System and method for network vulnerability detection and reporting

US 8,661,126 B2
Filed: 02/10/2012
Issued: 02/25/2014
Est. Priority Date: 01/15/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

identifying a particular security view from a plurality of available security views for a particular network including a plurality of computer devices;

identifying a particular set of instructions corresponding to the particular security view from a plurality of scanning instruction sets;

causing a particular scanner to utilize the particular set of instructions in a scan of the particular network, wherein the scan of the particular network identifies one or more vulnerabilities present on the particular network corresponding to the particular security view and one or more exposures present on the particular network corresponding to the particular security view; and

determining a security score corresponding to the particular security view, wherein the security score is to be derived from a formula of form F=a−

V−

E, wherein F is the security score, a is a constant, V is a vulnerability loss, and E is an exposure loss, and vulnerability loss V is dependent on vulnerability risk levels of the vulnerabilities and exposure loss E is dependent on exposure risk levels of the exposures.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target parts, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing.

271 Citations

22 Claims

1. A method comprising:
- identifying a particular security view from a plurality of available security views for a particular network including a plurality of computer devices;
  
  identifying a particular set of instructions corresponding to the particular security view from a plurality of scanning instruction sets;
  
  causing a particular scanner to utilize the particular set of instructions in a scan of the particular network, wherein the scan of the particular network identifies one or more vulnerabilities present on the particular network corresponding to the particular security view and one or more exposures present on the particular network corresponding to the particular security view; and
  
  determining a security score corresponding to the particular security view, wherein the security score is to be derived from a formula of form F=a−
  
  V−
  
  E, wherein F is the security score, a is a constant, V is a vulnerability loss, and E is an exposure loss, and vulnerability loss V is dependent on vulnerability risk levels of the vulnerabilities and exposure loss E is dependent on exposure risk levels of the exposures.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, further comprising:
    - identifying a different, second security view of the particular network;
      
      identifying a different, second set of instructions corresponding to the second security view from the plurality of scanning instruction sets; and
      
      causing the particular scanner to utilize the second set of instructions in a second scan of the particular network, wherein the second scan of the particular network identifies one or more vulnerabilities present on the particular network corresponding to the second security view and one or more exposures present on the particular network corresponding to the second security view.
  - 3. The method of claim 2, wherein the particular security view is an external security view of the particular network and the second security view is an internal security view of the particular network.
  - 4. The method of claim 2, further comprising determining a second security score corresponding to the second security view, wherein the second security score is to be derived from the formula of form F=a−
    - V−
      
      E.
  - 5. The method of claim 4, wherein the first and second sets of vulnerabilities are different.
  - 6. The method of claim 4, wherein F is the second security score, a is a constant, V is a vulnerability loss, and E is an exposure loss and vulnerability loss V for the second security score is dependent vulnerability risk levels of the vulnerabilities of the second security view and exposure loss E is dependent on exposure risk levels of the exposures of the second security view.
  - 7. The method of claim 6, whereinexposures for the external security view include open UDP ports found on the computer devices in the network, open ICMP ports found on the computer devices in the network, and non-essential services found on the computer devices in the network, andexposures for the internal security view include rogue applications found on the computer devices in the network, wireless access points found on the computer devices in the network, and backdoors found on the computer devices in the network.
  - 8. The method of claim 6, wherein vulnerability loss V is derived from a first formula for the external security view and derived from a different, second formula for the internal security view.
  - 9. The method of claim 8, wherein the first formula is of form V=min (f, Σ
    - _(y=1→
      
      n){V_w,y}), where min( . . . , . . . ) is the typical standard minimum function, Σ
      
      is a summation symbol, V_w,yis a vulnerability weight value of a computer device y, n is the number of computer devices in the network, and f is a maximum vulnerability loss value.
  - 10. The method of claim 8, wherein V, as derived from the second formula, is dependent on the number of computer devices on the network.
  - 11. The method of claim 8, wherein the second formula is of form V=min (f,(w_hV_hH_h+w_mV_mH_m+w_lV_lH_l)/n)), where min( . . . , . . . ) is a standard minimum function, V_his a number of high level vulnerabilities detected, H_his a number of computer devices on which high level vulnerabilities are detected, V_mis a number of medium level vulnerabilities detected, H_mis a number of computer devices on which medium level vulnerabilities are detected, V_lis a number of low level vulnerabilities detected, H_lis a number of computer devices on which low level vulnerabilities are detected, n is a total number of computer devices on the network, and w_h, W_m, W_lare weighted values for V_h, V_m, V_lrespectively.
  - 12. The method of claim 7, wherein exposure loss E for the external security view is derived from a formula of form:
    - E=min (E_max, Σ
      
