TY - GEN
T1 - CANVuS
T2 - 13th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2010
AU - Xu, Yunjing
AU - Bailey, Michael
AU - Vander Weele, Eric
AU - Jahanian, Farnam
PY - 2010
Y1 - 2010
N2 - Enterprise networks face a variety of threats including worms, viruses, and DDoS attacks. Development of effective defenses against these threats requires accurate inventories of network devices and the services they are running. Traditional vulnerability scanning systems meet these requirements by periodically probing target networks to discover hosts and the services they are running. This polling-based model of vulnerability scanning suffers from two problems that limit its effectiveness: wasted network resources and detection latency that leads to stale data. We argue that these limitations stem primarily from the use of time as the scanning decision variable. To mitigate these problems, we instead advocate for an event-driven approach that decides when to scan based on changes in the network context, an instantaneous view of the host and network state. In this paper, we propose an architecture for building network context for enterprise security applications by using existing passive data sources and common network formats. Using this architecture, we built CANVuS, a context-aware network vulnerability scanning system that triggers scanning operations based on changes indicated by network activities. Experimental results show that this approach outperforms the existing models in timeliness and consumes far fewer network resources.
AB - Enterprise networks face a variety of threats including worms, viruses, and DDoS attacks. Development of effective defenses against these threats requires accurate inventories of network devices and the services they are running. Traditional vulnerability scanning systems meet these requirements by periodically probing target networks to discover hosts and the services they are running. This polling-based model of vulnerability scanning suffers from two problems that limit its effectiveness: wasted network resources and detection latency that leads to stale data. We argue that these limitations stem primarily from the use of time as the scanning decision variable. To mitigate these problems, we instead advocate for an event-driven approach that decides when to scan based on changes in the network context, an instantaneous view of the host and network state. In this paper, we propose an architecture for building network context for enterprise security applications by using existing passive data sources and common network formats. Using this architecture, we built CANVuS, a context-aware network vulnerability scanning system that triggers scanning operations based on changes indicated by network activities. Experimental results show that this approach outperforms the existing models in timeliness and consumes far fewer network resources.
UR - http://www.scopus.com/inward/record.url?scp=78249234134&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=78249234134&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-15512-3_8
DO - 10.1007/978-3-642-15512-3_8
M3 - Conference contribution
AN - SCOPUS:78249234134
SN - 3642155111
SN - 9783642155116
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 138
EP - 157
BT - Recent Advances in Intrusion Detection - 13th International Symposium, RAID 2010, Proceedings
PB - Springer
Y2 - 15 September 2010 through 17 September 2010
ER -