Query data packet processing and network scanning method and apparatus
Abstract
A method for detecting within a networked computer a target vulnerability such as a Trojan Horse residing therein is disclosed, wherein the vulnerability is characterized by a signature response to an encrypted query. The method includes encrypting a plurality of query data packets in accordance with a plurality of encryption keys, each encrypted query data packet including a defined query field specific to the target vulnerability. The method further includes storing the plurality of encrypted query data packets in a memory. The method further includes thereafter scanning the networked computer for a target vulnerability residing within the networked computer by sending successive ones of the encrypted-and-stored query data packets to the host computer and analyzing responses thereto from the host computer with respect to the characteristic signature. Preferably, the encrypting is performed for substantially all of the encryption keys within a defined key space. The memory may be non-volatile memory such as a disk drive or a volatile memory such as random-access memory (RAM) or a memory configured as a cache.
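The two-phase flow described in the abstract (encrypt the query under every key and store the results, then scan later from the stored set) is shown here as an added Python sketch, not code from the patent. The repeating-XOR cipher, the packet contents, the 12-bit key space, the stored expected replies and the in-memory host are all constructed assumptions.

```python
# Added illustration: cipher, packet layout and host are constructed stand-ins.
from itertools import cycle

QUERY = b"QRY\x01status?"      # constructed plaintext query with a query field
SIGNATURE = b"ACK\x01target"   # constructed signature response of the target
KEY_SPACE = range(2 ** 12)     # small defined key space so the demo runs fast


def toy_crypt(data: bytes, key: int) -> bytes:
    """Stand-in symmetric cipher (repeating 2-byte XOR); not a real algorithm."""
    return bytes(b ^ k for b, k in zip(data, cycle(key.to_bytes(2, "big"))))


def build_database(query=QUERY, signature=SIGNATURE, keys=KEY_SPACE):
    """First time: encrypt the query once per key and store every result.

    Storing the expected encrypted reply beside each packet is an assumption
    of this sketch; it lets the later scan compare bytes with no crypto work.
    """
    return [(toy_crypt(query, k), toy_crypt(signature, k)) for k in keys]


class SimulatedHost:
    """In-memory stand-in for a scanned port; no network traffic is involved."""

    def __init__(self, target_key=None):
        self.target_key = target_key  # None models a host without the target

    def handle(self, packet: bytes):
        if self.target_key is None:
            return None
        if toy_crypt(packet, self.target_key) == QUERY:
            return toy_crypt(SIGNATURE, self.target_key)
        return None  # wrong key: the target software stays silent


def scan(host, database):
    """Second time: replay stored packets; return the matching index or None."""
    for index, (packet, expected_reply) in enumerate(database):
        if host.handle(packet) == expected_reply:
            return index  # equals the key, because KEY_SPACE starts at 0
    return None
```

The scan loop performs no encryption at all: the cost of covering the key space is paid once in `build_database`, and the stored list can be reused against any number of hosts.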
20 Claims
1. An article of manufacture including a processor readable medium having instructions stored thereon that, if executed by a processing device, cause the processing device to perform a method comprising:
encrypting a query data packet in accordance with a plurality of different keys to generate a plurality of differently encrypted query data packets, the differently encrypted query data packets including one or more fields configured to elicit a signature response from a target software;
storing, at a first time, a database comprising the differently encrypted query data packets;
scanning a port on a network device, the scanning occurring at a second time that is later than the first time, the scanning using the database that was stored at the first time such that the scanning of the network device does not require on-the-fly generation of additional encrypted query data packets; and
analyzing whether the network device processes the signature response in response to the scanning using the database.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. An apparatus comprising:
one or more processors; and
a memory coupled to the processors comprising instructions executable by the processors, the processors operable when executing the instructions to:
encrypt a query data packet in accordance with a plurality of different keys to generate a plurality of differently encrypted query data packets, the differently encrypted query data packets including one or more fields configured to elicit a signature response from a target software;
store, at a first time, a database comprising the differently encrypted query data packets;
scan at least a portion of a network using the database that was stored at the first time, the scanning occurring at a second time that is later than the first time such that the scanning of the network does not require on-the-fly generation of additional encrypted query data packets; and
analyze whether the network processes the signature response in response to the scanning using the database.
Dependent claims: 10, 11, 12, 13, 14, 15
16. A method comprising:
encrypting a query data packet in accordance with a plurality of different keys to generate a plurality of differently encrypted query data packets, the differently encrypted query data packets including one or more fields configured to elicit a signature response from a target software;
storing, at a first time, a database comprising the differently encrypted query data packets;
scanning a remote network device over a network, the scanning occurring at a second time that is later than the first time, the scanning using the database that was stored at the first time such that the scanning of the remote network device does not require on-the-fly generation of additional encrypted query data packets; and
determining whether the remote network device processes the signature response.
Dependent claims: 17, 18, 19, 20
Specification