Publication numberUS20030126472 A1
Publication typeApplication
Application numberUS 10/335,490
Publication date3 Jul 2003
Filing date31 Dec 2002
Priority date31 Dec 2001
Also published asCA2472268A1, CN1610887A, EP1461707A1, US7000247, US7308712, US20050091542, US20050229256, WO2003058457A1
Publication number10335490, 335490, US 2003/0126472 A1, US 2003/126472 A1, US 20030126472 A1, US 20030126472A1, US 2003126472 A1, US 2003126472A1, US-A1-20030126472, US-A1-2003126472, US2003/0126472A1, US2003/126472A1, US20030126472 A1, US20030126472A1, US2003126472 A1, US2003126472A1
InventorsCarl Banzhof
Original AssigneeBanzhof Carl E.
Export CitationBiBTeX, EndNote, RefMan
External Links: USPTO, USPTO Assignment, Espacenet
Automated computer vulnerability resolution system
US 20030126472 A1
Abstract
A system and process for addressing computer security vulnerabilities. The system and process generally comprise aggregating vulnerability information on a plurality of computer vulnerabilities; constructing a remediation database of said plurality of computer vulnerabilities; constructing a remediation signature to address the computer vulnerabilities; and deploying said remediation signature to a client computer. The remediation signature essentially comprises a sequence of actions to address a corresponding vulnerability. A managed automated approach to the process is contemplated in which the system is capable of selective deployment of remediation signatures; selective resolution of vulnerabilities; scheduled deployment of remediation signatures; and scheduled scanning of client computers for vulnerabilities.
Images(7)
Claims(47)
What is claimed is:
1. A method for resolving vulnerabilities in a computer, comprising:
aggregating vulnerability information on a plurality of computer vulnerabilities; and
constructing a remediation database of said plurality of computer vulnerabilities.
2. The method of claim 1 further comprising constructing a remediation signature to address a computer vulnerability.
3. The method of claim 2 further comprising deploying said remediation signature to a client computer.
4. The method of claim 1 wherein said aggregating of vulnerability information comprises obtaining vulnerability information from at least one security intelligence agent.
5. The method of claim 4 wherein said security intelligence agent comprises a database of information regarding known computer vulnerabilities.
6. The method of claim 4 wherein said security intelligence agent comprises a scanning service which scans a client computer for vulnerabilities and records the vulnerability information.
7. The method of claim 2 wherein a remediation signature comprises a sequence of actions to address a corresponding vulnerability.
8. The method of claim 2 wherein said constructing a remediation database further comprises associating each remediation signature to a corresponding computer vulnerability.
9. The method of claim 1 wherein said constructing a remediation database further comprises constructing, testing and approving a remediation signature corresponding to a vulnerability.
10. The method of claim 3 wherein said deploying said remediation signatures comprises providing remote access to said remediation signatures.
11. The method of claim 3 wherein said deploying said remediation signatures comprises constructing a remediation profile for a client computer to address vulnerabilities on that computer.
12. The method of claim 3 wherein said remediation profile comprises selected remediation signatures for the client computer corresponding to vulnerabilities on the client computer.
13. The method of claim 10 wherein said deploying said remediation signatures further comprises uploading approved remediation signatures to a flash server for remote access by client computers or client servers.
14. The method of claim 13 wherein said deploying said remediation signatures further comprises downloading remediation signatures from said flash server to a client server.
15. The method of claim 3 wherein said deploying said remediation signatures comprises managing vulnerability resolution.
16. The method of claim 15 wherein said managing vulnerability resolution comprises selective deployment of remediation signatures.
17. The method of claim 15 wherein said managing vulnerability resolution comprises selective resolution of vulnerabilities.
18. The method of claim 15 wherein said managing vulnerability resolution comprises scheduled scanning of client computers for vulnerabilities.
19. The method of claim 15 wherein said managing vulnerability resolution comprises scheduled deployment of remediation signatures.
20. A system for resolving computer vulnerabilities; comprising:
a remediation server capable of coupling to a security intelligence agent having information about computer vulnerabilities in order to aggregate said vulnerability information into a remediation database.
21. The system of claim 20 further comprising a signature module coupled to said remediation server to construct a remediation signature for each vulnerability.
