In many network environments, unauthorized users may exploit vulnerabilities in the network to gain access, deny access, or otherwise attack systems in the network. To detect and remediate such vulnerabilities, existing network security systems typically analyze the network through manual inspection or network scans. For example, conventional network scanners (or “active vulnerability scanners”) send packets or other messages to devices in the network and then audit the network using the information contained in whatever response packets or messages those devices return. Because the audit depends on receiving responses, the physical layout of the network limits the effectiveness of active vulnerability scanners: only devices that can exchange traffic with the scanner can be audited, and actively scanning networks distributed over large areas or containing large numbers of devices may take a long time. For example, in a network that includes multiple routers, hosts, and other network devices, an active vulnerability scanner typically has to send packets that traverse several routers to reach the hosts and other devices, some of which may be inactive at the time of the scan and therefore unreachable. Further, where one or more of the routers run firewalls that screen or otherwise filter incoming and outgoing traffic, the active vulnerability scanner may produce incomplete results because the firewalls may prevent it from auditing the hosts or other devices behind them.
Furthermore, the audit results that active vulnerability scanners produce become stale over time because they describe a static state of the network at one point in time. Hosts added to or removed from the network after a scan are not reflected in its results, so the value of those results steadily decreases as the network changes. Active vulnerability scanners also tend to disrupt the network during an audit: probing network hosts or other devices may cause communication bottlenecks, processing overhead, and instability, among other problems. FIG. 1 illustrates a schematic diagram of an exemplary prior art network security system 100 that includes multiple routers 130, various network hosts or other devices 120, an active vulnerability scanner 110, and an interface to one or more other networks 140 (e.g., the Internet).
In the prior art system 100, the active vulnerability scanner 110 may send packets or other messages to the hosts or devices 120 through the routers 130 to identify which of the hosts or devices 120 are actively running in the network and which may be inactive. However, in many scenarios, one or more of the hosts or devices 120 may be deployed behind firewalls that screen incoming and outgoing traffic, may have disabled access to services that would provide important information describing them, or may otherwise prevent the active vulnerability scanner 110 from suitably auditing them. As such, prior art systems that rely entirely on an active vulnerability scanner (e.g., the system 100 shown in FIG. 1) typically cannot obtain comprehensive information describing important settings, configurations, or other characteristics of the network. Moreover, malicious or unauthorized users often employ techniques to obscure network sessions during an attempted breach, and active vulnerability scanners 110 generally cannot observe the real-time network activity that would indicate that such a breach is occurring. For example, many backdoor and rootkit applications use non-standard ports and custom protocols to obscure their network sessions, so intruders may compromise the network while escaping detection by a scanner that probes only well-known ports. Thus, an active vulnerability scanner 110 can only audit the state of the network at a particular point in time, whereas suitably managing network security often requires further insight into the real-time activity that occurs in the network.
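The three limitations described above (unreachable or inactive hosts, a filtering router, and results that go stale while a backdoor runs on a non-standard port) can be seen in a toy model of the FIG. 1 topology. The following Python is an added illustration, not code from the patent and not a real scanner; the hosts, the firewall policy, the port list and the later flow records are all constructed for the example.

```python
"""Added illustration, not code from the patent: a toy model of the FIG. 1
topology showing why a point-in-time active scan is incomplete and goes stale.
Hosts, firewall policy, probed ports and observed flows are all constructed."""
from dataclasses import dataclass


@dataclass
class Host:
    addr: str
    up: bool                       # inactive hosts never answer a probe
    services: dict                 # port -> banner the service would return
    behind_firewall: bool = False  # reached only through the filtering router


# Constructed policy: the router firewall forwards unsolicited inbound traffic
# only to these ports; every other probe is silently dropped.
FIREWALL_ALLOWED_INBOUND = {80, 443}

# Ports a conventional scanner probes here (constructed: well-known ports only).
SCAN_PORTS = [22, 80, 443]


def probe(host: Host, port: int):
    """Simulate one probe packet. Returns the banner if a response comes back,
    or None if the host is down, the firewall drops the probe, or the port is closed."""
    if not host.up:
        return None
    if host.behind_firewall and port not in FIREWALL_ALLOWED_INBOUND:
        return None
    return host.services.get(port)


def active_scan(hosts, ports=SCAN_PORTS):
    """Point-in-time audit: the scanner learns only what its probes elicit.
    Returns {addr: {port: banner}} for hosts that answered at all."""
    results = {}
    for host in hosts:
        seen = {}
        for port in ports:
            banner = probe(host, port)
            if banner is not None:
                seen[port] = banner
        if seen:
            results[host.addr] = seen
    return results


def unseen_by_scan(scan_results, flows):
    """Compare later real-time activity (constructed flow records of the form
    (src, dst, dst_port)) against the static scan. Returns the hosts the scan
    never recorded and the (host, port) services it never saw."""
    unknown_hosts = set()
    unknown_services = set()
    for src, dst, dport in flows:
        for addr in (src, dst):
            if addr not in scan_results:
                unknown_hosts.add(addr)
        if dst in scan_results and dport not in scan_results[dst]:
            unknown_services.add((dst, dport))
    return unknown_hosts, unknown_services


def sample_network():
    """Constructed hosts behind the routers of FIG. 1."""
    return [
        Host("10.0.1.10", up=True, services={22: "ssh", 80: "http"}),
        # Behind the filtering router: ssh and the backdoor on 31337 are hidden.
        Host("10.0.2.20", up=True, behind_firewall=True,
             services={22: "ssh", 443: "https", 31337: "backdoor"}),
        # Powered off when the scan runs, so it produces no result at all.
        Host("10.0.2.21", up=False, services={80: "http"}),
    ]


# Constructed flows observed after the scan: 10.0.3.30 joined the network
# afterwards, 10.0.2.21 came back up, and the backdoor on 31337 is in use.
LATER_FLOWS = [
    ("10.0.3.30", "10.0.2.20", 31337),
    ("10.0.2.21", "10.0.1.10", 80),
]


def demo():
    """Run the scan, then check the later flows against it."""
    scan = active_scan(sample_network())
    hosts, services = unseen_by_scan(scan, LATER_FLOWS)
    return scan, hosts, services


if __name__ == "__main__":
    scan, hosts, services = demo()
    print("scan results:", scan)
    print("hosts never seen by the scan:", sorted(hosts))
    print("services never seen by the scan:", sorted(services))
```

The scan records only 10.0.1.10 (ports 22 and 80) and 10.0.2.20 (port 443): the firewall hides ssh and the backdoor on 10.0.2.20 even if 31337 is added to the probed ports, and the inactive host 10.0.2.21 is absent entirely. Comparing the later flows against the scan turns up two hosts and one service the audit never knew about, which is the kind of real-time insight the passage says an active scanner alone cannot provide; the comparison step is part of this illustration, not the method the patent describes.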
Accordingly, although the active vulnerability scanners 110 employed in existing network security systems 100 can obtain certain information describing the network, the existing systems 100 cannot perform comprehensive security audits that completely describe potential vulnerabilities in the network, build models or topologies of the network, or derive other information relevant to managing the network. Therefore, a need exists for a network security system that can supplement the information obtained from active vulnerability scanners to comprehensively describe potential vulnerabilities in a network, build detailed models or topologies of the network, and derive other information that can be used to manage the network.