Network security system having a device profiler communicatively coupled to a traffic monitor

US 8,020,211 B2
Filed: 09/01/2009
Issued: 09/13/2011
Est. Priority Date: 08/25/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method for providing security to a plurality of hosts on a network, the method comprising:

receiving determined characteristics of the host;

accessing vulnerabilities of the hosts stored in a vulnerability tree having nodes representative of characteristics of the host and a set of potential vulnerabilities associated with ones of the nodes;

determining one or more vulnerabilities of the host corresponding to the determined characteristics of the host in the vulnerability tree;

associating the determined vulnerabilities of the host with one or more attack signatures; and

providing the determined vulnerabilities of the host and their corresponding attack signatures to a traffic monitor, the traffic monitor configured to monitor the network for traffic indicative of attacks exploiting one or more of the determined vulnerabilities of the host.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities.

78 Citations

View as Search Results

30 Claims

1. A method for providing security to a plurality of hosts on a network, the method comprising:
- receiving determined characteristics of the host;
  
  accessing vulnerabilities of the hosts stored in a vulnerability tree having nodes representative of characteristics of the host and a set of potential vulnerabilities associated with ones of the nodes;
  
  determining one or more vulnerabilities of the host corresponding to the determined characteristics of the host in the vulnerability tree;
  
  associating the determined vulnerabilities of the host with one or more attack signatures; and
  
  providing the determined vulnerabilities of the host and their corresponding attack signatures to a traffic monitor, the traffic monitor configured to monitor the network for traffic indicative of attacks exploiting one or more of the determined vulnerabilities of the host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - storing the determined vulnerabilities at a location on the network centrally accessible to evaluating and monitoring hosts for vulnerabilities; and
      
      identifying attack signatures of network traffic indicating attacks exploiting the determined vulnerabilities of the host,wherein the traffic monitor is configured to monitor the network traffic for the attack signatures at a monitoring location having access to the centrally accessible location.
  - 3. The method of claim 1, wherein the characteristics of the host are determined by evaluating responses of a host of the plurality of hosts to anomalous data packets sent over the network to the host.
  - 4. The method of claim 3, wherein the characteristics of the host are determined further by analyzing responses of the host to the anomalous data packets with respect to at least one of layer 3 or layer 4 of the Open Systems Interconnection model to determine characteristics of the host.
  - 5. The method of claim 3, wherein the determined characteristics comprise an operating system version and patch level of the host.
  - 6. The method of claim 1, wherein the characteristics of the host are determined based on analyzing the host'"'"'s responses to data packets with respect to at least one of layer 5, layer 6 or layer 7 of the Open Systems Interconnection model.
  - 7. The method of claim 6, wherein the determined characteristics comprise an application version and patch level executing on the host.
  - 8. The method of claim 1, wherein the traffic monitor is configured to monitor only for determined vulnerabilities exploitable from a monitoring location on the network.
  - 9. The method of claim 1, further comprising:
    - updating the determined vulnerabilities based on detecting updated characteristics.
  - 10. The method of claim 1, wherein the traffic monitor is configured to selectively restrict network traffic to the host responsive to receiving a notification related to one of the determined vulnerabilities.

11. A computer program product for providing security to a plurality of hosts on a network, the computer program product comprising a non-transitory computer readable medium storing computer program code including instructions for:
- receiving determined characteristics of the host;
  
  accessing vulnerabilities of the hosts stored in a vulnerability tree having nodes representative of characteristics of the host and a set of potential vulnerabilities associated with ones of the nodes;
  
  determining one or more vulnerabilities of the host corresponding to the determined characteristics of the host in the vulnerability tree;
  
  associating the determined vulnerabilities of the host with one or more attack signatures; and
  
  providing the determined vulnerabilities of the host and their corresponding attack signatures to a traffic monitor, the traffic monitor configured to monitor the network for traffic indicative of attacks exploiting one or more of the determined vulnerabilities of the host.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer program product of claim 11, further comprising computer program code for:
    - storing the determined vulnerabilities at a location on the network centrally accessible to evaluating and monitoring hosts for vulnerabilities; and
      