22. The system of claim 21 further comprising a flash server coupled to said signature module to provide remote access to said remediation signatures.
23. The system of claim 22 further comprising a client server capable of coupling to said flash server to access said remediation signatures.
24. The system of claim 23 further comprising a deployment module coupled to said client server capable of deploying said remediation signatures to a client computer coupled to said client server.
25. The system of claim 24 wherein said deployment module is capable of constructing a remediation profile for a client computer to address vulnerabilities on that computer.
26. The system of claim 25 wherein said remediation profile comprises selected remediation signatures for the client computer corresponding to vulnerabilities on the client computer.
27. The system of claim 20 wherein said security intelligence agent comprises a database of information regarding known computer vulnerabilities.
28. The system of claim 20 wherein said security intelligence agent comprises a scanning service which scans a client computer for vulnerabilities and records the vulnerability information.
29. The system of claim 20 wherein said remediation server assigns a remediation signature to each vulnerability.
30. The system of claim 21 wherein said signature module is capable of constructing, testing and approving a remediation signature.
31. The system of claim 22 wherein said flash server provides access to approved remediation signatures.
32. The system of claim 22 wherein said remediation signatures are uploaded to said flash server.
33. The system of claim 23 wherein said client server downloads said remediating signatures from said flash server.
34. The system of claim 24 wherein said deployment module allows managed vulnerability resolution.
35. The system of claim 34 wherein said managed vulnerability resolution comprises selective deployment of remediation signatures.
36. The system of claim 34 wherein said managed vulnerability resolution comprises selective resolution of vulnerabilities.
37. The system of claim 34 wherein said managed vulnerability resolution comprises scheduled scanning of client computers for vulnerabilities.
38. The system of claim 34 wherein said managed vulnerability resolution comprises scheduled deployment of remediation signatures.
39. The system of claim 24 wherein said deployment module constructs a remediation profile for each client computer.
40. The system of claim 39 wherein said remediation profile comprises remediation signatures to resolve vulnerabilities on said client computer.
41. The system of claim 39 wherein said remediation signatures can be selectively included in said remediation profile.
42. The system of claim 21 wherein said remediation signature comprises a sequence of actions to address a corresponding vulnerability.
43. The system of claim 20 further comprising an input module coupled to said remediation server which handles the interfacing of the remediation server to a security intelligence agent having information about computer vulnerabilities.
44. The system of claim 23 further comprising a client module coupled to said client server which handles the interfacing of the client server to the flash server to access said remediation signatures.
45. Computer-readable media tangibly embodying a program of instructions executable by a computer to perform a process for resolving vulnerabilities in a computer, comprising:
aggregating vulnerability information on a plurality of computer vulnerabilities; and
constructing a remediation database of said plurality of computer vulnerabilities.
46. The media of claim 45 wherein the process further comprises constructing a remediation signature to address a computer vulnerability.
47. The media of claim 45 wherein the process further comprises deploying said remediation signature to a client computer.
Description
    CROSS-REFERENCE TO RELATED APPLICATIONS
  • [0001]
    This application claims priority from U.S. Provisional Application serial No. 60/345,689 filed on Dec. 31, 2001.
  • STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT
  • [0002]
    Not applicable.
  • REFERENCE TO A MICROFICHE APPENDIX
  • [0003]
    Not applicable.
  • FIELD OF THE INVENTION
  • [0004]
    The invention relates generally to a method and system for resolving security vulnerabilities in computers and, more particularly, to a vulnerability resolution system in which computer security vulnerability information from one or more sources can be aggregated and comprehensive remediation updates can be generated for managed automated distribution to target client computers.
  • BACKGROUND OF THE INVENTION
  • [0005]
    Computers, computer systems, and the applications running thereon are becoming increasingly complex. In addition, with the advent of the Internet and other modern networking technology, computers have become increasingly interconnected and remote accessibility of individual computers and computer networks has become more and more common. In part as a result of this complexity, the number of computer security vulnerabilities that need to be addressed continues to increase. For example, in the year 2000 alone, 650 operating system vulnerabilities were identified, including 126 in the Windows 2000/NT platform and another 46 in the Windows 9x platform. The Computer Security Institute reported 417 vulnerabilities for the year 1999, 1090 vulnerabilities for the year 2000, 2,437 in 2001, and a projected 4000+ vulnerabilities in 2002. Given these trends, it has become increasingly difficult to protect computers from security breaches via these vulnerabilities. Moreover, the task of maintaining security for these computer systems and/or networks has become increasingly burdensome and difficult.
