Network security system having a device profiler communicatively coupled to a traffic monitor

US 7,594,273 B2
Filed: 02/16/2007
Issued: 09/22/2009
Est. Priority Date: 08/25/2000
Status: Active Grant

First Claim

Patent Images

1. A method for providing security to a plurality of hosts on a network, the method comprising:

storing potential vulnerabilities of the hosts in a tree-structured vulnerability tree having nodes representative of characteristics of the host and a set of potential vulnerabilities associated with ones of the nodes;

evaluating responses of a host of the plurality of hosts to data packets sent over the network to determine characteristics of the host;

traversing the tree-structured vulnerability tree responsive to the determined characteristics to determine vulnerabilities of the host;

associating the determined vulnerabilities of the host with one or more attack signatures; and

providing the determined vulnerabilities of the host and their corresponding attack signatures to a traffic monitor, the traffic monitor configured to monitor the network for traffic indicative of attacks exploiting one or more of the determined vulnerabilities of the host.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities.

Citations

30 Claims

1. A method for providing security to a plurality of hosts on a network, the method comprising:
- storing potential vulnerabilities of the hosts in a tree-structured vulnerability tree having nodes representative of characteristics of the host and a set of potential vulnerabilities associated with ones of the nodes;
  
  evaluating responses of a host of the plurality of hosts to data packets sent over the network to determine characteristics of the host;
  
  traversing the tree-structured vulnerability tree responsive to the determined characteristics to determine vulnerabilities of the host;
  
  associating the determined vulnerabilities of the host with one or more attack signatures; and
  
  providing the determined vulnerabilities of the host and their corresponding attack signatures to a traffic monitor, the traffic monitor configured to monitor the network for traffic indicative of attacks exploiting one or more of the determined vulnerabilities of the host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - storing the determined vulnerabilities at a location on the network centrally accessible to evaluating and monitoring hosts for vulnerabilities; and
      
      identifying attack signatures of network traffic indicating attacks exploiting the determined vulnerabilities of the host,wherein the traffic monitor is configured to monitor the network traffic for the attack signatures at a monitoring location having access to the centrally accessible location.
  - 3. The method of claim 1, wherein the evaluating comprises sending anomalous data packets to the host.
  - 4. The method of claim 3, wherein the determining comprises analyzing responses of the host to the anomalous data packets with respect to at least one of layer 3 or layer 4 of the Open Systems Interconnection model to determine characteristics of the host.
  - 5. The method of claim 3, wherein the determined characteristics comprise an operating system version and patch level of the host.
  - 6. The method of claim 1, wherein the evaluating comprises determining the host'"'"'s characteristics based on analyzing the host'"'"'s responses to data packets with respect to at least one of layer 5, layer 6 or layer 7 of the Open Systems Interconnection model.
  - 7. The method of claim 6, wherein the determined characteristics comprise an application version and patch level executing on the host.
  - 8. The method of claim 1, wherein the traffic monitor is configured to monitor only for determined vulnerabilities exploitable from a monitoring location on the network.
  - 9. The method of claim 1, further comprising:
    - updating the determined vulnerabilities based on detecting updated characteristics.
  - 10. The method of claim 1, wherein the traffic monitor is configured to selectively restrict network traffic to the host responsive to receiving a notification related to one of the determined vulnerabilities.

11. A computer program product for providing security to a plurality of hosts on a network, the computer program product comprising computer program code embodied on a computer-readable medium, the computer program code for:
- storing potential vulnerabilities of the hosts in a tree-structured vulnerability tree having nodes representative of characteristics of the host and a set of potential vulnerabilities associated with ones of the nodes;
  
  evaluating responses of a host of the plurality of hosts to data packets sent over the network to determine characteristics of the host;
  
  traversing the tree-structured vulnerability tree responsive to the determined characteristics to determine vulnerabilities of the host;
  
  associating the determined vulnerabilities of the host with one or more attack signatures; and
  
  providing the determined vulnerabilities of the host and their corresponding attack signatures to a traffic monitor, the traffic monitor configured to monitor the network for traffic indicative of attacks exploiting one or more of the determined vulnerabilities of the host.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer program product of claim 11, further comprising computer program code for:
    - storing the determined vulnerabilities at a location on the network centrally accessible to evaluating and monitoring hosts for vulnerabilities; and
      
