For many large information technology (IT) organizations, the network assets (i.e., computers, laptops, routers, switches, web servers, database machines, and other components connected to the network) can grow so numerous and dispersed, and be managed by such dispersed IT staff, that it becomes difficult to track and categorize these assets using traditional manual or automated approaches. Traditional systems do not provide real-time updates to the network infrastructure information using automated rules.
There are various systems that maintain network asset and topology information. These systems usually use various network discovery techniques to discover the network nodes and topology at any given point in time. The discovery can be reissued to update the information regarding the network. These network assets may then be scanned using commercially available scanners or proprietary techniques to determine the vulnerabilities present on these assets. Scanners may also detect the open ports on a given asset that can be used to reach the asset and exploit its vulnerabilities.
For the foregoing approaches, asset information may not always be fully up to date. Further, the information usually corresponds to static attributes of the asset (e.g., business classification of the asset, IP address, vulnerabilities) but not to dynamic attributes tracked in real time, such as current and historic bandwidth utilization, the current set of attacks happening on the asset, and current risk based on network traffic and the static attributes of the asset.
Other systems also allow importation of static asset data collected by network scanners and periodic update of this data (usually in weeks or months, but possibly days at customer installations). Thus, the network asset information is not always up to date. Such systems also allow automatic asset creation based on the IP address, hostname and Media Access Control (MAC) address of the machine, but not using a rule-based approach. Categories may also be added to or removed from the assets through rules, but not any other aspect of the asset information (e.g., current patch level, vulnerabilities, risk, and any other user-defined attributes). The age of an asset may be maintained based upon the last scan time, and using this information, asset model confidence may be calculated for activity occurring on the asset. For such systems, the asset model information confidence is based on the duration since the last scan time. Since the last scan, the asset may have been patched for certain vulnerabilities or re-purposed for a different business use, services may have been added or removed, and other changes may have been made.