System and method for managing network vulnerability analysis systems
First Claim
1. A method for detecting one or more vulnerabilities in a network, comprising:
distributing a plurality of active vulnerability scanners on a network having a plurality of zones defined in one or more inputs to a graphical user interface, wherein the one or more inputs to the graphical user interface place a first subset of the plurality of active vulnerability scanners in a first one of the plurality of zones, and wherein the one or more inputs to the graphical user interface further place a second subset of the plurality of active vulnerability scanners in a second one of the plurality of zones;
scanning the plurality of zones in the network with the plurality of active vulnerability scanners, wherein scanning the plurality of zones in the network with the plurality of active vulnerability scanners includes:
actively scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners, wherein scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners includes the first subset of the plurality of active vulnerability scanners sending packets to one or more network components in the first zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the first zone from the observed responses; and
actively scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners, wherein scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners includes the second subset of the plurality of active vulnerability scanners sending packets to one or more network components in the second zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the second zone from the observed responses;
forwarding results from scanning the plurality of zones in the network with the plurality of active vulnerability scanners to a vulnerability management system, wherein the scanning results forwarded from the plurality of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;
building a model of the network from the scanning results forwarded to the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;
sniffing, with one or more passive vulnerability scanners further distributed on the network, a plurality of packets observed in traffic traveling across the network, wherein the one or more passive vulnerability scanners detect an intrusion event in the network from information in the plurality of sniffed packets, and wherein sniffing the plurality of packets with the one or more passive vulnerability scanners includes the one or more passive vulnerability scanners ignoring one or more sessions newly observed on the network in response to the one or more passive vulnerability scanners having a high load; and
correlating the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 31.
Abstract
Systems and methods to manage multiple vulnerability scanners distributed across one or more networks using a distributed security management system, herein called a Lightning Console. By distributing multiple scanners across a network, the workload of each scanner may be reduced, which significantly reduces the impact on the network routing and switching infrastructure. In addition, scanners may be placed directly behind firewalls for more thorough scanning. Further, scanners may be placed closer to the networks they scan. By placing vulnerability scanners closer, the actual scanning traffic does not cross the core network switching and routing fabric, thereby avoiding potential network outages due to scanning activity. In addition, the shorter distance between the scanners and the scanned targets speeds scan times by reducing the distance that the packets must traverse.
42 Claims
15. A system for detecting vulnerabilities in a network, comprising:
a network having a plurality of zones, wherein one or more inputs to a graphical user interface define the plurality of zones in the network;
a first set of active vulnerability scanners distributed in a first one of the plurality of zones in the network, wherein the one or more inputs to the graphical user interface place the first set of active vulnerability scanners in the first zone, and wherein the first set of active vulnerability scanners are configured to send packets to one or more network components in the first zone to actively scan the first zone, observe responses to the packets from the one or more network components in the first zone, and detect one or more vulnerabilities in the first zone from the observed responses;
a second set of active vulnerability scanners distributed in a second one of the plurality of zones in the network, wherein the one or more inputs to the graphical user interface further place the second set of active vulnerability scanners in the second zone, and wherein the second set of active vulnerability scanners are configured to send packets to one or more network components in the second zone to actively scan the second zone, observe responses to the packets from the one or more network components in the second zone, and detect one or more vulnerabilities in the second zone from the observed responses;
one or more passive vulnerability scanners configured to:
sniff a plurality of packets observed in traffic traveling across the network;
detect an intrusion event in the network from the information in the plurality of sniffed packets; and
ignore one or more sessions newly observed on the network in response to the one or more passive vulnerability scanners having a high load; and
a vulnerability management system, including a processor, that receives results from the first set of active vulnerability scanners scanning the first zone and the second set of active vulnerability scanners scanning the second zone, wherein the scanning results received from the first set of active vulnerability scanners and the second set of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone, and wherein the vulnerability management system is configured to:
build a model of the network from the scanning results received at the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone; and
correlate the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.
Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29.
30. A method for detecting one or more vulnerabilities in a network, comprising:
distributing a plurality of active vulnerability scanners on a network having a plurality of zones defined in one or more inputs to a graphical user interface, wherein the one or more inputs to the graphical user interface specify a first IP address range to define a first one of the plurality of zones, a first set of IP addresses and listening ports for a first subset of the plurality of active vulnerability scanners to place the first subset of the plurality of active vulnerability scanners in the first zone, a second IP address range to define a second one of the plurality of zones, and a second set of IP addresses and listening ports for a second subset of the plurality of active vulnerability scanners to place the second subset of the plurality of active vulnerability scanners in the second zone;
scanning the plurality of zones in the network with the plurality of active vulnerability scanners, wherein scanning the plurality of zones in the network with the plurality of active vulnerability scanners includes:
actively scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners, wherein scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners includes the first subset of the plurality of active vulnerability scanners evenly dividing work associated with actively scanning the first zone in the network, sending packets to one or more network components in the first zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the first zone from the observed responses; and
actively scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners, wherein scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners includes the second subset of the plurality of active vulnerability scanners evenly dividing work associated with actively scanning the second zone in the network, sending packets to one or more network components in the second zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the second zone from the observed responses;
forwarding results from scanning the plurality of zones in the network with the plurality of active vulnerability scanners to a vulnerability management system, wherein the scanning results forwarded from the plurality of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;
building a model of the network from the scanning results forwarded to the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;
sniffing, with one or more passive vulnerability scanners further distributed on the network, a plurality of packets observed in traffic traveling across the network, wherein the one or more passive vulnerability scanners detect an intrusion event in the network from information in the plurality of sniffed packets; and
correlating the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.
32. A method for detecting one or more vulnerabilities in a network, comprising:
distributing a plurality of active vulnerability scanners on a network having a plurality of zones defined in one or more inputs to a graphical user interface, wherein the one or more inputs to the graphical user interface place a first subset of the plurality of active vulnerability scanners in a first one of the plurality of zones, and wherein the one or more inputs to the graphical user interface further place a second subset of the plurality of active vulnerability scanners in a second one of the plurality of zones;
scanning the plurality of zones in the network with the plurality of active vulnerability scanners, wherein the first zone contains the second zone, and wherein scanning the plurality of zones in the network with the plurality of active vulnerability scanners includes:
actively scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners, wherein scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners includes the first subset of the plurality of active vulnerability scanners sending packets to one or more network components in the first zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the first zone from the observed responses, and wherein the first subset of the plurality of active vulnerability scanners: only scan portions of the first zone located outside the second zone, or scan portions of the first zone located inside the second zone in response to the one or more inputs to the graphical user interface including an override for a default scan source associated with the first subset of the plurality of active vulnerability scanners;
actively scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners, wherein scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners includes the second subset of the plurality of active vulnerability scanners sending packets to one or more network components in the second zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the second zone from the observed responses;
forwarding results from scanning the plurality of zones in the network with the plurality of active vulnerability scanners to a vulnerability management system, wherein the scanning results forwarded from the plurality of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;
building a model of the network from the scanning results forwarded to the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;
sniffing, with one or more passive vulnerability scanners further distributed on the network, a plurality of packets observed in traffic traveling across the network, wherein the one or more passive vulnerability scanners detect an intrusion event in the network from information in the plurality of sniffed packets; and
correlating the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.
33. A system for detecting vulnerabilities in a network, comprising:
a network having a plurality of zones, wherein one or more inputs to a graphical user interface define the plurality of zones in the network;
a first set of active vulnerability scanners distributed in a first one of the plurality of zones in the network, wherein the one or more inputs to the graphical user interface specify a first IP address range to define the first zone in the network and a first set of IP addresses and listening ports for the first set of active vulnerability scanners to place the first set of active vulnerability scanners in the first zone, and wherein the first set of active vulnerability scanners are configured to evenly divide work associated with actively scanning the first zone in the network, send packets to one or more network components in the first zone to actively scan the first zone, observe responses to the packets from the one or more network components in the first zone, and detect one or more vulnerabilities in the first zone from the observed responses;
a second set of active vulnerability scanners distributed in a second one of the plurality of zones in the network, wherein the one or more inputs to the graphical user interface specify a second IP address range to define the second zone and a second set of IP addresses and listening ports for the second set of active vulnerability scanners to place the second set of active vulnerability scanners in the second zone, and wherein the second set of active vulnerability scanners are configured to evenly divide work associated with actively scanning the second zone in the network, send packets to one or more network components in the second zone to actively scan the second zone, observe responses to the packets from the one or more network components in the second zone, and detect one or more vulnerabilities in the second zone from the observed responses;
one or more passive vulnerability scanners configured to sniff a plurality of packets observed in traffic traveling across the network, wherein the one or more passive vulnerability scanners detect an intrusion event in the network from the information in the plurality of sniffed packets; and
a vulnerability management system, including a processor, that receives results from the first set of active vulnerability scanners scanning the first zone and the second set of active vulnerability scanners scanning the second zone, wherein the scanning results received from the first set of active vulnerability scanners and the second set of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone, and wherein the vulnerability management system is configured to:
build a model of the network from the scanning results received at the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone; and
correlate the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.
34. A system for detecting vulnerabilities in a network, comprising:
a network having a plurality of zones that include a first zone and a second zone, wherein one or more inputs to a graphical user interface define the plurality of zones in the network such that the first zone contains the second zone;
a first set of active vulnerability scanners distributed in the first zone and configured to send packets to one or more network components in the first zone to actively scan the first zone, observe responses to the packets from the one or more network components in the first zone, and detect one or more vulnerabilities in the first zone from the observed responses, wherein the one or more inputs to the graphical user interface place the first set of active vulnerability scanners in the first zone, and wherein the first set of active vulnerability scanners: only scan portions of the first zone located outside the second zone, or scan portions of the first zone located inside the second zone in response to the one or more inputs to the graphical user interface including an override for a default scan source associated with the first set of active vulnerability scanners;
a second set of active vulnerability scanners distributed in the second zone and configured to send packets to one or more network components in the second zone to actively scan the second zone, observe responses to the packets from the one or more network components in the second zone, and detect one or more vulnerabilities in the second zone from the observed responses, wherein the one or more inputs to the graphical user interface further place the second set of active vulnerability scanners in the second zone;
one or more passive vulnerability scanners configured to sniff a plurality of packets observed in traffic traveling across the network, wherein the one or more passive vulnerability scanners detect an intrusion event in the network from the information in the plurality of sniffed packets; and
a vulnerability management system that receives results from the first set of active vulnerability scanners scanning the first zone and the second set of active vulnerability scanners scanning the second zone, wherein the scanning results received from the first set of active vulnerability scanners and the second set of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone, and wherein the vulnerability management system is configured to:
build a model of the network from the scanning results received at the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone; and
correlate the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.
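The zone model shared by claims 1, 30 and 32 through 34 (IP address ranges defining zones, scanner IP addresses and listening ports placing scanners in them, even division of scan work, outer-zone scanners skipping a nested zone unless the scan-source override is set, a network model built from forwarded results, and correlation of an intrusion event against that model) can be exercised with the following added Python illustration. It is constructed example code, not the patent holder's implementation; the zone ranges, scanner endpoints, host addresses and vulnerability identifiers are made-up sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ScannerEndpoint = Tuple[str, int]   # (IP address, listening port) entered in the GUI


@dataclass(frozen=True)
class Finding:
    """One vulnerability an active scanner detected on a host (constructed record format)."""
    host: str
    port: int
    vuln_id: str


@dataclass
class Zone:
    name: str
    network: ipaddress.IPv4Network       # the IP address range that defines the zone
    scanners: List[ScannerEndpoint]      # scanners the GUI placed in this zone
    override_scan_source: bool = False   # claims 32/34: also scan a zone nested inside this one


@dataclass(frozen=True)
class IntrusionEvent:
    """What a passive scanner reports after sniffing traffic (constructed record format)."""
    src: str
    dst: str
    dst_port: int
    vuln_id: Optional[str] = None        # set when the signature names a specific weakness


class VulnerabilityManagementSystem:
    """Stand-in for the console that places scanners, collects results and correlates events."""

    def __init__(self) -> None:
        self.zones: Dict[str, Zone] = {}
        self.model: Dict[str, Set[Finding]] = {}   # zone name -> vulnerabilities mapped there

    def define_zone(self, name: str, cidr: str, scanners: List[ScannerEndpoint],
                    override_scan_source: bool = False) -> None:
        self.zones[name] = Zone(name, ipaddress.ip_network(cidr), list(scanners), override_scan_source)
        self.model[name] = set()

    def zone_of(self, ip: str) -> Optional[str]:
        """Most specific zone containing the address; zones may nest (claims 32/34)."""
        addr = ipaddress.ip_address(ip)
        containing = [z for z in self.zones.values() if addr in z.network]
        if not containing:
            return None
        return min(containing, key=lambda z: z.network.num_addresses).name

    def assign_targets(self, zone_name: str) -> Dict[ScannerEndpoint, List[str]]:
        """Evenly divide the zone's hosts among its scanners (claims 30/33).

        Hosts inside a nested zone are left to that zone's own scanners unless the
        GUI override for the default scan source is set (claims 32/34)."""
        zone = self.zones[zone_name]
        nested = [z.network for z in self.zones.values()
                  if z.name != zone_name and z.network.subnet_of(zone.network)]
        targets = [str(h) for h in zone.network.hosts()
                   if zone.override_scan_source or not any(h in n for n in nested)]
        buckets: Dict[ScannerEndpoint, List[str]] = {ep: [] for ep in zone.scanners}
        for i, host in enumerate(targets):          # round-robin split of the work
            buckets[zone.scanners[i % len(zone.scanners)]].append(host)
        return buckets

    def ingest(self, findings: List[Finding]) -> None:
        """Build the network model: map each forwarded finding to the zone of its host."""
        for f in findings:
            zone = self.zone_of(f.host)
            if zone is not None:
                self.model[zone].add(f)

    def correlate(self, event: IntrusionEvent) -> List[Finding]:
        """Return the modelled vulnerabilities that the intrusion event actually targets."""
        zone = self.zone_of(event.dst)
        if zone is None:
            return []
        return sorted(
            (f for f in self.model[zone]
             if f.host == event.dst and f.port == event.dst_port
             and (event.vuln_id is None or event.vuln_id == f.vuln_id)),
            key=lambda f: f.vuln_id)


def sample_console() -> VulnerabilityManagementSystem:
    """Constructed two-zone network: a DMZ range nested inside the corporate range."""
    vms = VulnerabilityManagementSystem()
    vms.define_zone("corp", "10.0.0.0/24", [("10.0.0.2", 1241), ("10.0.0.3", 1241)])
    vms.define_zone("dmz", "10.0.0.128/25", [("10.0.0.130", 1241)])
    vms.ingest([Finding("10.0.0.10", 22, "ssh-weak-kex"),          # made-up identifiers
                Finding("10.0.0.130", 21, "ftp-anonymous-login")])
    return vms


if __name__ == "__main__":
    console = sample_console()
    for endpoint, hosts in console.assign_targets("corp").items():
        print(f"scanner {endpoint[0]}:{endpoint[1]} scans {len(hosts)} corp hosts")
    hit = console.correlate(IntrusionEvent("198.51.100.7", "10.0.0.130", 21))
    print("event targets a known vulnerability:", bool(hit))
```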
35. A system for detecting vulnerabilities in a network, comprising:
a network having a plurality of zones, wherein one or more inputs to a graphical user interface define the plurality of zones in the network;
a first set of active vulnerability scanners distributed in a first one of the plurality of zones in the network, wherein the one or more inputs to the graphical user interface place the first set of active vulnerability scanners in the first zone, and wherein the first set of active vulnerability scanners are configured to send packets to one or more network components in the first zone to actively scan the first zone, observe responses to the packets from the one or more network components in the first zone, and detect one or more vulnerabilities in the first zone from the observed responses;
a second set of active vulnerability scanners distributed in a second one of the plurality of zones in the network, wherein the one or more inputs to the graphical user interface further place the second set of active vulnerability scanners in the second zone, and wherein the second set of active vulnerability scanners are configured to send packets to one or more network components in the second zone to actively scan the second zone, observe responses to the packets from the one or more network components in the second zone, and detect one or more vulnerabilities in the second zone from the observed responses;
one or more passive vulnerability scanners configured to sniff a plurality of packets observed in traffic traveling across the network, wherein the one or more passive vulnerability scanners detect an intrusion event in the network in response to applying one or more signatures to information in the plurality of sniffed packets and recognizing one or more vulnerable service banners in at least one of the plurality of packets using the applied signatures, and wherein the one or more signatures include:
one or more patterns that the passive vulnerability scanners apply to the information in the plurality of sniffed packets,
one or more regular expressions the passive vulnerability scanners apply to the information in the plurality of sniffed packets in response to the information in the plurality of sniffed packets matching the one or more patterns, and
one or more macros that instruct the passive vulnerability scanners to store an evaluation from applying the one or more regular expressions to the information in the plurality of sniffed packets; and
a vulnerability management system, including a processor, that receives results from the first set of active vulnerability scanners scanning the first zone and the second set of active vulnerability scanners scanning the second zone, wherein the scanning results received from the first set of active vulnerability scanners and the second set of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone, and wherein the vulnerability management system is configured to:
build a model of the network from the scanning results received at the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone; and
correlate the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.
Dependent claims: 36, 37, 38.
39. A method for detecting one or more vulnerabilities in a network, comprising:
distributing a plurality of active vulnerability scanners on a network having a plurality of zones defined in one or more inputs to a graphical user interface, wherein the one or more inputs to the graphical user interface place a first subset of the plurality of active vulnerability scanners in a first one of the plurality of zones, and wherein the one or more inputs to the graphical user interface further place a second subset of the plurality of active vulnerability scanners in a second one of the plurality of zones;
scanning the plurality of zones in the network with the plurality of active vulnerability scanners, wherein scanning the plurality of zones in the network with the plurality of active vulnerability scanners includes:
actively scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners, wherein scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners includes the first subset of the plurality of active vulnerability scanners sending packets to one or more network components in the first zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the first zone from the observed responses; and
actively scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners, wherein scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners includes the second subset of the plurality of active vulnerability scanners sending packets to one or more network components in the second zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the second zone from the observed responses;
forwarding results from scanning the plurality of zones in the network with the plurality of active vulnerability scanners to a vulnerability management system, wherein the scanning results forwarded from the plurality of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;
building a model of the network from the scanning results forwarded to the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;
sniffing, with one or more passive vulnerability scanners further distributed on the network, a plurality of packets observed in traffic traveling across the network, wherein the one or more passive vulnerability scanners detect an intrusion event in the network in response to applying one or more signatures to information in the plurality of sniffed packets and recognizing one or more vulnerable service banners in at least one of the plurality of packets using the applied signatures, and wherein the one or more signatures include:
one or more patterns that the passive vulnerability scanners apply to the information in the plurality of sniffed packets,
one or more regular expressions the passive vulnerability scanners apply to the information in the plurality of sniffed packets in response to the information in the plurality of sniffed packets matching the one or more patterns, and
one or more macros that instruct the passive vulnerability scanners to store an evaluation from applying the one or more regular expressions to the information in the plurality of sniffed packets; and
correlating the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.
Dependent claims: 40, 41, 42.
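The passive-scanner behaviour recited in claims 1 and 15 (ignoring sessions newly observed while the scanner is under high load) and in claims 35 and 39 (signatures made of a pattern, a regular expression applied only after the pattern matches, and a macro that stores the evaluation) is shown in the following added Python illustration. It is constructed example code rather than the patent holder's; the "ExampleFTP" banner is fictitious, the load threshold is arbitrary, and the rule that releases before 3.0 count as vulnerable is invented for illustration only.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Packet = Tuple[str, int, str, int, bytes]   # (src, sport, dst, dport, payload), constructed
SessionKey = Tuple[str, int, str, int]
Macro = Callable[[re.Match], Optional[Dict[str, str]]]


@dataclass
class Signature:
    """Three-stage signature: pattern, then regex, then a macro that stores the evaluation."""
    vuln_id: str
    pattern: bytes       # stage 1: cheap substring test applied to every sniffed packet
    regex: re.Pattern    # stage 2: applied only to payloads that matched the pattern
    macro: Macro         # stage 3: stores what the regex yielded; None means no event


@dataclass
class IntrusionEvent:
    target: str          # host whose service banner matched
    target_port: int
    peer: str
    vuln_id: str
    evidence: Dict[str, str]


def version_below(limit: Tuple[int, int]) -> Macro:
    """Macro factory: keep the captured version only when it is below `limit` (invented rule)."""
    def macro(m: re.Match) -> Optional[Dict[str, str]]:
        text = m.group(1).decode()
        major, minor = (int(x) for x in text.split("."))
        return {"version": text} if (major, minor) < limit else None
    return macro


# Constructed signature for a fictitious "ExampleFTP" daemon.
EXAMPLE_SIGNATURES = [
    Signature(vuln_id="exampleftp-outdated",
              pattern=b"ExampleFTP",
              regex=re.compile(rb"220[ -]ExampleFTP server (\d+\.\d+) ready"),
              macro=version_below((3, 0))),
]


class PassiveScanner:
    def __init__(self, signatures: List[Signature], max_sessions: int) -> None:
        self.signatures = list(signatures)
        self.max_sessions = max_sessions          # load threshold, constructed
        self.sessions: Set[SessionKey] = set()    # sessions currently being tracked
        self.ignored: Set[SessionKey] = set()     # sessions dropped because of load
        self.events: List[IntrusionEvent] = []

    @staticmethod
    def session_key(pkt: Packet) -> SessionKey:
        """Direction-independent key so both halves of a flow share one session."""
        src, sport, dst, dport, _ = pkt
        a, b = (src, sport), (dst, dport)
        return a + b if a <= b else b + a

    def high_load(self) -> bool:
        return len(self.sessions) >= self.max_sessions

    def sniff(self, pkt: Packet) -> Optional[IntrusionEvent]:
        key = self.session_key(pkt)
        if key in self.ignored:
            return None
        if key not in self.sessions:
            if self.high_load():            # claims 1/15: new session seen while overloaded
                self.ignored.add(key)
                return None
            self.sessions.add(key)
        return self.apply_signatures(pkt)

    def session_closed(self, pkt: Packet) -> None:
        """Forget a finished session so the load, and with it the shedding, can drop again."""
        self.sessions.discard(self.session_key(pkt))

    def apply_signatures(self, pkt: Packet) -> Optional[IntrusionEvent]:
        src, sport, dst, dport, payload = pkt
        for sig in self.signatures:
            if sig.pattern not in payload:      # stage 1: pattern
                continue
            match = sig.regex.search(payload)   # stage 2: regex, only after the pattern hit
            if match is None:
                continue
            stored = sig.macro(match)           # stage 3: macro stores the evaluation
            if stored is None:
                continue
            event = IntrusionEvent(src, sport, dst, sig.vuln_id, stored)
            self.events.append(event)
            return event
        return None


if __name__ == "__main__":
    scanner = PassiveScanner(EXAMPLE_SIGNATURES, max_sessions=2)
    banner = ("10.0.0.130", 21, "10.0.0.10", 40001, b"220 ExampleFTP server 2.1 ready\r\n")
    print(scanner.sniff(banner))
```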