      identifying attack signatures of network traffic indicating attacks exploiting the determined vulnerabilities of the host,wherein the traffic monitor is configured to monitor the network traffic for the attack signatures at a monitoring location having access to the centrally accessible location.
  - 13. The computer program product of claim 11, wherein the evaluating comprises sending anomalous data packets to the host.
  - 14. The computer program product of claim 13, wherein the determining comprises analyzing responses of the host to the anomalous data packets with respect to at least one of layer 3 or layer 4 of the Open Systems Interconnection model to determine characteristics of the host.
  - 15. The computer program product of claim 13, wherein the determined characteristics comprise an operating system version and patch level of the host.
  - 16. The computer program product of claim 11, wherein the evaluating comprises determining the host'"'"'s characteristics based on analyzing the host'"'"'s responses to data packets with respect to at least one of layer 5, layer 6 or layer 7 of the Open Systems Interconnection model.
  - 17. The computer program product of claim 16, wherein the determined characteristics comprise an application version and patch level executing on the host.
  - 18. The computer program product of claim 11, wherein the traffic monitor is configured to monitor only for determined vulnerabilities exploitable from a monitoring location on the network.
  - 19. The computer program product of claim 11, further comprising computer program code for:
    - updating the determined vulnerabilities based on detecting updated characteristics.
  - 20. The computer program product of claim 11, wherein the traffic monitor is configured to selectively restrict network traffic to the host responsive to receiving a notification related to one of the determined vulnerabilities.

21. A distributed computer network security system for detecting an attack on a host on a network having a plurality of hosts, the system comprising:
- a computer-readable medium storing potential vulnerabilities of the hosts in a tree-structured vulnerability tree having nodes representative of characteristics of the host and a set of potential vulnerabilities associated with ones of the nodes;
  
  a device profiler communicatively coupled with the network, the device profiler configured to evaluate responses of a host of the plurality of hosts to data packets sent over the network to determine characteristics of the host, and further configured to determine vulnerabilities of the host by traversing the tree-structured vulnerability tree responsive to the determined characteristics to determine vulnerabilities of the host, and further configured to associate the determined vulnerabilities of the host with one or more attack signatures; and
  
  a traffic monitor communicatively coupled with the network, the traffic monitor configured to receive the determined vulnerabilities of the host and their corresponding attack signatures from the device profiler, the traffic monitor configured to monitor the network for traffic indicative of attacks exploiting one or more of the determined vulnerabilities of the host.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The system of claim 21, wherein:
    - the determined vulnerabilities are stored at a location on the network centrally accessible to evaluating and monitoring hosts for vulnerabilities;
      
      the device profiler is configured to identify attack signatures of network traffic indicating attacks exploiting the determined vulnerabilities of the host; and
      
      the traffic monitor is configured to monitor the network traffic for the attack signatures at a monitoring location having access to the centrally accessible location.
  - 23. The system of claim 21, wherein device profiler is configured to evaluate responses, at least in part, by sending anomalous data packets to the host.
  - 24. The system of claim 23, wherein the device profiler is configured to determine characteristics of the host, at least in part, by analyzing responses of the host to the anomalous data packets with respect to at least one of layer 3 or layer 4 of the Open Systems Interconnection model to determine characteristics of the host.
  - 25. The system of claim 23, wherein the determined characteristics comprise an operating system version and patch level of the host.
  - 26. The system of claim 21, wherein device profiler is configured to evaluate responses, at least in part, by determining the host'"'"'s characteristics based on analyzing the host'"'"'s responses to data packets with respect to at least one of layer 5, layer 6 or layer 7 of the Open Systems Interconnection model.
  - 27. The system of claim 26, wherein the determined characteristics comprise an application version and patch level executing on the host.
  - 28. The system of claim 21, wherein the traffic monitor is configured to monitor only for determined vulnerabilities exploitable from a monitoring location on the network.
  - 29. The system of claim 21, wherein the device profiler is further configured to update the determined vulnerabilities based on detecting updated characteristics.
  - 30. The system of claim 21, wherein the traffic monitor is configured to selectively restrict network traffic to the host responsive to receiving a notification related to one of the determined vulnerabilities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tripwire Incorporated (Belden Inc.)
Original Assignee
nCircle Network Security, Inc. (Belden Inc.)
Inventors
Quiroga, Martin A., Keanini, Timothy D., Buchanan, Brian W., Flowers, John S.
Primary Examiner(s)
Korzuch; William R
Assistant Examiner(s)
Moorthy; Aravind K

Application Number

US11/676,051
Publication Number

US 20070143852A1
Time in Patent Office

949 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Network security system having a device profiler communicatively coupled to a traffic monitor

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Network security system having a device profiler communicatively coupled to a traffic monitor

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links