Method and apparatus for detecting vulnerability status of a target

US 9,537,876 B2
Filed: 01/14/2012
Issued: 01/03/2017
Est. Priority Date: 04/11/2003
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising:

receiving at a server from a target, a notification of detection, in real time, of an event on the target, the event on the target comprisingat least one of a change in status of;

a network interface from active to inactive or vice versa,a client network service from start to stop or vice versa,a server network service from start to stop or vice versa, ora port from open to close or vice versa;

determining, at the server, in response to the notification, that a change has occurred in the status of at least one of the network interface, the client network service, the server network service, or the port;

when the notification indicates that the status of the port has changed, determining services running on the port, and based on the determined services, determining that security status of a network comprising the target is vulnerable; and

determining based on the determination of the change of status, that the security status of the network comprising the target is vulnerable,wherein, the detection at the target is implemented by at least one of an operating system (OS) service, an OS command, a hook, or an API.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer implemented method for detecting vulnerability status of a target having interfaces and ports is provided. The method comprises tracking the occurrence of an event including at least one of a network interface becoming active and/or inactive, start and/or stop of a client network service using a port on an active network interface, start and/or stop of a server network service running on a port on an active network interface, and start and/or stop of a network service that does not entail the use of any port. A notification is generated that a possible vulnerability status altering event has occurred. Tracking the occurrence of the event includes tracking using at least one of an operating system (OS) service, an OS command, a hook, and an API.

Citations

23 Claims

1. A computer implemented method comprising:
- receiving at a server from a target, a notification of detection, in real time, of an event on the target, the event on the target comprisingat least one of a change in status of;
  
  a network interface from active to inactive or vice versa,a client network service from start to stop or vice versa,a server network service from start to stop or vice versa, ora port from open to close or vice versa;
  
  determining, at the server, in response to the notification, that a change has occurred in the status of at least one of the network interface, the client network service, the server network service, or the port;
  
  when the notification indicates that the status of the port has changed, determining services running on the port, and based on the determined services, determining that security status of a network comprising the target is vulnerable; and
  
  determining based on the determination of the change of status, that the security status of the network comprising the target is vulnerable,wherein, the detection at the target is implemented by at least one of an operating system (OS) service, an OS command, a hook, or an API.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the detecting in response to the notification further comprises monitoring at least one of a status of open ports on active interfaces on the target, or a status of interfaces on the target.
  - 3. The method of claim 2, wherein the monitoring comprises comparing at least two status of the at least one of the network interface or the port, and determining a change in the status of the at least one of the network interface or the port.
  - 4. The method of claim 2, wherein the monitoring comprises determining at least one of a change in the status of the interface of the target, or a change in status of ports on an active interface of the target, wherein possible states of the interface includes being active, and not active, and wherein possible states of the port includes being open, and not open.
  - 5. The method of claim 1, wherein the detecting in response to the notification further comprises monitoring status of interfaces on the target, possible states of the interface includes being active, and not active, and monitoring start or stop of network services on an active interface of the target.
  - 6. The method of claim 5, wherein the monitoring comprises generating a list of network services started on the active network interface of the target, comparing at least two status from the list, determining a change in at least one of the status of the at least one of the server network service or the client network service or the status of network interface.
  - 7. The method of claim 1, wherein the detecting in response to the notification further comprises monitoring at least one of a change in the status of network services on an active network interface, or a change in the status of the network interface.
  - 8. The method of claim 7, wherein the network interface is denoted by an IP address.
  - 9. The method of claim 1, further comprising conducting a vulnerability assessment on at least one of a service running on an open port of an active interface of the target, or a service not entailing the use of a port.
  - 10. The method of claim 9, further comprising determining at least one of start or stop of services, or a change in the status of a network interface.
  - 11. The method of claim 9, wherein vulnerability assessment test is run on ports or services that are newly started, and an overall vulnerability assessment report is generated by appropriately concatenating a previous report and a current report.
  - 12. The method of claim 9, wherein a vulnerability assessment is conducted in response to the determination that the security status of the network comprising the target is vulnerable.
  - 13. The method of claim 9, further comprisingidentifying new vulnerabilities,generating test scripts for new vulnerabilities,conducting vulnerability assessment tests to determine presence of the new vulnerabilities on the target.
  - 14. The method of claim 1, further comprisingconducting a test to determine at least one of start or stop of a service on an open port,conducting a vulnerability assessment test on the service on the open port, and conducting a vulnerability assessment test on a service that does not entail a use of ports.
  - 15. The method of claim 1, further comprising:
    - recording the detection of the event; and
      
      providing the event to a network scanner at periodic intervals.
  - 16. The method of claim 15, wherein an agent on the target detects the event.

17. An apparatus comprising:
- at least one processor; and
  
  a memory comprising executable instructions, which when executed via the at least one processor implement a method comprising;
  
  receiving at a server from a target, a notification of detection, in real time, of an event on the target, the event on the target comprisingat least one of a change in status of;
  
  a network interface from active to inactive or vice versa,a client network service from start to stop or vice versa,a server network service from start to stop or vice versa, ora port from open to close or vice versa,determining, at the server, in response to the notification, that a change has occurred in the status of at least one of the network interface, the client network service, the server network service, or the port,when the notification indicates that the status of the port has changed, determining services running on the port, and based on the determined services, determining that security status of a network comprising the target is vulnerable; and
  
  determining based on the determination of the change of status, that the security status of the network comprising the target is vulnerable,wherein, the detection at the target is implemented by at least one of an operating system (OS) service, an OS command, a hook, or an API.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The apparatus of claim 17, the server communicably coupled to the target locally or through a network.
  - 19. The apparatus of claim 18, wherein the server conducts a vulnerability assessment test on the target based on the notification received from the target.
  - 20. The apparatus of claim 19, wherein the server determines at least one of start or stop of the server network service or the client network service, or a change in the status of the network interface.
  - 21. The apparatus of claim 18, wherein the server is configured toreceive test scripts for new vulnerabilities, andconduct vulnerability assessment tests to determine presence of the new vulnerabilities on the target.
  - 22. The apparatus of claim 17, wherein the target includes at least one of a switch, a router, a mobile device, an enterprise or a consumer computer, or a device running a standard real-time operating system.

23. A non-transitory computer readable storage medium stored thereon processor executable instructions, which when executed by at least one processor, implement a method comprising:
- receiving at a server from a target, a notification of detection, in real time, of an event on the target, the event on the target comprisingat least one of a change in status of;
  
  a network interface from active to inactive or vice versa,a client network service from start to stop or vice versa,a server network service from start to stop or vice versa, ora port from open to close or vice versa,determining, at the server, in response to the notification, that a change has occurred in the status of at least one of the network interface, the client network service, the server network service, or the port,when the notification indicates that the status of the port has changed, determining services running on the port, and based on the determined services, determining that security status of a network comprising the target is vulnerable; and
  
  determining based on the determination of the change of status, that the security status of the network comprising the target is vulnerable,wherein, the detection at the target is implemented by at least one of an operating system (OS) service, an OS command, a hook, or an API.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Zeno Security Corporation
Inventors
Kelekar, Samir Gurunath
Primary Examiner(s)
Abyaneh, Ali

Application Number

US13/350,738
Publication Number

US 20120304299A1
Time in Patent Office

1,816 Days
Field of Search

726/25
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 9/542   Event management; Broadcast...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Method and apparatus for detecting vulnerability status of a target

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting vulnerability status of a target

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links