System and method for managing network vulnerability analysis systems

US 7,926,113 B1
Filed: 06/09/2004
Issued: 04/12/2011
Est. Priority Date: 06/09/2003
Status: Active Grant

First Claim

Patent Images

1. A method for detecting one or more vulnerabilities in a network, comprising:

distributing a plurality of active vulnerability scanners on a network having a plurality of zones defined in one or more inputs to a graphical user interface, wherein the one or more inputs to the graphical user interface place a first subset of the plurality of active vulnerability scanners in a first one of the plurality of zones, and wherein the one or more inputs to the graphical user interface further place a second subset of the plurality of active vulnerability scanners in a second one of the plurality of zones;

scanning the plurality of zones in the network with the plurality of active vulnerability scanners, wherein scanning the plurality of zones in the network with the plurality of active vulnerability scanners includes;

actively scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners, wherein scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners includes the first subset of the plurality of active vulnerability scanners sending packets to one or more network components in the first zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the first zone from the observed responses; and

actively scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners, wherein scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners includes the second subset of the plurality of active vulnerability scanners sending packets to one or more network components in the second zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the second zone from the observed responses;

forwarding results from scanning the plurality of zones in the network with the plurality of active vulnerability scanners to a vulnerability management system, wherein the scanning results forwarded from the plurality of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;

building a model of the network from the scanning results forwarded to the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;

sniffing, with one or more passive vulnerability scanners further distributed on the network, a plurality of packets observed in traffic traveling across the network, wherein the one or more passive vulnerability scanners detect an intrusion event in the network from information in the plurality of sniffed packets, and wherein sniffing the plurality of packets with the one or more passive vulnerability scanners includes the one or more passive vulnerability scanners ignoring one or more sessions newly observed on the network in response to the one or more passive vulnerability scanners having a high load; and

correlating the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods to manage multiple vulnerability scanners distributed across one or more networks using a distributed security management system, herein called a Lightning Console. By distributing multiple scanners across a network, the work load of each scanner may be reduced to significantly reduce the impact on the network routing and switching infrastructure. In addition, scanners may be placed directly behind firewalls for more thorough scanning. Further, scanners may be placed closer to their scanned networks. By placing vulnerability scanners closer, the actual scanning traffic does not cross the core network switch and routing fabric, thereby avoiding potential network outages due to scanning activity. In addition, the closer distance of the scanners to the scanned targets speeds scan times by reducing the distance that the packets must traverse.

Citations

42 Claims

1. A method for detecting one or more vulnerabilities in a network, comprising:
- distributing a plurality of active vulnerability scanners on a network having a plurality of zones defined in one or more inputs to a graphical user interface, wherein the one or more inputs to the graphical user interface place a first subset of the plurality of active vulnerability scanners in a first one of the plurality of zones, and wherein the one or more inputs to the graphical user interface further place a second subset of the plurality of active vulnerability scanners in a second one of the plurality of zones;
  
  scanning the plurality of zones in the network with the plurality of active vulnerability scanners, wherein scanning the plurality of zones in the network with the plurality of active vulnerability scanners includes;
  
  actively scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners, wherein scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners includes the first subset of the plurality of active vulnerability scanners sending packets to one or more network components in the first zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the first zone from the observed responses; and
  
  actively scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners, wherein scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners includes the second subset of the plurality of active vulnerability scanners sending packets to one or more network components in the second zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the second zone from the observed responses;
  
  forwarding results from scanning the plurality of zones in the network with the plurality of active vulnerability scanners to a vulnerability management system, wherein the scanning results forwarded from the plurality of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;
  
  building a model of the network from the scanning results forwarded to the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;
  
  sniffing, with one or more passive vulnerability scanners further distributed on the network, a plurality of packets observed in traffic traveling across the network, wherein the one or more passive vulnerability scanners detect an intrusion event in the network from information in the plurality of sniffed packets, and wherein sniffing the plurality of packets with the one or more passive vulnerability scanners includes the one or more passive vulnerability scanners ignoring one or more sessions newly observed on the network in response to the one or more passive vulnerability scanners having a high load; and
  