      identifying attack signatures of network traffic indicating attacks exploiting the determined vulnerabilities of the host,wherein the traffic monitor is configured to monitor the network traffic for the attack signatures at a monitoring location having access to the centrally accessible location.
  - 13. The computer program product of claim 11, wherein the characteristics of the host are determined by evaluating responses of a host of the plurality of hosts to anomalous data packets sent over the network to the host.
  - 14. The computer program product of claim 13, wherein the characteristics of the host are determined further by analyzing responses of the host to the anomalous data packets with respect to at least one of layer 3 or layer 4 of the Open Systems Interconnection model to determine characteristics of the host.
  - 15. The computer program product of claim 13, wherein the determined characteristics comprise an operating system version and patch level of the host.
  - 16. The computer program product of claim 11, wherein the characteristics of the host are determined based on analyzing the host'"'"'s responses to data packets with respect to at least one of layer 5, layer 6 or layer 7 of the Open Systems Interconnection model.
  - 17. The computer program product of claim 16, wherein the determined characteristics comprise an application version and patch level executing on the host.
  - 18. The computer program product of claim 11, wherein the traffic monitor is configured to monitor only for determined vulnerabilities exploitable from a monitoring location on the network.
  - 19. The computer program product of claim 11, further comprising computer program code for:
    - updating the determined vulnerabilities based on detecting updated characteristics.
  - 20. The computer program product of claim 11, wherein the traffic monitor is configured to selectively restrict network traffic to the host responsive to receiving a notification related to one of the determined vulnerabilities.

21. A distributed computer network security system for detecting an attack on a host on a network having a plurality of hosts, the system comprising:
- a device profiler communicatively coupled with the network, the device profiler configured to received determined characteristics of the host, to access vulnerabilities of the hosts stored in a vulnerability tree having nodes representative of characteristics of the host and a set of potential vulnerabilities associated with ones of the nodes, to determine one or more vulnerabilities of the host corresponding to the determined characteristics of the host in the vulnerability tree, and to associate the determined vulnerabilities of the host with one or more attack signatures; and
  
  a traffic monitor communicatively coupled with the network, the traffic monitor configured to receive the determined vulnerabilities of the host and their corresponding attack signatures from the device profiler, and to monitor the network for traffic indicative of attacks exploiting one or more of the determined vulnerabilities of the host.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The system of claim 21, wherein:
    - the determined vulnerabilities are stored at a location on the network centrally accessible to evaluating and monitoring hosts for vulnerabilities;
      
      the device profiler is configured to identify attack signatures of network traffic indicating attacks exploiting the determined vulnerabilities of the host; and
      
      the traffic monitor is configured to monitor the network traffic for the attack signatures at a monitoring location having access to the centrally accessible location.
  - 23. The system of claim 21, wherein device profiler is configured to determine the characteristics of the host by evaluating responses of a host of the plurality of hosts to anomalous data packets sent over the network to the host.
  - 24. The system of claim 23, wherein the device profiler is configured to determine the characteristics of the host further by analyzing responses of the host to the anomalous data packets with respect to at least one of layer 3 or layer 4 of the Open Systems Interconnection model to determine characteristics of the host.
  - 25. The system of claim 23, wherein the determined characteristics comprise an operating system version and patch level of the host.
  - 26. The system of claim 21, wherein the device profiler is configured to determine the characteristics of the host based on analyzing the host'"'"'s responses to data packets with respect to at least one of layer 5, layer 6 or layer 7 of the Open Systems Interconnection model.
  - 27. The system of claim 26, wherein the determined characteristics comprise an application version and patch level executing on the host.
  - 28. The system of claim 21, wherein the traffic monitor is configured to monitor only for determined vulnerabilities exploitable from a monitoring location on the network.
  - 29. The system of claim 21, wherein the device profiler is further configured to update the determined vulnerabilities based on detecting updated characteristics.
  - 30. The system of claim 21, wherein the traffic monitor is configured to selectively restrict network traffic to the host responsive to receiving a notification related to one of the determined vulnerabilities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tripwire Incorporated (Belden Inc.)
Original Assignee
nCircle Network Security, Inc. (Belden Inc.)
Inventors
Keanini, Timothy D., Quiroga, Martin A., Buchanan, Brian W., Flowers, John S.
Primary Examiner(s)
MOORTHY, ARAVIND K

Application Number

US12/552,264
Publication Number

US 20090320138A1
Time in Patent Office

742 Days
Field of Search

726/25, 726/3, 726/23, 713/151, 713/153, 713/166, 713/177, 713/188, 709/224, 714/4.1, 714/47.1, 714/48
US Class Current

726/25
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Network security system having a device profiler communicatively coupled to a traffic monitor

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Network security system having a device profiler communicatively coupled to a traffic monitor

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others