(12) United States Patent
Ranum et al.

(10) Patent No.: US 9,088,606 B2
(45) Date of Patent: Jul. 21, 2015

(54) SYSTEM AND METHOD FOR STRATEGIC ANTI-MALWARE MONITORING

(71) Applicant: Tenable Network Security, Inc., Columbia, MD (US)

(72) Inventors: Marcus J. Ranum, Morrisdale, PA (US); Ron Gula, Marriottsville, MD (US)

(73) Assignee: TENABLE NETWORK SECURITY, INC., Columbia, MD (US)

( * ) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 245 days.

(21) Appl. No.: 13/692,200

(22) Filed: Dec. 3, 2012

(65) Prior Publication Data: US 2014/0013434 A1, Jan. 9, 2014

Related U.S. Application Data

(60) Provisional application No. 61/668,278, filed on Jul. 5, 2012.

(51) Int. Cl.: H04L 29/06 (2006.01)

(52) U.S. Cl.: CPC H04L 63/145 (2013.01); H04L 63/1416 (2013.01); H04L 63/1433 (2013.01)

(58) Field of Classification Search: CPC H04L 63/145; USPC 726/24. See application file for complete search history.

Primary Examiner: Justin T Darrow

(74) Attorney, Agent, or Firm: Muncy, Geissler, Olds & Lowe, P.C.

(57) ABSTRACT

The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may be communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network.

30 Claims, 5 Drawing Sheets

WIZ, Inc. EXHIBIT - 1093
WIZ, Inc. v. Orca Security LTD.
`
`
[FIG. 1 (U.S. Patent, Jul. 21, 2015, Sheet 1 of 5, US 9,088,606 B2): block diagram of a network 100 containing several active scanners 110, routers 140, a management console 130 and a connection to the Internet 160; reference numeral 120 also appears in the drawing.]

[FIG. 2 (Sheet 2 of 5): block diagram of a network 200 containing active scanners 210, IDS sensors 215, a router 240, a management console 250, the Internet 260, an internal firewall 280, an external firewall 284 and a log aggregator 290; reference numerals 220 and 230 also appear in the drawing.]

[FIG. 3 (Sheet 3 of 5): flowchart 300, reference numerals as read from the drawing: 310 Index Trusted File Systems; 320 Remotely Scan Network Hosts; 330 Compromise Detected? (Yes/No); 340 Monitor Network Activity; 350 Remediate Network Compromise; 360 Audit Malware Defenses.]

[FIG. 4 (Sheet 4 of 5): flowchart 400, reference numerals as read from the drawing: 410 Compare Scanned File Systems With Host Baseline Profiles; 420 Enumerate Running Processes and Generate Corresponding Hashes; 430 Query Malware Cloud Database; 435 Malware Detected? (Yes/No); 440 Monitor Network Activity and Correlate Network Events; 445 Potential Malware Behavior Detected? (Yes/No); 450 Report Potential Malware Behavior; 460 Isolate Malware Infection and Assess Malware Propagation; 470 Audit and Harden Malware Defenses; 480 Update Host Baseline Profiles.]

[FIG. 5 (Sheet 5 of 5): flowchart 500, reference numerals as read from the drawing: 510 Scan Host Network Configurations; 520 Enumerate Active Inbound and Outbound Connections; 530 Scan External Network Addresses and Hosted Content; 535 Botnet Detected? (Yes/No); 540 Monitor Network Activity and Correlate Network Events; 545 Potential Botnet Behavior Detected? (Yes/No); 550 Report Potential Botnet Behavior; 560 Isolate Botnet Participants and Report Botnet Connectivity; 570 Update Botnet Data Feeds.]
`
`
SYSTEM AND METHOD FOR STRATEGIC ANTI-MALWARE MONITORING

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application claims priority under 35 U.S.C. §119(e) to U.S. Provisional Patent Application Ser. No. 61/668,278, entitled "System and Method for Strategic Anti-Malware Monitoring," filed Jul. 5, 2012, the contents of which are hereby incorporated by reference in their entirety.
`
FIELD OF THE INVENTION

The invention generally relates to a system and method for strategic anti-malware monitoring in a network, and in particular, to leveraging active network scanning and passive network monitoring and cloud databases to determine whether any hosts in the network are running processes or hosting content that match known virus or malware signatures that various different anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent, detect hosts that may potentially be participating in an active botnet or hosting botnet content, and audit anti-virus strategies deployed in the network.
`
BACKGROUND OF THE INVENTION

In many network environments, illegal or unauthorized users may exploit vulnerabilities in the network to gain access, deny access, or otherwise attack systems in the network. As such, to detect and remediate such network vulnerabilities, existing network security systems typically conduct vulnerability analysis in the network through manual inspection or network scans. For example, conventional network scanners (or "active vulnerability scanners") typically send packets or other messages to various devices in the network and then audit the network with information contained in any response packets or messages received from the devices in the network. Accordingly, physical limitations associated with the network typically limit the effectiveness of active vulnerability scanners because only devices that can communicate with the active vulnerability scanners can be audited, while actively scanning networks distributed over large areas or having large numbers of devices may take long amounts of time. For example, in a network that includes multiple routers, hosts, and other network devices, an active vulnerability scanner would typically have to send packets that traverse several routers to scan the hosts and other network devices, some of which may be inactive and therefore inaccessible to the active vulnerability scanner. Further, in scenarios where one or more of the routers have firewalls that screen or otherwise filter incoming and outgoing traffic, the active vulnerability scanner may generate incomplete results because the firewalls may prevent the active vulnerability scanner from auditing hosts or other devices behind the firewalls.

Furthermore, active vulnerability scanners typically create audit results that become stale over time because the audit results describe a static state for the network at a particular point in time. Thus, an active vulnerability scanner would likely fail to detect that hosts have been added or removed from the network following a particular active scan, whereby the audit results that active vulnerability scanners create tend to steadily decrease in value over time as changes to the network occur. Furthermore, active vulnerability scanners can have the tendency to cause network disruptions during an audit. For example, probing network hosts or other devices during an audit performed by an active vulnerability scanner may result in communication bottlenecks, processing overhead, and instability, among other potential problems in the network. Thus, deployment locations, configurations, and other factors employed to manage networks can often interfere with obtaining suitable network auditing results using only active vulnerability scanners.
As such, existing systems that tend to rely entirely on active vulnerability scanners typically prevent the active vulnerability scanner from obtaining comprehensive information that describes important settings, configurations, or other information associated with the network. In particular, malicious or unauthorized users often employ various techniques to obscure network sessions during an attempted breach, but active vulnerability scanners often cannot detect real-time network activity that may provide indications that the attempted breach is occurring. For example, many backdoor and rootkit applications tend to use non-standard ports and custom protocols to obscure network sessions, whereby intruders may compromise the network while escaping detection. Thus, many active vulnerability scanners can only audit the state of a network at a particular point in time, but suitably managing network security often requires further insight relating to real-time activity that occurs in the network. Accordingly, although active vulnerability scanners typically employed in existing network security systems can obtain certain information describing the network, existing systems cannot perform comprehensive security audits to completely describe potential vulnerabilities in the network, build models or topologies for the network, or derive other information that may be relevant to managing the network.
Furthermore, in many instances, certain hosts or devices may participate in sessions occurring on the network, yet the limitations described above can prevent active vulnerability scanners alone from suitably auditing the hosts or devices. As such, various existing network security systems employ one or more passive vulnerability scanners in combination with active vulnerability scanners to analyze traffic traveling across the network, which may supplement the information obtained from the active vulnerability scanners. However, even when employing passive vulnerability scanners in combination with active vulnerability scanners, the amount of data returned by the active vulnerability scanners and the passive vulnerability scanners can often be quite substantial, which can lead to difficulties in administrating the potentially large number of vulnerabilities and assets in the network because many network topologies may include hundreds, thousands, or even larger numbers of nodes, whereby suitably representing the network topologies in a manner that provides visibility into the network can be unwieldy. For example, an important concern in managing network vulnerabilities relates to detecting viruses or other malware on managed hosts and identifying weak points that may compromise the network or otherwise expose the network to viruses, malware, or other threats. In general, protecting a network against viruses or other malware typically requires information technology administrators to manage anti-malware software themselves and install resident anti-malware agents on managed hosts in the network.
However, existing anti-malware solutions that rely upon resident anti-malware agents have various limitations and drawbacks, including that anti-malware agents typically have millions or billions of signatures and therefore require defended systems to have the anti-malware agent installed thereon and continuously monitor a file system associated with the defended system to perform the in-depth analysis needed to find or otherwise detect malicious data and activity, which can consume substantial resources and hinder performance. Furthermore, anti-malware agents typically only leverage the technology associated with one anti-malware vendor because installing every known anti-malware technology can further severely impact performance, whereby anti-malware agents often do not evaluate defended systems against the entire set of malware samples that may be known in the industry. Consequently, anti-malware agents can have substantial gaps in coverage because attackers often specifically create infections or malware payloads to bypass detection with certain anti-virus vendor technologies. For example, if an attacker knows that a particular organization has deployed "Brand X" anti-malware agents on managed hosts in a network, the attacker may specifically package malware in a manner that escapes detection with "Brand X" anti-malware agents even though "Brand Y" anti-malware agents may detect the same malware package. In another example, polymorphic and mutating viruses raise the possibility that one anti-virus technology may detect a malicious sample while other anti-virus technologies may completely miss the same malicious sample. Accordingly, because running every anti-virus technology available on the market to close gaps in coverage cannot be feasibly done without severely burdening performance, anti-malware strategies that use resident agents suffer from various drawbacks and limitations that may expose a network to malicious data and activity.
In addition to the drawbacks and limitations that may arise from relying upon resident anti-malware agents, any single or even layered anti-malware strategy may not fully protect a network against all the possible avenues through which viruses and other malware may compromise a network. For example, even if a malware infection has been detected and remediated on certain managed hosts in a network, existing anti-malware solutions typically do not (or cannot) assess how the malware infection arose or the extent to which the malware infection may have spread throughout the network. However, knowing details relating to whether and/or how the malware infection originated and propagated can be critical to properly isolating and remediating the infection (e.g., different concerns may be implicated if the infection arose because one employee opened a bad attachment that compromised a standalone host versus a widespread infection that has compromised a substantial portion of the network environment). Furthermore, anti-malware strategies that leverage anti-virus, intrusion detection, and/or security information and event management (SIEM) correlation technologies may have little or no ability to identify whether certain managed hosts may be participating in an active botnet, wherein any system that operates or otherwise participates in a botnet should be considered fully compromised and a serious threat to an organization (e.g., because botnets can be exploited to introduce viruses or other malware into the network).
Consequently, although anti-malware technology may be generally available and essential to provide base security protection in a network, anti-malware technology cannot be considered foolproof and organizations must accept the fact that an infection will happen at some point. In fact, many organizations (especially those having large networks) routinely deal with daily infections despite prevalent anti-malware agents that seek to detect mutating threats and new hostile code types that can be introduced into a network. Even more worrisome may be the fact that many organizations with large networks have deliberately chosen to not use any anti-malware solution, much less a multi-layered anti-malware solution, instead relying on network security and system hardening. Accordingly, because the days when Internet-wide worms made front page news are long gone, a substantial need exists for a network security system that can leverage active and passive vulnerability discovery to identify malicious data on managed hosts in a network, detect participation in active botnets, and employ other techniques to protect a network against viruses and other malware without requiring resident anti-virus agents to be installed on the managed hosts.
`
SUMMARY OF THE INVENTION

According to one aspect of the invention, the system and method described herein may provide various mechanisms and techniques to leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may be communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network.
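The flow just summarized (index a trusted file system as a baseline, remotely scan a host, hash what is on disk and what is running, and look the hashes up in a database that aggregates several vendors' signatures) can be sketched as follows. This is an added illustration, not code from the patent or from Tenable: the cloud database is replaced by an in-memory dict, the "hosts" are two constructed directory trees, and every hash, path, process id and vendor name is made up for the example.

```python
"""Agentless malware check modelled on the FIG. 3/4 flow (steps 310, 410-435).

Added illustration, not the patent's or Tenable's code. The cloud signature
database is replaced by an in-memory dict and the hosts by two constructed
directory trees, so every hash, path and vendor name here is made up.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root):
    """Step 310 / 480: baseline profile {relative path: sha256} of a trusted tree."""
    root = Path(root)
    profile = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath, name)
            profile[p.relative_to(root).as_posix()] = sha256_file(p)
    return profile


def diff_baseline(current, baseline):
    """Step 410: compare a scanned file system with the host's baseline profile."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p] != baseline[p]),
    }


def hash_processes(processes):
    """Step 420: hash the on-disk image of each running process.

    `processes` is a list of (pid, exe_path) as a credentialed audit would
    return it. A process whose image is gone from disk gets hash None and is
    reported rather than skipped, since a deleted image is itself suspicious.
    """
    out = []
    for pid, exe in processes:
        try:
            out.append((pid, exe, sha256_file(exe)))
        except OSError:
            out.append((pid, exe, None))
    return out


def query_malware_db(hashes, db):
    """Step 430: look up hashes in the multi-vendor store; returns {sha256: [vendors]} hits."""
    return {h: db[h] for h in hashes if h in db}


def audit_host(scan_root, baseline, processes, db):
    """Steps 410-435 for one host: returns the findings a console would show."""
    current = index_tree(scan_root)
    delta = diff_baseline(current, baseline)
    procs = hash_processes(processes)
    suspicious = {current[p] for p in delta["added"] + delta["modified"]}
    running = {h for _, _, h in procs if h}
    return {
        "delta": delta,
        "malware": query_malware_db(suspicious | running, db),
        "unreadable_exes": [exe for _, exe, h in procs if h is None],
    }


def demo():
    """Constructed sample: a trusted image of a host and a later scan of it."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, scanned = Path(tmp, "trusted"), Path(tmp, "scanned")
        for root in (trusted, scanned):
            for d in ("bin", "etc", "tmp"):
                (root / d).mkdir(parents=True)
            (root / "bin" / "sshd").write_bytes(b"legit sshd image")
            (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        baseline = index_tree(trusted)
        # What changed on the scanned host since the baseline was taken.
        (scanned / "bin" / "sshd").write_bytes(b"trojaned sshd image")
        (scanned / "tmp" / ".x").write_bytes(b"dropper payload")
        # Stand-in for the cloud database: hash -> vendors whose signatures match it.
        db = {sha256_bytes(b"dropper payload"): ["Vendor A", "Vendor C"],
              sha256_bytes(b"unrelated sample"): ["Vendor B"]}
        processes = [(101, str(scanned / "bin" / "sshd")),
                     (202, str(scanned / "tmp" / ".x")),
                     (303, str(scanned / "tmp" / "gone"))]  # image deleted after exec
        return audit_host(scanned, baseline, processes, db)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things the code makes visible that the prose does not: the trojaned system binary, whose hash no vendor in the sample database has catalogued, is still surfaced by the baseline diff, which is why step 410 sits alongside the hash lookup rather than being replaced by it; and a process whose on-disk image has been removed cannot be hashed at all, so it is reported as such instead of being silently dropped from the audit.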
According to one aspect of the invention, the system and method described herein may further have one or more active scanners communicate packets or other messages within the network to detect new or changed information describing various routers, hosts, servers, or other devices in the network. For example, in one implementation, the active scanners may perform credentialed audits or uncredentialed scans to scan the hosts, servers, or other devices in the network and obtain information that may then be analyzed to further identify potential vulnerabilities in the network. More particularly, in one implementation, the credentialed audits may include the active scanners using any suitable authentication technology to log into and obtain local access to the hosts, servers, or other devices in the network and perform any suitable operation that local users could perform thereon without necessarily requiring a local agent (although those skilled in the art will appreciate that a local agent may be used in certain implementations). Accordingly, the credentialed audits performed with the active scanners may be used to obtain highly accurate host-based data that includes various client-side issues (e.g., missing patches, operating system settings, locally running services, etc.), while the uncredentialed audits performed therewith may generally include network-based scans that involve communicating packets or messages to the hosts, servers, or other devices in the network and observing responses thereto in order to identify certain network vulnerabilities.
According to one aspect of the invention, the system and method described herein may have one or more passive scanners observe traffic traveling in the network to identify potential vulnerabilities in the network and detect activity that may potentially target or otherwise attempt to exploit vulnerabilities in the network. The passive scanners may generally observe the traffic traveling across the network to reconstruct one or more sessions occurring in the network, which may then be analyzed to identify potential vulnerabilities in the network and/or activity targeting the identified vulnerabilities. As such, the passive scanners may monitor the network in real-time to detect any potential vulnerabilities in the network, identify changes in the network, or otherwise provide visibility into the network and the activity that occurs therein. For example, in one implementation, the passive scanners may be deployed at a network hub, a spanned switch port, a network tap, a network choke point, a dial up node, a server farm, behind a firewall, or any other suitable location that enables the passive scanners to observe incoming and outgoing traffic in the network. In one implementation, the passive scanners may generally be deployed on any suitable server or other host in the network.
According to one aspect of the invention, the system and method described herein may use information that the passive scanners obtained from observing (or "sniffing") the traffic traversing the network in combination with information that the active scanners obtained in the credentialed audits and/or uncredentialed scans to build a topology or other suitable model describing the network. For example, in one implementation, the model built from the information obtained with the active scanners and the passive scanners may describe any routers, hosts, servers, or other devices detected or actively running in the network, any services or client-side software actively running or supported on the routers, hosts, servers, or other devices, and trust relationships associated with the various routers, hosts, servers, or other devices in the network, among other things. In one implementation, the passive scanners may further apply various signatures to the information in the observed traffic to identify network vulnerabilities, determine whether any data in the observed traffic potentially targets such vulnerabilities, build or update the network model, or otherwise obtain information that may be used to manage the network in response to any new or changed information in the network. Similarly, the active scanners may perform the credentialed audits and/or uncredentialed scans at periodic intervals, at scheduled times, or according to other criteria to further identify the network vulnerabilities, build or update the network model, or otherwise obtain information that may be used to manage the network based on a current state at the time when the active scanners performed the credentialed audits and/or uncredentialed scans.
According to one aspect of the invention, the system and method described herein may further have a management console in communication with the active and passive scanners, wherein the management console may provide a unified security monitoring solution to manage the vulnerabilities and the various routers, hosts, servers, or other devices in the network. In particular, the management console may aggregate the information obtained from the active scanners and the passive scanners to build or update the model associated with the network, which may generally include real-time information describing various vulnerabilities, applied or missing patches, intrusion events, anomalies, event logs, file integrity audits, configuration audits, or any other information that may be relevant to managing the vulnerabilities and assets in the network. As such, the management console may provide a unified interface to mitigate and manage governance, risk, and compliance across the network, and further to leverage the information obtained with the active and passive scanners to detect malware infections in the network without requiring that hosts managed therein have a local or resident anti-virus agent, to detect hosts that may potentially be participating in an active botnet or hosting botnet content, and to audit anti-virus strategies deployed in the network.
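For the botnet case, the steps of FIG. 5 (scan each host's network configuration, enumerate its active inbound and outbound connections, match the remote addresses against a botnet data feed, and distinguish hosts talking to the botnet from hosts that may be serving botnet content to it) can be sketched as follows. This is an added example, not the patent's or Tenable's code: the per-host socket listings are constructed `ss -tnp`-style text standing in for what a credentialed audit would collect, the feed entries are constructed documentation-range addresses rather than real indicators, IPv4-only parsing is an assumption of the example, and the inbound/outbound split is derived from which local ports the same host is listening on.

```python
"""Botnet-connectivity check modelled on the FIG. 5 flow (steps 510-570).

Added illustration, not the patent's or Tenable's code. The per-host socket
listings are constructed `ss -tnp`-style output and BOTNET_FEED is a
constructed stand-in for the botnet data feed of step 570; none of the
addresses are real indicators (RFC 5737 documentation ranges throughout).
"""
import ipaddress
import re

# Step 570: the botnet data feed (constructed). Entries may be hosts or CIDR blocks.
BOTNET_FEED = ["203.0.113.0/24", "198.51.100.23"]

# Steps 510/520: what a credentialed audit collects from each host (constructed).
HOST_SOCKETS = {
    "10.0.0.5": """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*           users:(("sshd",pid=812,fd=3))
ESTAB  0      0      10.0.0.5:49152     203.0.113.7:6667    users:(("x",pid=2021,fd=5))
ESTAB  0      0      10.0.0.5:49153     192.0.2.10:443      users:(("firefox",pid=1410,fd=71))
""",
    "10.0.0.9": """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port   Process
LISTEN 0      511    0.0.0.0:8080       0.0.0.0:*           users:(("httpd",pid=77,fd=4))
ESTAB  0      0      10.0.0.9:8080      198.51.100.23:51000 users:(("httpd",pid=77,fd=12))
ESTAB  0      0      10.0.0.9:8080      192.0.2.44:51001    users:(("httpd",pid=77,fd=13))
""",
}

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def load_feed(entries):
    """Parse feed entries (single addresses or CIDR blocks) into networks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_feed(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def parse_ss(text):
    """Parse `ss -tnp`-style lines (IPv4 only, an assumption of this example)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        lip, lport = parts[3].rsplit(":", 1)
        pip, pport = parts[4].rsplit(":", 1)
        m = PROC_RE.search(line)
        conns.append({"state": parts[0], "local": lip, "lport": lport,
                      "peer": pip, "pport": pport,
                      "proc": (m.group(1), int(m.group(2))) if m else None})
    return conns


def assess_botnet(host_sockets, feed_entries):
    """Steps 520-560: classify every feed-matching connection on every host."""
    nets = load_feed(feed_entries)
    participants, hosting, external = {}, {}, set()
    for host, text in host_sockets.items():
        conns = parse_ss(text)
        listening = {c["lport"] for c in conns if c["state"] == "LISTEN"}
        for c in conns:
            if c["state"] == "LISTEN" or c["pport"] == "*":
                continue
            if not in_feed(c["peer"], nets):
                continue
            external.add(c["peer"])  # step 530: external addresses to scan next
            if c["lport"] in listening:
                # Inbound to a service this host offers: it may be hosting botnet content.
                hosting.setdefault(host, []).append((c["lport"], c["peer"]))
            else:
                # Outbound from an ephemeral port: this host is talking to the botnet.
                participants.setdefault(host, []).append((c["peer"], c["proc"]))
    return {"participants": participants, "hosting": hosting,
            "external_to_scan": sorted(external)}


if __name__ == "__main__":
    for key, value in assess_botnet(HOST_SOCKETS, BOTNET_FEED).items():
        print(key, value)
```

The output separates the two cases the figure's step 560 asks for: the host with an unnamed process holding an outbound session to a feed address is reported as a participant together with that process, while the web server receiving an inbound connection from a feed address is reported separately as possibly hosting botnet content, and both remote addresses are queued for the external scan of step 530.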
According to one aspect of the invention, the system and method described herein may further have a log aggregator receive events from various sources distributed across the network, including events generated by internal firewalls, external firewalls, routers, servers, devices, operating systems, applications, or any other suitable network source. In one implementation, the log aggregator may normalize the events contained in various logs received from the sources distributed across the n