US2023362189A1PendingUtilityA1

System and method for strategic anti-malware monitoring

78
Assignee: TENABLE INCPriority: Jul 5, 2012Filed: Jul 11, 2023Published: Nov 9, 2023
Est. expiryJul 5, 2032(~6 yrs left)· nominal 20-yr term from priority
H04L 63/145G06F 16/903H04L 63/1416H04L 63/1433G06F 21/564H04L 61/4511H04L 67/02H04L 67/10G06F 21/56
78
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method for passively scanning a network, the method comprising:
 sniffing, by an endpoint passive scanner deployed on an endpoint device, network traffic traveling to and/or from the endpoint device, the network traffic comprising a plurality of packets; and   detecting, by the endpoint passive scanner, information that facilitates discovery of one or more assets of the network and/or identification of one or more vulnerabilities in one or more network entities and/or one or more services based on the sniffed network traffic.   
     
     
         2 . The method of  claim 1 , further comprising:
 discovering, by the endpoint passive scanner, the one or more assets of the network and/or identifying the one or more vulnerabilities based on the detected information.   
     
     
         3 . The method of  claim 2 ,
 wherein discovering the one or more assets includes discovering attributes of the one or more assets, and/or   wherein identifying the one or more vulnerabilities includes identifying attributes of the one or more vulnerabilities.   
     
     
         4 . The method of  claim 2 , further comprising:
 providing, by the endpoint passive scanner, an asset-vulnerability report comprising the one or more discovered assets and/or the one or more identified vulnerabilities to a vulnerability manager (VM),   wherein the VM is external to the endpoint device.   
     
     
         5 . The method of  claim 4 , wherein the VM is configured to build a network topology of the network based on one or more asset-vulnerability reports from one or more endpoint passive scanners. 
     
     
         6 . The method of  claim 4 , further comprising:
 performing, by an endpoint agent running on the endpoint device, a vulnerability scan of the endpoint device; and   providing, by the endpoint agent, a vulnerability scan report to the VM, the vulnerability scan report comprising a result of performing the vulnerability scan.   
     
     
         7 . The method of  claim 6 , wherein the VM is configured to correlate the one or more discovered assets and/or the one or more identified vulnerabilities of the asset-vulnerability report with the vulnerability scan report. 
     
     
         8 . The method of  claim 1 , further comprising:
 providing, by the endpoint passive scanner, a detection report comprising the detected information to a vulnerability manager (VM),   wherein the VM is external to the endpoint device.   
     
     
         9 . The method of  claim 8 , wherein the VM is configured to discover the one or more assets of the network and/or identify the one or more vulnerabilities in the one or more network entities and/or the one or more services based on one or more detection reports from one or more endpoint passive scanners. 
     
     
         10 . The method of  claim 8 , wherein the VM is configured to build a network topology of the network based on one or more detection reports from one or more endpoint passive scanners. 
     
     
         11 . The method of  claim 8 , further comprising:
 performing, by an endpoint agent running on the endpoint device, a vulnerability scan of the endpoint device; and   providing, by the endpoint agent, a vulnerability scan report to the VM, the vulnerability scan report being a report of a result of performing the vulnerability scan.   
     
     
         12 . The method of  claim 11 , wherein the VM is configured to correlate the one or more discovered assets and/or the one or more identified vulnerabilities of the asset-vulnerability report with the vulnerability scan report. 
     
     
         13 . The method of  claim 1 , wherein the one or more assets of the network include any combination of:
 one or more network entities,   one or more applications and/or services running on the one or more network entities, and   operating systems running on the one or more network entities.   
     
     
         14 . The method of  claim 13 , wherein the one or more vulnerabilities of the network include one or both of:
 one or more vulnerabilities associated with one or more applications running on one or more network entities, and   one or more vulnerabilities associated with one or more services running on the one or more network entities.   
     
     
         15 . A method for passively scanning a network, the method comprising:
 obtaining information that is detected based on network traffic traveling to and/or from an endpoint device that is sniffed by an endpoint passive scanner deployed on the endpoint device, the network traffic comprising a plurality of packets; and   discovering one or more assets of the network and/or identifying one or more vulnerabilities in one or more network entities and/or one or more services based on the obtained information.   
     
     
         16 . The method of  claim 15 ,
 wherein discovering the one or more assets includes discovering attributes of the one or more assets, and/or   wherein identifying the one or more vulnerabilities includes identifying attributes of the one or more vulnerabilities.   
     
     
         17 . The method of  claim 15 ,
 wherein obtaining is performed by the endpoint passive scanner, and   wherein discovering and/or identifying are performed by the endpoint passive scanner.   
     
     
         18 . The method of  claim 17 , further comprising:
 building, by a vulnerability manager (VM), a network topology of the network based on the one or more discovered assets and/or the one or more identified vulnerabilities,   wherein the VM is external to the endpoint device.   
     
     
         19 . The method of  claim 18 , further comprising:
 performing, by an endpoint agent running on the endpoint device, a vulnerability scan of the endpoint device; and   correlating, by the VM, the one or more discovered assets and/or the one or more identified vulnerabilities with the vulnerability scan.   
     
     
         20 . The method of  claim 15 ,
 wherein obtaining is performed by the endpoint passive scanner, and   wherein discovering and/or identifying are performed by a vulnerability manager (VM) based the obtained information, the VM being external to the endpoint device.   
     
     
         21 . The method of  claim 20 , further comprising:
 building, by a vulnerability manager (VM), a network topology of the network based on the obtained information.   
     
     
         22 . The method of  claim 20 , further comprising:
 performing, by an endpoint agent running on the endpoint device, a vulnerability scan of the endpoint device; and   correlating, by the VM, the one or more discovered assets and/or the one or more identified vulnerabilities with the vulnerability scan.   
     
     
         23 . The method of  claim 15 ,
 wherein the one or more assets of the network include any combination of:
 one or more network entities, 
 one or more applications and/or services running on the one or more network entities, and 
 operating systems running on the one or more network entities, and 
   wherein the one or more vulnerabilities include one or both of:
 one or more vulnerabilities associated with one or more applications running on one or more network entities, and 
 one or more vulnerabilities associated with one or more services running on the one or more network entities. 
   
     
     
         24 . An endpoint device configured to passively scan a network, comprising:
 a memory; and   at least one processor coupled to the memory,   wherein when an endpoint passive scanner is deployed on the endpoint device, the at least one processor and the memory are configured to:
 sniff network traffic traveling to and/or from the endpoint device, the network traffic comprising a plurality of packets; and 
 detect information that facilitates discovery of one or more assets of the network and/or identification of one or more vulnerabilities in one or more network entities and/or one or more services based on the sniffed network traffic. 
   
     
     
         25 . A device, comprising:
 a memory; and   at least one processor coupled to the memory, wherein the at least one processor and the memory are configured to:   obtain information that is detected based on network traffic traveling to and/or from an endpoint device that is sniffed by an endpoint passive scanner deployed on the endpoint device, the network traffic comprising a plurality of packets; and   discover one or more assets of the network and/or identify one or more vulnerabilities in one or more network entities and/or one or more services based on the obtained information.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.