  • [0006]
    Currently, organizations typically use vulnerability scanning software or managed security providers to test computers for security weaknesses. These tools generally provide detailed information on the vulnerabilities found in the computing environment, but provide limited means for correcting or resolving the detected vulnerabilities. In order for an organization to remove identified vulnerabilities, it typically must expend a large amount of labor and resources to identify and/or create a remediation for each vulnerability, and then even more labor to install the vulnerability remediation on the affected computers. Often, this involves visiting each individual computer and manually applying the necessary remediation. In addition, once the remediation is applied, a user can easily remove it, or install additional software that invalidates the remediation, thereby wasting all of the effort expended in performing the remediation.
  • SUMMARY OF THE INVENTION
  • [0007]
    In accordance with the present invention, a method and system are presented which provide for a more automated and managed way to remediate security vulnerabilities on individual computers and computer networks. More particularly, a vulnerability resolution system is provided in which vulnerability information is aggregated, then used to construct, and subsequently update, vulnerability remediation signatures for download. The downloaded signatures may then be selectively used to address or resolve vulnerabilities on client machines having security vulnerabilities.
  • [0008]
    In one embodiment, a method for resolving vulnerabilities in a computer comprises aggregating vulnerability information on a plurality of computer vulnerabilities; constructing a remediation database of said plurality of computer vulnerabilities; constructing a remediation signature to address a computer vulnerability; and deploying said remediation signature to a client computer. The aggregating of vulnerability information comprises obtaining vulnerability information from at least one security intelligence agent, such as a database of information regarding known computer vulnerabilities or a scanning service which scans a client computer for vulnerabilities and records the vulnerability information. The remediation signature typically comprises a sequence of actions to address a corresponding vulnerability. The remediation signatures are generally associated with a corresponding computer vulnerability. A remediation profile may be constructed for a client computer to address vulnerabilities on that computer, where the profile comprises selected remediation signatures for the client computer corresponding to vulnerabilities on the client computer. The remediation signatures may be uploaded to a flash server for remote access or download by client computers or client servers. A managed remediation approach is also contemplated, which would include selective deployment of remediation signatures, selective resolution of vulnerabilities, scheduled scanning of client computers for vulnerabilities, scheduled deployment of remediation signatures, etc.
  • [0009]
    In another embodiment, a system for resolving computer vulnerabilities comprises a remediation server capable of coupling to a security intelligence agent having information about computer vulnerabilities in order to aggregate said vulnerability information into a remediation database. Various devices may be coupled to the remediation server to complete the system. For example, a signature module may be coupled to the remediation server to construct a remediation signature for each vulnerability. A flash server may be coupled to the signature module to provide remote access to said remediation signatures. A client server may also be included capable of coupling to said flash server to access said remediation signatures. A deployment module may be coupled to the client server capable of deploying said remediation signatures to a client computer coupled to said client server. The deployment module may also be capable of constructing a remediation profile for a client computer to address vulnerabilities on that computer, wherein the remediation profile typically comprises selected remediation signatures for the client computer corresponding to vulnerabilities on the client computer. An input module may also be coupled to the remediation server to handle the interfacing of the remediation server to a security intelligence agent having information about computer vulnerabilities. And a client module may be coupled to the client server to handle the interfacing of the client server to the flash server to access said remediation signatures.
  • [0010]
    In another embodiment, computer-readable media tangibly embodying a program of instructions executable by a computer to perform a process for resolving vulnerabilities in a computer comprises aggregating vulnerability information on a plurality of computer vulnerabilities; constructing a remediation database of said plurality of computer vulnerabilities; constructing a remediation signature to address a computer vulnerability; and deploying said remediation signature to a client computer.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • [0011]
    FIG. 1 is a block diagram illustrating an embodiment of a vulnerability resolution system in accordance with the present invention.
