mapping function for mapping said vulnerability scan result to said vulnerability network event, comprising at least one of:
a mapping function that uses an IP address of a scanning network interface in said policy-based monitor system as a source IP address and that maps said IP address into a name of a network object that represents a VA scanner;
a mapping function that uses an IP address of a target host as a destination IP and that maps said IP address to an appropriate network object name;
a mapping function that assigns a transport protocol to which said vulnerability applies to a service protocol and a base protocol, wherein said transport protocol's IP protocol ID is assigned to a protocol number field and, wherein for host-level vulnerabilities, said transport protocol is set to Host and said IP protocol ID is set to a first predetermined value;
an application protocol to which vulnerability applies to a service for a mapping function that assigns network level vulnerabilities, or to a specific indicator string for vulnerabilities that apply only to a host but not to its network connection;
a mapping function that assigns a port where vulnerability is discovered to a destination port, wherein for host-level vulnerabilities said destination port is set to a second predetermined value;
a function that maps vulnerability into an outcome and an outcome component, wherein said outcome is one of a plurality of possible outcomes assignable to a vulnerability event, said possible outcomes comprising at least:
a vulnerability outcome, wherein a vulnerability not previously reported against a target host is determined, wherein said outcome is used whenever a vulnerability is first found, and wherein said outcome comprises outcome components, each with a distinct criticality level, wherein said vulnerability outcome components indicate if said vulnerability outcome is at least one of: severe; important; and informational;
a vulnerability removed outcome, wherein a previously reported vulnerability that is no longer found in a target host is determined, wherein said outcome has a single outcome component indicating said vulnerability is cleared; and
an unreachable outcome, wherein a subnet or previously scanned host cannot be reached by said scanner and has a single outcome component indicating said previously scanned host or subnet can no longer be scanned;
a mapping function that assigns an event owner as owner of an outcome, service, or target network object, and in such order;
a mapping function that assigns a monitor a name of a monitor wherein said VA server and client are running;
a mapping function that assigns a collection point to a monitor where said VA server and client are running;
a mapping function that assigns an event time to a time at which said vulnerability was last reported; and
at least one vulnerability details record comprising at least one of the following fields:
a common identifier field, a string containing one or more identifiers from common vulnerability repositories;
a description field, a string containing a detailed description of said vulnerability, wherein said description is capable of containing a dynamic portion detailing an aspect of said vulnerability that is specific to said target host;
a first found field, a timestamp for when said vulnerability was first detected; and
a last found field, a timestamp for when said vulnerability was last detected.
28. For a policy-based monitor method, a method for creating scanner network objects associated with at least one of:
VA capability in said policy-based monitor system, wherein said network object is given an IP address of a network interface coupled to said policy-based monitor system used for scanning;
a third-party network scanner, wherein said network object is given an IP address of said third-party scanner used for scanning; and
automatically generating a set of scanning relationships for said network object in response to said network object selected as a scanning target, wherein said scanning relationships determine how traffic from an associated scanner to said network object is classified, wherein said scanning relationships are derived from an associated policy for said network object, and wherein said generating a set of scanning relationships further comprises the step of assigning at least one of two outcomes associated with said scanning relationship if a given service is offered in said network object's policy, said two outcomes comprising:
if an initiator in a policy relationship includes a scanner itself, then said scanning relationship has a same outcome as that of said policy relationship; and
if an initiator does not include a scanner, then an outcome Probed is assigned to said scanning relationship, wherein said outcome Probed has a criticality depicting a violation of said target network object's policy associated with all of its outcome components that denote a successful connection or two-way exchange of connectionless data.
29. For a policy-based monitor method, a method for network security for vulnerability assessment (VA) comprising the steps of:
requesting vulnerability scans, processing returned results, and storing relevant data coupled to said request and results in a module;
receiving said request for vulnerability scans, performing said vulnerability scans, and transmitting scan results to a VA client; and
returning vulnerability scan results that are mapped into a vulnerability network event responsive to, and dependent on, an associated vulnerability state;
said pdx compiler defining a subset of specific IP addresses to be removed from said complete set of IP addresses, whereby said subset of specific IP addresses will not be scanned.
31. For a policy-based monitor method, a method for creating scanner network objects associated with at least one of:
VA capability in said policy-based monitor system, wherein said network object is given an IP address of a network interface coupled to said policy-based monitor system used for scanning; and
a third-party network scanner, wherein said network object is given an IP address of said third-party scanner used for scanning;
said enterprise-level user interface accessing a policy description document generated as part of a policy update process, wherein said policy description document comprises a network object page, comprising a link to vulnerability information pertaining to said network object, wherein said policy description document provides a view of vulnerability information for an entire policy domain, and wherein a policy description document accessed through said policy-based monitor system provides visibility only to the hosts scanned by said VA Server.
32. For a policy-based monitor method, a method for creating scanner network objects associated with at least one of:
VA capability in said policy-based monitor system, wherein said network object is given an IP address of a network interface coupled to said policy-based monitor system used for scanning;
a third-party network scanner, wherein said network object is given an IP address of said third-party scanner used for scanning; and
automatically merging a host policy and a scanner policy;
wherein said merged policy comprises at least one of:
outcomes per host policy, wherein host policy applies to scanner as client host; and
probed outcomes, wherein host policy does not apply to scanner as client host.
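The scanning-relationship rule of claims 23 and 28, which is the same distinction as the merged host/scanner policy of claims 25 and 32, as an added Python illustration that is not code from the patent. The outcome and component names and the sample policy are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Outcome components that denote a successful connection or a two-way exchange
# of connectionless data (the component names are constructed for this example).
SUCCESS_COMPONENTS = {"connected", "exchanged"}

@dataclass
class Outcome:
    name: str
    components: dict[str, str]  # outcome component -> criticality

@dataclass
class PolicyRelationship:
    initiators: frozenset[str]  # network objects allowed to initiate the service
    target: str                 # network object offering the service
    service: str
    outcome: Outcome

def probed_outcome(template: Outcome) -> Outcome:
    """Outcome Probed: each success-denoting component becomes a violation of
    the target's policy; the remaining components keep their criticality."""
    comps = {c: ("violation" if c in SUCCESS_COMPONENTS else crit)
             for c, crit in template.components.items()}
    return Outcome("Probed", comps)

def scanning_relationships(scanner: str, target: str,
                           policy: list[PolicyRelationship]) -> dict[str, Outcome]:
    """Classify traffic from `scanner` to each service offered in `target`'s policy:
    the policy relationship's own outcome when the scanner is among its initiators
    (host policy applies to the scanner as client host), otherwise Probed."""
    derived: dict[str, Outcome] = {}
    for rel in policy:
        if rel.target != target:
            continue
        if scanner in rel.initiators:
            derived[rel.service] = rel.outcome
        else:
            derived[rel.service] = probed_outcome(rel.outcome)
    return derived

# Constructed sample policy for one target: HTTP is open to the intranet and to
# the scanner; SSH is reserved for admin hosts, so a scanner reaching it is a probe.
ALLOWED = {"connected": "ok", "rejected": "warning"}
SAMPLE_POLICY = [
    PolicyRelationship(frozenset({"intranet", "va_scanner"}), "web_server", "http",
                       Outcome("Allowed", dict(ALLOWED))),
    PolicyRelationship(frozenset({"admin_hosts"}), "web_server", "ssh",
                       Outcome("Allowed", dict(ALLOWED))),
]

if __name__ == "__main__":
    for svc, out in scanning_relationships("va_scanner", "web_server", SAMPLE_POLICY).items():
        print(svc, out.name, out.components)
```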
33. For a policy-based monitor method, a method for network security for vulnerability assessment (VA) comprising the steps of:
requesting vulnerability scans, processing returned results, and storing relevant data coupled to said request and results in a module;
receiving said request for vulnerability scans, performing said vulnerability scans, and transmitting scan results to a VA client;
returning vulnerability scan results that are mapped into a vulnerability network event responsive to, and dependent on, an associated vulnerability state;
determining vulnerability state information of a network using a continuous scanning technique;
determining when new vulnerability data is received at state new and emitting a monitored event, wherein if such vulnerability data are seen again, then assigning a state to persistent, and if said data are not seen again, then assigning a state to almost resolved;
determining if a machine on which vulnerability is detected is no longer visible on said network and assigning state inaccessible and emitting a monitored event;
from a persistent state, determining if vulnerability is detected again and keeping state at persistent;
from an almost resolved state, determining if vulnerability is seen again and changing state to persistent, and if said vulnerability is not seen after a predetermined amount of time, assigning state to resolved and emitting a monitored event;
determining if vulnerability is from a machine which ceases to be visible on said network and assigning state to inaccessible; and
from an inaccessible state, determining if a machine returns from being invisible from an almost resolved state and returning state to said almost resolved state, and determining if a machine returns from being invisible from a persistent state and returning said state to persistent.
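The vulnerability lifecycle of claim 33 together with the unreachable-host removal module of claim 1, as an added Python illustration that is not code from the patent. It assumes that a persistent vulnerability no longer found on a reachable host moves to almost resolved (the claim states this only for the new state) and that a host returning from inaccessible resumes whichever state it left; scan times are constructed integers.

```python
from __future__ import annotations
from dataclasses import dataclass
NEW, PERSISTENT, ALMOST_RESOLVED, RESOLVED, INACCESSIBLE = (
    "new", "persistent", "almost_resolved", "resolved", "inaccessible")

@dataclass
class VulnRecord:
    state: str
    not_seen_since: int | None = None  # scan time the vulnerability stopped being found
    prior_state: str | None = None     # state to restore when an inaccessible host returns

class VulnerabilityStateTracker:
    def __init__(self, resolve_after: int, prune_after: int):
        self.resolve_after = resolve_after  # "predetermined amount of time" before resolved
        self.prune_after = prune_after      # "specified time" a host may stay unreachable
        self.records: dict[tuple[str, str], VulnRecord] = {}  # (host, vuln) -> record
        self.unreachable_since: dict[str, int] = {}

    def observe(self, now: int, host: str, found: set[str], reachable: bool) -> list[tuple]:
        """Apply one scan of `host`; return emitted monitored events as (kind, host, vuln)."""
        events, mine = [], {v: r for (h, v), r in self.records.items() if h == host}
        if not reachable:                 # machine no longer visible on the network
            self.unreachable_since.setdefault(host, now)
            for vuln, rec in mine.items():
                if rec.state in (NEW, PERSISTENT, ALMOST_RESOLVED):
                    rec.prior_state, rec.state = rec.state, INACCESSIBLE
                    events.append(("inaccessible", host, vuln))
            return events
        self.unreachable_since.pop(host, None)
        for rec in mine.values():         # host is back: resume from the state it left
            if rec.state == INACCESSIBLE:
                rec.state = rec.prior_state
        for vuln in found:
            rec = mine.get(vuln)
            if rec is None or rec.state == RESOLVED:
                self.records[(host, vuln)] = VulnRecord(NEW)
                events.append(("new", host, vuln))
            else:                         # seen again: new / almost resolved -> persistent
                rec.state, rec.not_seen_since = PERSISTENT, None
        for vuln, rec in mine.items():
            if vuln in found or rec.state == RESOLVED:
                continue
            if rec.state in (NEW, PERSISTENT):  # not found this scan (persistent case assumed)
                rec.state, rec.not_seen_since = ALMOST_RESOLVED, now
            elif now - rec.not_seen_since >= self.resolve_after:
                rec.state = RESOLVED
                events.append(("resolved", host, vuln))
        return events

    def prune_unreachable(self, now: int) -> list[str]:
        # Claim 1's removal module: drop every record of a host unreachable too long.
        stale = [h for h, t in self.unreachable_since.items() if now - t > self.prune_after]
        for host in stale:
            self.records = {k: r for k, r in self.records.items() if k[0] != host}
            del self.unreachable_since[host]
        return stale
```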