System for real-time network-based vulnerability assessment of a host/device via real-time tracking, vulnerability assessment of services and a method thereof

US 20050005169A1
Filed: 04/09/2004
Published: 01/06/2005
Est. Priority Date: 04/11/2003
Status: Active Grant

First Claim

Patent Images

1. A system for real-time vulnerability assessment of a host/device, said system comprising:

an agent running on the host/device, said agent comprising;

a first data structure for storing the status of interfaces and ports on the interfaces of the host/device, an executable agent module coupled to the first data structure to track the status of interfaces and ports on the interfaces of the host/device and to store the information, as entries in said first data structure, said executable agent module to compare the entries to determine a change in the status of interfaces and/or of ports on the interfaces of the host/device, a remote destination server, said destination server comprising, a second data structure for storing the status of interfaces and the ports on the interfaces of the host/device, an executable server module coupled to the second data structure to receive the information communicated by the agent executable module of the agent on the host/device, said executable server module to store the received information as entries in the second data structure wherein the entries indicate the state of each of the ports on each of the active interfaces of the host/device as received, said executable server module to compare the entries in said data structures to determine the change in the status of interfaces and ports on the interfaces of the host/device, and said executable server module to run vulnerability assessment tests on the host/device in the event of a change in the status of interface/ports.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for real-time vulnerability assessment of a host/device, said system comprising an agent running on the host/device. The agent includes a a first data structure for storing the status of interfaces and ports on the interfaces of the host/device. An n executable agent module is coupled to the first data structure to track the status of interfaces and ports on the interfaces of the host/device and to store the information, as entries in said first data structure. The executable agent module compares the entries to determine a change in the status of interfaces and/or of ports on the interfaces of the host/device. A remote destination server is provided that includes a second data structure for storing the status of interfaces and the ports on the interfaces of the host/device. An executable server module is coupled to the second data structure to receive the information communicated by the agent executable module of the agent on the host/device. The executable server module stores the received information as entries in the second data structure wherein the entries indicate the state of each of the ports on each of the active interfaces of the host/device as received. The executable server module compares the entries in said data structures to determine the change in the status of interfaces and ports on the interfaces of the host/device. The executable server module runs vulnerability assessment tests on the host/device in the event of a change in the status of interface/ports.

165 Citations

38 Claims

1. A system for real-time vulnerability assessment of a host/device, said system comprising:
- an agent running on the host/device, said agent comprising;
  
  a first data structure for storing the status of interfaces and ports on the interfaces of the host/device, an executable agent module coupled to the first data structure to track the status of interfaces and ports on the interfaces of the host/device and to store the information, as entries in said first data structure, said executable agent module to compare the entries to determine a change in the status of interfaces and/or of ports on the interfaces of the host/device, a remote destination server, said destination server comprising, a second data structure for storing the status of interfaces and the ports on the interfaces of the host/device, an executable server module coupled to the second data structure to receive the information communicated by the agent executable module of the agent on the host/device, said executable server module to store the received information as entries in the second data structure wherein the entries indicate the state of each of the ports on each of the active interfaces of the host/device as received, said executable server module to compare the entries in said data structures to determine the change in the status of interfaces and ports on the interfaces of the host/device, and said executable server module to run vulnerability assessment tests on the host/device in the event of a change in the status of interface/ports.
- View Dependent Claims (2, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, further comprising:
    - an executable server module coupled to a second data structure to receive and update the vulnerability data in the destination server used by the server for vulnerability tests, whenever new vulnerabilities are discovered, and said executable server module coupled to the second data structure to test the host/device for the new vulnerabilities whenever the vulnerability database is updated with new vulnerabilities and to determine the new vulnerabilities
  - 5. The system of claims 1 and 4, wherein status of an interface is either active or inactive.
  - 6. The system of claims 1 and 4, wherein status of a port is a service listening on the port or not.
  - 7. The system of claims 1 and 4, wherein the agent tracks the change in status of ports/interface by monitoring in real-time or polling at periodic intervals for the status of ports/interfaces and storing the entries at various time intervals.
  - 8. The system of claims 1 and 4, wherein the communication protocol between the host/device and the destination server is a standard transport level utility selected from sockets or any other standard communication protocol.
  - 9. The system of claims 1 and 4, wherein the server executable module compares the entries corresponding two consecutive time intervals.
  - 10. The system of claims 1 and 4, wherein the host/device is selected from a switch, a router, a device running a standard real-time operating system, a mobile device or a PDA.
  - 11. The system of claims 1 and 4, wherein the host/device is an enterprise/consumer machine running with Windows, Unix, Linux, VxWorks, Symbian or PalmOS.
  - 12. The system of claims 1 and 4, wherein the changes that are communicated to the destination server consisting of the IP address of the interface(s) and the port numbers on which listening services have started or stopped on the particular interface(s).
  - 13. The system of claims 1 and 4, wherein the status of the port consists of separate statuses for TC and UD protocols.
  - 14. The system of claims 1 and 4, wherein plurality of hosts/devices is tracked in conjunction with one or more destination servers handling the host/devices.