  correlating the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 31)
- - 2. The method of claim 1, wherein the one or more inputs to the graphical user interface place one or more of the first subset of the plurality of active vulnerability scanners or the second subset of the plurality of active vulnerability scanners behind a firewall in the network to scan one or more targets located behind the firewall.
  - 3. The method of claim 1, wherein the vulnerability management system correlates the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone using Bayesian pattern matching.
  - 4. The method of claim 1, further comprising transmitting an electronic message to at least one entity in the network in response to determining that the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.
  - 5. The method of claim 1, further comprising:
    - receiving an indication that at least one of the vulnerabilities detected in the first zone or the second zone have been removed; and
      
      updating the model of the network to remove the at least one vulnerability in response to receiving the indication that the at least one vulnerability has been removed.
  - 6. The method of claim 5, wherein the indication includes information describing an action taken to remove the at least one vulnerability.
  - 7. The method of claim 5, further comprising transmitting an electronic message to at least one entity in the network, wherein the electronic message includes information describing a recommendation for removing or mitigating the at least one vulnerability.
  - 8. The method of claim 1, wherein scanning the plurality of zones in the network with the plurality of active vulnerability scanners further includes the first subset of the plurality of active vulnerability scanners discovering one or more systems present in the first zone from the observed responses and the second subset of the plurality of active vulnerability scanners discovering one or more systems present in the second zone from the observed responses.
  - 9. The method of claim 8, wherein scanning the plurality of zones in the network with the plurality of active vulnerability scanners further includes the first subset of the plurality of active vulnerability scanners discovering one or more services running on the systems discovered in the first zone from the observed responses and the second subset of the plurality of active vulnerability scanners discovering one or more services running on the systems discovered in the second zone from the observed responses.
  - 10. The method of claim 9, wherein at least one of the vulnerabilities detected in the first zone or the vulnerabilities detected in the second zone comprises a vulnerability associated with one or more of the services discovered in the first zone or the services discovered in the second zone.
  - 11. The method of claim 1, wherein one or more of the first subset of the plurality of active vulnerability scanners or the second subset of the plurality of active vulnerability scanners are distributed outside a firewall in the network to scan one or more targets located outside the firewall.
  - 12. The method of claim 1, wherein the first subset of the plurality of active vulnerability scanners and the second subset of the plurality of active vulnerability scanners are distributed outside a firewall in the network to scan targets located outside the firewall, and wherein the one or more passive vulnerability scanners are distributed inside the firewall to sniff the plurality of packets inside the network.
  - 13. The method of claim 1, wherein the model of the network assigns weights to the one or more vulnerabilities detected in the first zone and further assigns weights to the one or more vulnerabilities detected in the second zone.
  - 14. The method of claim 13, wherein the weights include one point for any of the detected vulnerabilities that are informational, three points for any of the detected vulnerabilities that are warnings, and ten points for any of the detected vulnerabilities that are actual holes.
  - 31. The method of claim 2, further comprising assessing one or more policies associated with the firewall, wherein assessing the one or more policies associated with the firewall includes the vulnerability management system instructing the subset of the plurality of active vulnerability scanners placed behind the firewall to scan one or more targets located outside the firewall.

15. A system for detecting vulnerabilities in a network, comprising:
- a network having a plurality of zones, wherein one or more inputs to a graphical user interface define the plurality of zones in the network;
  
  a first set of active vulnerability scanners distributed in a first one of the plurality of zones in the network, wherein the one or more inputs to the graphical user interface place the first set of active vulnerability scanners in the first zone, and wherein the first set of active vulnerability scanners are configured to send packets to one or more network components in the first zone to actively scan the first zone, observe responses to the packets from the one or more network components in the first zone, and detect one or more vulnerabilities in the first zone from the observed responses;
  
  a second set of active vulnerability scanners distributed in a second one of the plurality of zones in the network, wherein the one or more inputs to the graphical user interface further place the second set of active vulnerability scanners in the second zone, and wherein the second set of active vulnerability scanners are configured to send packets to one or more network components in the second zone to actively scan the second zone, observe responses to the packets from the one or more network components in the second zone, and detect one or more vulnerabilities in the second zone from the observed responses;
  
  one or more passive vulnerability scanners configured to;
  
  sniff a plurality of packets observed in traffic traveling across the network;
  
  detect an intrusion event in the network from the information in the plurality of sniffed packets; and
  
