CANVuS: Context-Aware Network Vulnerability Scanning

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6307)

Abstract

Enterprise networks face a variety of threats including worms, viruses, and DDoS attacks. Development of effective defenses against these threats requires accurate inventories of network devices and the services they are running. Traditional vulnerability scanning systems meet these requirements by periodically probing target networks to discover hosts and the services they are running. This polling-based model of vulnerability scanning suffers from two problems that limit its effectiveness: wasted network resources, and detection latency that leads to stale data. We argue that these limitations stem primarily from the use of time as the scanning decision variable. To mitigate these problems, we instead advocate an event-driven approach that decides when to scan based on changes in the network context, an instantaneous view of the host and network state. In this paper, we propose an architecture for building network context for enterprise security applications by using existing passive data sources and common network formats. Using this architecture, we built CANVuS, a context-aware network vulnerability scanning system that triggers scanning operations based on changes indicated by network activities. Experimental results show that this approach outperforms the existing models in timeliness and consumes far fewer network resources.
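The abstract contrasts time-driven polling with scanning triggered by changes in passively observed network context. The following is an added illustration of that contrast, not code from the CANVuS paper or its authors: it replays a constructed stream of passive service sightings through a small context store, issues a scan only when a (host, port) entry appears or its fingerprint changes, and compares probe count and detection latency against a fixed-interval sweep of the same address range. The observation format, the per-target rate limit, the timeline and the address space are all assumptions made for the example.

```python
"""Added example: event-driven vs. polling scan scheduling over a constructed
stream of passive observations. Illustrative only; not the CANVuS implementation.
The event format, scheduler, rate limit and sample timeline are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    """One passive sighting of a service (e.g. derived from a flow record or banner)."""
    t: float      # seconds since the start of the trace
    host: str
    port: int
    banner: str   # service fingerprint as seen on the wire


@dataclass(frozen=True)
class ScanJob:
    t: float              # time the probe is issued
    host: str
    port: Optional[int]   # None means a full host sweep
    reason: str


class ContextStore:
    """Last-known state per (host, port). update() returns a change reason or None."""

    def __init__(self) -> None:
        self.state: Dict[Tuple[str, int], str] = {}

    def update(self, obs: Observation) -> Optional[str]:
        key = (obs.host, obs.port)
        prev = self.state.get(key)
        if prev == obs.banner:
            return None                  # already known; nothing to scan
        self.state[key] = obs.banner
        return "new-service" if prev is None else "service-changed"


def event_driven_schedule(observations: List[Observation], min_gap: float = 60.0) -> List[ScanJob]:
    """Scan only when the context changes. A per-target minimum gap rate-limits
    scans so a noisy or spoofed sensor cannot turn the scanner into a flood source;
    rate-limited scans are deferred, never dropped."""
    ctx = ContextStore()
    last_scan: Dict[Tuple[str, int], float] = {}
    jobs: List[ScanJob] = []
    for obs in sorted(observations, key=lambda o: o.t):
        reason = ctx.update(obs)
        if reason is None:
            continue
        key = (obs.host, obs.port)
        when = max(obs.t, last_scan.get(key, float("-inf")) + min_gap)
        last_scan[key] = when
        jobs.append(ScanJob(when, obs.host, obs.port, reason))
    return jobs


def polling_schedule(address_space: List[str], interval: float, horizon: float) -> List[ScanJob]:
    """Traditional model: sweep every address at every interval, regardless of activity."""
    jobs: List[ScanJob] = []
    t = interval
    while t <= horizon:
        jobs.extend(ScanJob(t, host, None, "periodic") for host in address_space)
        t += interval
    return jobs


def detection_latencies(observations: List[Observation], jobs: List[ScanJob]) -> List[Optional[float]]:
    """For each context change, seconds until the first probe that covers that target
    (None if no probe ever covers it within the schedule)."""
    ctx = ContextStore()
    out: List[Optional[float]] = []
    for obs in sorted(observations, key=lambda o: o.t):
        if ctx.update(obs) is None:
            continue
        covering = [j.t for j in jobs
                    if j.host == obs.host and j.port in (None, obs.port) and j.t >= obs.t]
        out.append(min(covering) - obs.t if covering else None)
    return out


def compare(observations: List[Observation], address_space: List[str],
            interval: float, horizon: float, min_gap: float = 60.0) -> dict:
    ev = event_driven_schedule(observations, min_gap)
    poll = polling_schedule(address_space, interval, horizon)
    return {
        "event_driven": {"probes": len(ev), "latency": detection_latencies(observations, ev)},
        "polling": {"probes": len(poll), "latency": detection_latencies(observations, poll)},
    }


# Constructed sample timeline (assumption): a 30-minute window on a tiny /28.
OBS = [
    Observation(10, "10.0.0.5", 22, "OpenSSH_7.4"),
    Observation(35, "10.0.0.5", 22, "OpenSSH_7.4"),        # repeat sighting, no change
    Observation(120, "10.0.0.7", 80, "Apache/2.2.15"),
    Observation(700, "10.0.0.7", 80, "Apache/2.4.41"),      # service upgraded
    Observation(705, "10.0.0.7", 80, "nginx/1.18.0"),       # changed again inside min_gap
    Observation(1500, "10.0.0.5", 22, "OpenSSH_7.4"),       # repeat sighting, no change
    Observation(1600, "10.0.0.9", 443, "nginx/1.18.0"),
]
ADDRESS_SPACE = [f"10.0.0.{i}" for i in range(1, 11)]   # constructed 10-address range
INTERVAL, HORIZON = 900.0, 1800.0                        # poll every 15 min for 30 min

if __name__ == "__main__":
    for model, r in compare(OBS, ADDRESS_SPACE, INTERVAL, HORIZON).items():
        print(f"{model:13s} probes={r['probes']:3d} latency={r['latency']}")
```

On the constructed timeline the event-driven scheduler issues 5 targeted probes with zero latency except for the one deferred by the rate limit, while the sweep issues 20 probes and sees each change only at the next tick. The rate limit is the check worth keeping in a real deployment: a scanner that fires on every sighting is itself a traffic amplifier for anyone who can feed the passive sensor.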




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Xu, Y., Bailey, M., Vander Weele, E., Jahanian, F. (2010). CANVuS: Context-Aware Network Vulnerability Scanning. In: Jha, S., Sommer, R., Kreibich, C. (eds) Recent Advances in Intrusion Detection. RAID 2010. Lecture Notes in Computer Science, vol 6307. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15512-3_8

  • DOI: https://doi.org/10.1007/978-3-642-15512-3_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-15511-6

  • Online ISBN: 978-3-642-15512-3

  • eBook Packages: Computer Science (R0)
