Systems and methods for real-time network-based vulnerability assessment

US 8,127,359 B2
Filed: 04/09/2004
Issued: 02/28/2012
Est. Priority Date: 04/11/2003
Status: Active Grant

First Claim

Patent Images

1. A system for real-time vulnerability assessment of a host computer or device, said system comprising:

an agent residing and running on the host computer or device, said agent comprising;

an executable agent module configured to track in real-time the status of interfaces and ports on interfaces of host computer or device by monitoring and storing the status information as information entries in a first data structure,wherein the agent tracks the status of interfaces and ports by listening to the start and stop of network services on the host computer or device in real-time;

said executable agent module configured to compare the entries to determine any change in the status of at least one of interfaces and ports on the interfaces of the host computer or device,said executable agent communicating the information entries to a remote destination server on the network;

the remote destination server comprising;

an executable server module configured to receive the information entries communicated by the executable agent module,said executable server module configured to store the received information entries in a second data structure, wherein the information entries indicate the state of each of the ports on each of the active interfaces of the host computer or device,said executable server module configured to compare the received information entries with stored information on the server to determine the change in the status of at least one of interfaces and ports on the interfaces of the host computer or device, andsaid executable server module configured to run a network based vulnerability assessment tests on the host computer or device in the event of a change in the status of at least one of interface and ports.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for real-time vulnerability assessment of a host/device, said system comprising an agent running on the host/device. The agent includes a a first data structure for storing the status of interfaces and ports on the interfaces of the host/device. An n executable agent module is coupled to the first data structure to track the status of interfaces and ports on the interfaces of the host/device and to store the information, as entries in said first data structure. The executable agent module compares the entries to determine a change in the status of interfaces and/or of ports on the interfaces of the host/device. A remote destination server is provided that includes a second data structure for storing the status of interfaces and the ports on the interfaces of the host/device. An executable server module is coupled to the second data structure to receive the information communicated by the agent executable module of the agent on the host/device. The executable server module stores the received information as entries in the second data structure wherein the entries indicate the state of each of the ports on each of the active interfaces of the host/device as received. The executable server module compares the entries in said data structures to determine the change in the status of interfaces and ports on the interfaces of the host/device. The executable server module runs vulnerability assessment tests on the host/device in the event of a change in the status of interface/ports.

Citations

34 Claims

1. A system for real-time vulnerability assessment of a host computer or device, said system comprising:
- an agent residing and running on the host computer or device, said agent comprising;
  
  an executable agent module configured to track in real-time the status of interfaces and ports on interfaces of host computer or device by monitoring and storing the status information as information entries in a first data structure,wherein the agent tracks the status of interfaces and ports by listening to the start and stop of network services on the host computer or device in real-time;
  
  said executable agent module configured to compare the entries to determine any change in the status of at least one of interfaces and ports on the interfaces of the host computer or device,said executable agent communicating the information entries to a remote destination server on the network;
  
  the remote destination server comprising;
  
  an executable server module configured to receive the information entries communicated by the executable agent module,said executable server module configured to store the received information entries in a second data structure, wherein the information entries indicate the state of each of the ports on each of the active interfaces of the host computer or device,said executable server module configured to compare the received information entries with stored information on the server to determine the change in the status of at least one of interfaces and ports on the interfaces of the host computer or device, andsaid executable server module configured to run a network based vulnerability assessment tests on the host computer or device in the event of a change in the status of at least one of interface and ports.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1 wherein said executable server module is configured to receive and update the vulnerability data in a vulnerability database whenever new vulnerabilities are discovered, and wherein said executable server module is configured to test the host/device for the new vulnerabilities whenever the vulnerability database is updated with new vulnerabilities, and to determine the new vulnerabilities.
  - 3. The system of claim 1, wherein status of an interface is either active or inactive.
  - 4. The system of claim 1, wherein status of a port is a service listening on the port or not.
  - 5. The system of claim 1, wherein the agent tracks the change in status of at least one of ports and interface by at least one of monitoring in real-time and polling at periodic intervals for the status of one of ports and interfaces and storing the entries.
  - 6. The system of claim 1, wherein the communication protocol between the host computer or device and the destination server is a standard transport level utility selected from sockets or any other standard communication protocol.
  - 7. The system of claim 1, wherein the server executable module compares the entries corresponding two consecutive time intervals.
  - 8. The system of claim 1, wherein the host computer or device is selected from a switch, a router, a device running a standard real-time operating system, a mobile device or a PDA.
  - 9. The system of claim 1, wherein the host computer or device is an enterprise or consumer machine running with Windows, Unix, Linux, VxWorks, Symbian or PalmOS.
  - 10. The system of claim 1, wherein the changes that are communicated to the destination server consisting of the IP address of the interface(s) and the port numbers on which listening services have started or stopped on the particular interface(s).
  - 11. The system of claim 1, wherein the status of the port consists of separate statuses for TC and UD protocols.
  - 12. The system of claim 1, wherein plurality of host computer or devices is tracked in conjunction with one or more destination servers handling the host computer or devices.