  ignore one or more sessions newly observed on the network in response to the one or more passive vulnerability scanners having a high loada vulnerability management system, including a processor, that receives results from the first set of active vulnerability scanners scanning the first zone and the second set of active vulnerability scanners scanning the second zone, wherein the scanning results received from the first set of active vulnerability scanners and the second set of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone, and wherein the vulnerability management system is configured to;
  
  build a model of the network from the scanning results received at the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone; and
  
  correlate the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 16. The system of claim 15, wherein the one or more inputs to the graphical user interface place one or more of the first set of active vulnerability scanners or the second set of active vulnerability scanners behind a firewall in the network to scan one or more targets located behind the firewall.
  - 17. The system of claim 16, wherein the vulnerability management system is further configured to instruct the set of active vulnerability scanners placed behind the firewall to scan one or more targets located outside the firewall to assess one or more policies associated with the firewall.
  - 18. The system of claim 15, wherein the vulnerability management system correlates the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone using Bayesian pattern matching.
  - 19. The system of claim 15, wherein the vulnerability management system is further configured to transmit an electronic message to at least one entity in the network in response to determining that the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.
  - 20. The system of claim 15, wherein the vulnerability management system is further configured to:
    - receive an indication that at least one of the vulnerabilities detected in the first zone or the second zone has been removed; and
      
      update the model of the network to remove the at least one vulnerability in response to receiving the indication that the at least one vulnerability has been removed.
  - 21. The system of claim 20, wherein the indication includes information describing an action taken to remove the at least one vulnerability.
  - 22. The system of claim 20, wherein the vulnerability management system is further configured to transmit an electronic message to at least one entity in the network, wherein the electronic message includes a recommendation for removing or mitigating the at least one vulnerability.
  - 23. The system of claim 15, wherein the first set of active vulnerability scanners are further configured to discover one or more systems present in the first zone from the observed responses, and wherein the second set of active vulnerability scanners are further configured to discover one or more systems present in the second zone from the observed responses.
  - 24. The system of claim 23, wherein the first set of active vulnerability scanners are further configured to discover one or more services running on the systems discovered in the first zone from the observed responses, and wherein the second set of active vulnerability scanners are further configured to discover one or more services running on the systems discovered in the second zone from the observed responses.
  - 25. The system of claim 24, wherein at least one of the vulnerabilities detected in the first zone or the vulnerabilities detected in the second zone comprises a vulnerability associated with one or more of the services discovered in the first zone or services discovered in the second zone.
  - 26. The system of claim 15, wherein one or more of the first set of active vulnerability scanners or the second set of active vulnerability scanners are distributed outside a firewall in the network to scan one or more targets located outside the firewall.
  - 27. The system of claim 15, wherein the first set of active vulnerability scanners and the second set of the active vulnerability scanners are distributed outside a firewall in the network to scan targets located outside the firewall, and wherein the one or more passive vulnerability scanners are distributed inside the firewall to sniff the plurality of packets inside the network.
  - 28. The system of claim 15, wherein the model of the network assigns weights to the one or more vulnerabilities detected in the first zone and further assigns weights to the one or more vulnerabilities detected in the second zone.
  - 29. The system of claim 28, wherein the weights include one point for any of the detected vulnerabilities that are informational, three points for any of the detected vulnerabilities that are warnings, and ten points for any of the detected vulnerabilities that are actual holes.

30. A method for detecting one or more vulnerabilities in a network, comprising:
- distributing a plurality of active vulnerability scanners on a network having a plurality of zones defined in one or more inputs to a graphical user interface, wherein the one or more inputs to the graphical user interface specify a first IP address range to define a first one of the plurality of zones, a first set of IP addresses and listening ports for a first subset of the plurality of active vulnerability scanners to place the first subset of the plurality of active vulnerability scanners in the first zone, a second IP address range to define a second one of the plurality of zones, and a second set of IP addresses and listening ports for a second subset of the plurality of active vulnerability scanners to place the second subset of the plurality of active vulnerability scanners in the second zone;
  
  scanning the plurality of zones in the network with the plurality of active vulnerability scanners, wherein scanning the plurality of zones in the network with the plurality of active vulnerability scanners includes;
  
  actively scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners, wherein scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners includes the first subset of the plurality of active vulnerability scanners evenly dividing work associated with actively scanning the first zone in the network, sending packets to one or more network components in the first zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the first zone from the observed responses; and
  