  • [0012]
    FIG. 2 is a block diagram illustrating another embodiment of a vulnerability resolution system in accordance with the present invention.
  • [0013]
    FIG. 3 is a flow chart illustrating an overview of an embodiment of a computer vulnerability remediation process in accordance with the present invention.
  • [0014]
    FIG. 4 is a flow chart illustrating an embodiment of an aggregation and construction process for computer vulnerability remediation in accordance with the present invention.
  • [0015]
    FIGS. 5A and 5B are a flow chart illustrating an embodiment of a remediation management process for computer vulnerability remediation in accordance with the present invention.
  • DETAILED DESCRIPTION OF EMBODIMENTS
  • [0016]
    In this disclosure, numerous specific details are set forth to provide a sufficient understanding of the present invention. However, those skilled in the art will appreciate that the present invention may be practiced without such specific details. In other instances, well-known elements have been illustrated in schematic or block diagram form in order not to obscure the present invention in unnecessary detail. Additionally, some details have been omitted inasmuch as such details are not considered necessary to obtain a complete understanding of the present invention, and are considered to be within the understanding of persons of ordinary skill in the relevant art. It is further noted that all functions described herein may be performed in either hardware or software, or a combination thereof, unless indicated otherwise. Certain terms are used throughout the following description and claims to refer to particular system components. As one skilled in the art will appreciate, components may be referred to by different names. This document does not intend to distinguish between components that differ in name, but not function. In the following discussion and in the claims, the terms “including” and “comprising” are used in an open-ended fashion, and thus should be interpreted to mean “including, but not limited to . . . ”. Also, the term “couple” or “couples” is intended to mean either an indirect or direct electrical or communicative connection. Thus, if a first device couples to a second device, that connection may be through a direct connection, or through an indirect connection via other devices and connections. Finally, the terms “remediate” and “remediation” are used to refer generally to addressing or resolving vulnerabilities by reducing or alleviating the security risk presented by the subject vulnerability.
  • [0017]
    FIG. 1 illustrates an embodiment of a vulnerability resolution system 10 in accordance with the present invention. As shown in FIG. 1, the system 10 comprises a remediation server 12 coupled to a plurality of intelligence agents 14. The remediation server 12 is also coupled to an import module 15, a remediation database 16, and a signature module 18. In this embodiment, the import module 15, remediation database 16, and signature module 18 are incorporated in the remediation server 12. For instance, the import module 15, remediation database 16, and signature module 18 may be stored in memory on the remediation server 12. It is also contemplated, however, that the import module 15, remediation database 16, and signature module 18 could be remotely coupled to the remediation server 12.
  • [0018]
    A flash server 20 is also coupled to the remediation server 12. A client server 22 is coupled to the flash server 20. A client module 23 and deployment module 24 are coupled to the client server 22. In this embodiment, the client module 23 and deployment module 24 are incorporated in the client server 22. For instance, the client module 23 and deployment module 24 may be stored in memory on the client server 22. It is also contemplated, however, that the client module 23 and deployment module 24 could be remotely coupled to the client server 22. And finally, a plurality of client computers 26 are coupled to the client server 22.
  • [0019]
    In the operation of the system 10, the remediation server 12 obtains information relating to computer security vulnerabilities from the intelligence agents 14. The import module 15 provides the necessary interface between the remediation server 12 and the various intelligence agents having such information. Examples of intelligence agents include: ISS Internet Scanner, QualysGuard, Nessus, Eeye, Harris, Retina, Microsoft's hfNetCheck, and others. The vulnerability information may come in many forms from these agents. Two such forms include 1) general information from security intelligence organizations relating to known security vulnerabilities, such as vulnerabilities in widespread software applications like Microsoft Windows; and 2) specific information from scanning services relating to specific vulnerabilities found during a security scan of a client's computer or computer system 26. The remediation server 12 aggregates the vulnerability information obtained, from whatever source, into a remediation database 16. While aggregating the information into the database 16, the remediation server 12 may manipulate the information in many ways. For example, the server 12 may strip unnecessary information out, may sort the information into related vulnerabilities or otherwise, may remove duplicate information, may identify or associate certain related vulnerabilities, etc.
