CANVuS: Context-aware network vulnerability scanning

Abstract

Enterprise networks face a variety of threats including worms, viruses, and DDoS attacks. Development of effective defenses against these threats requires accurate inventories of network devices and the services they are running. Traditional vulnerability scanning systems meet these requirements by periodically probing target networks to discover hosts and the services they are running. This polling-based model of vulnerability scanning suffers from two problems that limit its effectiveness—wasted network resources and detection latency that leads to stale data. We argue that these limitations stem primarily from the use of time as the scanning decision variable. To mitigate these problems, we instead advocate for an event-driven approach that decides when to scan based on changes in the network context—an instantaneous view of the host and network state. In this paper, we propose an architecture for building network context for enterprise security applications by using existing passive data sources and common network formats. Using this architecture, we built CANVuS, a context-aware network vulnerability scanning system that triggers scanning operations based on changes indicated by network activities. Experimental results show that this approach outperforms the existing models in timeliness and consumes far fewer network resources.

Last time updated on 29/10/2017

This paper was published in CiteSeerX.