  actively scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners, wherein scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners includes the second subset of the plurality of active vulnerability scanners evenly dividing work associated with actively scanning the second zone in the network, sending packets to one or more network components in the second zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the second zone from the observed responses;
  
  forwarding results from scanning the plurality of zones in the network with the plurality of active vulnerability scanners to a vulnerability management system, wherein the scanning results forwarded from the plurality of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;
  
  building a model of the network from the scanning results forwarded to the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;
  
  sniffing, with one or more passive vulnerability scanners further distributed on the network, a plurality of packets observed in traffic traveling across the network, wherein the one or more passive vulnerability scanners detect an intrusion event in the network from information in the plurality of sniffed packets; and
  
  correlating the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.

32. A method for detecting one or more vulnerabilities in a network, comprising:
- distributing a plurality of active vulnerability scanners on a network having a plurality of zones defined in one or more inputs to a graphical user interface, wherein the one or more inputs to the graphical user interface place a first subset of the plurality of active vulnerability scanners in a first one of the plurality of zones, and wherein the one or more inputs to the graphical user interface further place a second subset of the plurality of active vulnerability scanners in a second one of the plurality of zones;
  
  scanning the plurality of zones in the network with the plurality of active vulnerability scanners, wherein the first zone contains the second zone, and wherein scanning the plurality of zones in the network with the plurality of active vulnerability scanners includes;
  
  actively scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners, wherein scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners includes the first subset of the plurality of active vulnerability scanners sending packets to one or more network components in the first zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the first zone from the observed responses, and wherein the first subset of the plurality of active vulnerability scanners;
  
  only scan portions of the first zone located outside the second zone, orscan portions of the first zone located inside the second zone in response to the one or more inputs to the graphical user interface including an override for a default scan source associated with the first subset of the plurality of active vulnerability scanners;
  
  actively scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners, wherein scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners includes the second subset of the plurality of active vulnerability scanners sending packets to one or more network components in the second zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the second zone from the observed responses;
  
  forwarding results from scanning the plurality of zones in the network with the plurality of active vulnerability scanners to a vulnerability management system, wherein the scanning results forwarded from the plurality of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;
  
  building a model of the network from the scanning results forwarded to the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;
  
  sniffing, with one or more passive vulnerability scanners further distributed on the network, a plurality of packets observed in traffic traveling across the network, wherein the one or more passive vulnerability scanners detect an intrusion event in the network from information in the plurality of sniffed packets; and
  
  correlating the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.

33. A system for detecting vulnerabilities in a network, comprising:
- a network having a plurality of zones, wherein one or more inputs to a graphical user interface define the plurality of zones in the network;
  
  a first set of active vulnerability scanners distributed in a first one of the plurality of zones in the network, wherein the one or more inputs to the graphical user interface specify a first IP address range to define the first zone in the network and a first set of IP addresses and listening ports for the first set of active vulnerability scanners to place the first set of active vulnerability scanners in the first zone, and wherein the first set of active vulnerability scanners are configured to evenly divide work associated with actively scanning the first zone in the network, send packets to one or more network components in the first zone to actively scan the first zone, observe responses to the packets from the one or more network components in the first zone, and detect one or more vulnerabilities in the first zone from the observed responses;
  
  a second set of active vulnerability scanners distributed in a second one of the plurality of zones in the network, wherein the one or more inputs to the graphical user interface specify a second IP address range to define the second zone and a second set of IP addresses and listening ports for the second set of active vulnerability scanners to place the second set of active vulnerability scanners in the second zone, and wherein the second set of active vulnerability scanners are configured to evenly divide work associated with actively scanning the second zone in the network, send packets to one or more network components in the second zone to actively scan the second zone, observe responses to the packets from the one or more network components in the second zone, and detect one or more vulnerabilities in the second zone from the observed responses;
  
  one or more passive vulnerability scanners configured to sniff a plurality of packets observed in traffic traveling across the network, wherein the one or more passive vulnerability scanners detect an intrusion event in the network from the information in the plurality of sniffed packets; and
  
  a vulnerability management system, including a processor, that receives results from the first set of active vulnerability scanners scanning the first zone and the second set of active vulnerability scanners scanning the second zone, wherein the scanning results received from the first set of active vulnerability scanners and the second set of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone, and wherein the vulnerability management system is configured to;
  
  build a model of the network from the scanning results received at the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone; and
  
  correlate the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.

