Systems and methods for determining characteristics of a network and analyzing vulnerabilities

US 7,716,742 B1
Filed: 05/12/2004
Issued: 05/11/2010
Est. Priority Date: 05/12/2003
Status: Active Grant

First Claim

Patent Images

1. A method for passively and automatically assigning a vulnerability to a network device on a network, comprising:

predefining a vulnerability of an operating system in a vulnerability data structure that lists vulnerabilities mapped to one record for each corresponding operating system and lists operating system fingerprints mapped to the one record for the each corresponding operating system;

passively determining that the network device is using one of plural operating systems by reading a packet transmitted on the network, decoding the packet, first mapping the operating system fingerprint based on fields in the decoded packet to the plural operating systems listed in the vulnerability data structure, and then second mapping each of the plural operating systems listed in the vulnerability data structure to a corresponding vulnerability listed in the vulnerability data structure, wherein the second mapping is responsive to the first mapping, wherein the packet is in traffic passively moving across the network; and

assigning the corresponding vulnerabilities of the plural operating systems from the vulnerability data structure to the network device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selecting by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.

165 Citations

20 Claims

1. A method for passively and automatically assigning a vulnerability to a network device on a network, comprising:
- predefining a vulnerability of an operating system in a vulnerability data structure that lists vulnerabilities mapped to one record for each corresponding operating system and lists operating system fingerprints mapped to the one record for the each corresponding operating system;
  
  passively determining that the network device is using one of plural operating systems by reading a packet transmitted on the network, decoding the packet, first mapping the operating system fingerprint based on fields in the decoded packet to the plural operating systems listed in the vulnerability data structure, and then second mapping each of the plural operating systems listed in the vulnerability data structure to a corresponding vulnerability listed in the vulnerability data structure, wherein the second mapping is responsive to the first mapping, wherein the packet is in traffic passively moving across the network; and
  
  assigning the corresponding vulnerabilities of the plural operating systems from the vulnerability data structure to the network device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein predefining the vulnerability of the operating system comprises reading a rule from an intrusion detection system.
  - 3. The method of claim 1, wherein assigning the vulnerabilities of the plural operating systems to the network device comprises recording the vulnerability in a host representative data structure of the network device.
  - 4. The method of claim 1, further comprising reporting the vulnerabilities assigned to the network device, to a network reporting mechanism.
  - 5. The method of claim 4, wherein the network reporting mechanism comprises one or more of an intrusion detection system and a network management system.
  - 6. The method of claim 1, further comprising actively scanning the network device using the vulnerability after the vulnerability is assigned to the network device.

7. A method for passively and automatically assigning a vulnerability to a network device on a network, comprising:
- predefining a vulnerability of a service in a vulnerability data structure that lists vulnerabilities mapped to one record for each corresponding service and lists service fingerprints mapped to the one record for the each corresponding service;
  
  passively determining that the network device is running one of plural services by reading one or more packets transmitted on the network, decoding the one or more packets, first mapping the service fingerprint based on fields in the decoded packets to the plural services listed in the vulnerability data structure, and then second mapping each of the plural services listed in the vulnerability data structure to a corresponding vulnerability listed in the vulnerability data structure, wherein the second mapping is responsive to the first mapping, wherein the packet is in traffic passively moving across the network; and
  
  assigning the corresponding vulnerabilities of the plural services from the vulnerability data structure to the network device.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein predefining the vulnerability of the service comprises reading a rule from an intrusion detection system.
  - 9. The method of claim 7, wherein assigning the vulnerabilities of the plural services to the network device comprises recording the vulnerabilities in a host representative data structure of the network device.
  - 10. The method of claim 7, further comprising reporting the vulnerabilities assigned to the network device, to a network reporting mechanism.
  - 11. The method of claim 10, wherein the network reporting mechanism comprises one or more of an intrusion detection system and a network management system.
  - 12. The method of claim 7, further comprising actively scanning the network device using the vulnerability after the vulnerability is assigned to the network device.

13. A method for creating a normalized vulnerabilities database for use in a passive network detection system, comprising:
- gathering a list of predefined vulnerabilities, wherein each vulnerability comprises one or more of an operating system name and a service name;
  
  creating one or more operating system groups from the list, wherein each one or more operating system groups comprises one or more vulnerabilities that comprise one or more operating system names that identify a same unique operating system;
  
  assigning a single operating system identifier to the each one or more operating system groups;
  
  providing lookup from the passive network detection system to the each one or more operating system groups by the single operating system identifier;
  
  mapping an operating system fingerprint from fields in a passively received packet to plural operating systems;
  
  assigning the corresponding vulnerabilities of the plural operating systems from the operating system groups as the operating-system-vulnerabilities for a host that generated the packet;
  
  creating one or more service groups from the list, wherein each one or more service groups comprises one or more vulnerabilities that comprise one or more service names that identify a unique service;
  
  assigning a single service identifier to the each one or more service groups;
  
  providing lookup from the passive network detection system to the each one or more service groups by the single service identifier;
  
  mapping a service fingerprint from the fields in the passively received packet to plural services;
  
  assigning the corresponding vulnerabilities of the plural services from the service groups as the service-vulnerabilities for the host that generated the packet; and
  
  eliminating, as possible vulnerabilities for the host that generated the packet, vulnerabilities which are not assigned as both the operating-system-vulnerabilities and the service-vulnerabilities.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, further comprising providing lookup from the passive network detection system to the intersection of the each one or more operating system groups and the each one or more service groups by the single operating system identifier and the single service identifier.
  - 15. The method of claim 13, wherein gathering the list of predefined vulnerabilities comprises reading one or more rules from an intrusion detection system.
  - 16. The method of claim 13, wherein the single service identifier comprises one or more of a service type, a regular expression of a service product name, a vendor name, and a version.
  - 17. The method of claim 13, wherein the single operating system identifier comprises one or more of a regular expression of an operating system product name, a vendor name, and a version.
  - 18. The method of claim 13, wherein the lookup from the passive network detection system to the each one or more operating system groups by the single operating system identifier is performed by the passive network detection system when an operating system matching the single operating system identifier is detected.
  - 19. The method of claim 13, wherein the lookup from the passive network detection system to the each one or more service groups by the single service identifier is performed by the passive network detection system when a service matching the single service identifier is detected.
  - 20. The method of claim 13, further comprising providing lookup to a list of one or more single operating system identifiers, wherein a single operating system identifier from the list of one or more single operating system identifiers is manually selected for assignment to a network device detected by the passive network detection system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Inventors
Watchinski, Matt, Vogel, William Andrew III, Roesch, Martin
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
POLTORAK, PIOTR

Application Number

US10/843,353
Time in Patent Office

2,190 Days
Field of Search

726/22, 726/23, 726/25, 726/26
US Class Current

726/25
CPC Class Codes

H04L 63/1433 Vulnerability analysis

H04L 67/125 involving control of end-de...

Systems and methods for determining characteristics of a network and analyzing vulnerabilities

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

165 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for determining characteristics of a network and analyzing vulnerabilities

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

165 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links