(19) World Intellectual Property Organization
International Bureau

(43) International Publication Date: 24 July 2003 (24.07.2003)

(10) International Publication Number: WO 03/060717 A1

(51) International Patent Classification: G06F 11/30

(21) International Application Number: PCT/US02/01093

(22) International Filing Date: 15 January 2002 (15.01.2002)

(25) Filing Language: English

(26) Publication Language: English

(71) Applicant: FOUNDSTONE, INC. [US/US]; 2 Venture Street, Suite 100, Irvine, CA 92618 (US).

(72) Inventors: MCCLURE, Stuart, C.; 7 Welbe Circle, Ladera Ranch, CA 92694 (US). KURTZ, George; 19 Douglass Drive, Coto de Caza, CA 92679 (US). KEIR, Robin; 2718 Cipres, Mission Viejo, CA 92692 (US). BEDDOE, Marshall, A.; 306 Avenida Del Mar #2, San Clemente, CA 92672 (US). MORTON, Michael, J.; 6260 Via Ribazo, Anaheim Hills, CA 92807 (US). PROSISE, Christopher, M.; 27815 Tirante, Mission Viejo, CA 92692 (US). COLE, David, M.; 8171 Racepoint Drive #206, Huntington Beach, CA 92646 (US). ABAD, Christopher; 1007 Russia Avenue, San Francisco, CA 94112 (US).

(74) Agent: DELANEY, Karoline, A.; KNOBBE, MARTENS, OLSON AND BEAR, LLP, 620 Newport Center Drive, 16th Floor, Newport Beach, CA 92660.

(81) Designated States (national): AE, AG, AL, AM, AT (utility model), AT, AU, AZ, BA, BB, BG, BR, BY, BZ, CA, CH, CN, CO, CR, CU, CZ (utility model), CZ, DE (utility model), DE, DK (utility model), DK, DM, DZ, EC, EE (utility model), EE, ES, FI (utility model), FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, MZ, NO, NZ, OM, PH, PL, PT, RO, RU, SD, SE, SG, SI, SK (utility model), SK, SL, TJ, TM, TN, TR, TT, TZ, UA, UG, UZ, VN, YU, ZA, ZM, ZW.

(84) Designated States (regional): ARIPO patent (GH, GM, KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZM, ZW), Eurasian patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE, TR), OAPI patent (BF, BJ, CF, CG, CI, CM, GA, GN, GQ, GW, ML, MR, NE, SN, TD, TG).

Published:
— with international search report

(54) Title: SYSTEM AND METHOD FOR NETWORK VULNERABILITY DETECTION AND REPORTING

[Figure: flowchart of the testing process. Recoverable labels: Define Target Network; Live List; Dead List; Host Discovery; Service Discovery (TCP service, UDP service); Assessment; OS Identification; Traceroute.]

(57) Abstract: A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network (310), including identification of operating system, identification of target network topology and target computers, identification of open target ports, assessment of vulnerabilities (364) on target ports, active assessment of vulnerabilities based on information acquired from target computers (344), quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing.

For two-letter codes and other abbreviations, refer to the "Guidance Notes on Codes and Abbreviations" appearing at the beginning of each regular issue of the PCT Gazette.

WO 03/060717
PCT/US02/01093

FNDSTN.013VPC
PATENT

SYSTEM AND METHOD FOR NETWORK VULNERABILITY DETECTION AND REPORTING

Background of the Invention

Field of the Invention

[0001] This invention relates to network system security, and more particularly relates to systems and methods for automatic detection, monitoring and reporting of network vulnerabilities.

Description of the Related Art

[0002] The reliability and security of a network is essential in a world where computer networks are a key element in intra-entity and inter-entity communications and transactions. Various tools have been used by network administrators, government, security consultants, and hackers to test the vulnerabilities of target networks, such as, for example, whether any computers on a network can be accessed and controlled remotely without authorization. Through this intensive testing, a target network can be "hardened" against common vulnerabilities and esoteric attacks. Existing testing systems, however, produce inconsistent results, use techniques that are unproven or that damage the target network, fail to respond to changing network environments or to detect new vulnerabilities, and report results in difficult to understand, text-based reports.

[0003] Well-known network security tools now exist to test network paths for possible intrusion. From a testing point, simple commands such as traceroute and ping can be used to manually map a network topography, and determine roughly what network addresses are "alive" with a computer "awake" on the network (i.e., determine which computers are on and are responding to network packets). A tool such as a port scanner can be used to test an individual target computer on the target network to determine what network ports are open. If open ports are found, these ports may provide access for possible intrusion, and potentially represent a vulnerability that can be exploited by a malicious hacker.

[0004] Some suites combining various network tools attempt to follow a quasi-automated process to test target computers on a target network. These suites provide variations on the tools described above, and provide long-form text-based output based on the outcome of this testing. The output of these security tests is extremely technical, and requires extensive knowledge of network communications in order to interpret and provide advice based on the results. Thus, these partially automated suites do not provide comprehensive security to an entity seeking to "harden" its network.

[0005] Further, some security suites actually risk substantial damage to the target network. For example, while the use of malformed network packets to test a target computer can provide extensive information from the target and feedback on the security of the target, these malformed packets can destabilize the target computer in unpredictable ways. This sometimes results in a short-term loss of information to the target computer or, in more serious cases, a complete crash of the target computer operating system or hardware.

[0006] In other cases, the testing method used by existing suites is not reliable. If a network port scanning method employed on a target computer is, for example, 80% accurate over time, then a complete test of all 2^16 ports on a single computer may result in approximately 13,000 ports incorrectly identified as potentially running vulnerable services. Over an entire target network, such "false positives" make it virtually impossible to determine the true security level of the target network.

[0007] Existing testing methods lack a standard, quantitative method for objectively comparing the security of a target network or target computer to other systems. Typically, a target network or target computer is ranked only as "high risk," "medium risk," or "low risk." However, such a three-tier system alone provides very little substantive feedback or comparative information about changes in the network over time, the relative weight of different vulnerabilities in determining the resulting risk level, or objective assessments of network security among otherwise heterogeneous network environments.

Summary of the Invention

[0008] The present invention solves these problems through a more comprehensive network vulnerability testing and reporting method and system. Specifically, the testing system features include a selected combination of: (1) a non-destructive identification of target computer operating system; (2) a multiple-tier port scanning method for determination of what network addresses are active and what ports are active at those addresses; (3) a comparison of collected information about the target network with a database of known vulnerabilities; (4) a vulnerability assessment of some vulnerabilities on identified ports of identified target computers; (5) an active assessment of vulnerabilities reusing data discovered from previously discovered target computers; (6) an application of a quantitative score to objectively and comparatively rank the security of the target network; and, (7) reduction of detailed results of the information collected into hierarchical, dynamic and graphical representations of the target network, target computers, and vulnerabilities found therein. Other features are foreseen and disclosed herein, as well.

[0009] In its preferred embodiment, the testing system operates over a modern multi-layer packet network such as a corporate intranet or the Internet. The network typically includes one or more computers, where a computer includes a desktop station running any operating system, a router, a server, and/or any other networked device capable of sending and receiving packets through standard internet protocols such as TCP/IP (Transmission Control Protocol/Internet Protocol), UDP (User Datagram Protocol), and the like. The system and method can be run remotely from a monitoring computer outside the target network, or can be run by a monitoring computer included within the target network. The target network itself is typically defined as an interconnected set of computers, bounded by a specific pre-designated sub-network address, range of IP addresses or sub-addresses, physical network boundaries, computer names or unique identifiers, presence or connection via a pre-determined network protocol, and the like. The target computers comprise all or a portion of the computers found within the target network. For example, a target computer with a simple connection to a WAN (Wide Area Network) can be tested remotely, as a single peer target network. In a more complicated example, a distributed network provider can have multiple sub-networks geographically distributed throughout the world but interconnected via an internal protocol, as a WAN target network with thousands of target computers.

[0010] A target network typically runs on one or more IP-based network protocols. Most commonly, the protocol will be TCP/IP and UDP. Similarly, the testing system is typically indifferent to the physical layer structure and topology of the target network. Only structural elements such as firewalls or routers that block, reroute, or change packets will affect the testing system. The testing system, however, attempts to adapt to these structural elements and generally provides accurate results regardless of physical implementation.

[0011] TCP/IP is a fundamental protocol used for packet-based network communications on local area networks, wide area networks, and global telecommunications networks such as the Internet. A sample configuration of a TCP/IP SYN (synchronization) packet is shown in Table 1.

    +------------------------------------------------------+
    |      Source Port        |     Destination Port       |
    +------------------------------------------------------+
    |                   Sequence Number                    |
    +------------------------------------------------------+
    |                Acknowledgement Number                |
    +------------------------------------------------------+
    | Data Offset | Reserved | Flags |       Window        |
    +------------------------------------------------------+
    |        Checksum         |       Urgent Pointer       |
    +------------------------------------------------------+
    |                 Options                 |  Padding   |
    +------------------------------------------------------+
    |                        Data                          |
    +------------------------------------------------------+

Table 1: Typical TCP SYN packet

[0012] A computer typically runs on one or more operating systems. More commonly, these operating systems include those provided by Microsoft®, such as the Microsoft Windows® family of operating systems, MacOS® from Apple®, various flavors of UNIX including Linux®, NetBSD, FreeBSD, Solaris®, and the like. Additionally, devices on the target network may include router operating systems, mobile communication device operating systems, palmtop or handheld operating systems, appliance operating systems, set-top box operating systems, gaming operating systems, digital rights management systems, surveillance systems, smart card transaction systems, transportation management systems, and the like, that assign unique or temporary network addresses and are capable of sending and/or receiving traffic from the target network.

[0013] Target computers, in one embodiment, are identified by a unique or temporarily unique IP (Internet Protocol) address, typically in the form A.B.C.D, where each of A, B, C and D represent the Class A, Class B, Class C and Class D sub-networks and each has a value between 0 and 255. Typically, the target network is defined by one or more ranges of IP addresses controlled by the target network, but may contain additional target computers or target sub-networks connected to the target network topographically but not part of the predetermined IP range or ranges.

[0014] UDP (User Datagram Protocol) is an alternative "connectionless" communications protocol that runs above IP (Internet Protocol). UDP lacks the error correction and receipt acknowledgment features of connection-based protocols such as TCP. ICMP (Internet Control Message Protocol) is another extension of IP which permits control communications (most commonly through an ICMP PING request) between hosts on an IP network.

[0015] Another aspect of the invention includes non-destructive and relatively non-intrusive identification of the target operating system of a target computer.

[0016] Another aspect of the invention includes parallel testing of multiple target computers on a target network.

[0017] Another aspect of the invention includes an improved testing method to determine whether particular target computers on a target network are alive.

[0018] Another aspect of the invention includes an improved method for determining whether a set of commonly used ports are open on a target computer.

[0019] Another aspect of the invention includes an improved method for reliably determining whether a set of commonly used UDP ports are open or closed on a target computer.

[0020] Another aspect of the invention includes a method for associating the ports found open on a target computer with a known set of vulnerabilities.

[0021] Another aspect of the invention includes parallel testing of multiple ports and multiple target computers simultaneously.

[0022] Another aspect of the invention includes active assessment of some known set of vulnerabilities at a target computer.

[0023] Yet another aspect of the invention includes application of an objective quantitative score to the vulnerabilities found on a target network.

[0024] Still another aspect of the invention includes compilation of a dynamic, graphical report representing the network topology, network computers, and network vulnerabilities in a hierarchical report including both overview and detail documents.

[0025] In one embodiment, the present invention is a system for determining an operating system of a target computer operably connected to a network. The system comprises (1) first and second data packets, the first and second data packets compliant with a protocol supported by the network, the first and second data packets transmitted via the network to the target computer; (2) first and second operating system fingerprints comprising data bits stored in a computer-readable medium, the first and second operating system fingerprints associated with a first operating system; (3) a first target computer fingerprint comprising data bits stored in a computer-readable medium, the first target computer fingerprint including a representation of at least a portion of data received in response to the transmission of the first data packet; (4) a second target computer fingerprint comprising data bits stored in a computer-readable medium, the second target computer fingerprint including a representation of at least a portion of data received in response to the transmission of the second data packet; and (5) fingerprint comparison instructions executable by a computer to compare the first operating system fingerprint and the first target computer fingerprint, to compare the second operating system fingerprint and the second target computer fingerprint, and to generate a result indicative of whether the first operating system was running on the target computer. In a preferred aspect, the invention further comprises: (6) a third data packet, the third data packet compliant with the protocol, the first range of bits of the third data packet representing a third parameter value different from the first and second parameter values, the third data packet transmitted via the network to the target computer; (7) a third operating system fingerprint comprising data bits stored in a computer-readable medium, the third operating system fingerprint associated with the first operating system, the third operating system fingerprint differing from the first and second operating system fingerprints; and (8) a third target computer fingerprint comprising data bits stored in a computer-readable medium, the third target computer fingerprint including a representation of at least a portion of data received in response to the transmission of the first data packet, the comparison instructions executable by a computer to compare the third operating system fingerprint and the third target computer fingerprint before generating the result. In a further preferred aspect, the invention further comprises: (9) fourth, fifth and sixth operating system fingerprints comprising data bits stored in a computer-readable medium, the fourth, fifth and sixth operating system fingerprints associated with a second operating system, at least one of the fourth, fifth and sixth operating system fingerprints differing from a respective one of the first, second and third operating system fingerprints; the comparison instructions executable by a computer to compare the fourth operating system fingerprint and the first target computer fingerprint, to compare the fifth operating system fingerprint and the second target computer fingerprint, to compare the sixth operating system fingerprint and the third target computer fingerprint, and to generate a second result indicative of whether the second operating system was running on the target computer. Preferred aspects of this embodiment are ones wherein (10) the first parameter value is obtained by setting no bits, the second parameter value is obtained by setting one bit, and the third parameter value is obtained by setting two bits, or (11) wherein the first parameter value is 0, the second parameter value is 128, and the third parameter value is 128 plus a multiple of 256.

[0026] In another embodiment, the present invention is a system for determining an operating system of a target computer accessible via a network. The system comprises: (1) a plurality of data packets compliant with a protocol supported by the network, the plurality of data packets transmitted via the network to the target computer; (2) a first plurality of operating system fingerprints, each comprising data bits stored in a computer-readable medium, each associated with a first operating system; (3) a plurality of target computer fingerprints, each comprising data bits stored in a computer-readable medium, each including a representation of at least a portion of data received in response to the transmission of the plurality of data packets; and (4) fingerprint comparison instructions executable by a computer to compare the first plurality of the operating system fingerprints and the plurality of the target computer fingerprints, and to generate a result indicative of whether the first operating system was running on the target computer. A preferred aspect of the embodiment is one wherein the protocol is TCP/IP. Another preferred aspect of the embodiment further comprises (5) a second plurality of operating system fingerprints, each comprising data bits stored in a computer-readable medium, each associated with a second operating system, the fingerprint comparison instructions comparing the second plurality of the operating system fingerprints and the plurality of the target computer fingerprints to generate a second result indicative of whether the second operating system was running on the target computer.

[0027] A further embodiment of the present invention is a method for determining an operating system of a target computer accessible via a network. The method comprises the steps of (1) transmitting to the target computer a plurality of data packets compliant with a protocol supported by the network; (2) generating a plurality of target computer fingerprints, each including at least a portion of data received via the network in response to the transmission of the plurality of data packets; (3) comparing the plurality of target computer fingerprints to a first set of predetermined operating system fingerprints, each of the first set of predetermined operating system fingerprints associated with a first operating system; and (4) generating a result indicative of whether the first operating system was running on the target computer. In a preferred aspect the embodiment comprises the further steps of (5) comparing the plurality of target computer fingerprints to a second set of predetermined operating system fingerprints, each of the second set of predetermined operating system fingerprints associated with a second operating system; and (6) generating a result indicative of whether the second operating system was running on the target computer. One preferred aspect of that embodiment is one wherein the protocol is TCP/IP and wherein the value of the MSS option of two of the plurality of data packets is divisible by 128. Another preferred aspect of that embodiment is one wherein a first of the plurality of data packets has a maximum segment size option of 0, wherein a second of the plurality of data packets has a maximum segment size option of 128, and wherein a third of the plurality of data packets has a maximum segment size option of 384.

[0028] A still further embodiment of the invention is a method for identifying an operating system of a target computer via a network, the method comprising the steps of: (1) sending a first data packet to the target computer via the network, the first data packet complying with a protocol of the network and having a first pattern of bits in a first range of bits; (2) generating a first response value representing at least a portion of data received via the network in response to the sending of the first data packet; (3) sending a second data packet to the target computer via the network, the second data packet complying with the protocol and having a second pattern of bits in a first range of bits, the second pattern of bits different from the first pattern; (4) generating a second response value representing at least a portion of data received via the network in response to the sending of the second data packet; (5) sending a third data packet to the target computer via the network, the third data packet complying with the protocol and having a third pattern of bits in a first range of bits, the third pattern of bits different from the first or the second pattern; (6) generating a third response value representing at least a portion of data received via the network in response to the sending of the third data packet; (7) comparing the first response value to a first predetermined value associated with a first operating system; (8) comparing the second response value to a second predetermined value associated with the first operating system; (9) comparing the third response value to a third predetermined value associated with the first operating system; and (10) generating a value indicative of a relationship between the first operating system and the target computer. A preferred aspect of the embodiment comprises the further steps of: (11) comparing the first response value to a fourth predetermined value associated with a second operating system; (12) comparing the second response value to a fifth predetermined value associated with the second operating system; and (13) comparing the third response value to a sixth predetermined value associated with the second operating system. A preferred aspect of that embodiment is one wherein no bit is set in the first pattern of bits, wherein one bit is set in the second pattern of bits, and wherein two bits are set in the third pattern of bits. Another preferred aspect of that embodiment is one wherein the number of bytes in the second pattern of bits that have at least one bit set is greater than the number of bytes in the first pattern of bits that have at least one bit set, and wherein the number of bytes in the third pattern of bits that have at least one bit set is greater than the number of bytes in the second pattern of bits that have at least one bit set.
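
The three-probe comparison of [0025] to [0028] above, as an added Python example that is not part of the patent: it builds the TCP SYN header of Table 1 with the MSS option set to the three parameter values 0, 128 and 384, checks that those values set zero, one and two bits (and zero, one and two nonzero bytes) in the option, and matches the replies' fingerprints against a per-operating-system fingerprint table. The OS names, the fingerprint table and the captured replies are constructed sample data, not real operating-system signatures; the packets are only built in memory and nothing is sent.

```python
import struct

# The three parameter values the patent names for the MSS option.
MSS_VALUES = (0, 128, 384)


def tcp_syn_header(src_port, dst_port, seq, mss, window=8192):
    """Build a 24-byte TCP SYN header: the 20-byte fixed header of Table 1 plus a
    4-byte MSS option (kind 2, length 4, 16-bit value). 24 bytes is a multiple of 4,
    so no padding is needed and the data offset is 6 words."""
    data_offset_words = 6
    offset_and_flags = (data_offset_words << 12) | 0x02   # SYN flag only
    fixed = struct.pack(
        "!HHIIHHHH",
        src_port, dst_port, seq, 0,          # ports, sequence, acknowledgement
        offset_and_flags, window, 0, 0,      # offset/flags, window, checksum, urgent ptr
    )
    option = struct.pack("!BBH", 2, 4, mss)   # kind=2 (MSS), len=4, value
    return fixed + option


def mss_option_value(header):
    """Read back the 16-bit MSS value from the option appended by tcp_syn_header."""
    kind, length, value = struct.unpack("!BBH", header[20:24])
    if kind != 2 or length != 4:
        raise ValueError("not an MSS option")
    return value


def bits_set(value):
    """Number of 1 bits in the 16-bit option value (0, 128 and 384 give 0, 1, 2)."""
    return bin(value & 0xFFFF).count("1")


def nonzero_bytes(value):
    """Number of nonzero bytes in the big-endian encoding (0, 128 and 384 give 0, 1, 2)."""
    return sum(1 for b in value.to_bytes(2, "big") if b)


def response_fingerprint(reply):
    """Reduce one captured reply (None when nothing came back) to the portion the
    comparison uses: whether a reply arrived, its window, and the MSS it advertised."""
    if reply is None:
        return (False, None, None)
    return (True, reply["window"], reply.get("mss"))


# Constructed fingerprint table (hypothetical OS names and values, not real signatures):
# for each OS, one expected fingerprint per probe, in MSS_VALUES order.
OS_FINGERPRINTS = {
    "sample-os-A": ((True, 5840, 0), (True, 5840, 128), (True, 5840, 384)),
    "sample-os-B": ((False, None, None), (True, 65535, 128), (True, 65535, 384)),
    "sample-os-C": ((True, 16384, 536), (True, 16384, 536), (True, 16384, 536)),
}


def identify_os(target_fingerprints, table=OS_FINGERPRINTS):
    """Compare the per-probe target fingerprints with each OS's stored fingerprints
    (first with first, second with second, third with third) and return the names of
    every OS whose fingerprints all match, i.e. the per-OS result of the patent."""
    if len(target_fingerprints) != len(MSS_VALUES):
        raise ValueError("expected one fingerprint per probe")
    return [
        os_name
        for os_name, expected in table.items()
        if all(e == t for e, t in zip(expected, target_fingerprints))
    ]


# Constructed replies to the three probes, as a capture tool might hand them back.
SAMPLE_REPLIES = [
    {"window": 5840, "mss": 0},
    {"window": 5840, "mss": 128},
    {"window": 5840, "mss": 384},
]


def identify_sample_target():
    """Build the three probes, confirm their MSS values, and identify the sample target."""
    probes = [tcp_syn_header(40000 + i, 80, 1000 + i, mss) for i, mss in enumerate(MSS_VALUES)]
    assert [mss_option_value(p) for p in probes] == list(MSS_VALUES)
    return identify_os([response_fingerprint(r) for r in SAMPLE_REPLIES])


if __name__ == "__main__":
    print(identify_sample_target())   # ['sample-os-A']
```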

[0029] Yet another embodiment of the present invention is a system for determining whether a target computer is on a network, the system comprising: (1) a first set of port identifiers stored in a computer-readable medium, each of the first set of port identifiers representing a port used by computers to receive data packets compliant with a first protocol of the network, each of the first set of port identifiers representing a port associated with known network services; (2) a first set of data packets, each directed to a port represented by at least one of the first set of port identifiers, each of the first set of data packets compliant with the first protocol and transmitted to the target computer via the network; (3) a first set of acknowledgement packets received via the network in response to the transmission of the first set of data packets, and (4) a list of host identifiers, each host identifier representing a computer on the network that transmits data in response to a packet sent to the respective computer, a host identifier representing the target computer added to the list of host identifiers if the first set of acknowledgment packets indicates a responsiveness of the target computer. An alternative preferred aspect of the embodiment further comprises: (5a) a second set of port identifiers stored in a computer-readable medium, each of the second set of port identifiers representing a port used by computers to receive data packets compliant with a second protocol of the network, each of the second set of port identifiers representing a port associated with known network services; (6a) a second set of data packets, each directed to a port represented by at least one of the second set of port identifiers, each of the second set of data packets compliant with the second protocol and transmitted to the target computer via the network, at least one of the second set of data packets including data associated with the known network services; (7a) a second set of acknowledgement packets received via the network in response to the transmission of the second set of data packets; and (8a) a host identifier representing the target computer added to the list of host identifiers if the second set of acknowledgment packets indicates a responsiveness of the target computer. A preferred aspect of that embodiment is one wherein the first protocol is TCP, wherein the second protocol is UDP, wherein the second set of acknowledgment packets is a nonzero set of UDP data response packets. Another alternative preferred aspect of the embodiment further comprises: (5b) a second set of port identifiers stored in a computer-readable medium, each of the second set of port identifiers representing a port used by computers to receive data packets compliant with a second protocol of the network, each of the second set of port identifiers representing a port associated with known network services; (6b) a second set of data packets, each directed to a port represented by at least one of the second set of port identifiers, each of the second set of data packets compliant with the second protocol and transmitted to the target computer via the network, at least one of the second set of data packets including data associated with the known network services; (7b) a second set of acknowledgement packets received via the network in response to the transmission of the second set of data packets; and (8b) a host identifier representing the target computer added to a second list of host identifiers if the second set of acknowledgment packets does not indicate an unresponsiveness of the target computer, each of the second list of host identifiers representing a computer not known to be unresponsive. A preferred aspect of that embodiment is one wherein the first protocol is TCP, wherein the second protocol is UDP, wherein the second set of acknowledgment packets is an empty set of ICMP error packets. A further preferred aspect of either alternative embodiment further comprises: (9) a third set of data packets, each directed to a port represented by at least one of the second set of port identifiers, each compliant with the second protocol, the third set of data packets transmitted to the target computer throughout a predetermined maximum latency period; (10) a first response received first in time in response to the transmission of the third set of data packets; (11) a second response received second in time in response to the transmission of the third set of data packets, a time duration between the receipt of the first response and the receipt of the second response defining a target computer latency period. A further preferred aspect of the embodiment is one wherein each of the second set of data packets is transmitted continuously to the target computer for the duration of the target computer latency period.

[0030] A still further embodiment of the present invention is a system for testing the accessibility of a target computer via a network. The system comprises: (1) a set of port identifiers stored in a computer-readable medium, each of the set of port identifiers representing a UDP-compliant port, at least one of the port identifiers representing a port associated with known network services; (2) a set of UDP-compliant data packets, each associated with a port represented by at least one of the set of port identifiers, each of the UDP-compliant data packets transmitted continuously to the target computer for a duration approximately the same as the latency period of the target computer, at least one of the UDP-compliant data packets including data associated with the known network services; (3) a first list representing computers accessible via the network, the first list including the target computer if a nonzero set of UDP data response packets is received in response to the transmission of the data packets; and (4) a second list representing computers not known to be inaccessible via the network, the second list including the target computer if an empty set of ICMP error packets is received in response to the transmission of the data packets.
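
The two host lists of [0029] and [0030] above, as an added Python example that is not the patent's own code: it runs the list-membership rules over constructed capture records (TCP acknowledgments, UDP data replies and ICMP errors, each with a receive time) and derives the target computer latency period from the first two replies to the UDP probes. The record format and the sample addresses are assumptions; nothing is sent on the network.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Reply:
    """One captured reply to a probe (constructed record format, an assumption)."""
    kind: str    # "tcp-ack" (reply to a TCP probe), "udp-data" or "icmp-error" (reply to a UDP probe)
    port: int
    t: float     # receive time in seconds after the probe set was sent


@dataclass(frozen=True)
class HostProbe:
    host: str
    tcp_replies: tuple   # replies drawn by the first (TCP) set of probes
    udp_replies: tuple   # replies drawn by the second (UDP) set of probes


def classify(probes):
    """Return (live, not_known_unresponsive), following the patent's rules:
    - first list (live): the TCP acknowledgment set is nonzero, or a nonzero set of
      UDP data response packets came back;
    - second list (not known to be unresponsive): the set of ICMP error packets drawn
      by the UDP probes is empty.
    A host may be on both lists; a host on neither drew only ICMP errors."""
    live, not_known_unresponsive = [], []
    for p in probes:
        tcp_acks = [r for r in p.tcp_replies if r.kind == "tcp-ack"]
        udp_data = [r for r in p.udp_replies if r.kind == "udp-data"]
        icmp_errors = [r for r in p.udp_replies if r.kind == "icmp-error"]
        if tcp_acks or udp_data:
            live.append(p.host)
        if not icmp_errors:
            not_known_unresponsive.append(p.host)
    return live, not_known_unresponsive


def latency_period(replies):
    """Target computer latency period per the patent: the time between the first and
    the second response received to the UDP probe set; None if fewer than two arrived."""
    times = sorted(r.t for r in replies)
    if len(times) < 2:
        return None
    return times[1] - times[0]


# Constructed capture for four hosts (addresses from the 192.0.2.0/24 documentation range).
SAMPLE = (
    HostProbe("192.0.2.10", (Reply("tcp-ack", 80, 0.02),), ()),                                   # TCP answers
    HostProbe("192.0.2.11", (), (Reply("udp-data", 53, 0.05), Reply("udp-data", 161, 0.30))),   # UDP answers
    HostProbe("192.0.2.12", (), ()),                                                              # silent
    HostProbe("192.0.2.13", (), (Reply("icmp-error", 53, 0.01),)),                                # ICMP errors only
)


def classify_sample():
    return classify(SAMPLE)


def sample_latency():
    return latency_period(SAMPLE[1].udp_replies)


if __name__ == "__main__":
    print(classify_sample())   # (['192.0.2.10', '192.0.2.11'], ['192.0.2.10', '192.0.2.11', '192.0.2.12'])
    print(sample_latency())    # 0.25
```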

[0031] Another embodiment of the present invention is a method for determining whether a target computer is accessible via a network. The method comprises the steps of: (1) identifying TCP ports; (2) sending first data packets to the TCP ports of the target computer, each of the first data packets compliant with TCP; (3) receiving first acknowledgment packets in response to the sending of the first data packets; and (4) adding a representation of the target computer to a list representing accessible computers if the first acknowledgment packets are nonzero. A preferred aspect of the embodiment comprises the further steps of: (5) identifying UDP ports associated with network services; (6) sending second data packets to the UDP ports of the target computer, at least one of the second data packets sent continuously to the target computer throughout a latency period of the target computer; (7) receiving second acknow