34. A system for detecting vulnerabilities in a network, comprising:
- a network having a plurality of zones that include a first zone and a second zone, wherein one or more inputs to a graphical user interface define the plurality of zones in the network such that the first zone contains the second zone;
  
  a first set of active vulnerability scanners distributed in the first zone and configured to send packets to one or more network components in the first zone to actively scan the first zone, observe responses to the packets from the one or more network components in the first zone, and detect one or more vulnerabilities in the first zone from the observed responses, wherein the one or more inputs to the graphical user interface place the first set of active vulnerability scanners in the first zone, and wherein the first set of active vulnerability scanners;
  
  only scan portions of the first zone located outside the second zone, orscan portions of the first zone located inside the second zone in response to the one or more inputs to the graphical user interface including an override for a default scan source associated with the first set of active vulnerability scanners;
  
  a second set of active vulnerability scanners distributed in the second zone and configured to send packets to one or more network components in the second zone to actively scan the second zone, observe responses to the packets from the one or more network components in the second zone, and detect one or more vulnerabilities in the second zone from the observed responses, wherein the one or more inputs to the graphical user interface further place the second set of active vulnerability scanners in the second zone;
  
  one or more passive vulnerability scanners configured to sniff a plurality of packets observed in traffic traveling across the network, wherein the one or more passive vulnerability scanners detect an intrusion event in the network from the information in the plurality of sniffed packets; and
  
  a vulnerability management system that receives results from the first set of active vulnerability scanners scanning the first zone and the second set of active vulnerability scanners scanning the second zone, wherein the scanning results received from the first set of active vulnerability scanners and the second set of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone, and wherein the vulnerability management system is configured to;
  
  build a model of the network from the scanning results received at the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone; and
  
  correlate the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.

35. A system for detecting vulnerabilities in a network, comprising:
- a network having a plurality of zones, wherein one or more inputs to a graphical user interface define the plurality of zones in the network;
  
  a first set of active vulnerability scanners distributed in a first one of the plurality of zones in the network, wherein the one or more inputs to the graphical user interface place the first set of active vulnerability scanners in the first zone, and wherein the first set of active vulnerability scanners are configured to send packets to one or more network components in the first zone to actively scan the first zone, observe responses to the packets from the one or more network components in the first zone, and detect one or more vulnerabilities in the first zone from the observed responses;
  
  a second set of active vulnerability scanners distributed in a second one of the plurality of zones in the network, wherein the one or, more inputs to the graphical user interface further place the second set of active vulnerability scanners in the second zone, and wherein the second set of active vulnerability scanners are configured to send packets to one or more network components in the second zone to actively scan the second zone, observe responses to the packets from the one or more network components in the second zone, and detect one or more vulnerabilities in the second zone from the observed responses;
  
  one or more passive vulnerability scanners configured to sniff a plurality of packets observed in traffic traveling across the network, wherein the one or more passive vulnerability scanners detect an intrusion event in the network in response to applying one or more signatures to information in the plurality of sniffed packets and recognizing one or more vulnerable service banners in at least one of the plurality of packets using the applied signatures, and wherein the one or more signatures include;
  
  one or more patterns that the passive vulnerability scanners apply to the information in the plurality of sniffed packets,one or more regular expressions the passive vulnerability scanners apply to the information in the plurality of sniffed packets in response to the information in the plurality of sniffed packets matching the one or more patterns, andone or more macros that instruct the passive vulnerability scanners to store an evaluation from applying the one or more regular expressions to the information in the plurality of sniffed packets, anda vulnerability management system, including a processor, that receives results from the first set of active vulnerability scanners scanning the first zone and the second set of active vulnerability scanners scanning the second zone, wherein the scanning results received from the first set of active vulnerability scanners and the second set of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone, and wherein the vulnerability management system is configured to;
  
  build a model of the network from the scanning results received at the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone; and
  
  correlate the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.
- View Dependent Claims (36, 37, 38)
- - 36. The system of claim 35, wherein the one or more passive vulnerability scanners apply the one or more patterns to the information in consecutive packets within the plurality of sniffed packets.
  - 37. The system of claim 35, wherein the one or more patterns include one or more of a binary pattern providing a string that the one or more passive vulnerability scanners apply to the information in the plurality of sniffed packets.
  - 38. The system of claim 35, wherein the one or more patterns include a time dependent pattern having a first pattern that the one or more passive vulnerability scanners apply to the information in the plurality of sniffed packets and a second pattern that the one or more passive vulnerability scanners apply to the information in the plurality of sniffed packets in response to determining that the information in the plurality of sniffed packets matches the first pattern in accordance with a predetermined time dependency.