  • [0020]
    In addition, the remediation server 12 uses a signature module 18 to generate remediation signatures for the vulnerabilities. Typically, a remediation signature is a list of actions taken to address or resolve a vulnerability. In this embodiment, the remediation signatures include the following types of remediation actions: service management, registry management, security permissions management, account management, policy management, audit management, file management, process management, as well as service pack, hot fix and patch installation. These types of remediation actions are generally known in the computer security industry.
  • [0021]
    A remediation signature may address one or more vulnerabilities. For clarity of explanation, however, it will be assumed that in this embodiment each remediation signature addresses a single vulnerability or type of vulnerability. In an embodiment of this system, the remediation signatures are generated as abstract objects which can be developed and implemented across multiple platforms without the need to change the underlying source code used in the remediation system. This allows for the creation of a remediation signature in the environment of the remediation system which can then be utilized in whatever system or environment the remediation system is operating. The process of constructing a remediation signature may be entirely automatic or it may involve some manual intervention, or a combination of both. In fact, some intelligence agents 14 may actually provide or suggest remediations along with the vulnerability information provided. Depending on the level of complexity of the vulnerability, a corresponding level of complexity may be required for the remediation signature. For example, some vendors provide “patches” or “fixes” or “updates” that address vulnerabilities in their hardware or software via their vendor website. A signature may therefore include direction to go to a vendor website and retrieve a patch or an update as one of the actions undertaken to remediate a computer's vulnerabilities. Given the potential complexity of the signatures, they may not always operate successfully as initially constructed. Accordingly, the signature module 18 or remediation server 12 may have the ability to test and approve the constructed signature in order to ensure that it successfully resolves the intended vulnerability and does not have any unintended deleterious effects.
  • [0022]
    Once a remediation signature has been constructed, in this embodiment of the system 10 the remediation signature is assigned or otherwise associated with the corresponding vulnerability in the remediation database 16. Accordingly, the remediation database 16 may include the vulnerability information and the corresponding remediation signatures for the vulnerabilities identified. Alternatively, it is contemplated that the signatures could be stored elsewhere and remotely associated via a pointer or otherwise to their corresponding vulnerabilities.
  • [0023]
    Remediation signatures and vulnerability information can be posted to the flash server 20 for dissemination. Typically, only after the remediation signature has been tested and approved is it released or uploaded to the flash server 20 for dissemination to clients seeking resolution of their computer vulnerabilities. A client server 22 can then download the desired information from the flash server 20. In this embodiment, a download is typically initiated by a user, such as IT or computer security personnel. The client server 22 may connect to the flash server 20 in many ways, including the Internet or a direct dial-up connection. In this embodiment of the system, the client module 23 provides the necessary interface logic to download the information from the flash server 20. Typically, a client server 22 will periodically download information from the flash server 20 to check for updated vulnerability and remediation information. The client server 22 may also access vendor websites 21, via a global network such as the Internet or otherwise, to obtain additional patches or updates as needed for remediation. In this embodiment of the system 10, the client server 22 analyzes and interprets the signatures downloaded from the flash server 20. If a signature specifies a needed update or patch from a vendor website 21, the client server 22 will connect to the website and download the needed information, making the patch or update available locally for remediation of any client computers 26 coupled to the client server 22.
  • [0024]
    In this embodiment, it is also contemplated that the client server 22 will keep a profile of the client computers 26 coupled thereto. The profile of the client computers 26 essentially records or logs the system information relating to the client computers 26. Primarily, the profile contains information regarding remediation performed on the client computer 26. It is contemplated, however, that the profile might also contain information regarding the formatting of the client computer 26, the software applications and versions running on the computer 26, etc., which might be helpful in managing security issues on the subject computer. By comparing the computer profiles with the vulnerability and remediation information downloaded from the flash server 20, the client server 22 can track what remediation may be required for each client computer 26. In addition, the client server 22 can manage the vulnerability resolution process for each client computer 26. For instance, the client server 22, or security or IT personnel via the server, could select which remediation signatures should be deployed to each client computer 26, or which vulnerabilities should or should not be addressed. In addition, vulnerability resolution can be managed by scheduling the various resolution events. For instance, when and how often the client computers 26 are scanned for vulnerabilities can be scheduled, as well as the timing of the deployment of the remediation signatures to address those vulnerabilities.
