System and method for network vulnerability detection and reporting

US 8,621,060 B2
Filed: 02/15/2012
Issued: 12/31/2013
Est. Priority Date: 01/15/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method comprising:

causing a first scan to be performed that comprises sending a set of ICMP packets to a plurality of computer devices on a network and identifying a first set of responsive computer devices in the plurality of computer devices responsive to the ICMP packets, wherein the plurality of computer devices are included on a scan list;

revising the scan list to remove the first set of responsive computer devices from the scan list to create a first version of the scan list;

causing a second scan to be performed that comprises sending a set of TCP packets to the computer devices included on the first version of the scan list and identifying a second set of responsive computer devices responsive to the TCP packets;

revising the first version of the scan list to remove the second set of responsive computer devices from the first version to create a second version of the scan list;

causing a third scan to be performed that comprises sending a set of UDP packets to the computer devices included on the second version of the scan list and identifying a third set of responsive computer devices in the plurality of computer devices responsive to the UDP packets, wherein the third set of responsive computer devices are to be removed from the second version of the scan list; and

identifying vulnerabilities of computer devices included on a live list, wherein in at least one of the first, second, and third sets of responsive computer devices are to be added to the live list upon removal from the scan list.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target ports, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing.

269 Citations

20 Claims

1. A method comprising:
- causing a first scan to be performed that comprises sending a set of ICMP packets to a plurality of computer devices on a network and identifying a first set of responsive computer devices in the plurality of computer devices responsive to the ICMP packets, wherein the plurality of computer devices are included on a scan list;
  
  revising the scan list to remove the first set of responsive computer devices from the scan list to create a first version of the scan list;
  
  causing a second scan to be performed that comprises sending a set of TCP packets to the computer devices included on the first version of the scan list and identifying a second set of responsive computer devices responsive to the TCP packets;
  
  revising the first version of the scan list to remove the second set of responsive computer devices from the first version to create a second version of the scan list;
  
  causing a third scan to be performed that comprises sending a set of UDP packets to the computer devices included on the second version of the scan list and identifying a third set of responsive computer devices in the plurality of computer devices responsive to the UDP packets, wherein the third set of responsive computer devices are to be removed from the second version of the scan list; and
  
  identifying vulnerabilities of computer devices included on a live list, wherein in at least one of the first, second, and third sets of responsive computer devices are to be added to the live list upon removal from the scan list.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the set of ICMP packets comprise ICMP echo request packets.
  - 3. The method of claim 1, wherein the set of TCP packets comprise at least one of TCP SYN packets and TCP full connect packets.
  - 4. The method of claim 1, wherein the set of TCP packets are sent to a particular subset of ports on the plurality of computer devices.
  - 5. The method of claim 4, wherein the particular subset of ports comprise a set of ports identified as most likely used in the network.
  - 6. The method of claim 1, wherein packets of at least one of the set of ICMP packets, the set of TCP packets, and the set of UDP packets are sent in parallel to at least two computer devices in the network.
  - 7. The method of claim 1, wherein the set of UDP packets are sent to a subset of ports identified as commonly used in the network.
  - 8. The method of claim 7, wherein each UDP packet sent in the set of UDP packets is tailored to a respective port in the subset of ports to which the UDP packet is sent.
  - 9. The method of claim 8, wherein the set of UDP packets is a first set of UDP packets, the subset of ports is a first subset of ports, computer devices in the plurality of computer devices not included in at least one of the first, second, and third sets of responsive computer devices are remaining computer devices, and the method further comprises sending a second set of UDP packets tailored to ports in a second subset of ports to identify responsive computer devices within the remaining computer devices.
  - 10. The method of claim 1, wherein the computer devices in the plurality of computer devices not included in at least one of the first, second, and third sets of responsive computer devices are remaining computer devices, the method further comprising re-sending at least one of the set of ICMP packets, the set of TCP packets, and the set of UDP packets to the remaining computer devices to identify responsive computer devices within the remaining computer devices.
  - 11. The method of claim 10, wherein identifying computer devices responsive to the set of UDP packets includes identifying a latency period of a corresponding target computer device and scanning the target computer device at least until the end of the identified latency period.
  - 12. The method of claim 10, further comprising determining a security score for the network based at least in part on the identified vulnerabilities.
  - 13. The method of claim 12, further comprising scanning the plurality of computer devices to discover exposures on the plurality of computer devices.
  - 15. The method of claim 1, further comprising:
    - discovering attributes of the plurality of computer devices; and
      
