Computer networks are used in many types of organisation, for example within business, industrial and educational organisations. A computer network typically comprises a number of computer systems interconnected by data communications links. Computer networks allow data to be shared between users of individual organisations, and also between users of different organisations.
Computer systems connected to such computer networks operate using software executed on the systems. Such software may contain vulnerabilities which render the software, and computer systems running the software, susceptible to interference by unauthorised means. As will be appreciated by those skilled in the art, a software vulnerability may be considered a characteristic of that software which renders it susceptible to processing operations not intended to be permitted or performed by that software. Examples of software vulnerabilities include software features that enable hackers to manipulate the software in an unauthorised way or features that enable malicious mobile code (worms, executable computer viruses, etc.) to access and/or manipulate the software. Knowledge of a software vulnerability enables the formulation of so-called ‘exploit’ programs which are specifically designed to take advantage of such software vulnerabilities.
Taking a well-known example, in July 2001, a computer virus was discovered that exploited a software vulnerability in a particular web server application. The virus was known as the “Code Red” virus. The virus exploited a stack/buffer overflow vulnerability in the indexing system of the web server application and used a specially designed hypertext transfer protocol (http) request that, when applied to the web server application, caused malicious code to take control of the web server. The primary behaviour of the malicious code was to propagate across networks very rapidly, and indeed, it was estimated that the Code Red virus was capable of infecting approximately half a million Internet Protocol (IP) addresses per day. A further effect was to deface web-sites present on the ‘infected’ server.
Thus, it will be appreciated that since computer networks facilitate the transfer of data across a large number of computer systems in a relatively short space of time, such vulnerabilities can enable malicious mobile code to propagate rapidly across large network areas. The costs involved in rectifying ‘infected’ systems can be very large and it follows that early identification of such vulnerabilities is important so that appropriate remedial action can be taken before the vulnerability is exploited.
A conventional method of determining whether computer systems on a network contain vulnerabilities is to perform a scan of Internet Protocol (IP) addresses on the network to identify the software programs present on computer systems having those IP addresses. The result is a list of IP addresses and associated software programs (including their version number). This information is collected centrally, e.g. by an organisation's IT department, and compared with a central database of known vulnerabilities associated with the identified software versions. It is then the task of the IT department to manually identify the physical machine/user from the IP addresses. This can be a difficult, time-consuming and costly task since the allocation of IP addresses does not necessarily correspond to the physical arrangement of computer systems, and the same IP address can even be assigned to different machines at different times. The task of transporting the appropriate remedy, e.g. a software ‘patch’, to the affected computer system or user usually involves some manual element. Once the computer system or user is identified, this process may involve sending an e-mail to the user informing them that they themselves need to apply the patch and where the patch is stored. It is then up to the user to effect the remedy in their own time.
It will be appreciated that this conventional method relies heavily on the accuracy of the information in the database which relates known vulnerabilities to identified software versions. Inaccurate information in the database can result in no vulnerability being indicated where, in fact, one exists. Alternatively, a vulnerability could be indicated when one does not exist. As will be appreciated from the above, the remediation method is also slow and can leave computer systems susceptible to virus attacks.
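The conventional scan-and-compare workflow described in the two preceding paragraphs, and the failure modes just noted, can be made concrete in code. The following is an added illustration, not part of the original document: it compares a constructed scan result list (IP address, program, version) against a constructed vulnerability database keyed by the first fixed version, resolves each affected IP address to the machine and user that held it at scan time via address-assignment records, and shows both how the same IP address maps to different machines at different times and how a stale database record produces no finding where a vulnerability in fact exists. All names (WebServerX, VULN-0001, the hostnames, users and URLs) are placeholders invented for the example.

```python
"""Conventional vulnerability scan workflow: match scan output against a
database of known vulnerabilities, then resolve IP addresses to machines/users.
Added example; all data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class ScanResult:
    """One row of scanner output: an IP address and a program/version found on it."""
    ip: str
    product: str
    version: str
    seen_at: datetime          # when the scanner observed this address


@dataclass(frozen=True)
class KnownVulnerability:
    """One row of the central database relating a vulnerability to software versions."""
    vuln_id: str               # placeholder identifier, constructed for this example
    product: str
    fixed_in: str              # first version carrying the fix; lower versions are affected
    patch_url: str             # where the remedy (the patch) is stored


@dataclass(frozen=True)
class DhcpLease:
    """Address-assignment record used to map an IP address back to a machine/user."""
    ip: str
    hostname: str
    user: str
    start: datetime
    end: datetime


def parse_version(version: str) -> tuple:
    """'5.0.12' -> (5, 0, 12). Purely numeric dotted versions only; anything else
    is rejected rather than silently mis-ordered."""
    parts = version.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, vuln: KnownVulnerability) -> bool:
    """A version is affected when it sorts below the first fixed version."""
    return parse_version(version) < parse_version(vuln.fixed_in)


def resolve_lease(ip: str, at: datetime, leases: list) -> Optional[DhcpLease]:
    """Find the lease that held `ip` at instant `at`; None if the address was unassigned.
    This is the step an IT department otherwise performs by hand."""
    for lease in leases:
        if lease.ip == ip and lease.start <= at < lease.end:
            return lease
    return None


def build_report(scan: list, database: list, leases: list) -> list:
    """Compare scan results against the database and attach the responsible host/user.
    `hostname`/`user` are None when the IP address cannot be resolved."""
    report = []
    for result in scan:
        for vuln in database:
            if vuln.product != result.product or not is_affected(result.version, vuln):
                continue
            lease = resolve_lease(result.ip, result.seen_at, leases)
            report.append({
                "ip": result.ip,
                "vuln_id": vuln.vuln_id,
                "version": result.version,
                "hostname": lease.hostname if lease else None,
                "user": lease.user if lease else None,
                "patch_url": vuln.patch_url,
            })
    return report


# ---- constructed sample data ----------------------------------------------
def T(hour: int) -> datetime:
    """Fixed example date; only the hour varies."""
    return datetime(2001, 7, 19, hour, 0)


LEASES = [
    DhcpLease("10.0.0.5", "ws-alpha", "alice", T(8), T(12)),
    DhcpLease("10.0.0.5", "ws-beta", "bob", T(12), T(16)),   # same IP, later, different machine
    DhcpLease("10.0.0.7", "ws-gamma", "carol", T(8), T(16)),
]
SCAN_MORNING = [
    ScanResult("10.0.0.5", "WebServerX", "5.0.12", T(9)),
    ScanResult("10.0.0.7", "WebServerX", "5.0.13", T(9)),
]
SCAN_AFTERNOON = [ScanResult("10.0.0.5", "WebServerX", "5.0.12", T(13))]

ACCURATE_DB = [KnownVulnerability("VULN-0001", "WebServerX", "5.0.13",
                                  "https://patches.example/x-5.0.13")]
# Stale record: believes the fix shipped one release earlier than it did,
# so a host running 5.0.12 is wrongly reported as clean (false negative).
STALE_DB = [KnownVulnerability("VULN-0001", "WebServerX", "5.0.12",
                               "https://patches.example/x-5.0.13")]

if __name__ == "__main__":
    for finding in build_report(SCAN_MORNING, ACCURATE_DB, LEASES):
        print(finding)
```

Running the morning scan against the accurate database yields one finding attributed to `ws-alpha`/`alice`; the same address scanned in the afternoon resolves to `ws-beta`/`bob`, which is the IP-reuse problem the text describes. The stale database returns no finding at all for a host that is in fact affected, which is the false negative noted above; the opposite error (a record claiming a later fix than the real one) would produce a false positive by the same mechanism.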
It is an object of the present invention to provide an improved method of identifying software vulnerabilities on a computer system, and an improved method of identifying software vulnerabilities in a computer network. It is also an object of the invention to provide an improved method of remediating identified software vulnerabilities. Other objects of the invention are to limit the effect of vulnerability identification methods on the normal operations of a computer network, and to perform such methods in an efficient way.