39. A method for detecting one or more vulnerabilities in a network, comprising:
- distributing a plurality of active vulnerability scanners on a network having a plurality of zones defined in one or more inputs to a graphical user interface, wherein the one or more inputs to the graphical user interface place a first subset of the plurality of active vulnerability scanners in a first one of the plurality of zones, and wherein the one or more inputs to the graphical user interface further place a second subset of the plurality of active vulnerability scanners in a second one of the plurality of zones;
  
  scanning the plurality of zones in the network with the plurality of active vulnerability scanners, wherein scanning the plurality of zones in the network with the plurality of active vulnerability scanners includes;
  
  actively scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners, wherein scanning the first zone in the network with the first subset of the plurality of active vulnerability scanners includes the first subset of the plurality of active vulnerability scanners sending packets to one or more network components in the first zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the first zone from the observed responses; and
  
  actively scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners, wherein scanning the second zone in the network with the second subset of the plurality of active vulnerability scanners includes the second subset of the plurality of active vulnerability scanners sending packets to one or more network components in the second zone, observing responses to the packets from the one or more network components, and detecting one or more vulnerabilities in the second zone from the observed responses;
  
  forwarding results from scanning the plurality of zones in the network with the plurality of active vulnerability scanners to a vulnerability management system, wherein the scanning results forwarded from the plurality of active vulnerability scanners include information describing the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;
  
  building a model of the network from the scanning results forwarded to the vulnerability management system, wherein the model of the network maps the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone;
  
  sniffing, with one or more passive vulnerability scanners further distributed on the network, a plurality of packets observed in traffic traveling across the network, wherein the one or more passive vulnerability scanners detect an intrusion event in the network in response to applying one or more signatures to information in the plurality of sniffed packets and recognizing one or more vulnerable service banners in at least one of the plurality of packets using the applied signatures, and wherein the one or more signatures include;
  
  one or more patterns that the passive vulnerability scanners apply to the information in the plurality of sniffed packets,one or more regular expressions the passive vulnerability scanners apply to the information in the plurality of sniffed packets in response to the information in the plurality of sniffed packets matching the one or more patterns, andone or more macros that instruct the passive vulnerability scanners to store an evaluation from applying the one or more regular expressions to the information in the plurality of sniffed packets; and
  
  correlating the detected intrusion event with the one or more vulnerabilities detected in the first zone and the one or more vulnerabilities detected in the second zone to determine whether the detected intrusion event targets any of the vulnerabilities detected in the first zone or the second zone.
- View Dependent Claims (40, 41, 42)
- - 40. The method of claim 39, wherein the one or more passive vulnerability scanners apply the one or more patterns to the information in consecutive packets within the plurality of sniffed packets.
  - 41. The method of claim 39, wherein the one or more patterns include one or more of a binary pattern providing a string that the one or more passive vulnerability scanners apply to the information in the plurality of sniffed packets.
  - 42. The method of claim 39, wherein the one or more patterns include a time dependent pattern having a first pattern that the one or more passive vulnerability scanners apply to the information in the plurality of sniffed packets and a second pattern that the one or more passive vulnerability scanners apply to the information in the plurality of sniffed packets in response to determining that the information in the plurality of sniffed packets matches the first pattern in accordance with a predetermined time dependency.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tenable, Inc. (Tenable Holdings, Inc.)
Original Assignee
Tenable Network Security Incorporated (Tenable Holdings, Inc.)
Inventors
Deraison, Renaud Marie Maurice, Hayton, Matthew Todd, Gula, Ronald Joseph
Primary Examiner(s)
Lanier; Benjamin E
Assistant Examiner(s)
ZECHER, CORDELIA P K

Application Number

US10/863,238
Time in Patent Office

2,498 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

H04L 41/22 comprising specially adapte...

H04L 63/1425 Traffic logging, e.g. anoma...

System and method for managing network vulnerability analysis systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for managing network vulnerability analysis systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links