  • [0025]
    By managing the vulnerability resolution, the remediation of vulnerabilities can be more reliably and more cost effectively addressed. In particular, the remediation can occur in off hours to minimize impact on the productivity of the client computers 26. The remediation can be selectively implemented. The remediation can be tracked and logged so that remediations are not accidentally overwritten or undone. And, the remediation can be accomplished automatically from the client server 22 as opposed to having to perform or install the remediation manually on each client computer, a virtually impossible task for some large-scale companies.
  • [0026]
    FIG. 2 is a block diagram providing another illustration of an embodiment of a vulnerability resolution system 30 in accordance with the present invention. More particularly, FIG. 2 provides another way to visualize the architecture of a vulnerability system in accordance with the present invention. As shown in FIG. 2, the architecture of this embodiment of the vulnerability system 30 generally comprises an aggregation section 31 and a remediation section 32. The aggregation section 31 of the architecture is essentially responsible for obtaining and aggregating the computer security vulnerability information while the remediation section 32 is essentially responsible for constructing remediation signatures for the identified vulnerabilities and deploying those remediations to client computers in a managed and automated manner.
  • [0027]
    As shown in FIG. 2, the aggregation section 31 of the system architecture 30 comprises intelligence agents 34, an import API or interface 36, and an administrator 38. The import API 36 provides an interface to the intelligence agents 34. As discussed in reference to FIG. 1 above, the intelligence agents 34 provide information regarding computer security vulnerabilities. As noted, these intelligence agents 34 may include automated vulnerability assessment tools, security intelligence services, manufacturers of computer hardware or software, etc. The administrator 38 obtains this vulnerability information from the intelligence agents 34 via the import API 36. The import API 36 typically includes several interfaces or import wizards as required to allow importation of vulnerability assessment data from the variety of intelligence agents available. Generally, the intelligence agents 34 provide information specifying the necessary interface. Once retrieved, the vulnerability information may be aggregated, sorted, selected or otherwise managed via the administrator 38.
  • [0028]
    The remediation section 32 of the system architecture 30 ultimately uses the vulnerability information retrieved by the aggregation section 31 to remediate vulnerabilities on client computers 40. The client computers 40 are shown coupled to a client server 42. The client server 42 allows for automated and managed deployment of the remediation signatures to the client computers 40. The architecture of the remediation section 32 illustrates that the vulnerability information from the aggregation section 31 is conveyed to the client server 42 and client computers 40 via the remediation bus 44, remediation signature 46, and remediation profile 48. As discussed above, the remediation signature 46 is essentially a group of actions which can be taken to address or resolve a vulnerability. The signature may be provided by the intelligence agents 34 with the vulnerability information or, more typically, it may need to be constructed in response to the vulnerability information received. The construction may include some automated creation and/or some manual creation of the appropriate actions to be taken to address the subject vulnerability. Also as discussed, the remediation profile 48 contemplates a record or log of system information relating to the client computers 40 or client servers 42. For instance, the profile may contain information regarding the formatting of the client computers 40 or server 42, the software applications and versions running on the computers 40 or servers 42, the remediation signatures already implemented on the computers 40 and servers 42, the remediation history of the computers 40, etc. By comparing the computer profiles with the vulnerability and remediation information obtained, what remediation may be required for each computer 40 or server 42 can be tracked. FIG. 2 also illustrates that the remediation types or groups 50 in this embodiment include configuration management, backdoor management, service management, account management, and patch management. The available remediation groups are coupled to the remediation bus 44. It is contemplated that other remediation types or groups may be included as well.
