Error detection/correction and fault detection/recovery – Data processing system error or fault handling – Reliability and availability
Reexamination Certificate
1998-06-30
2001-11-27
Iqbal, Nadeem (Department: 2785)
C713S152000
active
06324656
TECHNICAL FIELD OF THE INVENTION
The present invention relates in general to network vulnerability assessment and, more particularly, to a system and method for rules-driven multi-phase network vulnerability assessment.
BACKGROUND OF THE INVENTION
Network vulnerability assessment involves the detection of potential unauthorized uses and associated exploits (collectively “vulnerabilities”) as they relate to computer networks, the devices that connect to such networks, and/or the subsystems that make up those devices. Network types can include, for example, the Internet, FDDI, token ring, etc. Devices can include routers, switches, workstations, personal computers, printers, and other devices. Subsystems can include, for example, hardware types, operating systems, application programs, etc.
Network vulnerability assessment can be highly complex because the vulnerabilities in a given network can depend upon the version and configuration of the network and upon the devices and subsystems coupled to the network. Additionally, networks can possess atomic as well as composite vulnerabilities. An atomic vulnerability can be a particular application running on a specific device port, for example SMTP. A composite vulnerability can result, among other reasons, because of the combination of two particular subsystems. For example, an operating system, such as WINDOWS NT 3.5, with a collection of certain subordinate applications can present composite vulnerabilities.
Another difficulty for vulnerability assessment stems from the highly dynamic nature of network environments. Devices of known or unknown type can be added and removed from the network at any time. Additionally, different versions and types of subsystems can be introduced to the network. Each change or upgrade includes the potential for new or changed vulnerabilities to exist on that network.
There are a number of conventional systems that attempt to assess the vulnerability of computer systems but are deficient for a variety of reasons. For example, Computer Oracle and Password System (COPS) is designed to probe for vulnerabilities on a host system. However, COPS does not maintain information across an entire network and can predict vulnerabilities only on a single host. Other conventional systems include System Administrator Tool for Analyzing Networks (SATAN Suite) and Internet Security Scanner (ISS). These products can scan computer systems for vulnerabilities by active probing, analyze the collected data for vulnerabilities, and display the results. However, several disadvantages are associated with these products. For example, data collection and analysis are implemented as a single process. Such a methodology creates a prohibitively time-consuming process. Furthermore, as new vulnerabilities are discovered or a network is changed, it is not possible to recreate a previous network configuration in order to test for the newly discovered potential vulnerabilities.
Additional problems with conventional systems include the fact that the analysis process can take a prohibitive amount of computing power as the network grows; as such, potential vulnerabilities can be missed. A further problem is that such conventional systems scan for live Internet Protocol (IP) addresses on a network; therefore, vulnerabilities that exist on services that are not active during a scan can be missed.
SUMMARY OF THE INVENTION
In accordance with the present invention, a system and method for rules-driven multi-phase network vulnerability assessment are disclosed that provide significant advantages over prior developed systems.
According to one aspect of the present invention, a method for network vulnerability assessment includes pinging devices on a network to discover devices with a connection to the network. Port scans are then performed on the discovered devices, and banners are collected as a result of the port scans. Information from the collected banners is stored as entries in a first database. Analysis is performed on the entries in the first database by comparing the entries with a rule set to determine potential vulnerabilities. The results of the analysis are then stored in a second database.
In one embodiment, the method for network vulnerability assessment also includes performing host nudges on the devices and storing information from data received as entries in the first database. In another embodiment, the method can include performing active data collection on the devices.
In a further embodiment, the method for network vulnerability assessment can include comparing an entry to a rule to determine an operating system represented by the entry. The entry and the operating system can then be compared to a second rule to determine a service. The entry and the service can be compared to a third rule to determine a potential vulnerability.
According to another aspect of the present invention, a system is provided for network vulnerability assessment. The system includes an execution module operable to ping devices on a network to discover devices with a connection to the network. The execution module is further operable to perform port scans on the discovered devices and collect banners sent as a result of the port scans. The execution module is coupled to a first database and is operable to store information from the collected banners as entries in the first database. The execution module is also coupled to a rule set and is operable to perform analysis of the entries in the first database by comparing the entries with the rule set to determine potential vulnerabilities. The execution module is coupled to a second database for storing results of the analysis.
It is a technical advantage of the present invention that the dimensionality of a network can be deduced from the perspective of its core attributes, such as device types, operating systems, services, and potential vulnerabilities.
It is another technical advantage that a network configuration, once discovered, can be retained as a snapshot such that multiple rule sets can be run against that single configuration.
It is a further technical advantage of the present invention that each host potentially connected to the network can be identified, and the appropriate vulnerabilities can be assessed.
It is also a technical advantage that, once identified, potential vulnerabilities can be confirmed.
It is another technical advantage of the present invention that the rule set can be implemented with an ASCII-based propositional logic system which allows ease of modification and extension.
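The following is an added illustration, not code from the patent, from Cisco, or from any of the named inventors. It models the chained analysis described in the summary above (entry compared to an OS rule, then the entry and OS to a service rule, then the entry and service to a vulnerability rule), the retained snapshot against which several rule sets can be run, and an ASCII rule format in the propositional style the summary mentions. The discovery phase (ping, port scan, banner collection) is not performed here: a constructed list of banner entries stands in for the first database. The rule syntax, the product names, the addresses (RFC 5737 documentation range) and the vulnerability identifiers are all assumptions made for this example and correspond to nothing real.

```python
"""Toy model of a rules-driven multi-phase vulnerability analysis.

Phase 1 (ping / port scan / banner grab) is not run; SNAPSHOT is a
constructed stand-in for the "first database". Phases 2-4 chain rules:
entry -> os -> service -> vuln. The rule syntax is assumed for this example.
"""
import re

# Constructed snapshot: (address, port, banner). Products are fictional.
SNAPSHOT = [
    ("192.0.2.10", 25, "220 mail.example.test ESMTP AcmeMail 2.1 ready"),
    ("192.0.2.10", 80, "Server: AcmeHTTPd/1.4 (Unix)"),
    ("192.0.2.20", 80, "Server: AcmeHTTPd/2.0 (Unix)"),
    ("192.0.2.30", 21, "220 BoxFTP 3.2 (BoxOS) ready"),
]

# Assumed ASCII rule syntax, one rule per line:
#   <phase>: IF <cond> [AND <cond>]... THEN <fact>=<value>
# where <cond> is either <fact>=<value> or banner~"<regex>".
RULESET_V1 = r"""
os:      IF banner~"\(Unix\)" THEN os=unix
os:      IF banner~"ESMTP AcmeMail" THEN os=unix
os:      IF banner~"\(BoxOS\)" THEN os=boxos
service: IF os=unix AND port=25 AND banner~"AcmeMail" THEN service=acmemail
service: IF os=unix AND port=80 AND banner~"AcmeHTTPd/" THEN service=acmehttpd
service: IF os=boxos AND port=21 THEN service=boxftp
vuln:    IF service=acmemail AND banner~"AcmeMail 2\.[01]\b" THEN vuln=EXAMPLE-ACMEMAIL-OLD
vuln:    IF service=acmehttpd AND banner~"AcmeHTTPd/1\." THEN vuln=EXAMPLE-ACMEHTTPD-1X
"""

# A second rule set run later against the SAME snapshot (no rescan needed).
RULESET_V2 = RULESET_V1 + r"""
vuln:    IF service=boxftp AND banner~"BoxFTP 3\.[0-2]\b" THEN vuln=EXAMPLE-BOXFTP-3X
"""

RULE_RE = re.compile(r'^(\w+):\s*IF\s+(.+?)\s+THEN\s+(\w+)=(\S+)$')
BANNER_COND_RE = re.compile(r'^banner~"(.*)"$')
PHASES = ("os", "service", "vuln")  # evaluation order of the chained phases


def parse_rules(text):
    """Parse the ASCII rule set into (phase, conditions, fact, value) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"bad rule: {line!r}")
        phase, conds, fact, value = m.groups()
        parsed = []
        for cond in conds.split(" AND "):
            b = BANNER_COND_RE.match(cond)
            if b:
                parsed.append(("banner", re.compile(b.group(1))))
            else:
                key, _, expected = cond.partition("=")
                parsed.append((key, expected))
        rules.append((phase, parsed, fact, value))
    return rules


def matches(entry, conds):
    """True when every condition (conjunction) holds for the entry."""
    for key, expected in conds:
        if key == "banner":
            if not expected.search(entry["banner"]):
                return False
        elif entry.get(key) != expected:
            return False
    return True


def assess(snapshot, ruleset_text):
    """Run the chained phases over the snapshot; return the 'second database'
    as (address, port, os, service, vuln) records, one per potential vuln."""
    rules = parse_rules(ruleset_text)
    entries = [{"address": a, "port": str(p), "banner": b, "vuln": []}
               for a, p, b in snapshot]
    for phase in PHASES:
        for entry in entries:
            for r_phase, conds, fact, value in rules:
                if r_phase != phase or not matches(entry, conds):
                    continue
                if fact == "vuln":
                    if value not in entry["vuln"]:
                        entry["vuln"].append(value)
                elif fact not in entry:  # first matching os/service rule wins
                    entry[fact] = value
    return [(e["address"], e["port"], e.get("os"), e.get("service"), v)
            for e in entries for v in e["vuln"]]


if __name__ == "__main__":
    for label, rs in (("v1", RULESET_V1), ("v2", RULESET_V2)):
        for rec in assess(SNAPSHOT, rs):
            print(label, *rec)
```

Keeping discovery output separate from analysis is what lets `RULESET_V2` find an additional potential vulnerability on the BoxFTP host without touching the network again; in practice the snapshot would live in a database rather than a Python list, and the vulnerability phase would feed a confirmation step rather than being the final word.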
Other technical advantages should be apparent to one of ordinary skill in the art in view of the specification, claims, and drawings.
Gleichauf Robert
Shanklin Steven
Waddell Scott
Ziese Kevin
Baker & Botts L.L.P.
Cisco Technology Inc.