Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing, both because of the intellectual challenge such attacks represent for hackers and because of the increasing payoff for the serious attacker. Furthermore, attacks are outgrowing the capability of current security management tools to identify them and respond to them quickly. As various attack methods are tried and ultimately repulsed, attackers will try new approaches with more subtle attack features. Maintaining network security is thus an on-going, ever-changing, and increasingly complex problem.
Computer network attacks can take many forms, and any one attack may include many security events of different types. Security events are anomalous network conditions, each of which may have an adverse security effect on a computer network. Security events include stealing confidential or private information; damaging the network through mechanisms such as viruses, worms, or Trojan horses; overwhelming the network's capacity in order to cause a denial of service; and so forth.
Network security risk-assessment tools, i.e. “scanners,” may be used by a network manager to simulate an attack against computer systems over a remote connection. Such scanners probe for network weaknesses by simulating certain types of security events that make up an attack. Such tools can also test user passwords for suitability and security. Moreover, scanners can search for known types of security events in the form of malicious programs such as viruses, worms, and Trojan horses.
During the course of scanning, such security risk-assessment tools open remote network connections to the various target systems. Most of these connections rely on Transmission Control Protocol/Internet Protocol (TCP/IP) connectivity to establish communications and test for security risks. There are many such security vulnerabilities, so testing for the presence of each of them can become quite time consuming, especially when auditing a network consisting of hundreds or thousands of systems.
Many aspects of scanning contribute to the latency of the process. One prominent aspect is the time a target system takes to respond to network requests, together with the time individual packets of data require to travel between the source system performing a risk-assessment scan and the target system of that scan.
In the course of auditing for a particular security threat, a scanner typically waits a predefined timeout before concluding that the target system is not responding. To optimize performance when scanning many systems, or a single system for many vulnerabilities, a scanner may lower this timeout value to avoid waiting unnecessarily for unresponsive remote target systems. Because network conditions vary, however, a timeout value that is set too low may cause the scanner to abandon scans against vulnerable systems that are reachable only over a high-latency network, i.e. one in which a request and its response take a long round trip regardless of the link's data transfer speed. A scan abandoned in this way reports the vulnerable system as merely unresponsive, so the lower timeout trades scan time for missed findings.
Prior Art FIG. 1A shows an exemplary system 100 which is subject to scanning latencies. As shown, such system 100 includes the Internet 102 which is in turn coupled to a wide area network (WAN) 104. The networks 102 and 104 are coupled via a router 106 for communication purposes.
Coupled to the networks 102 and 104 is a plurality of computers, including at least one scanning source 108 and a plurality of target computers 110. As shown in FIG. 1A, communication latencies between the scanning source 108 and the target computers 110 may vary due to variable network conditions in the networks 102 and 104. For example, a first and a second target computer may require less than 10 ms to respond to the scanning source 108, while a third and a fourth target computer may require more than 200 ms to respond to the scanning source 108.
Prior Art FIG. 1B shows exemplary statistics illustrating the manner in which timeouts contribute to scanning latencies. As shown, the actual response latency due to network conditions for the first and second target computers is less than 10 ms, while the third and fourth target computers require more than 200 ms to respond. In each scan the default timeout is set at 500 ms, a constant value in accordance with the prior art, so the scanner waits the full 500 ms for every probe that goes unanswered, whether the target would have responded in 10 ms or in 200 ms. Accordingly, there is a net time lost in each scan, namely the time spent waiting beyond the target's actual response latency, which varies based on network conditions. See FIG. 1B.
There is thus a need for a scanner capable of reducing the latency of the scanning process while avoiding abandoning vulnerable systems reachable over high-latency networks.