US20050097199A1 - Method and system for scanning network devices - Google Patents
- Publication number
- US20050097199A1 (application US10/683,564)
- Authority
- US
- United States
- Prior art keywords
- network device
- network
- scanning
- module
- security policy
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
- H04L67/125—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
Definitions
- the present invention relates to scanning one or more network devices. More specifically, the present invention relates to performing scans of network devices upon detecting their connection to the network.
- a network security policy is often employed to ensure that each device communicating on the network is configured with specific and accepted security standards.
- a corporation may have a security policy that states that all computers using the corporation's network must have a functioning virus scanner.
- This security policy may also specify the virus scanner that each device must have, such as by specifying that each device have Norton AntiVirus (manufactured by Symantec of Cupertino, Calif.).
- a security administrator or auditor uses a scanning application to scan a computer.
- the scanning application may be installed on each device communicating on the network to examine the device.
- This local scanning introduces numerous problems.
- each individual device has the scanning application installed on the device. This may result in different devices having different versions of the scanning application.
- the initiation of the scanning ordinarily occurs on the device itself. This may require a separate initiation sequence for each device.
- the time required to deploy the scanning application on each device in the network is often too burdensome of a task to implement. Thus, local scanning is often too onerous to initiate and maintain.
- a scanning application may instead periodically scan the networked computers remotely to locate any devices that do not follow the security policy.
- One drawback of this scanning technique is that the scan may not be comprehensive because some devices may have, for some reason, been turned off at the time of the scan and, consequently, may not have been scanned.
- Another shortcoming with periodic scanning is that there may be a significant delay between the time that a device attaches, or connects, to the network and the time that the scan occurs during the next scheduled scan. This time lag may result in a network being infected before a scan has occurred. Therefore, the periodic scanning, by its nature, does not enforce the security policy at all times.
- a third weakness is that the periodic scan does not work well with computers that ordinarily connect to the network using transient means, such as with a virtual private network connection or using a wireless access point.
- the device may not be available at the time that the scan occurs because of the transient nature of the connection.
- the present invention addresses the weaknesses of the scanning techniques described above and enables enforcement of a network security policy in a more robust and comprehensive manner.
- the present invention also increases scalability, coverage, and responsiveness of scanning while decreasing the implementation time.
- the invention includes a method for scanning network devices connected to a network by detecting connection of a first network device to the network and performing remote, agentless scanning of the first network device in response to detection of the first network device.
- the detecting module detects connection of the first network device by inspecting data packets communicated over the network.
- the detecting module can also detect connection of the first network device by querying a database.
- the detecting module can continuously broadcast pings over the network, continuously examine address resolution protocol (ARP) tables, continuously monitor event logs, transmit a Lightweight Directory Access Protocol (LDAP) query (e.g., poll an LDAP server or execute a persistent LDAP search), and/or transmit a Domain Name System (DNS) query.
- the method can also include determining whether the first network device is connecting to the network via wireless access, determining whether the first network device is connecting to the network via a Virtual Private Network (VPN), and/or determining whether the first network device is plugged into a wall socket.
- the remote agentless scanning step includes the steps of finding properties (e.g., credentials) associated with the first network device and determining the identity (e.g., type) of the first network device. Further, determining the identity of the first network device can include querying a database where the identity (e.g., type) has been determined, examining network traffic, analyzing network behavior, probing the first network device for signature responses, attempting to log into the device using a series of protocols, logging into the first network device and/or querying data within the device.
- the remote agentless scanning also includes scanning, on the first network device, one or more of a configuration, a file, data, a software version, a patch, inventory, hardware, and/or a security vulnerability. The scanning step can also include updating one or more of these items, such as installing a software patch on the first network device.
- the scanning step can also include installing anti-virus software on the first network device and/or determining if the first network device is part of a windows domain.
- the method includes the step of comparing a security setting of the first network device with a predetermined security setting. In yet another embodiment, the method includes the step of enabling the first network device to have additional access to the network, denying the first network device some or all access to the network, notifying another (e.g., authorities) about the first network device based on results of the scan, and/or quarantining the first network device.
- the method also includes the steps of setting a security policy on the first network device, auditing the security policy of the first network device, ensuring compliance with a predetermined security policy, and/or reporting results (e.g., of a scan).
- an apparatus for remote agentless scanning of network devices connected to a network includes a detecting module that detects connection of a first network device to the network and a scanning module that performs remote agentless scanning of the first network device in response to the detection of the first network device.
- the detecting module continuously polls a database for data corresponding to newly attached (connected) network devices. Further, the scanning module remotely scans the first network device upon detecting data corresponding to the first network device in the database.
- the apparatus can also include a history database to store scan results of a scan.
- the scanning module can enable the first network device to have additional access to the network, can deny the first network device some or all access to the network, can notify another (e.g., authorities) about the first network device based on results of the scan, and/or can quarantine the first network device.
- the apparatus can also include a security policy management module for setting a security policy on the first network device, auditing the security policy of the first network device, ensuring compliance with a predetermined security policy, and/or reporting results (e.g., of a scan).
- a method for examining a first network device connected to a network includes querying a database for data representing connection of network devices to a network, determining connection of a first network device to the network by locating data about the first network device in the database, determining properties (e.g., credentials, identity) of the first network device, determining the items to scan based on the properties (e.g., based on the identity of the first network device), and performing remote scanning of the first network device in response to the determination of the connection of the first network device to the network.
- the properties of the first network device include credentials of the first network device and/or the identity of the first network device.
- the identity of the first network device can include the type of the first network device.
- the network device's type can be determined by querying a database where the type has already been determined, by examining network traffic, by analyzing network behavior, by probing the first network device for signature responses, and/or by logging into and querying the first network device.
- a set of security policy settings can be selected for an audit.
- a method for scanning network devices connected to a network includes detecting connection of a first network device to the network and performing remote scanning of the first network device in response to detection of the first network device.
- FIG. 1 is a block diagram of an embodiment of a security system having a detecting module and a scanning module constructed in accordance with the invention.
- FIG. 2 is a more detailed block diagram of an embodiment of the detecting module and the scanning module of FIG. 1 .
- FIG. 3 is a block diagram illustrating an embodiment of a security policy management module.
- FIG. 4 is a flow diagram illustrating an embodiment of the steps performed by the detecting module and the scanning module of FIG. 1 .
- FIG. 1 illustrates a block diagram of an embodiment of a security system 100 .
- the security system 100 includes a first network device 110 communicating with a server 115 .
- the first network device 110 can be any personal computer, smart or dumb terminal, network computer, wireless device (e.g., cellular telephone or personal digital assistant), information appliance, workstation, minicomputer, mainframe computer or other computing device.
- the first network device 110 can also include a network infrastructure device, such as a router, switch, or firewall.
- the first network device 110 is in communication with the server 115 over a first network device-server communication channel 120 .
- Example embodiments of the communication channel 120 include standard telephone lines, LAN or WAN links (e.g., T1, T3, 56 kb, X.25), broadband connections (ISDN, Frame Relay, ATM), and wireless connections.
- the connections over the communication channel 120 can be established using a variety of communication protocols (e.g., HTTP, HTTPS, TCP/IP, IPX, SPX, NetBIOS, Ethernet, RS232, messaging application programming interface (MAPI) protocol, real-time streaming protocol (RTSP), real-time streaming protocol used for user datagram protocol scheme (RTSPU), the Progressive Networks Multimedia (PNM) protocol developed by RealNetworks, Inc. of Seattle, Wash., manufacturing message specification (MMS) protocol, and direct asynchronous connections).
- the first network device-server communication channel 120 is established over a network 125 .
- examples of the network 125 include the World Wide Web (i.e., “web”), the Internet, and a Virtual Private Network (VPN).
- the first network device 110 includes a web browser 128 , such as INTERNET EXPLORER developed by Microsoft Corporation of Redmond, Wash., to connect to the network 125 .
- the security system 100 can include any number of network devices, such as the first network device 110 and a second network device 110 ′. Although described above and below with respect to the first network device 110 , the description also applies to the second network device 110 ′.
- the server 115 can be any of the devices (e.g., wireless device, personal computer, etc.) described above for the first network device 110 .
- the server 115 includes a detecting module 130 and a scanning module 135 .
- modules 130 , 135 may also execute on another device that is separate from the server 115 .
- the detecting module 130 can execute on another device (not shown) and communicate with the scanning module 135 on the server 115 .
- the detecting module 130 and the scanning module 135 are incorporated into a single software module, such as a network examining module 137 .
- the detecting module 130 and the scanning module 135 can be plug-in modules or stand-alone modules. Further, the detecting module 130 and/or the scanning module 135 can be downloaded to the server 115 over the web (e.g., from a web site), can be installed via portable means (e.g., disk, CD-ROM, etc.), can be received in an email (e.g., an email attachment), and the like.
- the detecting module 130 detects connection of the first network device 110 to the network 125 when the first network device 110 connects to the network 125 .
- attachment (or connection) to the network 125 occurs when the first network device 110 communicates with any other device or node of the network 125 .
- the scanning module 135 performs remote scanning of the first network device 110 in response to the detection of the first network device 110 .
- the scanning module 135 performs remote, agentless scanning of the first network device 110 . Therefore, the scanning module 135 scans the first network device 110 without the use of software loaded on the first network device 110 .
- the remote agentless scan can include a vulnerability scan and/or an audit scan.
- a vulnerability scan includes, for instance, a port scan and/or probing the first network device 110 against a large list of known vulnerabilities.
- An audit scan can include comparing current settings to a security policy or group of expected results.
- the scanning module 135 takes an inventory of the first network device 110 . For example, the scanning module 135 can determine which software is loaded onto or executing on the first network device 110 , how frequently each software module or program executes or is accessed, the first network device's security policy, and the like.
- the server 115 is a member of a server farm 140 , or server network, which is a logical group of one or more servers that are administered as a single entity.
- a server farm 140 includes multiple servers 115 , 115 ′, 115 ′′ (generally 115 ).
- the server farm 140 can have any number of servers.
- the server farm 140 is a protected network that is inaccessible by unauthorized individuals, such as a corporate Intranet, VPN, or secure extranet.
- the servers 115 making up the server farm 140 may communicate over any of the networks described above (e.g., WAN, LAN) using any of the protocols discussed.
- the detecting module 130 and/or the scanning module 135 can alternatively be implemented in any type of network (e.g., peer-to-peer network).
- FIG. 2 shows a more detailed block diagram of the detecting module 130 and the scanning module 135 .
- the detecting module 130 includes a detection action module 210 that performs one or more actions to detect when the first network device 110 attaches to the network 125 .
- the scanning module 135 includes a scanning action module 215 that performs one or more actions upon the detection of the first network device's connection to the network 125 .
- the detection action module 210 can, for instance, continuously poll a database for data about connections to the network 125 .
- continuous polling of the database can be an unending repetition of checking the database at an extremely short frequency.
- the first network device 110 registers with a database (e.g., a registration database) when the first network device 110 connects to the network 125 .
- Registration includes, for instance, sending particular data (e.g., network address) about the first network device 110 to the registration database when the first network device 110 connects to the network 125 .
- the detection action module 210 continuously polls a LDAP server (e.g., a Directory System Agent (DSA)) in order to determine when the first network device 110 attaches to the network.
- the registration database (e.g., on a DSA) is triggered (e.g., using a Structured Query Language trigger) when a new network device (e.g., the first network device 110) registers with the database.
- the detection action module 210 can communicate with the registration database when the database is triggered.
- the detection action module 210 can communicate with a browser service to detect when the first network device 110 connects to the network 125. In yet another embodiment, the detection action module 210 communicates with a DNS server to determine when the first network device 110 connects to the network 125. The detection action module 210 can also perform indirect queries, such as using an LDAP persistent search, to detect the first network device 110 when the device connects to the network 125.
- when the detection action module 210 determines that the first network device 110 has connected to the network 125, the detection action module 210 notifies the scanning module 135 of the new attachment. The scanning module 135 then automatically and remotely scans the first network device 110 without using an agent (i.e., agentless).
- the scanning module 135 can take an inventory of the first network device 110 .
- the scanning action module 215 scans the first network device 110 for all software programs loaded on and/or executing on the first network device 110 .
- the scanning action module 215 can also scan the first network device 110 for particular software programs (e.g., programs loaded before a specific date, programs created by a particular developer, a specific virus (e.g., Blaster worm), etc.).
- the scanning action module 215 can also interrogate the first network device 110 with a query about a particular item (e.g., program).
- the scanning module 135 can scan the first network device 110 for the latest patches, to determine if anti-virus software is installed, to determine whether firewall software is installed (and what kind), to determine if the first network device 110 belongs to an appropriate Windows domain, and/or to determine the privileges of the users of the first network device 110 (e.g., which users have administrative privileges).
- the scanning module 135 can also scan the first network device 110 to determine how the first network device 110 communicates with the network 125 and/or how the first network device 110 receives power (e.g., whether the first network device 110 is plugged into a wall socket (e.g., if the first network device 110 is a laptop), if the first network device 110 connects to the network 125 via a wireless access, or connects to the network 125 via a VPN).
- the scanning module 135 can also perform maintenance, such as by fixing/updating software on the first network device 110 .
- the scanning module 135 can perform these fixes automatically (e.g., periodically), as part of a manually invoked scan, or through a scheduled scan.
- the scanning module 135 can assign priority to items and fix individual items, groups of items, or global problems in the security policy.
- the scanning module 135 can fix deviations in the security policy of the first network device 110 relative to a predetermined security policy.
- the scanning module 135 applies a software patch to the first network device 110 .
- the scanning module 135 can apply this patch automatically, can first notify the first network device 110 and wait for the device's response, can only notify the first network device 110 that the particular patch is needed to update the first network device's software, etc. Additionally, the scanning module 135 can also enable a rollback of the fix if the fix causes unexpected side effects.
- the scanning module 135 can also detect anomalies. For example, if the first network device 110 is a server that always services requests from other devices, an anomaly occurs when the server begins making requests. If the scanning module 135 determines that this is occurring, the server is likely a security risk and/or infected with a virus. The scanning action module 215 can then perform one or more of the actions described above or below (e.g., quarantine the first network device 110 , report the anomaly, ensure compliance with a security policy, etc.). Another example of an anomaly that warrants maintenance is if the first network device 110 maintains and has maintained (e.g., for years) a particular load (e.g., 5% load) and then unexpectedly maintains a load of approximately 95%. This load increase can be a sign of an infected device that may need to be quarantined or fixed.
- the scanning module 135 enables a user to view the scans (i.e., scan results) in real-time for substantially immediate feedback and early detection and response planning.
- the scanning module 135 saves scans to one or more files or databases for offline analysis and reporting.
- the scanning module 135 can follow a schedule for the timing of its scans.
- the scanning module 135 can also scan the first network device 110 as the first network device 110 attaches to a quarantined network. The first network device 110 can then switch to the corporate network if the first network device 110 passes an agentless scan.
- the scanning module 135 archives the results of scans in a history database.
- the history database can be part of the scanning module 135 or may communicate with the scanning module 135 .
- the scanning module 135 can also cache the type of device that the scanning module 135 scanned.
- the scanning module 135 quarantines (or enables quarantining of) software on the first network device 110 . For example, if the scanning module 135 locates a particular virus within a program on the first network device 110 , the scanning module 135 may quarantine the program having the virus or the first network device 110 . The scanning module 135 can quarantine the program to enable subsequent analysis of the program, such as to enable the disinfecting of the program, in a “closed” environment (i.e., not connected to a network).
- the quarantining of the software program having a virus bolsters security by further ensuring that the virus does not affect other network devices (e.g., the second network device 110′) or other programs executing or loaded onto the first network device 110 (e.g., other users' software executing on the first network device 110).
- the scanning module 135 can also quarantine the first network device 110 that failed a scan by turning off the router port for the first network device 110 (e.g., at the switch).
- the scanning module 135 may also perform security functions for the first network device 110 .
- the detection action module 210 and/or the scanning action module 215 can be incorporated into the detecting module 130 and/or the scanning module 135 .
- the scanning module 135 and the detecting module 130 can be incorporated into a single module.
- the scanning module 135 includes a security policy management module 305 .
- the security policy management module 305 performs security policy management functions to the security policy of the first network device 110 .
- the security policy management module 305 can set the security policy of the first network device 110 (step 310 ).
- the security policy management module 305 sets the first network device's security policy as a security policy that is an industry standard, such as, for example, a security policy developed by Microsoft Corporation of Redmond, Wash., System Administration, Networking, and Security (SANS) Institute, National Security Agency (NSA), National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), and the Department of U.S. Navy.
- the security policy management module 305 can also enable customization of the security policy. This customization can be, for instance, expression based.
- the security policy management module 305 can also audit the security of the first network device 110 (step 315 ).
- the auditing step includes a data collection process that gathers data from each device (e.g., the first network device 110 ) over the network 125 .
- the security policy management module 305 stores the collected data in, e.g., a database.
- the amount of and type of data that the security policy management module 305 collects can vary depending on, for example, the function of the first network device 110 (e.g., if the first network device 110 is a web server, a database, a file server, etc.) and the platform of the first network device 110 (e.g., UNIX (developed by Bell Laboratories of Murray Hill, N.J.) or WindowsXP® (developed by Microsoft Corporation of Redmond, Wash.)).
- the security policy management module 305 enables multiple levels of settings, multiple patches (e.g., for applications and the operating system), software and/or hardware inventory, complete and/or sparse audits, and can also enable a user (e.g., an auditor) to view their rights and/or responsibilities. These rights/responsibilities are associated with the user's role and scope of the project. The rights/responsibilities can be associated with the first network device 110 , specific security policy files, scanning, and the like. Moreover, the security policy management module 305 can also audit a group of devices (e.g., the first and second network devices 110 , 110 ′), can fix security settings on the first network device 110 (or any number of additional network devices), and/or can audit on-demand or on a schedule.
- the security policy management module 305 can also identify missing patches and identify unauthorized software (e.g., software with back doors), delete unlicensed or unauthorized software, identify unauthorized hardware (e.g., modems, wireless access points), eliminate unused system administration passwords on distributed systems, and/or provide control of external auditors' rights and responsibilities.
- the security policy management module 305 can also automatically ensure that the first network device 110 complies with the requisite security policy (previously set) (step 320 ). For example, the security policy management module 305 can configure the first network device 110 with the correct security settings, can identify, manage, and/or update patches that the first network device 110 needs or has, and/or can add/delete software and/or hardware.
- the security policy management module 305 can verify and/or change, for instance, passwords, system level settings, users, groups, rights, account policies, key permissions, file permissions, registry settings, and/or weak passwords. Moreover, the security policy management module 305 can detect, for example, an operating system, software inventory, the version level of the software, hardware devices, and/or unauthorized modems. Additionally, the security policy management module 305 can be scalable to any device or enterprise and enables remote, agentless auditing and reporting. In other embodiments, the security policy management module 305 restores any or all system settings, files, or file attributes of the first network device 110 .
- the security policy management module 305 can also address additional security vulnerabilities of the first network device 110 . Particular examples include assuring password compliance, discovering and configuring unauthorized modems, managing licensed software and revisions, and/or verifying virus detection software and updates.
- the security policy management module 305 can also report the security policy information (step 325 ) or transmit the report to the first network device 110 (or any other device).
- the report can include detailed reports, such as reports with item-by-item and device-by-device listings, roll-up reports with device summaries for finding problem areas, executive summary reports with overall status reporting and high level charts, and trend reports that can be used to graph progress over time.
- the functions that the security policy management module 305 performs can occur in any order and at any time. Further, these steps can be implemented in any of the modules (e.g., scanning module 135 ) described above and below.
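The audit, compliance and reporting steps described above (steps 315 to 325), together with the quarantine-network decision, sketched as an added example that is not part of the patent. The rule names, operators, policy values and device settings are all assumptions constructed for illustration; collection of the settings from the device is outside the sketch.

```python
"""Added example: audit collected device settings against a predetermined policy."""
import operator
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Hypothetical comparison operators for an expression-based policy.
OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": operator.eq,
    "ge": operator.ge,
    "le": operator.le,
    "in": lambda actual, allowed: actual in allowed,
    "superset": lambda actual, required: set(required) <= set(actual),
}


@dataclass(frozen=True)
class Rule:
    setting: str
    op: str
    expected: Any
    blocking: bool = True  # a failed blocking rule keeps the device quarantined


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: Any
    actual: Any
    passed: bool
    blocking: bool


# Constructed policy; setting names and patch ids are placeholders.
POLICY: List[Rule] = [
    Rule("antivirus_installed", "eq", True),
    Rule("firewall_enabled", "eq", True),
    Rule("min_password_length", "ge", 8),
    Rule("installed_patches", "superset", ["PATCH-A", "PATCH-B"]),
    Rule("domain", "in", ["CORP.EXAMPLE"]),
    Rule("local_admin_count", "le", 2, blocking=False),
]


def audit(settings: Dict[str, Any], policy: List[Rule]) -> List[Finding]:
    """Compare each collected setting with the policy; uncollected data fails closed."""
    findings = []
    for rule in policy:
        present = rule.setting in settings
        actual = settings.get(rule.setting)
        try:
            passed = present and bool(OPS[rule.op](actual, rule.expected))
        except TypeError:
            passed = False  # value of the wrong type counts as a deviation
        findings.append(Finding(rule.setting, rule.expected, actual, passed, rule.blocking))
    return findings


def decide(findings: List[Finding]) -> str:
    """Move the device to the corporate network only if no blocking rule failed."""
    blocked = any(not f.passed and f.blocking for f in findings)
    return "quarantine" if blocked else "corporate"


def report(device: str, findings: List[Finding]) -> Dict[str, Any]:
    """Roll-up summary for one device: network decision plus failed settings."""
    failed = [f.setting for f in findings if not f.passed]
    return {"device": device, "network": decide(findings), "failed": failed}


# Constructed scan results for three devices.
COMPLIANT = {"antivirus_installed": True, "firewall_enabled": True,
             "min_password_length": 10, "domain": "CORP.EXAMPLE",
             "installed_patches": ["PATCH-A", "PATCH-B", "PATCH-C"],
             "local_admin_count": 1}
DEVIATING = {"antivirus_installed": False, "firewall_enabled": True,
             "min_password_length": 6, "domain": "WORKGROUP",
             "installed_patches": ["PATCH-A"], "local_admin_count": 4}
INCOMPLETE = {k: v for k, v in COMPLIANT.items() if k != "firewall_enabled"}
WARN_ONLY = dict(COMPLIANT, local_admin_count=3)

if __name__ == "__main__":
    for name, scan in [("laptop-ok", COMPLIANT), ("laptop-bad", DEVIATING),
                       ("laptop-partial", INCOMPLETE), ("laptop-warn", WARN_ONLY)]:
        print(report(name, audit(scan, POLICY)))
```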
- the detecting module 130 detects the first network device 110 when the first network device 110 connects to the network 125 (step 410 ). In one embodiment, the detecting module 130 intercepts data packets transmitted by the first network device 110 to detect the first network device 110 (step 415 ). The detecting module 130 may also inspect data packets that are communicated over the network 125 for any data packets associated with the first network device 110 (step 420 ).
- the detecting module 130 can perform one or more of a Network Basic Input/Output System (NetBios) broadcast, an ARP request or broadcast, a dynamic DNS registration, a Dynamic Host Configuration Protocol (DHCP) request, a Bootstrap Protocol (BOOTP) request, a Windows Domain Registration, a DNS query, and a “first packet seen” determination.
- the detection step 410 can also include port authentication.
- the detection step 410 can also include continuous queries of, for example, a data source such as a database. These include broadcasting pings (step 425 ) to all network devices connected to the network 125 to detect any network devices that have not yet been detected, querying one or more ARP tables of one or more network communication devices (e.g., router and/or switch) to determine if an address associated with a new network device (e.g., the first network device 110 ) is located on the table (step 430 ), monitoring event log/syslog (step 435 ), a Simple Network Management Protocol (SNMP) query (e.g., to a router), LDAP query (e.g., to an Active Directory) (step 440 ), DNS query (step 440 ), switch port or Virtual Local Area Network (VLAN) status, and/or “sniffing” the network 125 .
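One way to realize the ARP-table query of step 430 so that a new attachment triggers a scan, given as an added example that is not part of the patent. It assumes the table is available as Linux `/proc/net/arp` text; the snapshots, addresses and the `ConnectionDetector` class are constructed for illustration, and the scan itself is represented by a callback.

```python
"""Added example: detect new network attachments by diffing ARP table snapshots."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

ATF_COM = 0x02  # Linux ARP flag: entry is complete (hardware address resolved)

# Constructed snapshots in /proc/net/arp format, using documentation addresses.
HEADER = "IP address       HW type     Flags       HW address            Mask     Device\n"
SNAPSHOTS = [
    HEADER + "192.0.2.1   0x1  0x2  02:00:00:00:00:01  *  eth0\n"
             "192.0.2.10  0x1  0x2  02:00:00:00:00:0a  *  eth0\n",
    HEADER + "192.0.2.1   0x1  0x2  02:00:00:00:00:01  *  eth0\n"
             "192.0.2.10  0x1  0x2  02:00:00:00:00:0a  *  eth0\n"
             "192.0.2.23  0x1  0x0  00:00:00:00:00:00  *  eth0\n"   # unresolved entry
             "192.0.2.50  0x1  0x2  02:00:00:00:00:0B  *  tun0\n",  # transient VPN client
    HEADER + "192.0.2.1   0x1  0x2  02:00:00:00:00:01  *  eth0\n"
             "192.0.2.50  0x1  0x2  02:00:00:00:00:0b  *  tun0\n",  # laptop has left
    HEADER + "192.0.2.1   0x1  0x2  02:00:00:00:00:01  *  eth0\n"
             "192.0.2.11  0x1  0x2  02:00:00:00:00:0a  *  eth0\n"   # laptop is back
             "192.0.2.50  0x1  0x2  02:00:00:00:00:0b  *  tun0\n",
]


def parse_proc_net_arp(text: str) -> Dict[str, str]:
    """Return {mac: ip} for resolved entries; skip the header and bad rows."""
    devices: Dict[str, str] = {}
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed row
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        if not (int(flags, 16) & ATF_COM) or mac == "00:00:00:00:00:00":
            continue  # address not resolved, so no device has answered yet
        devices[mac] = ip
    return devices


@dataclass
class ConnectionDetector:
    """Calls on_connect(mac, ip) once for each device that newly appears."""
    on_connect: Callable[[str, str], None]
    known: Dict[str, str] = field(default_factory=dict)

    def poll(self, arp_text: str) -> List[str]:
        current = parse_proc_net_arp(arp_text)
        new = [mac for mac in current if mac not in self.known]
        for mac in new:
            self.on_connect(mac, current[mac])
        # Devices missing from this snapshot are forgotten, so a transient
        # device that reconnects is scanned again. ARP entries also expire on
        # their own, so a deployment may age entries out instead.
        self.known = current
        return new


def run_demo() -> List[Tuple[str, str]]:
    """Feed the constructed snapshots through the detector; return the scan queue."""
    scan_queue: List[Tuple[str, str]] = []
    detector = ConnectionDetector(on_connect=lambda mac, ip: scan_queue.append((mac, ip)))
    for snapshot in SNAPSHOTS:
        detector.poll(snapshot)
    return scan_queue


if __name__ == "__main__":
    for mac, ip in run_demo():
        print(f"scan requested for {ip} ({mac})")
```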
- In response to detecting the first network device 110, the scanning module 135 remotely scans the first network device 110. In one embodiment, the detecting module 130 communicates the detection to the scanning module 135 upon the detection of the first network device 110.
- the scanning module 135 can determine properties (e.g., credentials) associated with the first network device 110 (step 445) so that the scanning module 135 can perform the scan on the first network device 110.
- the properties can come from a database (e.g., a “credentials store”), or the properties of the process performing the scan may enable a scan.
- the properties can include, for instance, a user name and password to log into the first network device 110.
- the scanning module 135 determines the identity (e.g., type) of the first network device 110 (step 450).
- the scanning module 135 determines the identity of the first network device 110 to determine the protocols and/or application program interfaces (APIs) to use in the scanning of the first network device 110.
- the scanning module 135 can query a database where the identity has already been determined (e.g., querying an Active Directory or Structured Query Language (SQL) Server), examine network traffic, analyze network behavior, probe the device 110 for “signature” responses (i.e., responses known to be unique to that type of device 110), and/or attempt to log into the first network device 110 using a series of protocols (e.g., Windows Networking Protocol (developed by Microsoft of Redmond, Wash.), Secure Shell (SSH) logged in, the scanning module 135 can query the first network device 110 for data, such as by looking for the presence of the file /etc/passwd to deduce a UNIX computer, or perform a Registry query on a Windows computer. Further, the determination of the properties of the first network device can also include the determining of the identity of the first network device 110 (i.e., steps 445 and 450 can be combined into a single step).
- the scanning module 135 determines what to scan (step 455). As described above and depending on the identity of device 110 and user preferences, the scanning module 135 can determine which policy settings to audit. For example, on a Microsoft Windows computer 110, the scanning module 135 may scan for missing Windows Hotfixes. On a Solaris® computer (developed by Sun Microsystems, Inc. of Santa Clara, Calif.), the scanning module 135 can scan for missing Solaris® patches.
- the scanning module 135 can also execute and/or remove software from the first network device 110 as part of its scan.
- the scanning module 135 can additionally compare security settings of the first network device 110 with predefined security settings to, e.g., ensure compliance with the predefined security settings. For instance, a template may be followed for a group security policy. In one embodiment, if the scanning module 135 determines that three settings in the first network device's policy are different than the template, the scanning module 135 may change the settings to match the template or may take another action as a result of the difference. Alternatively, the scanning module 135 reports the difference as a result of the comparison.
- the scanning module 135 enables the first network device 110 to have additional access to the network 125 or denies the first network device's access to the network 125.
- enabling additional access to the network 125 includes enabling access to new areas of the network 125, such as if the network 125 is segmented by firewalls or filtering routers (e.g., it is in a limited quarantine).
- the scanning module 135 may also notify another (e.g., the authorities) when data obtained from the scan poses a security threat. For example, the scanning module 135 can compare the scan results to a list of predetermined security terms and notify the authorities if a match is found.
- the scanning module 135 and/or the detecting module 130 can notify the customer (e.g., the user of the first network device 110) when a security setting changes. This notification can be with a phone call, e-mail, or directly with another software application.
- the scanning module 135 is integrated into a software application's help desk software so that a help desk ticket is automatically opened when a failed scan occurs. The help desk ticket can result in a network administrator visiting the first network device 110 to interrogate the device 110.
- the detecting module 130 and/or the scanning module 135 can perform any combination of these steps in any order.
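The flow described above (ARP-table detection at step 430, the comparison against a template, and the grant/deny decision) is shown here as an added Python example; it is not code from the patent. The Linux /proc/net/arp text layout, the template keys, the `CRITICAL` set and the scan results are assumptions constructed for illustration, and the remote login that would collect the settings is replaced by a lookup.

```python
"""Detect-on-connect audit sketch: ARP snapshot diff -> template audit -> decision."""

# Constructed sample data: two ARP snapshots in the Linux /proc/net/arp layout.
ARP_BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         02:00:00:00:00:01     *        eth0
10.0.0.20        0x1         0x2         02:00:00:00:00:20     *        eth0
"""
ARP_AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         02:00:00:00:00:01     *        eth0
10.0.0.20        0x1         0x2         02:00:00:00:00:20     *        eth0
10.0.0.31        0x1         0x2         02:00:00:00:00:31     *        eth0
10.0.0.32        0x1         0x2         02:00:00:00:00:32     *        eth0
10.0.0.33        0x1         0x0         00:00:00:00:00:00     *        eth0
10.0.0.34        0x1         0x2         02:00:00:00:00:34     *        eth0
"""

# Hypothetical policy template; numeric values are treated as minimums.
TEMPLATE = {"antivirus_running": True, "firewall_enabled": True,
            "min_password_length": 8}
CRITICAL = {"antivirus_running"}  # hypothetical: a deviation here means quarantine

# Constructed scan results keyed by MAC, standing in for a remote, agentless scan.
# The device ending in :34 has no entry, as if no credentials worked.
SCAN_RESULTS = {
    "02:00:00:00:00:31": {"antivirus_running": True, "firewall_enabled": True,
                          "min_password_length": 12},
    "02:00:00:00:00:32": {"firewall_enabled": True, "min_password_length": 6},
}


def parse_arp(text):
    """Return {mac: ip} for resolved entries, skipping the header row."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hw_type, flags, mac = fields[:4]
        # Without the 0x2 (complete) flag the address never resolved, so
        # there is no device to scan yet.
        if int(flags, 16) & 0x2 == 0 or mac == "00:00:00:00:00:00":
            continue
        table[mac.lower()] = ip
    return table


def new_devices(before_text, after_text):
    """MACs present in the later snapshot but not in the earlier one."""
    before, after = parse_arp(before_text), parse_arp(after_text)
    return {mac: ip for mac, ip in after.items() if mac not in before}


def complies(expected, actual):
    """A missing value never complies; bool is checked before int on purpose."""
    if actual is None:
        return False
    if isinstance(expected, bool):
        return actual is expected
    if isinstance(expected, int):
        return actual >= expected
    return actual == expected


def audit(settings, template):
    """List (setting, expected, actual) for every deviation from the template."""
    return [(name, expected, settings.get(name))
            for name, expected in template.items()
            if not complies(expected, settings.get(name))]


def decide(deviations):
    """Grant access when compliant, quarantine on a critical deviation, else report."""
    if not deviations:
        return "grant"
    if any(name in CRITICAL for name, _expected, _actual in deviations):
        return "quarantine"
    return "report"


def process(before_text, after_text, scan_results):
    """Run the audit for each newly seen device; returns {ip: (decision, deviations)}."""
    outcome = {}
    for mac, ip in sorted(new_devices(before_text, after_text).items()):
        # No scan result means every setting is missing, so the device fails closed.
        deviations = audit(scan_results.get(mac, {}), TEMPLATE)
        outcome[ip] = (decide(deviations), deviations)
    return outcome


if __name__ == "__main__":
    for ip, (decision, deviations) in process(ARP_BEFORE, ARP_AFTER, SCAN_RESULTS).items():
        print(ip, decision, deviations)
```

The unresolved entry for 10.0.0.33 is never scanned, and 10.0.0.34 is quarantined because a scan that returns nothing is treated as non-compliant rather than as clean.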
Description
- The present invention relates to scanning one or more network devices. More specifically, the present invention relates to performing scans of network devices upon detecting their connection to the network.
- The use of a computer to communicate over a network has become mainstream over the past decade. As a result, organizations and individuals typically rely on their networks to conduct business, communicate with others, and search for and retrieve data. In addition to helping businesses and individuals communicate and conduct business over a greater distance, the increased use of networks has also put computers at a greater risk. For example, the data stored on a computer communicating over a network such as the World Wide Web is vulnerable to viruses infecting the computer and destroying its data. Consequently, network security has become an item of paramount importance to organizations and individuals alike.
- When configuring a network, a network security policy is often employed to ensure that each device communicating on the network is configured with specific and accepted security standards. For example, a corporation may have a security policy that states that all computers using the corporation's network must have a functioning virus scanner. This security policy may also specify the virus scanner that each device must have, such as by specifying that each device have Norton AntiVirus (manufactured by Symantec of Cupertino, Calif.).
- As the number of devices communicating on the network increases, it usually becomes more difficult to make sure that each device communicating on the network meets the required security policy. Further, a breach in the security of the network may have a crippling effect, possibly resulting in down-time, computer repairs, and large costs to fix.
- Traditionally, to lessen the risk of a security breach and ensure compliance with the security policy (e.g., having a functioning virus scanner), a security administrator or auditor uses a scanning application to scan a computer. The scanning application may be installed on each device communicating on the network to examine the device. This local scanning, however, introduces numerous problems. First, each individual device has the scanning application installed on the device. This may result in different devices having different versions of the scanning application. Moreover, the initiation of the scanning ordinarily occurs on the device itself. This may require a separate initiation sequence for each device. Further, the time required to deploy the scanning application on each device in the network is often too burdensome of a task to implement. Thus, local scanning is often too onerous to initiate and maintain.
- Rather than using agent software to scan a device locally, a scanning application may instead periodically scan the networked computers remotely to locate any devices that do not follow the security policy. There are, however, numerous drawbacks associated with this scanning technique. One drawback is that the scan may not be comprehensive because some devices may have, for some reason, been turned off at the time of the scan and, consequently, may not have been scanned. Another shortcoming with periodic scanning is that there may be a significant delay between the time that a device attaches, or connects, to the network and the time that the scan occurs during the next scheduled scan. This time lag may result in a network being infected before a scan has occurred. Therefore, the periodic scanning, by its nature, does not enforce the security policy at all times.
- A third weakness is that the periodic scan does not work well with computers that ordinarily connect to the network using transient means, such as with a virtual private network connection or using a wireless access point. In particular, the device may not be available at the time that the scan occurs because of the transient nature of the connection.
- The present invention addresses the weaknesses of the scanning techniques described above and enables enforcement of a network security policy in a more robust and comprehensive manner. The present invention also increases scalability, coverage, and responsiveness of scanning while decreasing the implementation time. In one aspect, the invention includes a method for scanning network devices connected to a network by detecting connection of a first network device to the network and performing remote, agentless scanning of the first network device in response to detection of the first network device.
- In one embodiment, the detecting module detects connection of the first network device by inspecting data packets communicated over the network. The detecting module can also detect connection of the first network device by querying a database. For example, the detecting module can continuously broadcast pings over the network, continuously examine address resolution protocol (ARP) tables, continuously monitor event logs, transmit a Lightweight Directory Access Protocol (LDAP) query (e.g., poll an LDAP server or execute a persistent LDAP search), and/or transmit a Domain Name System (DNS) query.
- The method can also include determining whether the first network device is connecting to the network via wireless access, determining whether the first network device is connecting to the network via a Virtual Private Network (VPN), and/or determining whether the first network device is plugged into a wall socket.
- In another embodiment, the remote agentless scanning step includes the steps of finding properties (e.g., credentials) associated with the first network device and determining the identity (e.g., type) of the first network device. Further, determining the identity of the first network device can include querying a database where the identity (e.g., type) has been determined, examining network traffic, analyzing network behavior, probing the first network device for signature responses, attempting to log into the device using a series of protocols, logging into the first network device and/or querying data within the device. In another embodiment, the remote agentless scanning also includes scanning, on the first network device, one or more of a configuration, a file, data, a software version, a patch, inventory, hardware, and/or a security vulnerability. The scanning step can also include updating one or more of these items, such as installing a software patch on the first network device. The scanning step can also include installing anti-virus software on the first network device and/or determining if the first network device is part of a windows domain.
- In another embodiment, the method includes the step of comparing a security setting of the first network device with a predetermined security setting. In yet another embodiment, the method includes the step of enabling the first network device to have additional access to the network, denying the first network device some or all access to the network, notifying another (e.g., authorities) about the first network device based on results of the scan, and/or quarantining the first network device.
- In another embodiment, the method also includes the steps of setting a security policy on the first network device, auditing the security policy of the first network device, ensuring compliance with a predetermined security policy, and/or reporting results (e.g., of a scan).
- In another aspect, an apparatus for remote agentless scanning of network devices connected to a network includes a detecting module that detects connection of a first network device to the network and a scanning module that performs remote agentless scanning of the first network device in response to the detection of the first network device.
- In one embodiment, the detecting module continuously polls a database for data corresponding to newly attached (connected) network devices. Further, the scanning module remotely scans the first network device upon detecting data corresponding to the first network device in the database. The apparatus can also include a history database to store scan results of a scan. In another embodiment, the scanning module can enable the first network device to have additional access to the network, can deny the first network device some or all access to the network, can notify another (e.g., authorities) about the first network device based on results of the scan, and/or can quarantine the first network device.
- The apparatus can also include a security policy management module for setting a security policy on the first network device, auditing the security policy of the first network device, ensuring compliance with a predetermined security policy, and/or reporting results (e.g., of a scan).
- In yet another aspect, a method for examining a first network device connected to a network includes querying a database for data representing connection of network devices to a network, determining connection of a first network device to the network by locating data about the first network device in the database, determining properties (e.g., credentials, identity) of the first network device, determining the items to scan based on the properties (e.g., based on the identity of the first network device), and performing remote scanning of the first network device in response to the determination of the connection of the first network device to the network.
- In one embodiment, the properties of the first network device include credentials of the first network device and/or the identity of the first network device. The identity of the first network device can include the type of the first network device. In one embodiment, the network device's type can be determined by querying a database where the type has already been determined, by examining network traffic, by analyzing network behavior, by probing the first network device for signature responses, and/or by logging into and querying the first network device. Moreover, a set of security policy settings can be selected for an audit.
- In yet another aspect, a method for scanning network devices connected to a network includes detecting connection of a first network device to the network and performing remote scanning of the first network device in response to detection of the first network device.
- The advantages of the invention described above, together with further advantages, may be better understood by referring to the following description taken in conjunction with the accompanying drawings. In the drawings, like reference characters generally refer to the same parts throughout the different views. Also, the drawings are not necessarily to scale, emphasis instead generally being placed upon illustrating the principles of the invention.
- FIG. 1 is a block diagram of an embodiment of a security system having a detecting module and a scanning module constructed in accordance with the invention.
- FIG. 2 is a more detailed block diagram of an embodiment of the detecting module and the scanning module of FIG. 1.
- FIG. 3 is a block diagram illustrating an embodiment of a security policy management module.
- FIG. 4 is a flow diagram illustrating an embodiment of the steps performed by the detecting module and the scanning module of FIG. 1.
- FIG. 1 illustrates a block diagram of an embodiment of a security system 100. The security system 100 includes a first network device 110 communicating with a server 115. The first network device 110 can be any personal computer, smart or dumb terminal, network computer, wireless device (e.g., cellular telephone or personal digital assistant), information appliance, workstation, minicomputer, mainframe computer or other computing device. The first network device 110 can also include a network infrastructure device, such as a router, switch, or firewall.
- The first network device 110 is in communication with the server 115 over a first network device-server communication channel 120. Example embodiments of the communication channel 120 include standard telephone lines, LAN or WAN links (e.g., T1, T3, 56 kb, X.25), broadband connections (ISDN, Frame Relay, ATM), and wireless connections. The connections over the communication channel 120 can be established using a variety of communication protocols (e.g., HTTP, HTTPS, TCP/IP, IPX, SPX, NetBIOS, Ethernet, RS232, messaging application programming interface (MAPI) protocol, real-time streaming protocol (RTSP), real-time streaming protocol used for user datagram protocol scheme (RTSPU), the Progressive Networks Multimedia (PNM) protocol developed by RealNetworks, Inc. of Seattle, Wash., manufacturing message specification (MMS) protocol, and direct asynchronous connections).
- In one embodiment, the first network device-server communication channel 120 is established over a network 125. Exemplary embodiments of the network 125 include the World Wide Web (i.e., “web”), the Internet, and a Virtual Private Network (VPN). In one embodiment, the first network device 110 includes a web browser 128, such as INTERNET EXPLORER developed by Microsoft Corporation of Redmond, Wash., to connect to the network 125. Moreover, the security system 100 can include any number of network devices, such as the first network device 110 and a second network device 110′. Although described above and below with respect to the first network device 110, the description also applies to the second network device 110′.
- The server 115 can be any of the devices (e.g., wireless device, personal computer, etc.) described above for the first network device 110. The server 115 includes a detecting module 130 and a scanning module 135. Although shown as modules server 115, one or both of the modules server 115. For example, the detecting module 130 can execute on another device (not shown) and communicate with the scanning module 135 on the server 115. In another embodiment, the detecting module 130 and the scanning module 135 are incorporated into a single software module, such as a network examining module 137.
- The detecting module 130 and the scanning module 135 can be plug-in modules or stand-alone modules. Further, the detecting module 130 and/or the scanning module 135 can be downloaded to the server 115 over the web (e.g., from a web site), can be installed via portable means (e.g., disk, CD-ROM, etc.), can be received in an email (e.g., an email attachment), and the like.
- The detecting module 130 detects connection of the first network device 110 to the network 125 when the first network device 110 connects to the network 125. In one embodiment, attachment (or connection) to the network 125 occurs when the first network device 110 communicates with any other device or node of the network 125. The scanning module 135 performs remote scanning of the first network device 110 in response to the detection of the first network device 110. In particular, the scanning module 135 performs remote, agentless scanning of the first network device 110. Therefore, the scanning module 135 scans the first network device 110 without the use of software loaded on the first network device 110. The remote agentless scan can include a vulnerability scan and/or an audit scan. A vulnerability scan includes, for instance, a port scan and/or probing the first network device 110 against a large list of known vulnerabilities. An audit scan can include comparing current settings to a security policy or group of expected results. In one embodiment, the scanning module 135 takes an inventory of the first network device 110. For example, the scanning module 135 can determine which software is loaded onto or executing on the first network device 110, how frequently each software module or program executes or is accessed, the first network device's security policy, and the like.
- In a further embodiment, the server 115 is a member of a server farm 140, or server network, which is a logical group of one or more servers that are administered as a single entity. In one embodiment, a server farm 140 includes multiple servers FIG. 1 has three servers 115, the server farm 140 can have any number of servers. In other embodiments, the server farm 140 is a protected network that is inaccessible by unauthorized individuals, such as corporate Intranet, VPN, or secure extranet. Additionally, the servers 115 making up the server farm 140 may communicate over any of the networks described above (e.g., WAN, LAN) using any of the protocols discussed. Although described above and below as operating within a client-server network 125, the detecting module 130 and/or the scanning module 135 can alternatively be implemented in any type of network (e.g., peer-to-peer network).
- FIG. 2 shows a more detailed block diagram of the detecting module 130 and the scanning module 135. The detecting module 130 includes a detection action module 210 that performs one or more actions to detect when the first network device 110 attaches to the network 125. The scanning module 135 includes a scanning action module 215 that performs one or more actions upon the detection of the first network device's connection to the network 125.
- To detect the first network device's connection to the network 125, the detection action module 210 can, for instance, continuously poll a database for data about connections to the network 125. In one embodiment, continuous polling of the database can be an unending repetition of checking the database at an extremely short frequency. In one embodiment, the first network device 110 registers with a database (e.g., a registration database) when the first network device 110 connects to the network 125. Registration includes, for instance, sending particular data (e.g., network address) about the first network device 110 to the registration database when the first network device 110 connects to the network 125. In one embodiment, the detection action module 210 continuously polls a LDAP server (e.g., a Directory System Agent (DSA)) in order to determine when the first network device 110 attaches to the network. In another embodiment, the registration database (e.g., on a DSA) is triggered (e.g., using a Structured Query Language trigger) when a new network device (e.g., the first network device 110) registers with the database. The detection action module 210 can communicate with the registration database when the database is triggered.
- In another embodiment, the detection action module 210 can communicate with a browser service to detect when the first network device 110 connects to the network 125. In yet another embodiment, the detection action module 210 communicates with a DNS server to determine when the first network device 110 connects to the network 125. The detection action module 210 can also perform indirect queries, such as using an LDAP persistent search, to detect the first network device 110 when the device connects to the network 110.
- When the detection action module 210 determines that the first network device 110 has connected to the network 125, the detection action module 210 notifies the scanning module 135 of the new attachment. The scanning module 135 then automatically and remotely scans the first network device 110 without using an agent (i.e., agentless).
- The scanning module 135 can take an inventory of the first network device 110. In one embodiment, the scanning action module 215 scans the first network device 110 for all software programs loaded on and/or executing on the first network device 110. The scanning action module 215 can also scan the first network device 110 for particular software programs (e.g., programs loaded before a specific date, programs created by a particular developer, a specific virus (e.g., Blaster worm), etc.). Moreover, the scanning action module 215 can also interrogate the first network device 110 with a query about a particular item (e.g., program).
- For example, the scanning module 135 can scan the first network device 110 for the latest patches, to determine if anti-virus software is installed, to determine whether firewall software is installed (and what kind), to determine if the first network device 110 belongs to an appropriate windows domain, and/or the privileges of the users of the first network device 110 (e.g., which users have administrative privileges). The scanning module 135 can also scan the first network device 110 to determine how the first network device 110 communicates with the network 125 and/or how the first network device 110 receives power (e.g., whether the first network device 110 is plugged into a wall socket (e.g., if the first network device 110 is a laptop), if the first network device 110 connects to the network 125 via a wireless access, or connects to the network 125 via a VPN).
- The scanning module 135 can also perform maintenance, such as by fixing/updating software on the first network device 110. The scanning module 135 can perform these fixes automatically (e.g., periodically), as part of a manually invoked scan, or through a scheduled scan. With respect to the first network device's security policy, for example, the scanning module 135 can assign priority to items and fix individual items, groups of items, or global problems in the security policy. For example, the scanning module 135 can fix deviations in the security policy of the first network device 110 relative to a predetermined security policy. In another embodiment, the scanning module 135 applies a software patch to the first network device 110. The scanning module 135 can apply this patch automatically, can first notify the first network device 110 and wait for the device's response, can only notify the first network device 110 that the particular patch is needed to update the first network device's software, etc. Additionally, the scanning module 135 can also enable a rollback of the fix if the fix causes unexpected side effects.
- The scanning module 135 can also detect anomalies. For example, if the first network device 110 is a server that always services requests from other devices, an anomaly occurs when the server begins making requests. If the scanning module 135 determines that this is occurring, the server is likely a security risk and/or infected with a virus. The scanning action module 215 can then perform one or more of the actions described above or below (e.g., quarantine the first network device 110, report the anomaly, ensure compliance with a security policy, etc.). Another example of an anomaly that warrants maintenance is if the first network device 110 maintains and has maintained (e.g., for years) a particular load (e.g., 5% load) and then unexpectedly maintains a load of approximately 95%. This load increase can be a sign of an infected device that may need to be quarantined or fixed.
- In further embodiments, the scanning module 135 enables a user to view the scans (i.e., scan results) in real-time for substantially immediate feedback and early detection and response planning. Alternatively, the scanning module 135 saves scans to one or more files or databases for offline analysis and reporting. Moreover, the scanning module 135 can follow a schedule for the timing of its scans. The scanning module 135 can also scan the first network device 110 as the first network device 110 attaches to a quarantined network. The first network device 110 can then switch to the corporate network if the first network device 110 passes an agentless scan.
- In one embodiment, the scanning module 135 archives the results of scans in a history database. The history database can be part of the scanning module 135 or may communicate with the scanning module 135. The scanning module 135 can also cache the type of device that the scanning module 135 scanned.
- In some embodiments, the scanning module 135 quarantines (or enables quarantining of) software on the first network device 110. For example, if the scanning module 135 locates a particular virus within a program on the first network device 110, the scanning module 135 may quarantine the program having the virus or the first network device 110. The scanning module 135 can quarantine the program to enable subsequent analysis of the program, such as to enable the disinfecting of the program, in a “closed” environment (i.e., not connected to a network). Moreover, the quarantining of the software program having a virus bolsters security by further ensuring that the virus does not affect other network devices (e.g., the second network device 110′) or other programs executing or loaded onto the first network device 110 (e.g., other user's software executing on the first network device 110). The scanning module 135 can also quarantine the first network device 110 that failed a scan by turning off the router port for the first network device 110 (e.g., at the switch). The scanning module 135 may also perform security functions for the first network device 110.
- Although shown as separate modules detection action module 210 and/or the scanning action module 215 can be incorporated into the detecting module 130 and/or the scanning module 135. Moreover, the scanning module 135 and the detecting module 130 can be incorporated into a single module.
- In one embodiment and referring to FIG. 3, the scanning module 135 includes a security policy management module 305. The security policy management module 305 performs security policy management functions to the security policy of the first network device 110. For example, the security policy management module 305 can set the security policy of the first network device 110 (step 310). In one embodiment, the security policy management module 305 sets the first network device's security policy as a security policy that is an industry standard, such as, for example, a security policy developed by Microsoft Corporation of Redmond, Wash., System Administration, Networking, and Security (SANS) Institute, National Security Agency (NSA), National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), and the Department of U.S. Navy. Additionally, the security policy management module 305 can also enable customization of the security policy. This customization can be, for instance, expression based.
- The security policy management module 305 can also audit the security of the first network device 110 (step 315). In one embodiment, the auditing step includes a data collection process that gathers data from each device (e.g., the first network device 110) over the network 125. The security policy management module 305 stores the collected data in, e.g., a database. The amount of and type of data that the security policy management module 305 collects can vary depending on, for example, the function of the first network device 110 (e.g., if the first network device 110 is a web server, a database, a file server, etc.) and the platform of the first network device 110 (e.g., UNIX (developed by Bell Laboratories of Murray Hill, N.J.) or WindowsXP® (developed by Microsoft Corporation of Redmond, Wash.)).
- In one embodiment, the security policy management module 305 enables multiple levels of settings, multiple patches (e.g., for applications and the operating system), software and/or hardware inventory, complete and/or sparse audits, and can also enable a user (e.g., an auditor) to view their rights and/or responsibilities. These rights/responsibilities are associated with the user's role and scope of the project. The rights/responsibilities can be associated with the first network device 110, specific security policy files, scanning, and the like. Moreover, the security policy management module 305 can also audit a group of devices (e.g., the first and second network devices
- The security policy management module 305 can also identify missing patches and identify unauthorized software (e.g., software with back doors), delete unlicensed or unauthorized software, identify unauthorized hardware (e.g., modems, wireless access points), eliminate unused system administration passwords on distributed systems, and/or provide control of external auditors' rights and responsibilities.
- The security policy management module 305 can also automatically ensure that the first network device 110 complies with the requisite security policy (previously set) (step 320). For example, the security policy management module 305 can configure the first network device 110 with the correct security settings, can identify, manage, and/or update patches that the first network device 110 needs or has, and/or can add/delete software and/or hardware.
- In more detail, the security policy management module 305 can verify and/or change, for instance, passwords, system level settings, users, groups, rights, account policies, key permissions, file permissions, registry settings, and/or weak passwords. Moreover, the security policy management module 305 can detect, for example, an operating system, software inventory, the version level of the software, hardware devices, and/or unauthorized modems. Additionally, the security policy management module 305 can be scalable to any device or enterprise and enables remote, agentless auditing and reporting. In other embodiments, the security policy management module 305 restores any or all system settings, files, or file attributes of the first network device 110.
- The security policy management module 305 can also address additional security vulnerabilities of the first network device 110. Particular examples include assuring password compliance, discovering and configuring unauthorized modems, managing licensed software and revisions, and/or verifying virus detection software and updates.
- The security policy management module 305 can also report the security policy information (step 325) or transmit the report to the first network device 110 (or any other device). The report can include detailed reports, such as reports with item-by-item and device-by-device listings, roll-up reports with device summaries for finding problem areas, executive summary reports with overall status reporting and high level charts, and trend reports that can be used to graph progress over time.
- Although described above with a particular order (e.g.,
step 310,step 315, etc.), the functions that the securitypolicy management module 305 performs can occur in any order and at any time. Further, these steps can be implemented in any of the modules (e.g., scanning module 135) described above and below. - Referring to
FIG. 4 , the detectingmodule 130 detects thefirst network device 110 when thefirst network device 110 connects to the network 125 (step 410). In one embodiment, the detectingmodule 130 intercepts data packets transmitted by thefirst network device 110 to detect the first network device 110 (step 415). The detectingmodule 130 may also inspect data packets that are communicated over thenetwork 125 for any data packets associated with the first network device 110 (step 420). - As part of the interception (step 415) and/or inspection (step 420) of data packets over the
network 125, the detectingmodule 130 can perform one or more of a Network Basic Input/Output System (NetBios) broadcast, an ARP request or broadcast, a dynamic DNS registration, a Dynamic Host Configuration Protocol (DHCP) request, a Bootstrap Protocol (BOOTP) request, a Windows Domain Registration, a DNS query, and a “first packet seen” determination. Thedetection step 410 can also include port authentication. - The
detection step 410 can also include continuous queries of, for example, a data source such as a database. These include broadcasting pings (step 425) to all network devices connected to thenetwork 125 to detect any network devices that have not yet been detected, querying one or more ARP tables of one or more network communication devices (e.g., router and/or switch) to determine if an address associated with a new network device (e.g., the first network device 110) is located on the table (step 430), monitoring event log/syslog (step 435), a Simple Network Management Protocol (SNMP) query (e.g., to a router), LDAP query (e.g., to an Active Directory) (step 440), DNS query (step 440), switch port or Virtual Local Area Network (VLAN) status, and/or “sniffing” thenetwork 125. - In response to detecting the
first network device 110, thescanning module 135 remotely scans thefirst network device 110. In one embodiment, the detectingmodule 130 communicates the detection to thescanning module 135 upon the detection of thefirst network device 110. - To scan the
first network device 110, thescanning module 135 can determine properties (e.g., credentials) associated with the first network device 110 (step 445) so that thescanning module 135 can perform the scan on thefirst network device 110. The properties can come from a database (e.g., a “credentials store”), or the properties of the process performing the scan may enable a scan. The properties can include, for instance, a user name and password to log into thefirst network device 110. - In one embodiment, the
scanning module 135 then determines the identity (e.g., type) of the first network device 110 (step 450). Thescanning module 135 determines the identity of thefirst network device 110 to determine the protocols and/or application program interfaces (APIs) to use in the scanning of thefirst network device 110. To determine the identity of thefirst network device 110, thescanning module 135 can query a database where the identity has already been determined (e.g., querying an Active Directory or Structured Query Language (SQL) Server), examine network traffic, analyze network behavior, probe thedevice 110 for “signature” responses (i.e., responses known to be unique to that type of device 110), and/or attempt to log into thefirst network device 110 using a series of protocols (e.g., Windows Networking Protocol (developed by Microsoft of Redmond, Wash.), Secure Shell (SSH) logged in, thescanning module 135 can query thefirst network device 110 for data, such as by looking for the presence of the file/etc/passwd to deduce a UNIX computer, or perform a Registry query on a Windows computer. Further, the determination of the properties of the first network device can also include the determining of the identity of the first network device 110 (i.e., steps 445 and 450 can be combined into a single step). - The
scanning module 135 then determines what to scan (step 455). As described above and depending on the identity ofdevice 110 and user preferences, thescanning module 135 can determine which policy settings to audit. For example, on aMicrosoft Windows computer 110, thescanning module 135 may scan for missing Windows Hotfixes. On a Solaris® computer (developed by Sun Microsystems, Inc. of Santa Clara, Calif.), thescanning module 135 can scan for missing Solaris® patches. - The
scanning module 135 can also execute and/or remove software from thefirst network device 110 as part of its scan. Thescanning module 135 can additionally compare security settings of thefirst network device 110 with predefined security settings to, e.g., ensure compliance with the predefined security settings. For instance, a template may be followed for a group security policy. In one embodiment, if thescanning module 135 determines that three settings in the first network device's policy are different than the template, thescanning module 135 may change the settings to match the template or may take another action as a result of the difference. Alternatively, thescanning module 135 reports the difference as a result of the comparison. - In some embodiments, the
scanning module 135 enables thefirst network device 110 to have additional access to thenetwork 125 or denies the first network device's access to thenetwork 125. In one embodiment, enabling additional access to thenetwork 125 includes enabling access to new areas of thenetwork 125, such as if thenetwork 125 is segmented by firewalls or filtering routers (e.g., it is in a limited quarantine). Further, thescanning module 135 may also notify another (e.g., the authorities) when data obtained from the scan poses a security threat. For example, thescanning module 135 can compare the scan results to a list of predetermined security terms and notify the authorities if a match is found. - In one embodiment, the
scanning module 135 and/or the detectingmodule 130 can notify the customer (e.g., the user of the first network device 110) when a security setting changes. This notification can be with a phone call, e-mail, or directly with another software application. In another embodiment, thescanning module 135 is integrated into a software application's help desk software so that a help desk ticket is automatically opened when a failed scan occurs. The help desk ticket can result in a network administrator visiting thefirst network device 110 to interrogate thedevice 110. Although illustrated with particular steps (e.g., steps 415-460), the detectingmodule 130 and/or thescanning module 135 can perform any combination of these steps in any order. - Although the present invention has been described with reference to specific details, it is not intended that such details should be regarded as limitations upon the scope of the invention, except as and to the extent that they are included in the accompanying claims.
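The flow described above (query ARP tables for an address that was not there before, step 430; scan the new device; compare its settings with a template; then grant additional access or keep the device quarantined) is sketched below as an added example that is not code from the patent. The template rules, setting names, addresses and the `constructed_scan` stand-in for the remote scan are assumptions made for illustration.

```python
import operator
from dataclasses import dataclass

OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le}
NOT_COLLECTED = "<not collected>"

# Hypothetical policy template: setting name -> (comparison, required value).
TEMPLATE = {
    "antivirus_running": ("==", True),
    "guest_account_enabled": ("==", False),
    "min_password_length": (">=", 8),
}

# Constructed ARP-table snapshots as (ip, mac) pairs, e.g. polled from a router.
ARP_BEFORE = [("192.0.2.5", "00-11-22-AA-BB-01"), ("192.0.2.9", "00:11:22:aa:bb:02")]
ARP_AFTER = [
    ("192.0.2.5", "00:11:22:aa:bb:01"),
    ("192.0.2.31", "0011.22AA.BB02"),      # known device holding a new DHCP lease
    ("192.0.2.40", "00:11:22:aa:bb:03"),
    ("192.0.2.41", "00:11:22:aa:bb:04"),
]

# Constructed scan results standing in for the remote, credentialed scan.
SCAN_RESULTS = {
    "192.0.2.40": {"antivirus_running": True, "guest_account_enabled": False,
                   "min_password_length": 10},
    "192.0.2.41": {"antivirus_running": False, "min_password_length": 6},
}


@dataclass(frozen=True)
class Difference:
    setting: str
    required: str
    actual: object


@dataclass(frozen=True)
class ScanOutcome:
    mac: str
    ip: str
    access: str          # "full" or "quarantine"
    differences: list


def normalize_mac(mac):
    """Return a lower-case, colon-separated MAC so differing table formats compare equal."""
    digits = mac.lower().translate(str.maketrans("", "", ":-."))
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def new_devices(previous, current):
    """Return {mac: ip} for MACs present now but absent from the previous snapshot.

    Keyed on MAC, so a known device that only changed IP is not reported again.
    """
    known = {normalize_mac(mac) for _ip, mac in previous}
    return {normalize_mac(mac): ip for ip, mac in current
            if normalize_mac(mac) not in known}


def compare_to_template(settings, template=TEMPLATE):
    """List every template rule the scanned settings fail.

    A setting the scan did not collect, or one of the wrong type, counts as a
    difference, so an incomplete scan never passes.
    """
    differences = []
    for name in sorted(template):
        op, required = template[name]
        actual = settings.get(name, NOT_COLLECTED)
        if type(actual) is not type(required) or not OPS[op](actual, required):
            differences.append(Difference(name, f"{op} {required!r}", actual))
    return differences


def scan_new_devices(previous, current, scan, template=TEMPLATE):
    """Scan each newly seen device and decide its network access."""
    outcomes = []
    for mac, ip in sorted(new_devices(previous, current).items()):
        differences = compare_to_template(scan(ip), template)
        access = "quarantine" if differences else "full"
        outcomes.append(ScanOutcome(mac, ip, access, differences))
    return outcomes


def constructed_scan(ip):
    """Stand-in for the remote scan: look up the constructed results above."""
    return SCAN_RESULTS.get(ip, {})


if __name__ == "__main__":
    for outcome in scan_new_devices(ARP_BEFORE, ARP_AFTER, constructed_scan):
        print(outcome.ip, outcome.mac, outcome.access)
        for diff in outcome.differences:
            print(f"  {diff.setting}: required {diff.required}, found {diff.actual!r}")
```

The second device fails three template rules, one of them because the scan returned no value for it, and stays in quarantine; reporting the differences is one of the responses the text lists, alongside changing the settings to match the template.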
Claims (26)
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/683,564 US20050097199A1 (en) | 2003-10-10 | 2003-10-10 | Method and system for scanning network devices |
PCT/US2004/033286 WO2005036360A2 (en) | 2003-10-10 | 2004-10-07 | Method and system for scanning network devices |
US11/862,990 US8281019B1 (en) | 2003-10-10 | 2007-09-27 | Method and system for scanning network devices |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/683,564 US20050097199A1 (en) | 2003-10-10 | 2003-10-10 | Method and system for scanning network devices |
Related Child Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/862,990 Continuation US8281019B1 (en) | 2003-10-10 | 2007-09-27 | Method and system for scanning network devices |
Publications (1)
Publication Number | Publication Date |
---|---|
US20050097199A1 (en) | 2005-05-05 |
Family
ID=34435396
Family Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/683,564 Abandoned US20050097199A1 (en) | 2003-10-10 | 2003-10-10 | Method and system for scanning network devices |
US11/862,990 Active 2026-01-03 US8281019B1 (en) | 2003-10-10 | 2007-09-27 | Method and system for scanning network devices |
Family Applications After (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/862,990 Active 2026-01-03 US8281019B1 (en) | 2003-10-10 | 2007-09-27 | Method and system for scanning network devices |
Country Status (2)
Country | Link |
---|---|
US (2) | US20050097199A1 (en) |
WO (1) | WO2005036360A2 (en) |
Cited By (74)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050125526A1 (en) * | 2003-12-09 | 2005-06-09 | Tsun-Sheng Chou | Method, apparatus and system of anti-virus software implementation |
US20050149480A1 (en) * | 2004-01-06 | 2005-07-07 | Sachin Deshpande | Intelligent discovery of shares |
US20050262559A1 (en) * | 2004-05-19 | 2005-11-24 | Huddleston David E | Method and systems for computer security |
US20060004830A1 (en) * | 2004-06-07 | 2006-01-05 | Lora Brian M | Agent-less systems, methods and computer program products for managing a plurality of remotely located data storage systems |
US20060026686A1 (en) * | 2004-07-30 | 2006-02-02 | Trueba Luis R Z | System and method for restricting access to an enterprise network |
US20060026283A1 (en) * | 2004-07-30 | 2006-02-02 | Trueba Luis Ruben Z | System and method for updating software on a computer |
US20060041534A1 (en) * | 2004-05-24 | 2006-02-23 | Atwell Micah E | Remote infrastructure management |
US20060069805A1 (en) * | 2004-07-30 | 2006-03-30 | Microsoft Corporation | Network system role determination |
US20060075128A1 (en) * | 2004-10-04 | 2006-04-06 | Promisec Ltd. | Method and device for questioning a plurality of computerized devices |
US20060101409A1 (en) * | 2004-10-21 | 2006-05-11 | Bemmel Jeroen V | Method, apparatus and network architecture for enforcing security policies using an isolated subnet |
US20060112427A1 (en) * | 2002-08-27 | 2006-05-25 | Trust Digital, Llc | Enterprise-wide security system for computer devices |
US20060149408A1 (en) * | 2003-10-10 | 2006-07-06 | Speeter Thomas H | Agent-less discovery of software components |
US20060195566A1 (en) * | 2005-02-25 | 2006-08-31 | Hurley Mark E | Method and system for taking remote inventory in a network |
US20060224742A1 (en) * | 2005-02-28 | 2006-10-05 | Trust Digital | Mobile data security system and methods |
US20070004406A1 (en) * | 2005-06-30 | 2007-01-04 | Nokia Corporation | System coordinated WLAN scanning |
US20070028302A1 (en) * | 2005-07-29 | 2007-02-01 | Bit 9, Inc. | Distributed meta-information query in a network |
US20070043674A1 (en) * | 2005-08-09 | 2007-02-22 | Tripwire, Inc. | Information technology governance and controls methods and apparatuses |
US20070143824A1 (en) * | 2003-12-23 | 2007-06-21 | Majid Shahbazi | System and method for enforcing a security policy on mobile devices using dynamically generated security profiles |
US20070150559A1 (en) * | 2005-12-28 | 2007-06-28 | Intel Corporation | Method and apparatus for dynamic provisioning of an access control policy in a controller hub |
US20070250932A1 (en) * | 2006-04-20 | 2007-10-25 | Pravin Kothari | Integrated enterprise-level compliance and risk management system |
US20080137593A1 (en) * | 2006-10-23 | 2008-06-12 | Trust Digital | System and method for controlling mobile device access to a network |
US20080148407A1 (en) * | 2006-12-18 | 2008-06-19 | Cat Computer Services Pvt Ltd | Virus Detection in Mobile Devices Having Insufficient Resources to Execute Virus Detection Software |
US20080244063A1 (en) * | 2007-03-26 | 2008-10-02 | Vinayak Risbud | Automatically detecting managed servers in a network |
US20090031403A1 (en) * | 2006-03-31 | 2009-01-29 | Huang Evan S | Methods and Apparatuses for Securely Operating Shared Host Computers With Portable Apparatuses |
US20090083439A1 (en) * | 2007-09-20 | 2009-03-26 | Konica Minolta Business Technologies, Inc. | Data transmission device, data transmission system and address registration method |
US20090092126A1 (en) * | 2007-10-03 | 2009-04-09 | Verizon Data Services Inc. | Method and system for retrieving log messages from customer premise equipment |
US20090106828A1 (en) * | 2007-10-12 | 2009-04-23 | Konica Minolta Business Technologies, Inc. | Device administration apparatus, device administration method and recording medium |
US20100005107A1 (en) * | 2008-07-03 | 2010-01-07 | Tripwire, Inc. | Method and apparatus for continuous compliance assessment |
US20100115582A1 (en) * | 2008-11-06 | 2010-05-06 | Trust Digital | System, method, and device for mediating connections between policy source servers, corporate respositories, and mobile devices |
US7720031B1 (en) | 2004-10-15 | 2010-05-18 | Cisco Technology, Inc. | Methods and devices to support mobility of a client across VLANs and subnets, while preserving the client's assigned IP address |
US20100218235A1 (en) * | 2009-02-25 | 2010-08-26 | Ganot Asaf | Method and system for temporarily removing group policy restrictions remotely |
US7793338B1 (en) * | 2004-10-21 | 2010-09-07 | Mcafee, Inc. | System and method of network endpoint security |
US20100333199A1 (en) * | 2009-06-25 | 2010-12-30 | Accenture Global Services Gmbh | Method and system for scanning a computer system for sensitive content |
US20110055381A1 (en) * | 2009-09-03 | 2011-03-03 | Mcafee, Inc. | Host information collection |
US20110078108A1 (en) * | 2009-09-29 | 2011-03-31 | Oracle International Corporation | Agentless data collection |
US20110093954A1 (en) * | 2009-10-19 | 2011-04-21 | Electronics And Telecommunications Research Institute | Apparatus and method for remotely diagnosing security vulnerabilities |
US20110191817A1 (en) * | 2010-02-01 | 2011-08-04 | Samsung Electronics Co., Ltd. | Host apparatus, image forming apparatus, and method of managing security settings |
US8065712B1 (en) * | 2005-02-16 | 2011-11-22 | Cisco Technology, Inc. | Methods and devices for qualifying a client machine to access a network |
US20120030757A1 (en) * | 2010-07-28 | 2012-02-02 | Bank Of America Corporation | Login initiated scanning of computing devices |
US8244761B1 (en) | 2007-10-18 | 2012-08-14 | United Services Automobile Association (Usaa) | Systems and methods for restricting access to internal data of an organization by external entity |
US20120221752A1 (en) * | 2010-03-17 | 2012-08-30 | Hisashi Ishihara | Device management apparatus, device management system, information management method, information management program and recording medium storing the program therein |
US8272058B2 (en) * | 2005-07-29 | 2012-09-18 | Bit 9, Inc. | Centralized timed analysis in a network security system |
US20120278866A1 (en) * | 2008-07-28 | 2012-11-01 | Huang Evan S | Methods and apparatuses for securely operating shared host computers with portable apparatuses |
US20130152196A1 (en) * | 2011-12-08 | 2013-06-13 | Microsoft Corporation | Throttling of rogue entities to push notification servers |
WO2013101386A1 (en) * | 2011-12-29 | 2013-07-04 | Mcafee, Inc. | System and method for cloud based scanning for computer vulnerabilities in a network environment |
US8484725B1 (en) * | 2005-10-26 | 2013-07-09 | Mcafee, Inc. | System, method and computer program product for utilizing a threat scanner for performing non-threat-related processing |
US20130246621A1 (en) * | 2008-07-30 | 2013-09-19 | Efrain Ortiz, Jr. | System, method, and computer program product for managing a connection between a device and a network |
WO2013155236A1 (en) * | 2012-04-10 | 2013-10-17 | Mcafee, Inc. | Opportunistic system scanning |
TWI415419B (en) * | 2009-01-17 | 2013-11-11 | Chunghwa Telecom Co Ltd | System and method for detecting and fixing faults of network connection apparatus |
US20140244839A1 (en) * | 2013-02-28 | 2014-08-28 | Samsung Electronics Co., Ltd. | Method and apparatus for monitoring internet connection status in wireless communication system |
WO2014160204A1 (en) * | 2013-03-14 | 2014-10-02 | Amazon Technologies, Inc. | Inferring application inventory |
US8862730B1 (en) * | 2006-03-28 | 2014-10-14 | Symantec Corporation | Enabling NAC reassessment based on fingerprint change |
US8935384B2 (en) | 2010-05-06 | 2015-01-13 | Mcafee Inc. | Distributed data revocation using data commands |
US20150033351A1 (en) * | 2003-07-01 | 2015-01-29 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9043920B2 (en) | 2012-06-27 | 2015-05-26 | Tenable Network Security, Inc. | System and method for identifying exploitable weak points in a network |
US9088606B2 (en) | 2012-07-05 | 2015-07-21 | Tenable Network Security, Inc. | System and method for strategic anti-malware monitoring |
US9118708B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Multi-path remediation |
US9117069B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Real-time vulnerability monitoring |
CN104869020A (en) * | 2015-05-22 | 2015-08-26 | 国云科技股份有限公司 | Method of monitoring cloud server network port |
US20150264059A1 (en) * | 2009-04-09 | 2015-09-17 | George Mason Research Foundation, Inc. | Malware detector |
US9209996B2 (en) | 2005-03-31 | 2015-12-08 | Tripwire, Inc. | Data processing environment change management methods and apparatuses |
US9225686B2 (en) | 2003-07-01 | 2015-12-29 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9467464B2 (en) | 2013-03-15 | 2016-10-11 | Tenable Network Security, Inc. | System and method for correlating log data to discover network vulnerabilities and assets |
US9489652B1 (en) * | 2012-05-30 | 2016-11-08 | Crimson Corporation | Obtaining and running a local query on a computing device |
US9602538B1 (en) * | 2006-03-21 | 2017-03-21 | Trend Micro Incorporated | Network security policy enforcement integrated with DNS server |
US9680872B1 (en) | 2014-03-25 | 2017-06-13 | Amazon Technologies, Inc. | Trusted-code generated requests |
US20170180410A1 (en) * | 2014-09-12 | 2017-06-22 | Salesforce.Com, Inc. | Cloud-based security profiling, threat analysis and intelligence |
US9854001B1 (en) * | 2014-03-25 | 2017-12-26 | Amazon Technologies, Inc. | Transparent policies |
US10318894B2 (en) | 2005-08-16 | 2019-06-11 | Tripwire, Inc. | Conformance authority reconciliation |
CN110086812A (en) * | 2019-04-29 | 2019-08-02 | 广州大学 | A kind of safely controllable intranet security patrol police's system and method |
US20200007570A1 (en) * | 2018-06-29 | 2020-01-02 | Forescout Technologies, Inc. | Visibility and scanning of a variety of entities |
US10803437B2 (en) * | 2015-08-28 | 2020-10-13 | Ncr Corporation | Self-service terminal technical state monitoring and alerting |
US10974139B2 (en) * | 2017-11-09 | 2021-04-13 | Disney Enterprises, Inc. | Persistent progress over a connected device network and interactive and continuous storytelling via data input from connected devices |
US20220150217A1 (en) * | 2017-02-27 | 2022-05-12 | Alireza Shameli-Sendi | Firewall rule set composition and decomposition |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8234393B2 (en) * | 2007-11-16 | 2012-07-31 | Red Hat, Inc. | Generic network protocol scripting |
US8463758B2 (en) * | 2011-05-13 | 2013-06-11 | Piriform Ltd. | Network registry and file cleaner |
US9032520B2 (en) | 2012-02-22 | 2015-05-12 | iScanOnline, Inc. | Remote security self-assessment framework |
US9571372B1 (en) * | 2013-01-24 | 2017-02-14 | Symantec Corporation | Systems and methods for estimating ages of network devices |
US9798749B2 (en) | 2013-03-29 | 2017-10-24 | Piriform Ltd. | Multiple user profile cleaner |
US9256625B2 (en) | 2013-04-24 | 2016-02-09 | Piriform Ltd. | Cleaner with computer monitoring |
US9262464B2 (en) | 2013-04-24 | 2016-02-16 | Piriform Ltd. | Cleaner with browser monitoring |
CN104427518A (en) * | 2013-08-19 | 2015-03-18 | 中兴通讯股份有限公司 | Router and method |
US9626277B2 (en) | 2015-04-01 | 2017-04-18 | Microsoft Technology Licensing, Llc | Anomaly analysis for software distribution |
RU2636700C1 (en) * | 2016-03-18 | 2017-11-27 | Акционерное общество "Лаборатория Касперского" | Method for eliminating vulnerabilities of devices having access to internet |
US11188655B2 (en) | 2016-05-18 | 2021-11-30 | Micro Focus Llc | Scanning information technology (IT) components for compliance |
US10949533B2 (en) * | 2017-03-24 | 2021-03-16 | DISH Technologies L.L.C. | Systems and methods for a virus scanning router |
CN114070575A (en) * | 2020-08-07 | 2022-02-18 | 奇安信科技集团股份有限公司 | Device detection processing method, device, electronic device, storage medium, and program |
Citations (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6324656B1 (en) * | 1998-06-30 | 2001-11-27 | Cisco Technology, Inc. | System and method for rules-driven multi-phase network vulnerability assessment |
US20010047407A1 (en) * | 2000-04-24 | 2001-11-29 | Moore Timothy M. | Systems and methods for determining the physical location of a computer's network interfaces |
US20020046260A1 (en) * | 1996-03-27 | 2002-04-18 | Michael D. Day Ii | Managing networked directory services with auto field population |
US20020161908A1 (en) * | 2000-11-06 | 2002-10-31 | Benitez Manuel Enrique | Intelligent network streaming and execution system for conventionally coded applications |
US20020174010A1 (en) * | 1999-09-08 | 2002-11-21 | Rice James L. | System and method of permissive data flow and application transfer |
US20030065936A1 (en) * | 2001-08-22 | 2003-04-03 | Wray Michael John | Method of performing a data processing operation |
US6546493B1 (en) * | 2001-11-30 | 2003-04-08 | Networks Associates Technology, Inc. | System, method and computer program product for risk assessment scanning based on detected anomalous events |
US20030182414A1 (en) * | 2003-05-13 | 2003-09-25 | O'neill Patrick J. | System and method for updating and distributing information |
US20030212779A1 (en) * | 2002-04-30 | 2003-11-13 | Boyter Brian A. | System and Method for Network Security Scanning |
US20040039827A1 (en) * | 2001-11-02 | 2004-02-26 | Neoteris, Inc. | Method and system for providing secure access to private networks with client redirection |
US20040193918A1 (en) * | 2003-03-28 | 2004-09-30 | Kenneth Green | Apparatus and method for network vulnerability detection and compliance assessment |
US6802009B1 (en) * | 1999-12-17 | 2004-10-05 | International Business Machines Corporation | Operating system security checking system, method, and program |
US20040234056A1 (en) * | 2001-07-17 | 2004-11-25 | Securelogix Corporation | Telephony security system |
US20040268145A1 (en) * | 2003-06-24 | 2004-12-30 | Nokia, Inc. | Apparatus, and method for implementing remote client integrity verification |
US20040264435A1 (en) * | 2003-06-24 | 2004-12-30 | Amalavoyal Chari | Method of wireless accessing |
US20050015760A1 (en) * | 2003-07-16 | 2005-01-20 | Oleg Ivanov | Automatic detection and patching of vulnerable files |
US20050050335A1 (en) * | 2003-08-29 | 2005-03-03 | Trend Micro Incorporated, A Japanese Corporation | Automatic registration of a virus/worm monitor in a distributed network |
US20060010492A9 (en) * | 2001-07-30 | 2006-01-12 | Axcelerant, Inc. | Method and apparatus for monitoring computer network security enforcement |
US6993448B2 (en) * | 2000-08-09 | 2006-01-31 | Telos Corporation | System, method and medium for certifying and accrediting requirements compliance |
US20070094378A1 (en) * | 2001-10-05 | 2007-04-26 | Baldwin Duane M | Storage Area Network Methods and Apparatus with Centralized Management |
US20070162965A1 (en) * | 1999-11-02 | 2007-07-12 | Cisco Technology, Inc. | Query data packet processing and network scanning method and apparatus |
US20070261121A1 (en) * | 1998-06-25 | 2007-11-08 | Jacobson Andrea M | Network Policy Management And Effectiveness System |
US20090320135A1 (en) * | 2003-04-12 | 2009-12-24 | Deep Nines, Inc. | System and method for network edge data protection |
Family Cites Families (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5675637A (en) | 1995-05-16 | 1997-10-07 | Inventions, Inc. | Method for automatically obtaining and presenting data from multiple data sources |
US6108492A (en) | 1997-02-14 | 2000-08-22 | Toshiba America Information Systems | Remote monitoring system |
US6058426A (en) | 1997-07-14 | 2000-05-02 | International Business Machines Corporation | System and method for automatically managing computing resources in a distributed computing environment |
GB2332288A (en) | 1997-12-10 | 1999-06-16 | Northern Telecom Ltd | agent enabling technology |
US6381640B1 (en) | 1998-09-11 | 2002-04-30 | Genesys Telecommunications Laboratories, Inc. | Method and apparatus for automated personalization and presentation of workload assignments to agents within a multimedia communication center |
US6360255B1 (en) * | 1998-06-25 | 2002-03-19 | Cisco Technology, Inc. | Automatically integrating an external network with a network management system |
US6564216B2 (en) * | 1998-10-29 | 2003-05-13 | Nortel Networks Limited | Server manager |
US6789101B2 (en) | 1999-12-08 | 2004-09-07 | International Business Machines Corporation | Automation system uses resource manager and resource agents to automatically start and stop programs in a computer network |
US7007301B2 (en) * | 2000-06-12 | 2006-02-28 | Hewlett-Packard Development Company, L.P. | Computer architecture for an intrusion detection system |
US20020188693A1 (en) * | 2001-06-04 | 2002-12-12 | Simpson Shell S. | System and method for requesting service for imaging data to a web service |
US7085808B2 (en) * | 2001-06-07 | 2006-08-01 | Nokia Corporation | Method for distinguishing clients in a communication system, a communication system; and a communication device |
US20030005092A1 (en) * | 2001-06-28 | 2003-01-02 | Nelson Dean S. | Method for locating and recovering devices which are connected to the internet or to an internet-connected network |
US7633942B2 (en) * | 2001-10-15 | 2009-12-15 | Avaya Inc. | Network traffic generation and monitoring systems and methods for their use in testing frameworks for determining suitability of a network for target applications |
US7152105B2 (en) * | 2002-01-15 | 2006-12-19 | Mcafee, Inc. | System and method for network vulnerability detection and reporting |
US7284062B2 (en) * | 2002-12-06 | 2007-10-16 | Microsoft Corporation | Increasing the level of automation when provisioning a computer system to access a network |
US20050204032A1 (en) * | 2003-07-17 | 2005-09-15 | Attaullah Mirza-Baig | Remote device management of software only solution |
US7324473B2 (en) * | 2003-10-07 | 2008-01-29 | Accenture Global Services Gmbh | Connector gateway |
Cited By (166)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8341693B2 (en) | 2002-08-27 | 2012-12-25 | Mcafee, Inc. | Enterprise-wide security system for computer devices |
US7865938B2 (en) | 2002-08-27 | 2011-01-04 | Mcafee, Inc. | Enterprise-wide security system for computer devices |
US20110162049A1 (en) * | 2002-08-27 | 2011-06-30 | Mcafee, Inc., A Delaware Corporation | Enterprise-wide security system for computer devices |
US7669237B2 (en) | 2002-08-27 | 2010-02-23 | Trust Digital, Llc | Enterprise-wide security system for computer devices |
US8850530B2 (en) | 2002-08-27 | 2014-09-30 | Mcafee, Inc. | Enterprise-wide security system for computer devices |
US9998478B2 (en) | 2002-08-27 | 2018-06-12 | Mcafee, Llc | Enterprise-wide security for computer devices |
US20060112427A1 (en) * | 2002-08-27 | 2006-05-25 | Trust Digital, Llc | Enterprise-wide security system for computer devices |
US9225686B2 (en) | 2003-07-01 | 2015-12-29 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US9118708B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Multi-path remediation |
US9117069B2 (en) | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Real-time vulnerability monitoring |
US9118709B2 (en) * | 2003-07-01 | 2015-08-25 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US20150033351A1 (en) * | 2003-07-01 | 2015-01-29 | Securityprofiling, Llc | Anti-vulnerability system, method, and computer program product |
US20060149408A1 (en) * | 2003-10-10 | 2006-07-06 | Speeter Thomas H | Agent-less discovery of software components |
US7730481B2 (en) * | 2003-12-09 | 2010-06-01 | Trend Micro Incorporated | Method, apparatus and system of anti-virus software implementation |
US20050125526A1 (en) * | 2003-12-09 | 2005-06-09 | Tsun-Sheng Chou | Method, apparatus and system of anti-virus software implementation |
US8635661B2 (en) | 2003-12-23 | 2014-01-21 | Mcafee, Inc. | System and method for enforcing a security policy on mobile devices using dynamically generated security profiles |
US20070143824A1 (en) * | 2003-12-23 | 2007-06-21 | Majid Shahbazi | System and method for enforcing a security policy on mobile devices using dynamically generated security profiles |
US20050149480A1 (en) * | 2004-01-06 | 2005-07-07 | Sachin Deshpande | Intelligent discovery of shares |
US7487136B2 (en) * | 2004-01-06 | 2009-02-03 | Sharp Laboratories Of America | Intelligent discovery of shares |
US8006301B2 (en) * | 2004-05-19 | 2011-08-23 | Computer Associates Think, Inc. | Method and systems for computer security |
US8590043B2 (en) | 2004-05-19 | 2013-11-19 | Ca, Inc. | Method and systems for computer security |
US20050262559A1 (en) * | 2004-05-19 | 2005-11-24 | Huddleston David E | Method and systems for computer security |
US20060041534A1 (en) * | 2004-05-24 | 2006-02-23 | Atwell Micah E | Remote infrastructure management |
US20060004830A1 (en) * | 2004-06-07 | 2006-01-05 | Lora Brian M | Agent-less systems, methods and computer program products for managing a plurality of remotely located data storage systems |
US7912940B2 (en) * | 2004-07-30 | 2011-03-22 | Microsoft Corporation | Network system role determination |
US8434152B2 (en) | 2004-07-30 | 2013-04-30 | Hewlett-Packard Development Company, L.P. | System and method for restricting access to an enterprise network |
US7509676B2 (en) * | 2004-07-30 | 2009-03-24 | Electronic Data Systems Corporation | System and method for restricting access to an enterprise network |
US20060069805A1 (en) * | 2004-07-30 | 2006-03-30 | Microsoft Corporation | Network system role determination |
US8146072B2 (en) | 2004-07-30 | 2012-03-27 | Hewlett-Packard Development Company, L.P. | System and method for updating software on a computer |
US20060026283A1 (en) * | 2004-07-30 | 2006-02-02 | Trueba Luis Ruben Z | System and method for updating software on a computer |
US20090183233A1 (en) * | 2004-07-30 | 2009-07-16 | Electronic Data Systems Corporation | System and Method for Restricting Access to an Enterprise Network |
US20060026686A1 (en) * | 2004-07-30 | 2006-02-02 | Trueba Luis R Z | System and method for restricting access to an enterprise network |
US20060075128A1 (en) * | 2004-10-04 | 2006-04-06 | Promisec Ltd. | Method and device for questioning a plurality of computerized devices |
US20060184682A1 (en) * | 2004-10-04 | 2006-08-17 | Promisec Ltd. | Method and device for scanning a plurality of computerized devices connected to a network |
US8566939B2 (en) * | 2004-10-04 | 2013-10-22 | Promisec Ltd. | Method and device for scanning a plurality of computerized devices connected to a network |
US8544099B2 (en) * | 2004-10-04 | 2013-09-24 | Promisec Ltd. | Method and device for questioning a plurality of computerized devices |
US7752671B2 (en) * | 2004-10-04 | 2010-07-06 | Promisec Ltd. | Method and device for questioning a plurality of computerized devices |
US20100235920A1 (en) * | 2004-10-04 | 2010-09-16 | Promisec Ltd. | Method and device for questioning a plurality of computerized devices |
US7720031B1 (en) | 2004-10-15 | 2010-05-18 | Cisco Technology, Inc. | Methods and devices to support mobility of a client across VLANs and subnets, while preserving the client's assigned IP address |
US20100195620A1 (en) * | 2004-10-15 | 2010-08-05 | Wen-Chun Cheng | Methods and devices to support mobility of a client across vlans and subnets, while preserving the client's assigned ip address |
US8005049B2 (en) | 2004-10-15 | 2011-08-23 | Cisco Technology, Inc. | Methods and devices to support mobility of a client across VLANs and subnets, while preserving the client's assigned IP address |
US7793338B1 (en) * | 2004-10-21 | 2010-09-07 | Mcafee, Inc. | System and method of network endpoint security |
US20060101409A1 (en) * | 2004-10-21 | 2006-05-11 | Bemmel Jeroen V | Method, apparatus and network architecture for enforcing security policies using an isolated subnet |
US7877786B2 (en) * | 2004-10-21 | 2011-01-25 | Alcatel-Lucent Usa Inc. | Method, apparatus and network architecture for enforcing security policies using an isolated subnet |
US8065712B1 (en) * | 2005-02-16 | 2011-11-22 | Cisco Technology, Inc. | Methods and devices for qualifying a client machine to access a network |
US20060195566A1 (en) * | 2005-02-25 | 2006-08-31 | Hurley Mark E | Method and system for taking remote inventory in a network |
US20060224742A1 (en) * | 2005-02-28 | 2006-10-05 | Trust Digital | Mobile data security system and methods |
US8495700B2 (en) | 2005-02-28 | 2013-07-23 | Mcafee, Inc. | Mobile data security system and methods |
US9209996B2 (en) | 2005-03-31 | 2015-12-08 | Tripwire, Inc. | Data processing environment change management methods and apparatuses |
US10728855B2 (en) | 2005-06-30 | 2020-07-28 | Nokia Technologies Oy | System coordinated WLAN scanning |
US9554327B2 (en) | 2005-06-30 | 2017-01-24 | Nokia Technologies Oy | System coordinated WLAN scanning |
US8856311B2 (en) * | 2005-06-30 | 2014-10-07 | Nokia Corporation | System coordinated WLAN scanning |
US11057835B2 (en) | 2005-06-30 | 2021-07-06 | Nokia Technologies Oy | System coordinated WLAN scanning |
US9516586B2 (en) | 2005-06-30 | 2016-12-06 | Nokia Technologies Oy | System coordinated WLAN scanning |
US20070004406A1 (en) * | 2005-06-30 | 2007-01-04 | Nokia Corporation | System coordinated WLAN scanning |
US20070028302A1 (en) * | 2005-07-29 | 2007-02-01 | Bit 9, Inc. | Distributed meta-information query in a network |
US8272058B2 (en) * | 2005-07-29 | 2012-09-18 | Bit 9, Inc. | Centralized timed analysis in a network security system |
US10264022B2 (en) | 2005-08-09 | 2019-04-16 | Tripwire, Inc. | Information technology governance and controls methods and apparatuses |
US9256841B2 (en) | 2005-08-09 | 2016-02-09 | Tripwire, Inc. | Information technology governance and controls methods and apparatuses |
US8176158B2 (en) * | 2005-08-09 | 2012-05-08 | Tripwire, Inc. | Information technology governance and controls methods and apparatuses |
US20070043674A1 (en) * | 2005-08-09 | 2007-02-22 | Tripwire, Inc. | Information technology governance and controls methods and apparatuses |
US10318894B2 (en) | 2005-08-16 | 2019-06-11 | Tripwire, Inc. | Conformance authority reconciliation |
US8484725B1 (en) * | 2005-10-26 | 2013-07-09 | Mcafee, Inc. | System, method and computer program product for utilizing a threat scanner for performing non-threat-related processing |
US8745224B2 (en) * | 2005-12-28 | 2014-06-03 | Intel Corporation | Method and apparatus for dynamic provisioning of an access control policy in a controller hub |
US20070150559A1 (en) * | 2005-12-28 | 2007-06-28 | Intel Corporation | Method and apparatus for dynamic provisioning of an access control policy in a controller hub |
US9602538B1 (en) * | 2006-03-21 | 2017-03-21 | Trend Micro Incorporated | Network security policy enforcement integrated with DNS server |
US8862730B1 (en) * | 2006-03-28 | 2014-10-14 | Symantec Corporation | Enabling NAC reassessment based on fingerprint change |
US10356086B1 (en) | 2006-03-31 | 2019-07-16 | Evan Huang | Methods and apparatuses for securely operating shared host computers with portable apparatuses |
US8245293B2 (en) | 2006-03-31 | 2012-08-14 | Huang Evan S | Methods and apparatuses for securely operating shared host computers with portable apparatuses |
US20090031403A1 (en) * | 2006-03-31 | 2009-01-29 | Huang Evan S | Methods and Apparatuses for Securely Operating Shared Host Computers With Portable Apparatuses |
US9197633B1 (en) | 2006-03-31 | 2015-11-24 | Evan S. Huang | Methods and apparatuses for securely operating shared host computers with portable apparatuses |
US20070250932A1 (en) * | 2006-04-20 | 2007-10-25 | Pravin Kothari | Integrated enterprise-level compliance and risk management system |
US8259568B2 (en) | 2006-10-23 | 2012-09-04 | Mcafee, Inc. | System and method for controlling mobile device access to a network |
US11096054B2 (en) | 2006-10-23 | 2021-08-17 | Mcafee, Llc | System and method for controlling mobile device access to a network |
US8750108B2 (en) | 2006-10-23 | 2014-06-10 | Mcafee, Inc. | System and method for controlling mobile device access to a network |
US20080137593A1 (en) * | 2006-10-23 | 2008-06-12 | Trust Digital | System and method for controlling mobile device access to a network |
US20080148407A1 (en) * | 2006-12-18 | 2008-06-19 | Cat Computer Services Pvt Ltd | Virus Detection in Mobile Devices Having Insufficient Resources to Execute Virus Detection Software |
US7945955B2 (en) | 2006-12-18 | 2011-05-17 | Quick Heal Technologies Private Limited | Virus detection in mobile devices having insufficient resources to execute virus detection software |
US20080244063A1 (en) * | 2007-03-26 | 2008-10-02 | Vinayak Risbud | Automatically detecting managed servers in a network |
US20090083439A1 (en) * | 2007-09-20 | 2009-03-26 | Konica Minolta Business Technologies, Inc. | Data transmission device, data transmission system and address registration method |
US8180850B2 (en) * | 2007-09-20 | 2012-05-15 | Konica Minolta Business Technologies, Inc. | Data transmission device, data transmission system and address registration method |
US8369312B2 (en) * | 2007-10-03 | 2013-02-05 | Verizon Patent And Licensing Inc. | Method and system for retrieving log messages from customer premise equipment |
US20090092126A1 (en) * | 2007-10-03 | 2009-04-09 | Verizon Data Services Inc. | Method and system for retrieving log messages from customer premise equipment |
US20090106828A1 (en) * | 2007-10-12 | 2009-04-23 | Konica Minolta Business Technologies, Inc. | Device administration apparatus, device administration method and recording medium |
US9705860B2 (en) * | 2007-10-12 | 2017-07-11 | Konica Minolta Business Technologies, Inc. | Device administration apparatus, device administration method and recording medium |
US8244761B1 (en) | 2007-10-18 | 2012-08-14 | United Services Automobile Association (Usaa) | Systems and methods for restricting access to internal data of an organization by external entity |
US11487705B1 (en) | 2008-07-03 | 2022-11-01 | Tripwire, Inc. | Method and apparatus for continuous compliance assessment |
US10013420B1 (en) | 2008-07-03 | 2018-07-03 | Tripwire, Inc. | Method and apparatus for continuous compliance assessment |
US8914341B2 (en) | 2008-07-03 | 2014-12-16 | Tripwire, Inc. | Method and apparatus for continuous compliance assessment |
US10795855B1 (en) | 2008-07-03 | 2020-10-06 | Tripwire, Inc. | Method and apparatus for continuous compliance assessment |
US20100005107A1 (en) * | 2008-07-03 | 2010-01-07 | Tripwire, Inc. | Method and apparatus for continuous compliance assessment |
US9027084B2 (en) | 2008-07-28 | 2015-05-05 | Evan S. Huang | Methods and apparatuses for securely operating shared host devices with portable apparatuses |
US10097535B1 (en) | 2008-07-28 | 2018-10-09 | Evan S. Huang | Methods and apparatuses for securely operating shared host computers with portable apparatuses |
US20120278866A1 (en) * | 2008-07-28 | 2012-11-01 | Huang Evan S | Methods and apparatuses for securely operating shared host computers with portable apparatuses |
US8931063B2 (en) * | 2008-07-28 | 2015-01-06 | Evan S. Huang | Methods and apparatuses for securely operating shared host computers with portable apparatuses |
US10887399B2 (en) * | 2008-07-30 | 2021-01-05 | Mcafee, Llc | System, method, and computer program product for managing a connection between a device and a network |
US20130246621A1 (en) * | 2008-07-30 | 2013-09-19 | Efrain Ortiz, Jr. | System, method, and computer program product for managing a connection between a device and a network |
US11936738B2 (en) | 2008-07-30 | 2024-03-19 | Mcafee, Llc | System, method, and computer program product for managing a connection between a device and a network |
US8565726B2 (en) | 2008-11-06 | 2013-10-22 | Mcafee, Inc. | System, method and device for mediating connections between policy source servers, corporate repositories, and mobile devices |
US8572676B2 (en) | 2008-11-06 | 2013-10-29 | Mcafee, Inc. | System, method, and device for mediating connections between policy source servers, corporate repositories, and mobile devices |
US20100115582A1 (en) * | 2008-11-06 | 2010-05-06 | Trust Digital | System, method, and device for mediating connections between policy source servers, corporate respositories, and mobile devices |
TWI415419B (en) * | 2009-01-17 | 2013-11-11 | Chunghwa Telecom Co Ltd | System and method for detecting and fixing faults of network connection apparatus |
US20100218235A1 (en) * | 2009-02-25 | 2010-08-26 | Ganot Asaf | Method and system for temporarily removing group policy restrictions remotely |
US11330000B2 (en) | 2009-04-09 | 2022-05-10 | George Mason Research Foundation, Inc. | Malware detector |
US11916933B2 (en) * | 2009-04-09 | 2024-02-27 | George Mason Research Foundation, Inc. | Malware detector |
US9531747B2 (en) * | 2009-04-09 | 2016-12-27 | George Mason Research Foundation, Inc. | Malware detector |
US20220278998A1 (en) * | 2009-04-09 | 2022-09-01 | George Mason Research Foundation, Inc. | Malware detector |
US10243975B2 (en) | 2009-04-09 | 2019-03-26 | George Mason Research Foundation, Inc. | Malware detector |
US20150264059A1 (en) * | 2009-04-09 | 2015-09-17 | George Mason Research Foundation, Inc. | Malware detector |
US20100333199A1 (en) * | 2009-06-25 | 2010-12-30 | Accenture Global Services Gmbh | Method and system for scanning a computer system for sensitive content |
US8898774B2 (en) * | 2009-06-25 | 2014-11-25 | Accenture Global Services Limited | Method and system for scanning a computer system for sensitive content |
US8583792B2 (en) | 2009-09-03 | 2013-11-12 | Mcafee, Inc. | Probe election in failover configuration |
US20110055580A1 (en) * | 2009-09-03 | 2011-03-03 | Mcafee, Inc. | Nonce generation |
US20110055381A1 (en) * | 2009-09-03 | 2011-03-03 | Mcafee, Inc. | Host information collection |
US9049118B2 (en) | 2009-09-03 | 2015-06-02 | Mcafee, Inc. | Probe election in failover configuration |
US8671181B2 (en) | 2009-09-03 | 2014-03-11 | Mcafee, Inc. | Host entry synchronization |
US8881234B2 (en) * | 2009-09-03 | 2014-11-04 | Mcafee, Inc. | Host state monitoring |
US9391858B2 (en) | 2009-09-03 | 2016-07-12 | Mcafee, Inc. | Host information collection |
US20110055382A1 (en) * | 2009-09-03 | 2011-03-03 | Mcafee, Inc. | Host entry synchronization |
US20110055907A1 (en) * | 2009-09-03 | 2011-03-03 | Mcafee, Inc. | Host state monitoring |
US8924721B2 (en) | 2009-09-03 | 2014-12-30 | Mcafee, Inc. | Nonce generation |
US20110078108A1 (en) * | 2009-09-29 | 2011-03-31 | Oracle International Corporation | Agentless data collection |
US9514024B2 (en) | 2009-09-29 | 2016-12-06 | Oracle International Corporation | Agentless data collection |
US20110093954A1 (en) * | 2009-10-19 | 2011-04-21 | Electronics And Telecommunications Research Institute | Apparatus and method for remotely diagnosing security vulnerabilities |
US20110191817A1 (en) * | 2010-02-01 | 2011-08-04 | Samsung Electronics Co., Ltd. | Host apparatus, image forming apparatus, and method of managing security settings |
US8949482B2 (en) * | 2010-03-17 | 2015-02-03 | Ricoh Company, Ltd. | Device management apparatus, device management system, information management method, information management program and recording medium storing the program therein |
US20120221752A1 (en) * | 2010-03-17 | 2012-08-30 | Hisashi Ishihara | Device management apparatus, device management system, information management method, information management program and recording medium storing the program therein |
US8935384B2 (en) | 2010-05-06 | 2015-01-13 | Mcafee Inc. | Distributed data revocation using data commands |
US8695099B2 (en) * | 2010-07-28 | 2014-04-08 | Bank Of America Corporation | Login initiated scanning of computing devices |
US8590046B2 (en) * | 2010-07-28 | 2013-11-19 | Bank Of America Corporation | Login initiated scanning of computing devices |
US20120030757A1 (en) * | 2010-07-28 | 2012-02-02 | Bank Of America Corporation | Login initiated scanning of computing devices |
US20130091569A1 (en) * | 2010-07-28 | 2013-04-11 | Bank Of America Corporation | Login initiated scanning of computing devices |
US20130152196A1 (en) * | 2011-12-08 | 2013-06-13 | Microsoft Corporation | Throttling of rogue entities to push notification servers |
US8595822B2 (en) | 2011-12-29 | 2013-11-26 | Mcafee, Inc. | System and method for cloud based scanning for computer vulnerabilities in a network environment |
WO2013101386A1 (en) * | 2011-12-29 | 2013-07-04 | Mcafee, Inc. | System and method for cloud based scanning for computer vulnerabilities in a network environment |
WO2013155236A1 (en) * | 2012-04-10 | 2013-10-17 | Mcafee, Inc. | Opportunistic system scanning |
US9516451B2 (en) | 2012-04-10 | 2016-12-06 | Mcafee, Inc. | Opportunistic system scanning |
US9489652B1 (en) * | 2012-05-30 | 2016-11-08 | Crimson Corporation | Obtaining and running a local query on a computing device |
US9043920B2 (en) | 2012-06-27 | 2015-05-26 | Tenable Network Security, Inc. | System and method for identifying exploitable weak points in a network |
US9860265B2 (en) | 2012-06-27 | 2018-01-02 | Tenable Network Security, Inc. | System and method for identifying exploitable weak points in a network |
US10171490B2 (en) | 2012-07-05 | 2019-01-01 | Tenable, Inc. | System and method for strategic anti-malware monitoring |
US20210344686A1 (en) * | 2012-07-05 | 2021-11-04 | Tenable, Inc. | System and method for strategic anti-malware monitoring |
US9088606B2 (en) | 2012-07-05 | 2015-07-21 | Tenable Network Security, Inc. | System and method for strategic anti-malware monitoring |
US20140244839A1 (en) * | 2013-02-28 | 2014-08-28 | Samsung Electronics Co., Ltd. | Method and apparatus for monitoring internet connection status in wireless communication system |
US20190090171A1 (en) * | 2013-02-28 | 2019-03-21 | Samsung Electronics Co., Ltd. | Method and apparatus for monitoring internet connection status in wireless communication system |
US10136376B2 (en) * | 2013-02-28 | 2018-11-20 | Samsung Electronics Co., Ltd. | Method and apparatus for monitoring internet connection status in wireless communication system |
US10791492B2 (en) * | 2013-02-28 | 2020-09-29 | Samsung Electronics Co., Ltd. | Method and apparatus for monitoring internet connection status in wireless communication system |
US9473355B2 (en) | 2013-03-14 | 2016-10-18 | Amazon Technologies, Inc. | Inferring application inventory |
WO2014160204A1 (en) * | 2013-03-14 | 2014-10-02 | Amazon Technologies, Inc. | Inferring application inventory |
US9467464B2 (en) | 2013-03-15 | 2016-10-11 | Tenable Network Security, Inc. | System and method for correlating log data to discover network vulnerabilities and assets |
US9680872B1 (en) | 2014-03-25 | 2017-06-13 | Amazon Technologies, Inc. | Trusted-code generated requests |
US10666684B2 (en) | 2014-03-25 | 2020-05-26 | Amazon Technologies, Inc. | Security policies with probabilistic actions |
US10511633B2 (en) | 2014-03-25 | 2019-12-17 | Amazon Technologies, Inc. | Trusted-code generated requests |
US9854001B1 (en) * | 2014-03-25 | 2017-12-26 | Amazon Technologies, Inc. | Transparent policies |
US11870816B1 (en) | 2014-03-25 | 2024-01-09 | Amazon Technologies, Inc. | Trusted-code generated requests |
US11489874B2 (en) | 2014-03-25 | 2022-11-01 | Amazon Technologies, Inc. | Trusted-code generated requests |
US9900339B2 (en) * | 2014-09-12 | 2018-02-20 | Salesforce.Com, Inc. | Cloud-based security profiling, threat analysis and intelligence |
US20170180410A1 (en) * | 2014-09-12 | 2017-06-22 | Salesforce.Com, Inc. | Cloud-based security profiling, threat analysis and intelligence |
CN104869020A (en) * | 2015-05-22 | 2015-08-26 | 国云科技股份有限公司 | Method of monitoring cloud server network port |
US10803437B2 (en) * | 2015-08-28 | 2020-10-13 | Ncr Corporation | Self-service terminal technical state monitoring and alerting |
US20220150217A1 (en) * | 2017-02-27 | 2022-05-12 | Alireza Shameli-Sendi | Firewall rule set composition and decomposition |
US10974139B2 (en) * | 2017-11-09 | 2021-04-13 | Disney Enterprises, Inc. | Persistent progress over a connected device network and interactive and continuous storytelling via data input from connected devices |
US20200007570A1 (en) * | 2018-06-29 | 2020-01-02 | Forescout Technologies, Inc. | Visibility and scanning of a variety of entities |
US11848955B2 (en) | 2018-06-29 | 2023-12-19 | Forescout Technologies, Inc. | Visibility and scanning of a variety of entities |
US11122071B2 (en) * | 2018-06-29 | 2021-09-14 | Forescout Technologies, Inc. | Visibility and scanning of a variety of entities |
CN110086812A (en) * | 2019-04-29 | 2019-08-02 | 广州大学 | A kind of safely controllable intranet security patrol police's system and method |
Also Published As
Publication number | Publication date |
---|---|
WO2005036360A2 (en) | 2005-04-21 |
WO2005036360A3 (en) | 2005-11-03 |
US8281019B1 (en) | 2012-10-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8281019B1 (en) | | Method and system for scanning network devices |
US20230362189A1 (en) | | System and method for strategic anti-malware monitoring |
US9473528B2 (en) | | Identification of malware sites using unknown URL sites and newly registered DNS addresses |
US7761918B2 (en) | | System and method for scanning a network |
US8230505B1 (en) | | Method for cooperative intrusion prevention through collaborative inference |
Yen et al. | | Traffic aggregation for malware detection |
US9436820B1 (en) | | Controlling access to resources in a network |
Scarfone et al. | | Guide to intrusion detection and prevention systems (idps) |
US20050044418A1 (en) | | Proactive network security system to protect against hackers |
US20060010485A1 (en) | | Network security method |
Klein et al. | | Internet-wide study of DNS cache injections |
US20070192867A1 (en) | | Security appliances |
US20040193943A1 (en) | | Multiparameter network fault detection system using probabilistic and aggregation analysis |
US20060161816A1 (en) | | System and method for managing events |
US20030188189A1 (en) | | Multi-level and multi-platform intrusion detection and response system |
US20050246767A1 (en) | | Method and apparatus for network security based on device security status |
WO2003051018A1 (en) | | Detecting intrusions in a network |
Scarfone et al. | | Sp 800-94. guide to intrusion detection and prevention systems (idps) |
US9961091B2 (en) | | Apparatus and method for characterizing the risk of a user contracting malicious software |
USRE48043E1 (en) | | System, method and computer program product for sending unwanted activity information to a central system |
Deri et al. | | Using cyberscore for network traffic monitoring |
Mohammed et al. | | Enhancing Network Security in Linux Environment |
Cardoso et al. | | Security vulnerabilities and exposures in internet systems and services |
Ashe | | A vulnerability assessment of the East Tennessee State University administrative computer network |
Lindqvist et al. | | Correlated attack Modelling (CAM) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: PEDESTAL SOFTWARE, INC., MASSACHUSETTS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:WOODARD, KEITH;TRIAS, FERNANDO;REEL/FRAME:014791/0853 Effective date: 20031112 |
 | AS | Assignment | Owner name: SYMANTEC CORPORATION, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:PEDESTAL SOFTWARE, INC.;REEL/FRAME:019772/0715 Effective date: 20070828 |
 | AS | Assignment | Owner name: SYMANTEC CORPORATION, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:PEDESTAL SOFTWARE, INC.;REEL/FRAME:019790/0082 Effective date: 20070905 |
 | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION |
 | AS | Assignment | Owner name: CA, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SYMANTEC CORPORATION;REEL/FRAME:052700/0638 Effective date: 20191104 |