System and method for network vulnerability detection and reporting, Patent Number 7,152,105, from the United States Patent and Trademark Office (PTO)


Title: System and method for network vulnerability detection and reporting

Abstract: A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target ports, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing.

Patent Number: 7,152,105 Issued on 12/19/2006 to McClure, et al.


Inventors: McClure; Stuart C. (Ladera Ranch, CA), Kurtz; George (Coto de Caza, CA), Keir; Robin (Mission Viejo, CA), Beddoe; Marshall A. (San Clemente, CA), Morton; Michael J. (Anaheim Hills, CA), Prosise; Christopher M. (Mission Viejo, CA), Cole; David M. (Huntington Beach, CA), Abad; Christopher (San Francisco, CA)
Assignee: McAfee, Inc. (Santa Clara, CA)
Appl. No.: 10/050,675
Filed: January 15, 2002


Current U.S. Class: 709/224 ; 340/5.53; 726/25
Current International Class: G06F 15/173 (20060101); G05B 19/00 (20060101); G06F 11/00 (20060101)
Field of Search: 709/224 726/23,25 340/5.53


References Cited

U.S. Patent Documents
5881236 March 1999 Dickey
5892903 April 1999 Klaus
5931946 August 1999 Terada et al.
6266774 July 2001 Sampath et al.
6282546 August 2001 Gleichauf et al.
6298445 October 2001 Shostack et al.
6301668 October 2001 Gleichauf et al.
6324656 November 2001 Gleichauf et al.
6725046 April 2004 Park
7000247 February 2006 Banzhof
2001/0034847 October 2001 Gaul, Jr.
2002/0100036 July 2002 Moshir et al.
2003/0014664 January 2003 Hentunen
2003/0101353 May 2003 Tarquini et al.
2004/0117478 June 2004 Triulzi et al.
2004/0187032 September 2004 Gels et al.

Other References

Craig Smith and Christopher Abad, Know Your Enemy: Passive Fingerprint, Sep. 3, 2001, pp. 1, 2 and 3. cited by examiner.
Declaration of Dan Kuykendall in Opposition to OSC Re: Preliminary Injunction, Foundstone, Inc. v. NT OBJECTives, Inc., Case No. 02CC15350 (Sup. Ct. Cal.), dated Oct. 23, 2002, pp. 3-4. cited by other.
Declaration of Michael J. Morton in Opposition to OSC Re: Preliminary Injunction, Foundstone, Inc. v. NT OBJECTives, Inc., Case No. 02CC15350 (Sup. Ct. Cal.), dated Oct. 23, 2002, pp. 2-5. cited by other.
Declaration of Eric Caso in Opposition to OSC Re: Preliminary Injunction, Foundstone, Inc. v. NT OBJECTives, Inc., Case No. 02CC15350 (Sup. Ct. Cal.), dated Oct. 23, 2002, pp. 2-5 & Exhibits B, C and D. cited by other.
Declaration of Jassen D. Glaser in Opposition to OSC Re: Preliminary Injunction, Foundstone, Inc. v. NT OBJECTives, Inc., Case No. 02CC15350 (Sup. Ct. Cal.), dated Oct. 23, 2002, pp. 6-10 & Exhibits F, G. cited by other.
Memorandum of Points and Authorities in Support of Defendants' Opposition to Plaintiff's OSC Re: Preliminary Injunction, Foundstone, Inc. v. NT OBJECTives, Inc., Case No. 02CC15350 (Sup. Ct. Cal.), dated Oct. 23, 2002, pp. 9-10. cited by other.
Dan Kuykendall, a/k/a Seek3r, "Legal Docs: The response to their complaint", <www.kuykendall.org>, printed Oct. 25, 2002, pp. 2-4. cited by other.
Declaration of Stuart McClure in Support of Plaintiff's Application for Temporary Restraining Order and Preliminary Injunction, Foundstone, Inc. v. NT OBJECTives, Inc., Case No. 02CC15350 (Sup. Ct. Cal.), dated Oct. 4, 2002, pp. 2-5. cited by other.
Plaintiff's Memorandum of Points and Authorities in Support of Application for Temporary Restraining Order, Preliminary Injunction, Foundstone, Inc. v. NT OBJECTives, Inc., Case No. 02CC15350 (Sup. Ct. Cal.), dated Oct. 4, 2002, pp. 9-13. cited by other.
Plaintiff's Reply in Support of Motion for Preliminary Injunction, Foundstone, Inc. v. NT OBJECTives, Inc., Case No. 02CC15350 (Sup. Ct. Cal.), dated Oct. 25, 2002, pp. 5-8. cited by other.
Plaintiff Foundstone's Supplemental Reply in Support of Order to Show Cause Re: Preliminary Injunction, Foundstone, Inc. v. NT OBJECTives, Inc., Case No. 02CC15350 (Sup. Ct. Cal.), dated Oct. 28, 2002, pp. 2-3. cited by other.
Marshall Beddoe and Christopher Abad, The Siphon Project: An Implementation of Stealth Target Acquisition & Information Gathering Methodologies, Blackhat USA Conference 2001, presented Jul. 11, 2001*, available at <http://www.blackhat.com/html/bh-usa-01/bh-usa-01-speakers.html>. cited by other.
Craig Smith and Peter Grundl, Know Your Enemy: Passive Fingerprinting, Sep. 3, 2001*, available at <http://www.project.honeynet.org/papers/finger/>. cited by other.
Fyodor, Remote OS detection via TCP/IP Stack FingerPrinting (NMAP), Oct. 18, 1998*, available at <http://www.insecure.org/nmap/nmap-fingerprinting-article.html> and <http://project.honeynet.org/papers/finger/traces.txt>. cited by other.
Fyodor, The Art of Port Scanning, Phrack Magazine, vol. 7, Issue 51, Sep. 1, 1997*, available at <http://www.insecure.org/nmap/p51-11.txt>. cited by other.
The International Search Report from PCT/US02/01093 mailed Aug. 5, 2002. cited by other.
The International Preliminary Examination Report from PCT/US02/01093 mailed Oct. 27, 2003. cited by other.

Primary Examiner: Etienne; Ario
Assistant Examiner: Sall; El Hadji M.
Attorney, Agent or Firm: Zilka-Kotab, PC Hamaty; Christopher J.

Claims

What is claimed is:

1. A system for determining an operating system of a target computer operably connected to a network, the system comprising: first and second data packets, said first and second data packets compliant with a protocol supported by said network, said first and second data packets transmitted via said network to said target computer; first and second operating system fingerprints comprising data bits stored in a computer-readable medium, said first and second operating system fingerprints associated with a first operating system; a first target computer fingerprint comprising data bits stored in a computer-readable medium, said first target computer fingerprint including a representation of at least a portion of data received in response to said transmission of said first data packet; a second target computer fingerprint comprising data bits stored in a computer-readable medium, said second target computer fingerprint including a representation of at least a portion of data received in response to said transmission of said second data packet; and fingerprint comparison instructions embodied in a computer readable storage medium, said instructions executable by a computer to compare said first operating system fingerprint and said first target computer fingerprint, to compare said second operating system fingerprint and said second target computer fingerprint, and to generate a result indicative of whether said first operating system was running on said target computer; wherein the first and second data packets each include TCP packets.

2. The system as described in claim 1, wherein a first range of bits of said first data packet represents a first parameter value, and wherein said first range of bits of said second data packet represents a second parameter value different from said first parameter value.

3. The system as described in claim 2, wherein said second parameter value is derived by changing one bit in said first range of bits of said first data packet.

4. The system as described in claim 2, wherein said first and second operating system fingerprints differ.

5. The system as described in claim 4, further comprising: a third data packet, said third data packet compliant with said protocol, said first range of bits of said third data packet representing a third parameter value different from said first and second parameter values, said third data packet transmitted via said network to said target computer; a third operating system fingerprint comprising data bits stored in a computer-readable medium, said third operating system fingerprint associated with said first operating system, said third operating system fingerprint differing from said first and second operating system fingerprints; and a third target computer fingerprint comprising data bits stored in a computer-readable medium, said third target computer fingerprint including a representation of at least a portion of data received in response to said transmission of said first data packet, said comparison instructions executable by a computer to compare said third operating system fingerprint and said third target computer fingerprint before generating said result.

6. The system as described in claim 5, further comprising: fourth, fifth and sixth operating system fingerprints comprising data bits stored in a computer-readable medium, said fourth, fifth and sixth operating system fingerprints associated with a second operating system, at least one of said fourth, fifth and sixth operating system fingerprints differing from a respective one of said first, second and third operating system fingerprints; said comparison instructions executable by a computer to compare said fourth operating system fingerprint and said first target computer fingerprint, to compare said fifth operating system fingerprint and said second target computer fingerprint, to compare said sixth operating system fingerprint and said third target computer fingerprint, and to generate a second result indicative of whether said second operating system was running on said target computer.

7. The system as described in claim 5, wherein said protocol is TCP/IP and wherein said first range of bits corresponds to a packet field representing a maximum segment size.

8. The system as described in claim 5, wherein said first parameter value is obtained by setting no bits, said second parameter value is obtained by setting one bit, and said third parameter value is obtained by setting two bits.

9. The system as described in claim 5, wherein said first parameter value is 0, said second parameter value is 128, and said third parameter value is 128 plus a multiple of 256.

10. The system as described in claim 5, wherein said first range of bits represents at least two bytes, and wherein a value of said second parameter is obtained by setting the last bit in a byte, and a value for said third parameter is obtained by setting the last bit in a byte.

11. The system as described in claim 10, wherein said third parameter is obtained by setting adjacent bits in said first range of bits.

12. The system as described in claim 5, wherein said first, second and third data packets are transmitted in order of lowest parameter value first.

13. A method for identifying an operating system of a target computer via a network, the method comprising the steps of: sending a first data packet to said target computer via said network, said first data packet complying with a protocol of said network and having a first pattern of bits in a first range of bits; generating a first response value representing at least a portion of data received via said network in response to said sending of said first data packet; sending a second data packet to said target computer via said network, said second data packet complying with said protocol and having a second pattern of bits in a first range of bits, said second pattern of bits different from said first pattern; generating a second response value representing at least a portion of data received via said network in response to said sending of said second data packet; sending a third data packet to said target computer via said network, said third data packet complying with said protocol and having a third pattern of bits in a first range of bits, said third pattern of bits different from said first or said second pattern; generating a third response value representing at least a portion of data received via said network in response to said sending of said third data packet; comparing said first response value to a first predetermined value associated with a first operating system; comparing said second response value to a second predetermined value associated with said first operating system; comparing said third response value to a third predetermined value associated with said first operating system; and generating a value indicative of a relationship between said first operating system and said target computer; wherein the first, second, and third data packets each include TCP packets.

14. The method as described in claim 13, the method comprising the further steps of: comparing said first response value to a fourth predetermined value associated with a second operating system; comparing said second response value to a fifth predetermined value associated with said second operating system; and comparing said third response value to a sixth predetermined value associated with said second operating system.

15. The method as described in claim 13, wherein no bit is set in said first pattern of bits, wherein one bit is set in said second pattern of bits, and wherein two bits are set in said third pattern of bits.

16. The method as described in claim 13, wherein the number of bytes in said second pattern of bits that have at least one bit set is greater than the number of bytes in said first pattern of bits that have at least one bit set, and wherein the number of bytes in said third pattern of bits that have at least one bit set is greater than the number of bytes in said second pattern of bits that have at least one bit set.

17. The method as described in claim 13, wherein no byte in said first pattern of bits has a least significant bit or a most significant bit that is set wherein at least one byte in said second pattern of bits has a most significant bit that is set, and wherein at least one byte in said third pattern of bits has a least significant bit that is set.

18. The system as described in claim 5, wherein the third data packet includes an RFC-compliant TCP packet.

19. The system as described in claim 1, wherein the first data packet includes a TCP SYN packet with a maximum segment size MSS option in an options field thereof set to 0.

20. The system as described in claim 1, wherein the first data packet includes a TCP SYN packet with a maximum segment size MSS option in an options field thereof set to 128.
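The claims above describe two separable pieces: the three MSS probe values and the bit-pattern conditions they must satisfy (claims 8 through 12 and 15 through 17), and the comparison of the target's response representations against per-operating-system fingerprint tables (claims 1, 13 and 14). The following added example, which is not code from the patent or its assignee, implements both pieces offline: it encodes the probe values as the 2-byte option field and checks the claimed bit properties, then runs the fingerprint comparison over constructed response values. No packets are sent, the OS names and fingerprint values are invented rather than real signatures, and the multiple of 256 used for the third probe (1) is an assumption the patent does not fix.

```python
# Added example, not code from the patent or its assignee: an offline
# implementation of the probe-value conditions and fingerprint comparison
# described in claims 1-17. Nothing here touches a network; every "response"
# is a constructed value and the fingerprint tables are invented.

# The three probe values of claim 9: 0, 128, and 128 plus a multiple of 256.
# The multiple (1) is an assumption; the patent does not fix it.
PROBE_MSS_VALUES = (0, 128, 128 + 256 * 1)


def mss_field_bytes(value):
    """Encode an MSS value as the 2-byte, big-endian option field (claim 10)."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("MSS must fit in 16 bits")
    return value.to_bytes(2, "big")


def bits_set(field):
    """Total number of bits set across the field (claims 8 and 15)."""
    return sum(bin(b).count("1") for b in field)


def bytes_with_any_bit_set(field):
    """Number of bytes in the field with at least one bit set (claim 16)."""
    return sum(1 for b in field if b)


def probe_patterns_satisfy_claims():
    """True if the chosen probe values meet the bit-pattern conditions of
    claims 8, 11, 12, 15, 16 and 17."""
    fields = [mss_field_bytes(v) for v in PROBE_MSS_VALUES]
    first, second, third = fields
    conditions = (
        list(PROBE_MSS_VALUES) == sorted(PROBE_MSS_VALUES),       # claim 12: lowest value first
        [bits_set(f) for f in fields] == [0, 1, 2],                # claims 8, 15: 0, 1, 2 bits set
        [bytes_with_any_bit_set(f) for f in fields] == [0, 1, 2],  # claim 16: more non-zero bytes each step
        not any(b & 0x81 for b in first),                          # claim 17: no MSB or LSB set in probe 1
        any(b & 0x80 for b in second),                             # claim 17: a byte with its MSB set in probe 2
        any(b & 0x01 for b in third),                              # claim 17: a byte with its LSB set in probe 3
        int.from_bytes(third, "big") & 0x180 == 0x180,             # claim 11: the two set bits are adjacent
    )
    return all(conditions)


# Fingerprint database: per operating system, one predetermined value per
# probe (claims 13-14). Each value is a (window, echoed MSS) pair; the
# numbers and names are constructed, not real operating-system signatures.
FINGERPRINT_DB = {
    "OS-A (constructed)": ((8192, 0), (8192, 128), (8192, 384)),
    "OS-B (constructed)": ((5840, 536), (5840, 536), (8192, 384)),
}

# Constructed target fingerprints, as if the three probes had been answered.
SAMPLE_TARGET_RESPONSES = ((8192, 0), (8192, 128), (8192, 384))


def match_counts(target_fps, db=FINGERPRINT_DB):
    """Per operating system, how many of the three probe responses matched
    its predetermined values (claim 13's value indicative of a relationship)."""
    if len(target_fps) != len(PROBE_MSS_VALUES):
        raise ValueError("expected exactly one response per probe")
    return {
        os_name: sum(1 for t, e in zip(target_fps, expected) if t == e)
        for os_name, expected in db.items()
    }


def identify(target_fps, db=FINGERPRINT_DB):
    """Names of every operating system whose three fingerprints all matched;
    an empty list when no entry in the database fits."""
    counts = match_counts(target_fps, db)
    return sorted(os for os, n in counts.items() if n == len(PROBE_MSS_VALUES))


if __name__ == "__main__":
    print("probe values:", PROBE_MSS_VALUES, "claims satisfied:", probe_patterns_satisfy_claims())
    print("match counts:", match_counts(SAMPLE_TARGET_RESPONSES))
    print("identified:", identify(SAMPLE_TARGET_RESPONSES))
```

The response pairs stand in for the "representation of at least a portion of data received" in claim 1; which header fields a real implementation would keep is left open by the patent, so the pair is an assumption. Reporting the per-OS match count rather than only a yes/no result keeps partial matches visible, which is what a reviewer of a scan report needs when two fingerprint entries differ in a single probe.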

Description

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates to network system security, and more particularly relates to systems and methods for automatic detection, monitoring and reporting of network vulnerabilities.

2. Description of the Related Art

The reliability and security of a network is essential in a world where computer networks are a key element in intra-entity and inter-entity communications and transactions. Various tools have been used by network administrators, government, security consultants, and hackers to test the vulnerabilities of target networks, such as, for example, whether any computers on a network can be accessed and controlled remotely without authorization. Through this intensive testing, a target network can be "hardened" against common vulnerabilities and esoteric attacks. Existing testing systems, however, produce inconsistent results, use techniques that are unproven or that damage the target network, fail to respond to changing network environments or to detect new vulnerabilities, and report results in difficult-to-understand, text-based reports.

Well-known network security tools now exist to test network paths for possible intrusion. From a testing point, simple commands such as traceroute and ping can be used to manually map a network topography, and determine roughly what network addresses are "alive" with a computer "awake" on the network (i.e., determine which computers are on and are responding to network packets). A tool such as a port scanner can be used to test an individual target computer on the target network to determine what network ports are open. If open ports are found, these ports may provide access for possible intrusion, and potentially represent a vulnerability that can be exploited by a malicious hacker.

Some suites combining various network tools attempt to follow a quasi-automated process to test target computers on a target network. These suites provide variations on the tools described above, and provide long-form text-based output based on the outcome of this testing. The output of these security tests is extremely technical, and requires extensive knowledge of network communications in order to interpret and provide advice based on the results. Thus, these partially automated suites do not provide comprehensive security to an entity seeking to "harden" its network.

Further, some security suites actually risk substantial damage to the target network. For example, while the use of malformed network packets to test a target computer can provide extensive information from the target and feedback on the security of the target, these malformed packets can destabilize the target computer in unpredictable ways. This sometimes results in a short-term loss of information to the target computer or, in more serious cases, a complete crash of the target computer operating system or hardware.

In other cases, the testing method used by existing suites is not reliable. If a network port scanning method employed on a target computer is, for example, 80% accurate over time, then a complete test of all 2^16 ports on a single computer may result in approximately 13,000 ports incorrectly identified as potentially running vulnerable services. Over an entire target network, such "false positives" make it virtually impossible to determine the true security level of the target network.

Existing testing methods lack a standard, quantitative method for objectively comparing the security of a target network or target computer to other systems. Typically, a target network or target computer is ranked only as "high risk," "medium risk," or "low risk." However, such a three-tier system alone provides very little substantive feedback or comparative information about changes in the network over time, the relative weight of different vulnerabilities in determining the resulting risk level, or objective assessments of network security among otherwise heterogeneous network environments.

SUMMARY OF THE INVENTION

The present invention solves these problems and more through a comprehensive network vulnerability testing and reporting method and system. Specifically, the testing system features include a selected combination of: (1) a non-destructive identification of target computer operating system; (2) a multiple-tier port scanning method for determination of what network addresses are active and what ports are active at those addresses; (3) a comparison of collected information about the target network with a database of known vulnerabilities; (4) a vulnerability assessment of some vulnerabilities on identified ports of identified target computers; (5) an active assessment of vulnerabilities reusing data discovered from previously discovered target computers; (6) an application of a quantitative score to objectively and comparatively rank the security of the target network; and, (7) reduction of detailed results of the information collected into hierarchical, dynamic and graphical representations of the target network, target computers, and vulnerabilities found therein. Other features are foreseen and disclosed herein, as well.

In its preferred embodiment, the testing system operates over a modern multi-layer packet network such as a corporate intranet or the Internet. The network typically includes one or more computers, where a computer includes a desktop station running any operating system, a router, a server, and/or any other networked device capable of sending and receiving packets through standard internet protocols such as TCP/IP (Transmission Control Protocol/Internet Protocol), UDP (User Datagram Protocol), and the like. The system and method can be run remotely from a monitoring computer outside the target network, or can be run by a monitoring computer included within the target network. The target network itself is typically defined as an interconnected set of computers, bounded by a specific pre-designated sub-network address, range of IP addresses or sub-addresses, physical network boundaries, computer names or unique identifiers, presence or connection via a pre-determined network protocol, and the like. The target computers comprise all or a portion of the computers found within the target network. For example, a target computer with a simple connection to a WAN (Wide Area Network) can be tested remotely, as a single peer target network. In a more complicated example, a distributed network provider can have multiple sub-networks geographically distributed throughout the world but interconnected via an internal protocol, as a WAN target network with thousands of target computers.

A target network typically runs on one or more IP-based network protocols. Most commonly, the protocol will be TCP/IP and UDP. Similarly, the testing system is typically indifferent to the physical layer structure and topology of the target network. Only structural elements such as firewalls or routers that block, reroute, or change packets will affect the testing system. The testing system, however, attempts to adapt to these structural elements and generally provides accurate results regardless of physical implementation.

TCP/IP is a fundamental protocol used for packet-based network communications on local area networks, wide area networks, and global telecommunications networks such as the Internet. A sample configuration of a TCP/IP SYN (synchronization) packet is shown in Table 1.

TABLE 1 Typical TCP SYN packet

  Source Port | Destination Port
  Sequence Number
  Acknowledgement Number
  Data Offset | Reserved | Data Flags | Window
  Checksum | Urgent Pointer
  Options | Padding
  Data

A computer typically runs on one or more operating systems. More commonly, these operating systems include those provided by Microsoft®, such as the Microsoft Windows® family of operating systems, MacOS® from Apple®, various flavors of UNIX including Linux®, NetBSD, FreeBSD, Solaris®, and the like. Additionally, devices on the target network may include router operating systems, mobile communication device operating systems, palmtop or handheld operating systems, appliance operating systems, set-top box operating systems, gaming operating systems, digital rights management systems, surveillance systems, smart card transaction systems, transportation management systems, and the like, that assign unique or temporary network addresses and are capable of sending and/or receiving traffic from the target network.

Target computers, in one embodiment, are identified by a unique or temporarily unique IP (Internet Protocol) address, typically in the form A.B.C.D, where each of A, B, C and D represents the Class A, Class B, Class C and Class D sub-networks and each has a value between 0 and 255. Typically, the target network is defined by one or more ranges of IP addresses controlled by the target network, but may contain additional target computers or target sub-networks connected to the target network topographically but not part of the predetermined IP range or ranges.

UDP (User Datagram Protocol) is an alternative "connectionless" communications protocol that runs above IP (Internet Protocol). UDP lacks the error correction and receipt acknowledgment features of connection-based protocols such as TCP. ICMP (Internet Control Message Protocol) is another extension of IP which permits control communications (most commonly through an ICMP PING request) between hosts on an IP network.

Another aspect of the invention includes non-destructive and relatively non-intrusive identification of the target operating system of a target computer.

Another aspect of the invention includes parallel testing of multiple target computers on a target network.

Another aspect of the invention includes an improved testing method to determine whether particular target computers on a target network are alive.

Another aspect of the invention includes an improved method for determining whether a set of commonly used ports are open on a target computer.

Another aspect of the invention includes an improved method for reliably determining whether a set of commonly used UDP ports are open or closed on a target computer.

Another aspect of the invention includes a method for associating the ports found open on a target computer with a known set of vulnerabilities.

Another aspect of the invention includes parallel testing of multiple ports and multiple target computers simultaneously.

Another aspect of the invention includes active assessment of some known set of vulnerabilities at a target computer.

Yet another aspect of the invention includes application of an objective quantitative score to the vulnerabilities found on a target network.

Still another aspect of the invention includes compilation of a dynamic, graphical report representing the network topology, network computers, and network vulnerabilities in a hierarchical report including both overview and detail documents.

In one embodiment, the present invention is a system for determining an operating system of a target computer operably connected to a network. The system comprises (1) first and second data packets, the first and second data packets compliant with a protocol supported by the network, the first and second data packets transmitted via the network to the target computer; (2) first and second operating system fingerprints comprising data bits stored in a computer-readable medium, the first and second operating system fingerprints associated with a first operating system; (3) a first target computer fingerprint comprising data bits stored in a computer-readable medium, the first target computer fingerprint including a representation of at least a portion of data received in response to the transmission of the first data packet; (4) a second target computer fingerprint comprising data bits stored in a computer-readable medium, the second target computer fingerprint including a representation of at least a portion of data received in response to the transmission of the second data packet; and (5) fingerprint comparison instructions executable by a computer to compare the first operating system fingerprint and the first target computer fingerprint, to compare the second operating system fingerprint and the second target computer fingerprint, and to generate a result indicative of whether the first operating system was running on the target computer. 
In a preferred aspect, the invention further comprises: (6) a third data packet, the third data packet compliant with the protocol, the first range of bits of the third data packet representing a third parameter value different from the first and second parameter values, the third data packet transmitted via the network to the target computer; (7) a third operating system fingerprint comprising data bits stored in a computer-readable medium, the third operating system fingerprint associated with the first operating system, the third operating system fingerprint differing from the first and second operating system fingerprints; and (8) a third target computer fingerprint comprising data bits stored in a computer-readable medium, the third target computer fingerprint including a representation of at least a portion of data received in response to the transmission of the first data packet, the comparison instructions executable by a computer to compare the third operating system fingerprint and the third target computer fingerprint before generating the result. In a further preferred aspect, the invention further comprises: (9) fourth, fifth and sixth operating system fingerprints comprising data bits stored in a computer-readable medium, the fourth, fifth and sixth operating system fingerprints associated with a second operating system, at least one of the fourth, fifth and sixth operating system fingerprints differing from a respective one of the first, second and third operating system fingerprints; the comparison instructions executable by a computer to compare the fourth operating system fingerprint and the first target computer fingerprint, to compare the fifth operating system fingerprint and the second target computer fingerprint, to compare the sixth operating system fingerprint and the third target computer fingerprint, and to generate a second result indicative of whether the second operating system was running on the target computer. 
Preferred aspects of this embodiment are ones wherein (10) the first parameter value is obtained by setting no bits, the second parameter value is obtained by setting one bit, and the third parameter value is obtained by setting two bits, or (11) wherein the first parameter value is 0, the second parameter value is 128, and the third parameter value is 128 plus a multiple of 256.

In another embodiment, the present invention is a system for determining an operating system of a target computer accessible via a network. The system comprises: (1) a plurality of data packets compliant with a protocol supported by the network, the plurality of data packets transmitted via the network to the target computer; (2) a first plurality of operating system fingerprints, each comprising data bits stored in a computer-readable medium, each associated with a first operating system; (3) a plurality of target computer fingerprints, each comprising data bits stored in a computer-readable medium, each including a representation of at least a portion of data received in response to the transmission of the plurality of data packets; and (4) fingerprint comparison instructions executable by a computer to compare the first plurality of the operating system fingerprint and the plurality of the target computer fingerprints, and to generate a result indicative of whether the first operating system was running on the target computer. A preferred aspect of the embodiment is one wherein the protocol is TCP/IP. Another preferred aspect of the embodiment further comprises (5) a second plurality of operating system fingerprints, each comprising data bits stored in a computer-readable medium, each associated with a second operating system, the fingerprint comparison instructions comparing the second plurality of the operating system fingerprints and the plurality of the target computer fingerprints to generate a second result indicative of whether the second operating system was running on the target computer.

A further embodiment of the present invention is a method for determining an operating system of a target computer accessible via a network. The method comprises the steps of (1) transmitting to the target computer a plurality of data packets compliant with a protocol supported by the network; (2) generating a plurality of target computer fingerprints, each including at least a portion of data received via the network in response to the transmission of the plurality of data packets; (3) comparing the plurality of target computer fingerprints to a first set of predetermined operating system fingerprints, each of the first set of predetermined operating system fingerprints associated with a first operating system; and (4) generating a result indicative of whether the first operating system was running on the target computer. In a preferred aspect the embodiment comprises the further steps of (5) comparing the plurality of target computer fingerprints to a second set of predetermined operating system fingerprints, each of the second set of a predetermined operating system fingerprints associated with a second operating system; and (6) generating a result indicative of whether the second operating system was running on the target computer. One preferred aspect of that embodiment is one wherein the protocol is TCP/IP and wherein the value of the MSS option of two of the plurality of data packets is divisible by 128. Another preferred aspect of that embodiment is one wherein a first of the plurality of data packets has a maximum segment size option of 0, wherein a second of the plurality of data packets has a maximum segment size option of 128, and wherein a third of the plurality of data packets has a maximum segment size option of 384.

A still further embodiment of the invention is a method for identifying an operating system of a target computer via a network, the method comprising the steps of: (1) sending a first data packet to the target computer via the network, the first data packet complying with a protocol of the network and having a first pattern of bits in a first range of bits; (2) generating a first response value representing at least a portion of data received via the network in response to the sending of the first data packet; (3) sending a second data packet to the target computer via the network, the second data packet complying with the protocol and having a second pattern of bits in a first range of bits, the second pattern of bits different from the first pattern; (4) generating a second response value representing at least a portion of data received via the network in response to the sending of the second data packet; (5) sending a third data packet to the target computer via the network, the third data packet complying with the protocol and having a third pattern of bits in a first range of bits, the third pattern of bits different from the first or the second pattern; (6) generating a third response value representing at least a portion of data received via the network in response to the sending of the third data packet; (7) comparing the first response value to a first predetermined value associated with a first operating system; (8) comparing the second response value to a second predetermined value associated with the first operating system; (9) comparing the third response value to a third predetermined value associated with the first operating system; and (10) generating a value indicative of a relationship between the first operating system and the target computer. 
A preferred aspect of the embodiment comprises the further steps of: (11) comparing the first response value to a fourth predetermined value associated with a second operating system; (12) comparing the second response value to a fifth predetermined value associated with the second operating system; and (13) comparing the third response value to a sixth predetermined value associated with the second operating system. A preferred aspect of that embodiment is one wherein no bit is set in the first pattern of bits, wherein one bit is set in the second pattern of bits, and wherein two bits are set in the third pattern of bits. Another preferred aspect of that embodiment is one wherein the number of bytes in the second pattern of bits that have at least one bit set is greater than the number of bytes in the first pattern of bits that have at least one bit set, and wherein the number of bytes in the third pattern of bits that have at least one bit set is greater than the number of bytes in the second pattern of bits that have at least one bit set.
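The three-probe operating system identification described in the embodiments above can be illustrated with a small fingerprint matcher. The code below is an added example written for this page, not the patent's implementation: it encodes the MSS values the text names (0, 128 and 384) as TCP options, shows the bit-pattern property the last paragraph states (zero, one and two bits set, spread over an increasing number of bytes), and compares constructed per-probe target fingerprints against a constructed fingerprint database. The fingerprint fields (window, TTL, echoed MSS) and every value in the database are assumptions; no packets are sent.

```python
"""Added example: three-probe TCP/IP operating system fingerprinting.
Not the patent's code; fingerprint values and responses are constructed."""
import struct

# TCP option kind 2 is Maximum Segment Size: kind(1) | length(1) | value(2).
TCP_OPT_MSS = 2

# The three MSS parameter values named in the text: 0, 128 and 128 + 256.
PROBE_MSS = (0, 128, 384)


def mss_option(mss: int) -> bytes:
    """Encode a TCP MSS option carrying the given value (network byte order)."""
    return struct.pack("!BBH", TCP_OPT_MSS, 4, mss)


def probe_options() -> list:
    """The option bytes carried by the first, second and third probe packets."""
    return [mss_option(v) for v in PROBE_MSS]


def set_bits(data: bytes) -> int:
    """Number of bits set in the given range of bits."""
    return sum(bin(b).count("1") for b in data)


def nonzero_bytes(data: bytes) -> int:
    """Number of bytes in the range that have at least one bit set."""
    return sum(1 for b in data if b)


# Constructed fingerprint database (assumption): for each operating system,
# one predetermined fingerprint per probe. A fingerprint is the portion of the
# SYN/ACK we keep: (window, ttl, mss echoed back in the response options).
OS_FINGERPRINTS = {
    "os-alpha": [(8192, 128, 0), (8192, 128, 128), (8192, 128, 384)],
    "os-beta":  [(5840, 64, 536), (5840, 64, 128), (5840, 64, 384)],
}


def response_fingerprint(window: int, ttl: int, mss_echoed: int) -> tuple:
    """Reduce a captured response to the representation that is compared."""
    return (window, ttl, mss_echoed)


def identify_os(target_fps: list, db: dict = OS_FINGERPRINTS) -> dict:
    """Compare the target computer fingerprints, probe by probe, with each
    operating system's predetermined fingerprints. The result for an OS is
    True only when every probe's response matched that OS's fingerprint."""
    results = {}
    for os_name, expected in db.items():
        same_length = len(target_fps) == len(expected)
        results[os_name] = same_length and all(
            t == e for t, e in zip(target_fps, expected))
    return results


if __name__ == "__main__":
    # Constructed responses, as if captured from the target for the three probes.
    target = [response_fingerprint(5840, 64, 536),
              response_fingerprint(5840, 64, 128),
              response_fingerprint(5840, 64, 384)]
    for opt in probe_options():
        print(opt.hex(), "bits set:", set_bits(opt[2:]),
              "nonzero bytes:", nonzero_bytes(opt[2:]))
    print(identify_os(target))
```

The matcher requires all three probes to agree before reporting an operating system, which is the conservative reading of "compare ... before generating the result"; a scoring variant would count partial agreement. From the defender's side, the same three-packet sequence (SYNs from one source carrying MSS values of 0, 128 and 384) is a recognisable pattern that network monitoring can key on, since a legitimate client has no reason to advertise an MSS of 0.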

Yet another embodiment of the present invention is a system for determining whether a target computer is on a network, the system comprising: (1) a first set of port identifiers stored in a computer-readable medium, each of the first set of port identifiers representing a port used by computers to receive data packets compliant with a first protocol of the network, each of the first set of port identifiers representing a port associated with known network services; (2) a first set of data packets, each directed to a port represented by at least one of the first set of port identifiers, each of the first set of data packets compliant with the first protocol and transmitted to the target computer via the network; (3) a first set of acknowledgement packets received via the network in response to the transmission of the first set of data packets, and (4) a list of host identifiers, each host identifier representing a computer on the network that transmits data in response to a packet sent to the respective computer, a host identifier representing the target computer added to the list of host identifiers if the first set of acknowledgment packets indicates a responsiveness of the target computer. 
An alternative preferred aspect of the embodiment further comprises: (5a) a second set of port identifiers stored in a computer-readable medium, each of the second set of port identifiers representing a port used by computers to receive data packets compliant with a second protocol of the network, each of the second set of port identifiers representing a port associated with known network services; (6a) a second set of data packets, each directed to a port represented by at least one of the second set of port identifiers, each of the second set of data packets compliant with the second protocol and transmitted to the target computer via the network, at least one of the second set of data packets including data associated with the known network services; (7a) a second set of acknowledgement packets received via the network in response to the transmission of the second set of data packets; and (8a) a host identifier representing the target computer added to the list of host identifiers if the second set of acknowledgment packets indicates a responsiveness of the target computer. A preferred aspect of that embodiment is one wherein the first protocol is TCP, wherein the second protocol is UDP, wherein the second set of acknowledgment packets is a nonzero set of UDP data response packets. 
Another alternative preferred aspect of the embodiment further comprises: (5b) a second set of port identifiers stored in a computer-readable medium, each of the second set of port identifiers representing a port used by computers to receive data packets compliant with a second protocol of the network, each of the second set of port identifiers representing a port associated with known network services; (6b) a second set of data packets, each directed to a port represented by at least one of the second set of port identifiers, each of the second set of data packets compliant with the second protocol and transmitted to the target computer via the network, at least one of the second set of data packets including data associated with the known network services; (7b) a second set of acknowledgement packets received via the network in response to the transmission of the second set of data packets; and (8b) a host identifier representing the target computer added to a second list of host identifiers if the second set of acknowledgment packets does not indicate an unresponsiveness of the target computer, each of the second list of host identifiers representing a computer not known to be unresponsive. A preferred aspect of that embodiment is one wherein the first protocol is TCP, wherein the second protocol is UDP, wherein the second set of acknowledgment packets is an empty set of ICMP error packets. 
A further preferred aspect of either alternative embodiment further comprises: (9) a third set of data packets, each directed to a port represented by at least one of the second set of port identifiers, each compliant with the second protocol, the third set of data packets transmitted to the target computer throughout a predetermined maximum latency period; (10) a first response received first in time in response to the transmission of the third set of data packets; (11) a second response received second in time in response to the transmission of the third set of data packets, a time duration between the receipt of the first response and the receipt of the second response defining a target computer latency period. A further preferred aspect of the embodiment is one wherein each of the second set of data packets is transmitted continuously to the target computer for the duration of the target computer latency period.

A still further embodiment of the present invention is a system for testing the accessibility of a target computer via a network. The system comprises: (1) a set of port identifiers stored in a computer-readable medium, each of the set of port identifiers representing a UDP-compliant port, at least one of the port identifiers representing a port associated with known network services; (2) a set of UDP-compliant data packets, each associated with a port represented by at least one of the set of port identifiers, each of the UDP-compliant data packets transmitted continuously to the target computer for a duration approximately the same as the latency period of the target computer, at least one of the UDP-compliant data packets including data associated with the known network services; (3) a first list representing computers accessible via the network, the first list including the target computer if a nonzero set of UDP data response packets is received in response to the transmission of the data packets; and (4) a second list representing computers not known to be inaccessible via the network, the second list including the target computer if an empty set of ICMP error packets is received in response to the transmission of the data packets.

Another embodiment of the present invention is a method for determining whether a target computer is accessible via a network. The method comprises the steps of: (1) identifying TCP ports; (2) sending first data packets to the TCP ports of the target computer, each of the first data packets compliant with TCP; (3) receiving first acknowledgment packets in response to the sending of the first data packets; and (4) adding a representation of the target computer to a list representing accessible computers if the first acknowledgment packets are nonzero. A preferred aspect of the embodiment comprises the further steps of: (5) identifying UDP ports associated with network services; (6) sending second data packets to the UDP ports of the target computer, at least one of the second data packets sent continuously to the target computer throughout a latency period of the target computer; (7) receiving second acknowledgment packets in response to the sending of the second data packets; and (8) adding a representation of the target computer to a list representing accessible computers if the second acknowledgment packets are nonzero UDP data response packets. A further preferred aspect of the embodiment comprises the further step of: (9) determining the latency period of the target computer by measuring the time between responses received in response to packets transmitted to the target computer. A further preferred aspect of the embodiment comprises the further step of: (10) adding a representation of the target computer to a list representing computers not known to be inaccessible via the network, the adding performed if the second acknowledgment packets comprise an empty set of ICMP error packets.
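The host discovery embodiments above distinguish two lists: computers known to be accessible (a TCP acknowledgment or a nonzero set of UDP data responses) and computers merely not known to be inaccessible (an empty set of ICMP error packets). The following added example, which is not the patent's code, implements that classification over constructed response records and measures the target latency period as the time between the first two responses received within a predetermined maximum latency window. The record layout, the port numbers and the millisecond timestamps are assumptions.

```python
"""Added example: two-list host classification and latency measurement.
Not the patent's code; all response records below are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Response:
    proto: str   # "tcp-ack", "udp-data" or "icmp-error"
    port: int    # destination port of the probe that elicited the response
    t_ms: int    # receipt time in milliseconds since the probe was sent


@dataclass
class HostLists:
    accessible: set = field(default_factory=set)            # first list
    not_known_inaccessible: set = field(default_factory=set)  # second list


def classify_host(host: str, tcp_acks: list, udp_responses: list,
                  lists: HostLists) -> HostLists:
    """Apply the text's rules: any TCP acknowledgment or UDP data response
    makes the host accessible; an empty set of ICMP error packets places it
    on the list of computers not known to be inaccessible."""
    udp_data = [r for r in udp_responses if r.proto == "udp-data"]
    icmp_errors = [r for r in udp_responses if r.proto == "icmp-error"]
    if tcp_acks or udp_data:
        lists.accessible.add(host)
    if not icmp_errors:
        lists.not_known_inaccessible.add(host)
    return lists


def latency_period(response_times_ms: list, max_latency_ms: int):
    """Target computer latency: the time between the first and second
    responses received within the maximum latency period, or None when
    fewer than two responses arrived in that window."""
    times = sorted(t for t in response_times_ms if t <= max_latency_ms)
    if len(times) < 2:
        return None
    return times[1] - times[0]


if __name__ == "__main__":
    lists = HostLists()
    classify_host("host-a", [Response("tcp-ack", 80, 12)], [], lists)
    classify_host("host-b", [], [Response("icmp-error", 53, 20)], lists)
    classify_host("host-c", [], [], lists)
    classify_host("host-d", [], [Response("udp-data", 161, 40)], lists)
    print("accessible:", sorted(lists.accessible))
    print("not known inaccessible:", sorted(lists.not_known_inaccessible))
    print("latency ms:", latency_period([100, 350, 900], 2000))
```

Note the edge case the two-list design creates: a host that never answers at all ("host-c") produces no ICMP errors and therefore lands on the second list, while a host that answers every UDP probe with an ICMP port-unreachable error ("host-b") is demonstrably alive yet appears on neither list under these rules unless a TCP probe also drew an acknowledgment. That is why the text keeps the second list separate from the list of accessible computers rather than merging them.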

An additional embodiment of the present invention is a method for assessing the vulnerability of a target computer via a network. The method comprises the steps of: (1) discovering a set of responsive computers on a network by transmitting a set of ICMP packets, a set of TCP packets and a set of UDP packets to a group of computers on a network; (2) detecting services on each of the set of responsive computers by transmitting TCP packets to first ports of each of the set of responsive computers and by transmitting UDP packets to second ports of each of the set of responsive computers, the first and second ports commonly used by computers to receive data packets over a network, the TCP packets including data associated with at least one computer-based service known to use one of the first ports, the UDP packets including data associated with at least one computer-based service known to use one of the second ports; and (3) generating a list of responsive ports using responses received in response to the transmission of the TCP packets and the UDP packets. A preferred aspect of the embodiment comprises the further step of: (4) determining an operating system used by each of the set of responsive computers by comparing predetermined values with portions of responses received from each of the set of responsive computers in response to transmission of a plurality of TCP-compliant packets to each of the set of responsive computers. A further preferred aspect of the embodiment comprises the further step of: (5) confirming the presence of vulnerabilities on the network by applying an automated vulnerability script to each responsive port represented in the list of responsive ports, each of the automated vulnerability scripts testing a vulnerability known to be associated with a computer configuration comprising a particular responsive port and a particular operating system.
A still further preferred aspect of the embodiment comprises the further step of: (6) calculating an objective indicia of security of the network, the calculation based on a weighted summation of confirmed vulnerabilities. A preferred aspect of the embodiment comprises the further step of: (7) determining a topology of the network, the topology determination made by transmitting a set of ICMP packets with varying time to live (TTL) settings and by transmitting a set of TCP packets with varying TTL settings. Another preferred aspect of the embodiment comprises the further step of: (8) producing a graphical representation of the network, the representation including a topological map of the network, a color-based representation of weighted confirmed vulnerabilities, and an association between the graphical representation and information descriptive of confirmed vulnerabilities and computers on the network.

Another embodiment of the present invention is a method for creating a topological representation of a network. The method comprises the steps of: (1) identifying responsive computers on the network; (2) obtaining a plurality of sequences of IP addresses by sending to each responsive computer a sequence of packets having increasing TTL values, each sequence of IP addresses representing nodes in the network between a source computer and one of the responsive computers, adjacent IP addresses in each sequence representing connected nodes, each of the nodes comprising a computer or a router; (3) generating a list of node structures, each of the node structures including data representing a node and data indicative of other nodes to which it directly connects, the list representing all IP addresses in the plurality of sequences; (4) determining for each IP address a distance count, the distance count representing a number of nodes between a node having the IP address and a source node; (5) creating a router structure for each node structure that represents a node comprising a router; (6) associating with each of the router structures connection data representative of each connecting node that connects to no other node except the router represented by the respective router structure; (7) for each router structure, visually depicting a graphical shape spatially related to one or more graphical shapes corresponding to connecting nodes represented by the connection data of the respective router structure; and (8) for each router structure, visually depicting a connection between a graphical shape associated with the respective router structure and another graphical shape associated with a different router structure when distance counts associated with the IP addresses of routers represented by the respective router structure and the different router structure indicate a direct connection. 
A preferred aspect of the embodiment comprises the further step of: (9) testing whether a router represented by a router structure and a connecting node represented in connection data comprise two network connections of one node. A further preferred aspect of this embodiment is one wherein the graphical shape representing a router is a sphere, and wherein each of the spatially related graphical shapes is a sphere orbiting the sphere representing the router.
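Steps (2) through (6) of the topology method above amount to a small graph algorithm over traceroute-style address sequences. The code below is an added example written for this page, not the patent's implementation: from constructed sequences of IP addresses (first element the source, last element a responsive computer) it builds node structures with their direct connections and a distance count, decides which nodes are routers, attaches to each router the connecting nodes that connect to nothing else, and lists the router-to-router connections whose distance counts differ by one. The addresses are constructed, the rule "a node that appears as an intermediate hop is a router" is an assumption, and the drawing steps (7) and (8) are replaced by the returned data.

```python
"""Added example: node and router structures from TTL-sweep sequences.
Not the patent's code; the address sequences below are constructed."""

# Constructed sequences: each is the path revealed by increasing TTL from the
# source (first element) to one responsive computer (last element).
SEQUENCES = [
    ["10.0.0.1", "10.0.1.1", "10.0.1.10"],
    ["10.0.0.1", "10.0.1.1", "10.0.1.11"],
    ["10.0.0.1", "10.0.2.1", "10.0.2.20"],
    ["10.0.0.1", "10.0.2.1", "10.0.2.21"],
    ["10.0.0.1", "10.0.1.1", "10.0.3.1", "10.0.3.30"],
]


def build_nodes(sequences: list) -> dict:
    """Node structure per IP: its directly connected IPs ('links') and a
    distance count ('distance', hops from the source node, index 0)."""
    nodes = {}
    for seq in sequences:
        for depth, ip in enumerate(seq):
            node = nodes.setdefault(ip, {"links": set(), "distance": depth})
            node["distance"] = min(node["distance"], depth)  # shortest seen
            if depth > 0:
                prev = seq[depth - 1]
                node["links"].add(prev)          # adjacent addresses in a
                nodes[prev]["links"].add(ip)     # sequence are connected
    return nodes


def is_router(ip: str, sequences: list) -> bool:
    """Assumption: a node seen as an intermediate hop forwards packets and is
    represented by a router structure; sequence endpoints are hosts."""
    return any(ip in seq[:-1] for seq in sequences)


def build_routers(nodes: dict, sequences: list) -> dict:
    """Router structure per router IP: the sorted list of connecting nodes
    that connect to no other node except this router (step 6)."""
    routers = {}
    for ip, node in nodes.items():
        if not is_router(ip, sequences):
            continue
        leaves = sorted(n for n in node["links"] if nodes[n]["links"] == {ip})
        routers[ip] = leaves
    return routers


def router_links(nodes: dict, routers: dict) -> list:
    """Router pairs that are directly linked and whose distance counts differ
    by exactly one; these are the connections step (8) would draw."""
    pairs = set()
    for r in routers:
        for other in nodes[r]["links"]:
            if other in routers and abs(
                    nodes[r]["distance"] - nodes[other]["distance"]) == 1:
                pairs.add(tuple(sorted((r, other))))
    return sorted(pairs)


if __name__ == "__main__":
    nodes = build_nodes(SEQUENCES)
    routers = build_routers(nodes, SEQUENCES)
    for r, leaves in sorted(routers.items()):
        print(r, "distance", nodes[r]["distance"], "hosts:", leaves)
    print("router links:", router_links(nodes, routers))
```

Two caveats a practitioner would add: a router with several interfaces answers TTL-expired probes from different addresses, which is exactly what step (9) is checking for, so two router structures here may in fact be one device; and a node that appears at different depths on different paths keeps its shortest distance, which is what makes the "differ by one" test meaningful.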

Yet another embodiment of the present invention is a method for calculating an objective security score for a network. The method comprises the steps of: (1) determining a vulnerability value numerically representing a combination of known vulnerabilities of a network; (2) determining an exposure value numerically representing a combination of accessible ports of computers on the network; and (3) deriving a score by combining the vulnerability value and the exposure value. A preferred aspect of this embodiment is one wherein the combination of known vulnerabilities is a summation of weighted numeric expressions of particular vulnerabilities, the weighting based on an ease of exploitation ranking and on an access granted ranking for each vulnerability.
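The scoring embodiment above names its inputs (a weighted vulnerability summation and an exposure value) but not the weights or the combining rule. The following added example, which is not the patent's formula, fills those in with labelled assumptions so the computation can be run end to end: each confirmed vulnerability is weighted by the product of an ease-of-exploitation rank and an access-granted rank, the exposure value counts accessible ports, and the two are combined into a score where a higher number is better. The rank tables, the multipliers and the sample findings are all constructed.

```python
"""Added example: objective security score from weighted vulnerabilities and
exposure. Not the patent's formula; weights and sample data are assumptions."""
from dataclasses import dataclass

# Assumed rankings: easier exploitation and broader access granted weigh more.
EASE_WEIGHT = {"hard": 1, "moderate": 2, "easy": 3}
ACCESS_WEIGHT = {"info": 1, "user": 2, "root": 4}

# Assumed combining rule: each vulnerability weight costs VULN_COST points and
# each accessible port costs PORT_COST points off a best-case score of 100.
VULN_COST = 5
PORT_COST = 1


@dataclass(frozen=True)
class Vulnerability:
    host: str
    port: int
    name: str     # constructed label only; no identifier from any database
    ease: str     # key of EASE_WEIGHT
    access: str   # key of ACCESS_WEIGHT


def vulnerability_weight(v: Vulnerability) -> int:
    """Numeric expression of one vulnerability: ease rank times access rank."""
    return EASE_WEIGHT[v.ease] * ACCESS_WEIGHT[v.access]


def vulnerability_value(vulns: list) -> int:
    """Step (1): weighted summation over confirmed vulnerabilities."""
    return sum(vulnerability_weight(v) for v in vulns)


def exposure_value(open_ports: dict) -> int:
    """Step (2): open_ports maps host -> set of (protocol, port); every
    accessible port on every host counts once."""
    return sum(len(ports) for ports in open_ports.values())


def security_score(vulns: list, open_ports: dict) -> int:
    """Step (3): combine the two values; 100 is best, floored at 0."""
    penalty = VULN_COST * vulnerability_value(vulns) + PORT_COST * exposure_value(open_ports)
    return max(0, 100 - penalty)


def security_trend(scores: list) -> list:
    """Score change between consecutive assessments (positive = improving)."""
    return [later - earlier for earlier, later in zip(scores, scores[1:])]


if __name__ == "__main__":
    # Constructed findings for two hosts.
    findings = [
        Vulnerability("10.0.1.10", 80, "sample-web-flaw", "easy", "root"),
        Vulnerability("10.0.1.11", 22, "sample-auth-flaw", "moderate", "user"),
    ]
    exposure = {"10.0.1.10": {("tcp", 22), ("tcp", 80)},
                "10.0.1.11": {("udp", 53)}}
    print("vulnerability value:", vulnerability_value(findings))
    print("exposure value:", exposure_value(exposure))
    print("score:", security_score(findings, exposure))
```

The product of the two ranks makes an easily exploited root-level flaw count twelve times a hard-to-exploit information leak; a summation of ranks instead of a product would flatten that difference, so the choice of combination is part of what makes the score "objective and comparative" across networks. The `security_trend` helper is the comparison of successive reports mentioned later in the description.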

Still another embodiment of the present invention is a method for conducting an automated network vulnerability attack, the method comprising the steps of: (1) selecting a set of vulnerability attacks for each responsive computer on a network, each selected vulnerability attack for each responsive computer designed to expose a vulnerability associated with ports of the respective computer known to be accessible and also associated with an operating system used by the respective computer; (2) encoding the set of vulnerability attacks such that each is represented in a database by a unique identifier; (3) representing each of the set of vulnerability attacks using instructions of an automated scripting language; and (4) executing the vulnerability attacks by processing the instructions with a computer.

One more embodiment of the present invention is a hierarchical network vulnerability report. The report comprises: (1) a first report level comprising: (a) an objective score representing the security of the network; and (b) a graphical representation of a network topology, including a graphical representation of computers accessible via the network and a color-based graphical representation of the vulnerability of at least some of the computers; and (2) a second report level comprising: (a) a textual list describing the computers and their associated vulnerabilities; and (b) an exposure report describing accessible ports and services of the computers.

An additional embodiment of the present invention is a vulnerability assessment language. The vulnerability assessment language comprises: (1) a set of programming language statements used to create executable scripts, the scripts executed in a thread-safe execution architecture wherein all variables are stack variables and wherein a parse tree is treated as a read-only data structure; (2) a set of special scalar data types interchangeable with an integer data type in expressions, each of the set of special scalar data types having a set of constant values configured to support vulnerability assessment operations embodied in scripts; (3) a set of native objects declared in a metascope owning a script scope to make available the native objects to executable scripts, the native objects facilitating network communication, providing callable member functions for building lists of unique ports and directing script execution to certain hosts, and providing IP addresses for scripts; and (4) a vulnerability object behaving to copy itself into a global data area where other scripts may access its information to compromise another machine, facilitating the use by one script of vulnerability data discovered by a different script.

A further embodiment of the present invention is a method for automated application of a known vulnerability on a target computer. The method comprises the steps of: (1) providing a database of known vulnerabilities, the database including a data object; (2) providing an executable script, the executable script associated with the data object; (3) applying the executable script to the target computer, the script performing the known vulnerability on a port of the target computer; and (4) returning a value representing at least one of the success, failure or other outcome of the executable script.

A still further embodiment of the present invention is a method for automated application of known vulnerabilities to target computers of a network. The method comprises the steps of: (1) providing a database of known vulnerabilities; (2) providing a set of executable scripts, each executable to apply a known vulnerability to a specified target computer; (3) executing first executable scripts to apply vulnerabilities on specified target computers; (4) monitoring return values representing a success, failure or other outcome of each of the first executable scripts; and (5) generating a report using the return values, the report representing a security level of the network. One preferred aspect of this embodiment comprises the further step of: (6) identifying execution time intervals wherein execution of the first executable scripts commences at the beginning of each of the time intervals and pauses at the end of each of the time intervals, until all of the first executable scripts have executed. A preferred aspect of the embodiment comprises the further step of: (7) automatically repeating the execution of the first executable scripts when the execution of the first executable scripts is completed. Another preferred aspect of the embodiment comprises the further steps of: (8) generating a report upon each completed execution of the first executable scripts; and (9) calculating a security trend for the network by comparing a plurality of the reports. An alternative preferred aspect of the embodiment comprises the further step of: (10) executing second executable scripts to apply vulnerabilities to a second network of computers during the execution of the first executable scripts. Another preferred aspect of the embodiment is one wherein the second network is a subset of the network. 
Still another preferred aspect of the embodiment is one wherein the first executable scripts are configured to apply vulnerabilities to a first port of all of the target computers before applying vulnerabilities to a second port of all of the target computers. An additional preferred aspect of the embodiment comprises the further step of allocating a plurality of packet slots, each packet slot permitting asynchronous transmission of a packet by one of the executable scripts.
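As an added example (not code from the patent), the scheduling and reporting logic of this embodiment in Python: a port-major schedule that finishes one port on every target before moving to the next port, packet slots implemented as an asyncio semaphore bounding in-flight checks, return values collected into a report, and a security trend computed between reports. The vulnerability checks themselves are replaced by a constructed outcome table (SIMULATED), which is an assumption standing in for the executable scripts.

```python
import asyncio
from collections import Counter

# Constructed sample "database" of known vulnerabilities: (check id, port).
VULN_DB = [("vuln-A", 80), ("vuln-B", 80), ("vuln-C", 443), ("vuln-D", 22)]
TARGETS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # constructed target network

# Constructed outcomes standing in for each script's return value (assumption);
# a real scanner would run the check against host:port and return this value.
SIMULATED = {("10.0.0.1", "vuln-A"): "success",
             ("10.0.0.3", "vuln-D"): "success",
             ("10.0.0.2", "vuln-C"): "error"}

async def run_check(slots, host, vuln, port, log):
    async with slots:                    # one packet slot per in-flight check
        await asyncio.sleep(0)           # yield, as a real network send would
        log.append((port, host, vuln))   # record actual execution order
        return SIMULATED.get((host, vuln), "failure")

async def scan(db, targets, packet_slots=2):
    """Port-major schedule: every target on one port before the next port."""
    slots = asyncio.Semaphore(packet_slots)
    log, results = [], {}
    for port in sorted({p for _, p in db}):
        tasks = {(h, v): run_check(slots, h, v, port, log)
                 for v, p in db if p == port for h in targets}
        outcomes = await asyncio.gather(*tasks.values())
        results.update(zip(tasks, outcomes))
    return results, log

def run_scan(db=VULN_DB, targets=TARGETS, packet_slots=2):
    return asyncio.run(scan(db, targets, packet_slots))

def report(results):
    """Security level: share of checks that did not succeed in applying a vulnerability."""
    counts = Counter(results.values())
    return {"counts": dict(counts), "score": 1 - counts["success"] / len(results)}

def trend(reports):
    """Security trend across successive reports (positive = improving)."""
    return [b["score"] - a["score"] for a, b in zip(reports, reports[1:])]

def port_major(log):
    """True if no check on a later port ran before a check on an earlier port."""
    ports = [p for p, _, _ in log]
    return ports == sorted(ports)
```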

BRIEF DESCRIPTION OF THE DRAWINGS

Preferred embodiments of the present invention are described below in connection with the attached drawings in which:

FIG. 1 illustrates one embodiment of a target network;

FIG. 2 illustrates one embodiment of a target computer on the target network;

FIG. 3 illustrates one embodiment of a comprehensive testing method;

FIG. 4 illustrates one embodiment of the operating system identification method;

FIG. 5 illustrates one example embodiment of the TCP SYN packet used in the operating system identification method of FIG. 3;

FIG. 6 illustrates one embodiment of first phase scanning to determine what target computers are alive;

FIG. 7 illustrates one embodiment of second phase scanning to determine what ports are open on a target computer;

FIG. 8 illustrates one embodiment of active assessment of a vulnerability of a target computer on a target network;

FIG. 9 illustrates one embodiment of a methodology for determining the security score for a target network;

FIG. 10 illustrates one embodiment of a hierarchical security report, including a graphical representation of network topology and network vulnerabilities;

FIG. 11 illustrates a second embodiment of a hierarchical security report in greater detail; and

FIG. 12 illustrates a second embodiment of the comprehensive testing method.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

I. Basic Implementation, Structure and Control Language

FIG. 1 illustrates one embodiment of a target network. The network security system 100 of the present invention is, in one embodiment, at least one Intel-based server running on a Windows 2000 operating system, although any computer system or operating system capable of handling an IP network and capable of large-scale data processing can be used. The network security system 100 may be outside the target network 102 or inside the target network (not shown). In either case, the system 100 is connected to the target network 102 through a network such as the Internet, via one or more nodes 104. The target network 102, in one example, consists of an intranet with a central intranet hub 106. The target network 102 further includes a firewall 108 which blocks some of the network traffic entering or leaving the target network 102. The target network further comprises a number of hosts 110, defined as within a predetermined range of Internet Protocol (IP) addresses. In some cases, external hosts 112 may lie outside the target network but may nonetheless be connected to the target network 102.

FIG. 2 illustrates one embodiment of a target computer on the target network. In general, a host IP address represents a target computer, as more generally defined below, if the address is in use by the target network. In a simplified representation of a target computer 200 at a host 110, the target computer 200 is running an operating system 202. The operating system preferably contains at least one network TCP/IP stack 204 to provide packet transport, preferably including an interface to provide raw socket 206 connections between the target computer 200 and the network. The physical connection to the network 208 is provided, in one embodiment, by
