The above and other objects, features and advantages of the present invention will be more apparent from the following detailed description taken in conjunction with the accompanying drawings, in which:
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.
Referring to
To enhance the accuracy and the comprehension of the network vulnerability scanning result, multiple reliable or available vulnerability scanners 100_1, 100_2, 100_3, 100_4 and 100_5 are installed. The installation is carried out such that the respective vulnerability scanners are able to scan as efficiently as possible according to the installation instructions distributed by the scanner developer. For effective scanning, if necessary, the same vulnerability scanners may be installed on every network, or otherwise a single vulnerability scanner may scan the whole network.
The plurality of agents 200_1, 200_2, 200_3, 200_4, 200_5 are installed on the same systems as the respective vulnerability scanners 100_1, 100_2, 100_3, 100_4, and 100_5, and handle the execution and control of the corresponding vulnerability scanner, the reception of the scanning policy, the transfer of the scanning results, and so forth.
Each agent 200_1, 200_2, 200_3, 200_4, or 200_5 includes a communication agent module 201, a vulnerability scanner control module 203, a scanning policy specifying module 205, and a scanning result generalization module 207. The communication agent module 201 communicates with the vulnerability scanning control and analysis center 400 and the vulnerability managing and integrating module 300. The vulnerability scanner control module 203 executes the vulnerability control commands transmitted from the vulnerability scanning control and analysis center 400 and transfers the result of command execution. The commands include vulnerability scanning execution, pause, restart, stop, and a status query of the vulnerability scanner. The scanning policy specifying module 205 serves to specify the common scanning policy transmitted from the vulnerability scanning control and analysis center 400 in conformity with the corresponding vulnerability scanner. The scanning result generalization module 207 serves to transform the scanning results into a generalized format that the vulnerability managing and integrating module 300 can receive, and to transfer them.
The vulnerability managing and integrating module 300 collects the scanning results of the respective vulnerability scanners 100_1, 100_2, 100_3, 100_4, and 100_5 through the respective agents 200_1, 200_2, 200_3, 200_4, and 200_5, performs a relevance analysis of the scanning results, and stores the analysis result in a vulnerability database.
The vulnerability managing and integrating module 300 includes a vulnerability manager 301, a scanning policy management module 303, a scanning result integration module 305, a vulnerability database (DB) manager 307, and a relevance analysis module 309. The vulnerability manager 301 serves to communicate with the respective agents 200_1, 200_2, 200_3, 200_4, and 200_5 and the vulnerability scanning control and analysis center 400, and to transfer an external request to the module in charge. The scanning policy management module 303 serves to store the scanning policy transferred from the vulnerability scanning control and analysis center 400 and to retrieve, on request, scanning policies applied in the past. The scanning result integration module 305 is connected with the respective agents 200_1, 200_2, 200_3, 200_4, and 200_5 to collect the scanning results and to store them in the vulnerability database. The vulnerability DB manager 307 is in charge of input/output with the vulnerability database 308. The relevance analysis module 309 serves to analyze the scanning results collected from all the multiple vulnerability scanners 100_1, 100_2, 100_3, 100_4, and 100_5 in terms of their relevance, so as to identify the same vulnerabilities and eliminate duplication.
The vulnerability scanning control and analysis center 400 includes a vulnerability scanner integrative-management module 401, which controls and executes the multiple heterogeneous scanners 100_1, 100_2, 100_3, 100_4, and 100_5, and an integrative analysis module 403, which performs an integrative analysis based on the scanning results of the heterogeneous scanners 100_1, 100_2, 100_3, 100_4, and 100_5 and the relevance analysis result, presents it to the manager through a graphical user interface (GUI), and provides the manager with a query on the integrative analysis result and a feedback function. The center further manages the scanning policy history to maintain the consistency of the vulnerability scanning policy.
Referring to
The scanning policy setting-up step S100 is a step of setting up a common scanning policy applicable to the multiple heterogeneous vulnerability scanners and specifying the policy for the respective vulnerability scanners. Specifically, the scanning policy setting-up step S100 includes setting up the common scanning policy S101, applying the scanning policy to the multiple heterogeneous vulnerability scanners and controlling them S102, and specifying the common scanning policy in conformity with the multiple vulnerability scanners S103. Accordingly, in the scanning policy setting-up step S100, the manager is able to set up a scanning policy applicable to all of the vulnerability scanners and to control all of the vulnerability scanners at the same time. To maintain a consistent scanning policy, all the scanning policies applied should be stored in a database and be retrievable.
The vulnerability scanning and result collecting step S200 is a step in which the multiple vulnerability scanners scan, the results are collected, and the results are stored in a database. Specifically, the vulnerability scanning and result collecting step S200 includes performing the vulnerability scanning at the same time S201, generalizing the scanning result after scanning S202, and automatically collecting the scanning results from the multiple vulnerability scanners and storing them S203. Accordingly, in the vulnerability scanning and result collecting step S200, the vulnerability scanning is performed according to the manager's scanning policy and the scanning results are generalized into a common format. The generalized scanning results are collected centrally and stored in the vulnerability database.
The scanning result integrative analysis step S300 is a step of performing a relevance analysis and an integrative analysis on the collected scanning results. Specifically, the scanning result integrative analysis step S300 includes analyzing the relevance between vulnerabilities detected by the heterogeneous vulnerability scanners S301, automatically performing an integrative analysis on the scanning result and storing the result S302, and applying the manager's feedback on the analysis result S303. Herein, if there is a correction to the scanning result S400, the process returns to S302 so that the scanning result is corrected and re-stored. Accordingly, in the above step, duplication is eliminated through the analysis of relevance between the vulnerability information collected from the respective vulnerability scanners, an identifier capable of identifying important vulnerabilities is generated, an integrative analysis is carried out, and the analysis result is stored in the database. The manager is able to refer to the integrative analysis result and to make it more accurate through feedback.
Description will now be made of the major technologies applicable to the respective steps in
A. Scanning Policy Setting-Up and Managing Technology (S101 in
The expression range of the scanning policy and its level of detail differ for each vulnerability scanner. A scanning policy that exists in one vulnerability scanner may not exist in another, and a policy expressed as a single item in one scanner may be expressed in another vulnerability scanner as several more detailed scanning policies.
For integrative management of the multiple heterogeneous vulnerability scanners, a scanning policy commonly applicable to all the vulnerability scanners is needed. The embodiment of the invention defines a generalized vulnerability scanning policy applicable to the diverse vulnerability scanners as follows:
In the meantime, for consistent maintenance of the vulnerability scanning policy, history management of the vulnerability scanning policies applied in the past is needed. The history management function includes the following sub-functions.
B. Technology Controlling Multiple Heterogeneous Vulnerability Scanners (S102 in
The security manager can control the multiple heterogeneous vulnerability scanners centrally. Through the following control commands, he/she can control all of the vulnerability scanners at the same time, or otherwise selectively control a specified vulnerability scanner.
The following control commands can be commonly applied to the multiple heterogeneous vulnerability scanners. Some functions can be used as provided by the vulnerability scanners, and some functions can be emulated in the agent of the vulnerability scanner.
C. Technology Specifying Scanning Policy in Conformity with Vulnerability Scanner (S103 in
Since the range and level of detail of the scanning options differ for each scanner, the common scanning policy needs to be specified in conformity with the options of the respective vulnerability scanners.
Basically, the common scanning policies as defined above are mapped to the major scanning options of the respective vulnerability scanners. A portion of the common scanning policies may be directly mapped to the options of the respective vulnerability scanners, and a portion thereof can be emulated at an agent.
Referring to
The options of ‘only web server scanning’, ‘only specified port open host scanning’, ‘only specified OS scanning’, and ‘only network equipment scanning’ identify the scanning targets having the indicated characteristics, utilizing external tools such as nmap and the like. Then, only the identified scanning targets are transferred to the scanner as an input.
‘Scanning schedule’, ‘plug-in update schedule’, and ‘selection of the kind of scanners and scanning position’ can be specified in the scanner integrative managing module of the vulnerability scanning control and analysis center, and ‘safety check’ and ‘scanning time’ can be specified at the agent level.
The scanning options having no relevance to the common scanning policies and the scanning options existing only in a specified vulnerability scanner are basically selected according to the following principles.
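As an added example (not the patent's own code), the following Python sketch shows how an agent could specify a common scanning policy for one scanner in step S103: the target-selection options are emulated by pre-filtering a host inventory, and the remaining items are routed to the center, to the agent, or to a direct scanner option mapping. The host inventory, the policy keys beyond those named above, and the per-scanner option names are constructed assumptions.

```python
# Added example, not the patent's code: the host inventory, the extra policy keys
# and the scanner option names below are constructed assumptions.
from __future__ import annotations

# Constructed host inventory, as an agent could build it from an external tool
# such as nmap: host -> (open ports, OS name, is network equipment)
HOSTS = {
    "10.0.0.1": ({22, 443}, "IOS", True),
    "10.0.0.10": ({80, 443}, "Linux", False),
    "10.0.0.11": ({22, 3306}, "Linux", False),
    "10.0.0.20": ({135, 445}, "Windows", False),
}

# Target-selection items are emulated at the agent by pre-filtering the hosts;
# the other groups are specified at the center or at the agent level.
TARGET_FILTERS = {"only web server scanning", "only specified port open host scanning",
                  "only specified OS scanning", "only network equipment scanning"}
CENTER_ITEMS = {"scanning schedule", "plug-in update schedule",
                "selection of the kind of scanners and scanning position"}
AGENT_ITEMS = {"safety check", "scanning time"}

def select_targets(policy: dict, hosts: dict = HOSTS) -> list[str]:
    """Emulate the target-selection options: keep only hosts passing every filter."""
    selected = []
    for host, (ports, os_name, is_net) in hosts.items():
        if policy.get("only web server scanning") and not (ports & {80, 443}):
            continue
        wanted = policy.get("only specified port open host scanning")
        if wanted and not (ports & set(wanted)):
            continue
        os_filter = policy.get("only specified OS scanning")
        if os_filter and os_name != os_filter:
            continue
        if policy.get("only network equipment scanning") and not is_net:
            continue
        selected.append(host)
    return selected

def specify_policy(policy: dict, option_map: dict) -> dict:
    """Split a common policy into the target list, directly mapped scanner options
    (via option_map: common item -> scanner option name), agent-level and
    center-level items; anything left is reported for emulation or review."""
    scanner_opts, agent, center, unmapped = {}, {}, {}, {}
    for key, value in policy.items():
        if key in TARGET_FILTERS:
            continue                      # handled by select_targets
        if key in CENTER_ITEMS:
            center[key] = value
        elif key in AGENT_ITEMS:
            agent[key] = value
        elif key in option_map:
            scanner_opts[option_map[key]] = value
        else:
            unmapped[key] = value
    return {"targets": select_targets(policy), "scanner_options": scanner_opts,
            "agent": agent, "center": center, "unmapped": unmapped}
```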
The first three principles have priority over the last two principles. If there is a collision between the last two principles and the first three principles, the first three principles prevail.
D. Scanning Result Generalization Technology (S220 in
When the vulnerability scanning is terminated, the agent collects the scanning results and transfers them to the vulnerability managing and integrating module. However, since the formats and the described contents of the scanning results differ among the vulnerability scanners, a step transforming them into a common format is first required for the relevance analysis. Accordingly, the agent transforms the scanning results into the common format before transferring them.
The common format of the vulnerability scanning results is as follows. All vulnerability scanning results are transformed into the following format. The fields of ‘scanner name’, ‘degree of severity’, and ‘vulnerability description’ are essential ones, so they must be filled with contents. Since the vulnerability title, the approved vulnerability ID, and the plug-in ID may not be provided, depending on the vulnerability scanner, they are not designated as essential.
Definitions and contents description regulations for each field are as follows:
Vulnerability Title (Selective Item)
Scanner Name (Essential Item)
Vulnerability ID (Selective Item)
Plug-In ID (Selective Item)
Degree of Severity (Essential Item)
The level of the degree of severity may differ according to the vulnerability scanner. It is in general expressed in three levels. However, it may be expressed in five levels, or may not be expressed at all. For consistent expression of the degree of severity, the scanning results of all vulnerability scanners are re-defined into the three levels of high, middle, and low as follows:
If the degree of severity of the vulnerability scanner does not have the three levels above, it is transformed into the three levels according to the following regulations:
If the above transform regulations do not apply as they are, the transform regulations may be varied based on long experience with a specified vulnerability scanner and on how its severity levels relate to the three levels. For instance, in a four-level transformation, if a vulnerability belonging to the second level is not merely informational but material information requiring a manager's check, both the second level and the third level may be transformed into middle.
Vulnerability Description (Essential Item)
E. Relevance Analysis Technology (S301 in
A cross-checking method using multiple heterogeneous vulnerability scanners is able to enhance the comprehension and the accuracy of the scanning. Of importance in connection with the accuracy of the scanning results is the process of eliminating duplication through the relevance analysis, in order to perform an integrative analysis of the scanning results of the heterogeneous vulnerability scanners. The same vulnerability being detected by multiple heterogeneous vulnerability scanners strengthens the conviction that the vulnerability exists.
The method able to output the most accurate result through a relevance analysis between the scanning results of the heterogeneous vulnerability scanners is a manual mapping method through plug-in analysis. However, this method is time-consuming, so it cannot quickly cope with newly emerging vulnerabilities. Moreover, it has the problems that much analysis time is taken on the whole plug-in set whenever a new scanner is used, and that the mapping information must be updated through an analysis whenever a plug-in is updated.
In an embodiment of the invention, the mapping is carried out based only on the vulnerability scanning results, without analyzing the plug-ins of the respective scanners. Accordingly, there is no need to analyze the plug-in information of a vulnerability scanner or to update the mapping information whenever scanning information for a new vulnerability is added.
For an integrative analysis of the scanning results of the heterogeneous vulnerability scanners, and for relating the current and the prior scanning results, an identification ID for each vulnerability is needed. In an embodiment of the invention, a method is applied in which an approved vulnerability identification ID is basically used, and a No-match ID is newly issued to a vulnerability with no approved ID and a record thereof is managed.
Mapping using Approved Vulnerability Identification ID
Many vulnerability scanners provide the scanning results together with the approved vulnerability identification ID information. In this case, the vulnerability information is mapped according to the following priority.
The approved vulnerability ID information may be provided in a specified field of the scanning results of the respective vulnerability scanners, and may also be included in the vulnerability description field. Such vulnerability ID information is stored in the ‘vulnerability ID’ field when transformed into the common format. Accordingly, if information exists in the ‘vulnerability ID’ field, which means that an approved vulnerability ID exists, the information is used in the vulnerability mapping process.
Offering Identifier to Vulnerability With No Approved Vulnerability ID
The cases in which approved vulnerability ID information is not provided are in general divided into two types. The first is where the vulnerability is a recently detected one, so an approved vulnerability ID has not yet been provided, and the second is where the vulnerability is not important.
A vulnerability of high severity with no approved vulnerability ID may be considered a vulnerability that has recently been detected and is rapidly propagating. In this case, a No-match ID is generated and the characteristics of the vulnerability are recorded as follows, such that the same No-match ID will be used for the same vulnerability when it is detected in the future. If an approved vulnerability ID is issued for that vulnerability in the future, mapping information between the approved vulnerability ID and the No-match ID is stored.
A vulnerability having low severity (middle or low degree of severity) and no approved ID is of low importance as vulnerability information and does not have a large influence on the vulnerability integrative analysis, so the vulnerability is not allocated a No-match ID and is regarded as an individual vulnerability. In the vulnerability result integrative analysis, the analysis is performed on the vulnerabilities with a high degree of severity.
F. Integrative Analysis Technology (S302 in
Severity Integration
Upon analysis of vulnerabilities, it is important to detect all of the vulnerabilities rather than only a portion thereof. Although 99% of the vulnerabilities may have been detected, it cannot be assumed that the severity is reduced to that extent. If the administrative privilege of a major system can be obtained through the remaining 1% of vulnerabilities, a worst-case scenario may result, just as in the case where a network on which no severity analysis has been performed is hacked. Accordingly, not even a single vulnerability with high severity should be missed in the vulnerability analysis.
In the case of using the multiple heterogeneous vulnerability scanners, the severity evaluations of the same vulnerability may differ. In this case, considering the inaccuracy of the scanning results and the fact that all vulnerabilities with high severity should be detected, it is preferable to use the highest severity as the integrative severity of the vulnerability.
Severity integrating regulations and a determination process are as follows:
Accuracy Analysis
If a specified vulnerability is detected by multiple heterogeneous vulnerability scanners, it can be evaluated that the possibility that the vulnerability exists is relatively high. However, even if the vulnerability is detected by only some of the multiple heterogeneous vulnerability scanners used, it cannot be assumed that the possibility that the vulnerability exists is low. This is because the scanning domain and items may differ for each vulnerability scanner, and the scanning accuracy of some vulnerability scanners may be high.
All vulnerabilities whose severity is evaluated as high, irrespective of the number of vulnerability scanners that detect them, should be targets to be analyzed and checked. This is in order not to miss even a single possible vulnerability. For a vulnerability whose severity is evaluated as high, the security manager determines through actual checking whether or not it finally is true.
In an embodiment of the invention, there is provided a method for predicting the accuracy of a vulnerability detected through the scanning results, based on the reliability expected by the security manager in light of his experience with the vulnerability scanner.
The security manager can set up a reliability for each vulnerability scanner in order to predict the accuracy of the vulnerability. The security manager may set up a different reliability for each vulnerability scanner, and the reliability is reflected in the accuracy of the vulnerability according to the following regulations.
The reliability of a vulnerability scanner means what percentage of the vulnerabilities detected through the scanning results of the corresponding vulnerability scanner can be trusted. This is calculated based on the manager's experiential reliability on the corresponding vulnerability scanner, and is automatically adjusted through the manager's feedback activity. The calculated reliability range is set to 1.0 to 0.1 (in units of 0.1).
The accuracy of a vulnerability means the possibility that the vulnerability actually exists in a target system. The accuracy of a vulnerability is determined as the summation of the reliabilities of the vulnerability scanners that detect the vulnerability.
For example, if there are a vulnerability scanner A with reliability of 0.8, a vulnerability scanner B with reliability of 0.4, and a vulnerability scanner C with reliability of 0.3, the vulnerability detected by the vulnerability scanner A has the accuracy of 0.8, and the vulnerability detected by both vulnerability scanners B and C has the accuracy of 0.7.
The reliabilities of the respective vulnerability scanners can be automatically adjusted through a statistical analysis of the security manager's feedback activity.
Vulnerability Title Integration
In case an approved vulnerability ID exists in the vulnerability information, the vulnerability titles of the same vulnerability detected by the heterogeneous vulnerability scanners are unified into one according to the following sequence, and the vulnerability title associated with the ID is used. That is, the approved vulnerability title designated by the agency managing the approved ID is used.
In case of no approved vulnerability ID, the vulnerability title field of the scanner with higher reliability is used as it is.
Vulnerability Description Integration
In case an approved vulnerability ID exists in the vulnerability information, the vulnerability descriptions of the same vulnerability detected by the heterogeneous vulnerability scanners are unified into one according to the following sequence, and the vulnerability description associated with the ID is used. That is, the approved vulnerability description designated by the agency managing the approved ID is used.
In case of no approved vulnerability ID, the vulnerability description field of the scanner with higher reliability is used as it is.
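The relevance analysis (approved ID first, No-match ID for high-severity findings without one, individual treatment otherwise), the highest-severity rule, the summed-reliability accuracy with the A 0.8 / B 0.4 / C 0.3 figures from the text, and the title selection rule above, carried through in one added Python example that is not the patent's own code. The Finding fields (including a host field), the No-match ID derivation and the sample records are constructed assumptions.

```python
# Added example, not the patent's code: fields, No-match scheme and data are assumed.
from __future__ import annotations
from dataclasses import dataclass
import hashlib

SEVERITY_RANK = {"low": 0, "middle": 1, "high": 2}   # the three common levels

@dataclass
class Finding:
    """One record already transformed into the common result format."""
    scanner: str                    # scanner name (essential)
    severity: str                   # high / middle / low (essential)
    description: str                # vulnerability description (essential)
    host: str                       # assumed: the scanned target system
    vuln_id: str | None = None      # approved vulnerability ID, if provided
    title: str | None = None        # vulnerability title (selective)

def nomatch_id(f: Finding) -> str:
    """Issue a No-match ID from the recorded characteristics so the same
    unidentified vulnerability receives the same ID in later scans (assumed)."""
    digest = hashlib.sha256(f"{f.host}|{f.description.strip().lower()}".encode()).hexdigest()
    return "NOMATCH-" + digest[:12]

def relevance_key(f: Finding) -> str | None:
    """Mapping priority: approved ID first; otherwise a No-match ID, but only
    for high severity. Middle/low findings without an ID stay individual."""
    if f.vuln_id:
        return f"{f.host}|{f.vuln_id}"
    if f.severity == "high":
        return f"{f.host}|{nomatch_id(f)}"
    return None

def integrate(findings, reliability, approved_titles):
    """Eliminate duplicates, then integrate severity, accuracy and title.
    reliability: manager-set value 0.1..1.0 per scanner name.
    approved_titles: title designated by the agency managing each approved ID."""
    groups: dict[str, list[Finding]] = {}
    for n, f in enumerate(findings):
        groups.setdefault(relevance_key(f) or f"INDIVIDUAL-{n}", []).append(f)
    out = []
    for key, fs in groups.items():
        # severity integration: the highest evaluation among the scanners wins
        sev = max((f.severity for f in fs), key=SEVERITY_RANK.__getitem__)
        # accuracy: summed reliability of the distinct scanners that detected it
        scanners = sorted({f.scanner for f in fs})
        acc = round(sum(reliability[s] for s in scanners), 2)
        approved = next((f.vuln_id for f in fs if f.vuln_id), None)
        if approved in approved_titles:
            title = approved_titles[approved]
        else:  # no approved title: take the most reliable scanner's own title
            titled = [f for f in fs if f.title]
            title = max(titled, key=lambda f: reliability[f.scanner]).title if titled else None
        out.append({"key": key, "severity": sev, "accuracy": acc,
                    "title": title, "scanners": scanners})
    return out

def demo():
    """Constructed sample with the reliabilities from the text: A 0.8, B 0.4, C 0.3."""
    reliability = {"A": 0.8, "B": 0.4, "C": 0.3}
    approved_titles = {"CVE-0000-0002": "Approved title for 0002"}   # placeholder ID
    findings = [
        Finding("A", "middle", "old ftp banner", "h1", vuln_id="CVE-0000-0001", title="A ftp"),
        Finding("B", "middle", "ssh weak kex", "h1", vuln_id="CVE-0000-0002", title="B ssh"),
        Finding("C", "high", "SSH weak key exchange", "h1", vuln_id="CVE-0000-0002"),
        Finding("B", "high", "Remote code exec in svc", "h2", title="B svc rce"),
        Finding("C", "high", "remote code exec in svc ", "h2", title="C svc rce"),
        Finding("A", "low", "icmp timestamp", "h2"),
    ]
    return {r["key"]: r for r in integrate(findings, reliability, approved_titles)}
```

Note that the summed accuracy is taken exactly as the text defines it; with three scanners all detecting one vulnerability it exceeds 1.0, so a deployment would decide how to present such values.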
Storage of Integrative Analysis Result
When the relevance analysis and the integrative analysis are terminated, the integrated scanning results are stored in the following table.
The scanning results can be shown through a graphical user interface (GUI) in such a manner that the scanning results the security manager must essentially perceive are easily understood, based on the data stored in the integrative table.
G. Feedback Reflection Technology (S303 in
A manager can correct errors in the integrative analysis results, such as an error of the automated integrative analysis process, a scanning result error of the respective scanners, and so forth. In the case of a vulnerability to which an approved vulnerability ID is newly issued, the information on the vulnerability may be corrected and reflected in the integrative analysis results.
The following items are ones that the security manager can feed back in the process of checking the integrative analysis results.
A vulnerability that is found not to exist in the process of checking the scanning results can be corrected by the manager, and the reliability of the corresponding vulnerability scanner is adjusted downward based on the statistical data on the correction activity. The manager can also adjust the reliability of a vulnerability scanner at his or her discretion.
As set forth above, according to the invention, it is possible to obtain complementary vulnerability scanning utilizing the multiple heterogeneous vulnerability scanners, to enhance the accuracy and the comprehension of the scanning results, and to obtain a comprehensive vulnerability analysis of a network.
Moreover, it is possible to flexibly select a vulnerability scanner in conformity with the network environment and the economic situation of a company, because the multiple heterogeneous vulnerability scanners can be applied without depending upon a specified vulnerability scanner.
Furthermore, an automated vulnerability scanning and integrative analysis process is effective in large-scale and complex network security management, and makes it possible to obtain fast security checking and countermeasures against the recent tendency in which, upon the discovery of a new vulnerability, hacking technology using the vulnerability is quickly distributed and worms and viruses using the vulnerability quickly spread.
Although preferred embodiments of the present invention have been described for illustrative purposes, those skilled in the art will appreciate that various modifications, additions and substitutions are possible, without departing from the scope and spirit of the invention as disclosed in the accompanying claims.
Number | Date | Country | Kind |
---|---|---|---|
10-2006-0099642 | Oct 2006 | KR | national |