      _y=1→
      
      n{w_a*U_y+W_b* I_y+w_c*N_y+w_d*M_y}), where min( . . . , . . . ) is the typical standard minimum function, Σ
      
      is a summation symbol, U_yis the number of open UDP ports found on the yth computer device, I_yis the number of open ICMP ports found on the yth computer device, N_yis the number of non-essential services found on the yth computer device, M_yis a penalty score assigned when the yth computer device is found to include no essential services, n is the number of computer devices in the particular network, E_maxis a maximum exposure loss score, and w_a, w_b, w_c, w_dare weighted values for U_y, I_y, N_y, M_yrespectively.
  - 13. The method of claim 7, wherein exposure loss E for the internal security view is derived from a formula of form E=min (E_max, Σ
    - _y=1→
      
      n{w_a*R_y+w_b* W_y+w_c*T_y}), where min( . . . , . . . ) is the typical standard minimum function, Σ
      
      is a summation symbol, R_yis the number of rogue applications found on the yth computer device, W_yis the number of wireless access points found on the yth computer device, T_yis the number of backdoors found on the yth computer device, n is the number of computer devices in the particular network, E_maxis a maximum exposure loss score, and w_a, w_b, w_care weighted values for R_y, W_y, N_y, T_yrespectively.
  - 14. The method of claim 7, wherein the particular set of instructions is operable to cause the particular scanner to scan for exposures for the external security view and the second set of instructions is operable to cause the particular scanner to scan for exposures for the internal security view.
  - 15. The method of claim 1, wherein the security score is determined for at least one computer device in the particular network.
  - 16. The method of claim 15, wherein an aggregate security score is determined for the particular network.
  - 17. The method of claim 1, wherein the vulnerability risk levels are assigned values for each of the vulnerabilities based at least in part on the particular security view and the exposure risk levels are assigned values for each of exposures found on the network based at least in part on the particular security view.
  - 18. The method of claim 1, wherein identifying the particular security view is based at least in part on a user selection of the particular security view from the plurality of security views.

19. At least one machine accessible, non-transitory storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- identify a particular security view for a particular network including a plurality of computer devices;
  
  identify a particular set of instructions corresponding to the particular security view from a plurality of scanning instruction sets;
  
  cause a particular scanner to utilize the particular set of instructions in a scan of the particular network, wherein the scan of the particular network identifies one or more vulnerabilities present on the particular network corresponding to the particular security view and one or more exposures present on the particular network corresponding to the particular security view; and
  
  determine a security score corresponding to the particular security view, wherein the security score is to be derived from a formula of form F=a−
  
  V−
  
  E, wherein F is the security score, a is a constant, V is a vulnerability loss, and E is an exposure loss, and vulnerability loss V is dependent on vulnerability risk levels of the vulnerabilities and exposure loss E is dependent on exposure risk levels of the exposures.
- View Dependent Claims (20)
- - 20. The medium of claim 19, wherein the instructions, when executed, further cause the machine to:
    - identifying a different, second security view of the particular network;
      
      identifying a different, second set of instructions corresponding to the second security view from the plurality of scanning instruction sets; and
      
      causing the particular scanner to utilize the second set of instructions in a second scan of the particular network, wherein the second scan of the particular network identifies one or more vulnerabilities present on the particular network corresponding to the second security view and one or more exposures present on the particular network corresponding to the second security view.

21. A system comprising:
- one or more processor devices;
  
  at least one memory element;
  
  a vulnerability scanner, adapted when executed by the at least one of the one or more processor devices to;
  
  identify a particular security view from a plurality of available security views for a particular network including a plurality of computer devices;
  
  identify a particular set of instructions corresponding to the particular security view from a plurality of scanning instruction sets;
  
  utilize the particular set of instructions in a scan of the particular network, wherein the scan of the particular network identifies one or more vulnerabilities present on the particular network corresponding to the particular security view and one or more exposures present on the particular network corresponding to the particular security view; and
  
  a scoring module, adapted when executed by at least one of the one or more processor devices to determine a security score corresponding to the particular security view, wherein the security score is to be derived from a formula of form F=a−
  
  V−
  
  E, wherein F is the security score, a is a constant, V is a vulnerability loss, and E is an exposure loss, and vulnerability loss V is dependent on vulnerability risk levels of the vulnerabilities and exposure loss E is dependent on exposure risk levels of the exposures.
- View Dependent Claims (22)
- - 22. The system of claim 21, wherein the vulnerability scanner is further adapted to:
    - identify a different, second security view of the particular network;
      
      identify a different, second set of instructions corresponding to the second security view from the plurality of scanning instruction sets; and
      
      utilize the second set of instructions in a second scan of the particular network, wherein the second scan of the particular network identifies one or more vulnerabilities present on the particular network corresponding to the second security view and one or more exposures present on the particular network corresponding to the second security view.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Cole, David M., Hanzlik, Dennis J., Caso, Erik
Primary Examiner(s)
SALAD, ABDULLAHI ELMI

Application Number

US13/371,378
Publication Number

US 20120144494A1
Time in Patent Office

746 Days
Field of Search

709224-225, 726 23- 25
US Class Current

709/224
CPC Class Codes

G02B 2006/12097   Ridge, rib or the like

G02B 2006/12116   Polariser; Birefringent

G02B 5/3083   Birefringent or phase retar...

G02B 6/105   having optical polarisation...

G02B 6/12011   characterised by the arraye...

G02B 6/12023   characterised by means for ...

H04L 41/12   Discovery or management of ...

H04L 41/22   comprising specially adapte...

H04L 63/0218   Distributed architectures, ...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

System and method for network vulnerability detection and reporting

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

271 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for network vulnerability detection and reporting

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

271 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links