Network vulnerability assessment involves the detection of potential unauthorized uses and associated exploits (collectively "vulnerabilities") as they relate to computer networks, the devices that connect to such networks, and/or the subsystems that make up those devices. Network types can include, for example, the Internet, FDDI, token ring, etc. Devices can include routers, switches, workstations, personal computers, printers, and other devices. Subsystems can include, for example, hardware types, operating systems, application programs, etc.
Network vulnerability assessment can be highly complex because the vulnerabilities in a given network can depend upon the version and configuration of the network and upon the devices and subsystems coupled to the network. Additionally, networks can possess atomic as well as composite vulnerabilities. An atomic vulnerability can be a particular application running on a specific device port, for example SMTP. A composite vulnerability can result, among other reasons, because of the combination of two particular subsystems. For example, an operating system, such as WINDOWS NT 3.5, with a collection of certain subordinate applications can present composite vulnerabilities.
Another difficulty for vulnerability assessment stems from the highly dynamic nature of network environments. Devices of known or unknown type can be added and removed from the network at any time. Additionally, different versions and types of subsystems can be introduced to the network. Each change or upgrade includes the potential for new or changed vulnerabilities to exist on that network.
There are a number of conventional systems that attempt to assess the vulnerability of computer systems but are deficient for a variety of reasons. For example, Computer Oracle and Password System (COPS) is designed to probe for vulnerabilities on a host system. However, COPS does not maintain information across an entire network and can predict vulnerabilities only on a single host. Other conventional systems include System Administrator Tool for Analyzing Networks (SATAN Suite) and Internet Security Scanner (ISS). These products can scan computer systems for vulnerabilities by active probing, analyze the collected data for vulnerabilities, and display the results. However, several disadvantages are associated with these products. For example, data collection and analysis are implemented as a single process. Such a methodology creates a prohibitively time consuming process. Furthermore, as new vulnerabilities are discovered or a network is changed, it is not possible to recreate a previous network configuration in order to test for the newly-discovered potential vulnerabilities.
Additional problems with conventional systems include the fact that the analysis process can take a prohibitive amount of computing power as the network grows; as such, potential vulnerabilities can be missed. A further problem is that such conventional systems scan for live Internet Protocol (IP) addresses on a network; therefore, vulnerabilities that exist on services that are not active during a scan can be missed.