      identifying a set of vulnerabilities related to the discovered attributes.
  - 16. The method of claim 15, wherein identifying vulnerabilities of computer devices included in at least one of the first, second, and third sets of responsive computer devices includes scanning the responsive computer devices for vulnerabilities included in the set of vulnerabilities.
  - 17. The method of claim 15, wherein the attributes include at least one of services of the respective computer device and an operating system of the respective computer device.
  - 18. The method of claim 15, wherein attributes of computer devices in the plurality of computer devices are discovered, at least in part, based on responses of the respective computer device to at least one of the set of TCP packets and the set of UDP packets.

14. The method of 13, wherein the security score is further based, at least in part, on the discovered exposures.

19. At least one non-transitory, machine-accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- perform a first scan comprising sending a set of ICMP packets to a plurality of computer devices on a network and identifying a first set of responsive computer devices in the plurality of computer devices responsive to the ICMP packets, wherein the plurality of computer devices are included on a scan list;
  
  revise the scan list to remove the first set of responsive computer devices from the scan list to create a first version of the scan list;
  
  perform a second scan comprising sending a set of TCP packets to the computer devices included on the first version of the scan list and identifying a second set of responsive computer devices responsive to the TCP packets;
  
  revise the first version of the scan list to remove the second set of responsive computer devices from the first version to create a second version of the scan list;
  
  perform a third scan comprising sending a set of UDP packets to the computer devices included on the second version of the scan list and identifying a third set of responsive computer devices in the plurality of computer devices responsive to the UDP packets, wherein the third set of responsive computer devices are to be removed from the second version of the scan list; and
  
  identify vulnerabilities of computer devices included on a live list, wherein in at least one of the first, second, and third sets of responsive computer devices are to be added to the live list upon removal from the scan list.

20. A system comprising:
- at least one processor device;
  
  at least one memory element; and
  
  a network security engine, adapted when executed by the at least one processor device to;
  
  send a set of ICMP packets to a plurality of computer devices on a network;
  
  identify a first set of responsive computer devices in the plurality of computer devices responsive to the ICMP packets;
  
  revise the scan list to remove the first set of responsive computer devices from the scan list to create a first version of the scan list;
  
  send a set of TCP packets to the computer devices included on the first version of the scan list;
  
  identify a second set of responsive computer devices responsive to the TCP packets;
  
  revise the first version of the scan list to remove the second set of responsive computer devices from the first version to create a second version of the scan list;
  
  send a set of UDP packets to the computer devices included on the second version of the scan list;
  
  identify a third set of responsive computer devices in the plurality of computer devices responsive to the UDP packets, wherein the third set of responsive computer devices are to be removed from the second version of the scan list; and
  
  identify vulnerabilities of computer devices included on a live list, wherein in at least one of the first, second, and third sets of responsive computer devices are to be added to the live list upon removal from the scan list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
McClure, Stuart C., Kurtz, George, Keir, Robin, Beddoe, Marshall A., Morton, Michael J., Prosise, Christopher M., Cole, David M., Abad, Christopher
Primary Examiner(s)
SALL, EL HADJI MALICK

Application Number

US13/397,560
Publication Number

US 20120151595A1
Time in Patent Office

685 Days
Field of Search

709/224, 709/200, 726/23, 726/25
US Class Current

709/223
CPC Class Codes

G02B 2006/12097   Ridge, rib or the like

G02B 2006/12116   Polariser; Birefringent

G02B 6/105   having optical polarisation...

G02B 6/12011   characterised by the arraye...

G02B 6/12023   characterised by means for ...

H04L 41/12   Discovery or management of ...

H04L 41/22   comprising specially adapte...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

System and method for network vulnerability detection and reporting

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

269 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for network vulnerability detection and reporting

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

269 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links