3. A system for real-time vulnerability assessment of a host/device, said system comprising:
- an agent running on the host/device, said agent comprising;
  
  a first data structure to store the status of interfaces on the host/device and the ports on the interfaces on the host/device, an executable agent module coupled to the first data structure and operable to track the status of interfaces and ports on the interfaces of the host/device to collect and store the information, as entries in the first data structure, said executable agent module coupled to the first data structure to compare the entries to determine a change in the status of interfaces and/or of ports on the interfaces of the host/device, said executable agent module to communicate said changes to a remotely located destination server on the network, and a destination server running remotely, said destination server comprising;
  
  a second data structure for storing the status of interfaces/ports on the host/device, an executable server module coupled to the second data structure to receive information communicated by the executable module on the host/device, said executable server module coupled to the second data structure to store the received information as entries in the second data structure wherein the entries indicate the state of each of the ports on each of the active interfaces of the host/device as received, said executable server module coupled to the second data structure to compare the entries to determine any change in the status of interfaces and ports on the interfaces of the host/device as reported to it, said executable server module coupled to the second data structure to process the changes to determine any new interfaces active and/or any newly opened ports on any of the active interfaces on the host/device on which services are listening as reported to it, said executable server module coupled to the second data structure to run tests remotely to identify the network services running on the newly opened ports on the various active interfaces of the host/device, said executable server module coupled to the second data structure to run vulnerability assessment tests on the identified network services on the newly opened ports of the interfaces and storing the results, and said executable server module coupled to the second data structure to obtain an incremental or an overall vulnerability status report of the host/device from the results of the current vulnerability tests, and previously stored results.
- View Dependent Claims (4)
- - 4. The system of claim 3, further comprising:
    - an executable server module coupled to the second data structure to receive and update the vulnerability database in the vulnerability assessment server used by the server to do vulnerability tests, whenever new vulnerabilities are discovered publicly or elsewhere, and an executable server module coupled to the second data structure to test the host/device for the new vulnerabilities whenever the vulnerability database is updated with new vulnerabilities, and obtain results.

15. Logic encoded in media for real-time vulnerability assessment of a host/device, and operable to perform the following steps:
- a) tracking in real-time the status of interfaces and/or of the ports on a host/device, b) communicating a change in the status of the interfaces and/or the status of ports of the host/device to a remotely located destination server on the network, c) tracking in real-time the reported status of ports and interfaces of the host/device by the destination server, and d) conducting vulnerability assessment tests on the host/device by the destination server in the event of a change in the status of interfaces and/or ports of the host/device.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 17. The logic of claims 15 and 16, wherein the status of an interface is either active or inactive.
  - 18. The logic of claims 15 and 16, wherein status of a port is a service listening on the port or not.
  - 19. The logic of claims 15 and 16, wherein the status of the port consists of separate statuses for TC and UD protocols.
  - 20. The logic of claims 15 and 16, wherein tracking consists of monitoring in real-time or polling at periodic intervals for the status of ports/interfaces on the host/device.
  - 21. The logic of claims 15 and 16, wherein the communication protocol between the host/device and the destination server is a standard transport level utility selected from sockets or any other standard communication protocol.
  - 22. The logic of claims 15 and 16, wherein the host/device is selected from a switch, a router, a device running a standard real-time operating system, a mobile device or a PDA.
  - 23. The logic of claims 15 and 16, wherein the host/device is an enterprise/consumer machine running with Windows, Unix, Linux, VxWorks Symbian or PalmOS.
  - 24. The logic of claims 15 and 16, wherein the changes that are communicated to the destination server consisting of the IP address of the interface(s) and the port numbers on which listening services have started or stopped on the particular interface(s).
  - 25. The logic of claims 15 and 16, wherein the information that is communicated from the host/device to the destination server is the names of the services.
  - 26. The logic of claims 15 and 16, wherein the information that is communicated from the host/device to the destination server is a message signaling a change in the status of interfaces and/or ports on the host/device.
  - 27. The logic of claims 15 and 16, wherein the vulnerability assessment server used by the destination server is updated with the new vulnerabilities to test the presence of vulnerabilities.
  - 28. The logic of claims 15 and 16, wherein a plurality of hosts/devices are tracked in conjunction with plurality of destination servers handling the host/devices.