13. Logic encoded in a program stored in a computer readable storage device for real-time vulnerability assessment of a host computer or device, and said program when executed by a computer causes the computer to perform the following steps:
- an agent residing and running on the host computer or device, said agent,tracking in real-time the status of at least one of interfaces and ports on a host computer or device by monitoring and storing the status information as information entries in a first data structure,wherein the agent tracks the status of interfaces and ports by listening to the start and stop of network services on the host computer or device in real-time;
  
  comparing the entries to determine any change in the status of at least one of interfaces and ports on the interfaces of the host computer or device,communicating the change in the status of at least one of the interfaces and ports of the host computer or device to a remotely located destination server on the network,tracking, by the remote destination server, in real-time the status of ports and interfaces of the host computer or device communicated by the agent, andconducting, by the remote destination server, a network based vulnerability assessment tests on the host computer or device in the event of a change in the status of at least one of interfaces and ports of the host computer or device.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 14. The logic of claim 13, wherein the status of an interface is either active or inactive.
  - 15. The logic of claim 13, wherein status of a port is a service listening on the port or not.
  - 16. The logic of claim 13, wherein the status of the port consists of separate statuses for TC and UD protocols.
  - 17. The logic of claim 13, wherein tracking consists of the agent tracking the change in status of at least one of ports and interface by at least one of monitoring in real-time and polling at periodic intervals for the status of at least one of ports and interfaces on the host computer or device.
  - 18. The logic of claim 15, wherein the communication protocol between the host computer or device and the destination server is a standard transport level utility selected from sockets or any other standard communication protocol.
  - 19. The logic of claim 13, wherein the host computer or device is selected from a switch, a router, a device running a standard real-time operating system, a mobile device or a PDA.
  - 20. The logic of claim 13, wherein the host computer or device is an enterprise or consumer machine running with Windows, Unix, Linux. VxWorks Symbian or PalmOS.
  - 21. The logic of claim 13, wherein the changes that are communicated to the destination server consisting of the IP address of the interface(s) and the port numbers on which listening services have started or stopped on the particular interface(s).
  - 22. The logic of claim 13, wherein the information that is communicated from the host computer or device to the destination server is the names of the services.
  - 23. The logic of claim 13, wherein the information that is communicated from the host computer or device to the destination server is a message signaling a change in the status at least one of interfaces and ports on the host computer or device.
  - 24. The logic of claim 13, wherein the vulnerability assessment server used by the destination server is updated with the new vulnerabilities to test the presence of vulnerabilities.
  - 25. The logic of claim 13, wherein a plurality of host computer or devices are tracked in conjunction with plurality of destination servers handling the host computer or devices.

26. A computer-implemented method for real-time vulnerability assessment of a host computer or device, said method comprising:
- tracking, by the agent residing and running on the host computer or device, in real-time the status of interfaces and ports on the host computer or device,wherein the agent tracks the status of interfaces and ports by listening to the start and stop of network services the host computer or device in real-time;
  
  collecting and storing the status as information entries in a first data structure on the host computer or device;
  
  comparing the entries to determine any change in the status of at least one of interfaces and the status of ports on the interfaces of the host computer or device;
  
  communicating the changes in the status of interfaces and the status of ports to a remotely located remote destination server on the network;
  
  storing said changes as entries in a second data structure in the remote destination server wherein the entries indicate the state of each of the ports on each of the active interfaces of the host computer or device communicated by the agent;
  
  comparing, by the remote destination server, the entries stored at the remote destination server to determine it there is any change in the status of interfaces and ports on the interfaces of the host computer or device; and
  
  running, by the remote destination server, a network based vulnerability assessment tests on the host computer or device and reporting the results.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34)
- - 27. The method of claim 26, wherein the status of an interface is either active or inactive.
  - 28. The method of claim 26, wherein the status of a port is a service listening on the port or not.
  - 29. The method of claim 26, wherein the agent tracks the change in status of at least one of ports and interface by at least one of monitoring in real-time and polling at periodic intervals for the status of at least one of ports and interfaces and storing the entries.
  - 30. The method of claim 26, wherein the communication protocol between the host computer or device and the destination server is a standard transport level utility selected from sockets or any other standard communication protocol.
  - 31. The method of claim 26, wherein the server executable module compares the entries corresponding two consecutive time intervals.
  - 32. The method of claim 26, wherein the changes that are communicated to the destination server consisting of the IP address of the interface(s) and the port numbers on which listening services have started or stopped on the particular interface(s).
  - 33. The method of claim 26, wherein the status of the port consists of separate statuses for TC and UD protocols.
  - 34. The method of claim 26, wherein the plurality of host computer or devices is tracked in conjunction with one or more destination servers handling the host computer or devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Praveer Gupta, Samir Gurunath Kelekar
Inventors
Kelekar, Samir Gurunath
Primary Examiner(s)
Gergiso, Techane
Assistant Examiner(s)
Gelagay, Shewaye

Application Number

US10/820,790
Publication Number

US 20050005169A1
Time in Patent Office

2,881 Days
Field of Search

726/25, 726/22, 713/151, 709/224, 370/241
US Class Current

726/25
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 9/542   Event management; Broadcast...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Systems and methods for real-time network-based vulnerability assessment

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for real-time network-based vulnerability assessment

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links