16. Logic encoded in media for real-time vulnerability assessment of a host/device, and operable to perform the following steps:
- a) tracking in real-time the status of interfaces and/or ports on a host/device, b) communicating the change in the status of the interfaces and/or the status of ports to a remotely located destination server on the network, c) tracking in real-time the reported status of the ports and interfaces of the host/device by the destination server, d) processing the changes by the destination server to determine new active interfaces or newly opened ports on any of the active interfaces on the host/device on which services are listening, e) running tests to identify remotely the network services running on the newly opened ports on the various active interfaces of the host/device, f) running vulnerability assessment tests on the identified network services on the newly opened ports of the interfaces and storing the results, and g) generating an incremental and/or overall vulnerability status report of the host/device from the results of the current vulnerability tests, and storing the results classified port and interface wise

29. A computer-implemented method for real-time vulnerability assessment of a host/device, said method comprising:
- a) tracking in real-time the status of interfaces and ports on the host/device, b) collecting and storing the status as entries in a data structure, c) comparing the entries to determine any change in the status of interfaces and/or the status of ports on the interfaces of the host/device, d) communicating the changes to a remotely located destination server on the network, e) storing said changes as entries in a data structure by the destination server wherein the entries indicate the state of each of the ports on each of the active interfaces of the host/device as reported, f) comparing the entries by the destination server to determine if there is any change in the status of interfaces and ports on the interfaces of the host/device as reported to it, and g) running vulnerability assessment tests on the host/device by the destination server and reporting the results.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38)
- - 31. The method of claims 29 and 30, wherein the status of an interface is either active or inactive.
  - 32. The method of claim 29 and 30, wherein the status of a port is a service listening on the port or not.
  - 33. The method of claim 29 and 30, wherein the agent tracks the change in status of ports/interface by monitoring in real-time or polling at periodic intervals for the status of ports/interfaces and storing the entries at various time intervals.
  - 34. The method of claim 29 and 30, wherein the communication protocol between the host/device and the destination server is a standard transport level utility selected from sockets or any other standard communication protocol.
  - 35. The method of claim 29 and 30, wherein the server executable module compares the entries corresponding two consecutive time intervals.
  - 36. The method of claim 29 and 30, wherein the changes that are communicated to the destination server consisting of the IP address of the interface(s) and the port numbers on which listening services have started or stopped on the particular interface(s).
  - 37. The method of claim 29 and 30, wherein the status of the port consists of separate statuses for TC and UD protocols.
  - 38. The method of claim 29 and 30, wherein plurality of hosts/devices is tracked in conjunction with one or more destination servers handling the host/devices.

30. A computer-implemented method for real-time vulnerability assessment of a host/device, said method comprising:
- a) polling the status of the ports and interfaces on the host/device, periodically at a pre-configured time interval, b) collecting the above information and storing as entries in the first data structure of an agent, c) comparing the entries to determine if there is any change in the status of interfaces and/or the status of ports on the interfaces of the host/device, d) communicating the changes to a remotely located destination server on the network, e) storing the received information as entries in the second data structure of a server by the destination server wherein the entries indicate the state of each of the ports on each of the active interfaces of the host/device as reported, f) comparing the entries by the destination server to determine if there is any change in the status of interfaces and ports on the interfaces of the host/device as reported to it, and g) running vulnerability assessment tests on the host/device by the destination server and reporting the results.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Samir Gurunath Kelekar
Inventors
Kelekar, Samir Gurunath

Granted Patent

US 8,127,359 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 9/542   Event management; Broadcast...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

System for real-time network-based vulnerability assessment of a host/device via real-time tracking, vulnerability assessment of services and a method thereof

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

165 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

System for real-time network-based vulnerability assessment of a host/device via real-time tracking, vulnerability assessment of services and a method thereof

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

165 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links