  • [0029]
    FIG. 3 is a flow chart illustrating an overview of an embodiment of a computer vulnerability remediation process in accordance with the present invention. The remediation process 60 begins with vulnerability assessment in box 61. Vulnerability assessment comprises using automated assessment tools and audit processes (the intelligence agents) to verify the existence of known vulnerabilities on a given computer or computer network. This assessment process may also include device discovery; that is, the mapping of network and subnetwork components to be assessed and identifying the devices that will be targeted for vulnerability assessment. In box 62, the vulnerability information is imported or aggregated in the system, typically in a remediation database, and remediation signatures can be constructed to address the identified vulnerabilities. As noted, the remediation signatures are typically associated with the corresponding vulnerabilities in the remediation database. The vulnerability information is then reviewed in box 63. The review process typically includes analyzing the vulnerability information to prioritize and identify vulnerabilities for remediation, as well as acceptable risks (i.e., where no remediation is required). As indicated in box 64, the remediation can then be scheduled to occur when, where, and how desired. This allows the remediation to occur in off-peak times to reduce interference with normal computer operations, on only the identified target computers, and in the manner desired. In box 65, the remediation signatures are approved for dissemination to the client's target computers. This contemplates that remediation signatures can be selectively deployed. In addition, signatures designed to address the vulnerabilities identified may be tested and revised before approving the signatures for deployment. Once approved, the remediation signatures and vulnerability information are distributed to the system clients in box 66 for use on the client's computers. Then, remediation can occur as scheduled in box 67. Finally, the remediation undertaken can be reviewed to ensure the remediation was completed successfully via status reports or otherwise. In addition, remediation events may be logged or otherwise recorded to preserve the remediation information. Such information may be included in profiles for the client computers. As noted, such profiles may include information about the target devices such as system configuration, software, and prior remediation actions or a remediation history. Having such information allows for managed remediation of the client computers in the future. Overall then, the embodiment of the remediation process of FIG. 3 presents vulnerability assessment, vulnerability remediation, and vulnerability management as contemplated by the present invention.
  • [0030]
    FIG. 4 is a flow chart illustrating an embodiment of an aggregation and construction process for computer vulnerability remediation in accordance with the present invention. Essentially, the aggregation and construction process 70 can be viewed as a subprocess of the overall remediation process. The process 70 begins in box 71 with the gathering of vulnerability information from intelligence agents. As previously noted, these intelligence agents include automated vulnerability assessment tools, security intelligence services, manufacturers of computer hardware or software, etc. The vulnerability information retrieved from the intelligence agents is then aggregated in a remediation database as indicated in box 72. In box 73, the vulnerability information is then reviewed and analyzed. This may include sorting the information into related vulnerabilities or otherwise, categorizing or identifying certain related vulnerabilities, prioritizing vulnerabilities, etc. As indicated in box 74, vulnerabilities are identified for creation of remediation signatures. A remediation signature resolves or addresses a vulnerability or type of vulnerability. A remediation signature is then constructed in box 75. As noted, a remediation signature is a group of actions which addresses or resolves the subject vulnerability; for instance, modifying registry settings, changing security permissions, installing patches, etc. The creation of a remediation signature may be completely automated or may include some manual input as well. In box 76, the remediation signature is tested to see if it effectively resolves or addresses the target vulnerability. If not, the process returns to box 75 and another remediation signature is constructed, then retested in box 76. Once an effective signature has been constructed, the process continues to box 77. In box 77, selected signatures may be approved for distribution to clients. Approved signatures are then uploaded to a flash server, making them available for download by clients in box 78. In this way, new and updated remediation signatures which address or resolve identified vulnerabilities are made available for download by clients.
  • [0031]
    FIGS. 5A and 5B are a flow chart illustrating an embodiment of a remediation management process for computer vulnerability remediation in accordance with the present invention. Like the aggregation and construction process 70 of FIG. 4, the remediation management process 80 can be viewed as a subprocess of the overall remediation process. This embodiment of the remediation management process 80 is typically a software application installed on a client server which is coupled to a plurality of target client computers which may require remediation of security vulnerabilities. Accordingly, the process 80 begins in box 81 by launching the application. In box 82, available remediation signatures and vulnerability information are downloaded, typically from a flash server. In box 83, vulnerability assessment data is imported. Typically, this vulnerability assessment data comes from scanning tools which have scanned or analyzed the target computers for which remediation is being considered. The vulnerability assessment data includes information regarding the security vulnerabilities found on the target computers or devices. Based on the vulnerabilities identified on the target computers, the vulnerabilities are then mapped to remediation signatures in box 84. In this embodiment, mapping of the identified vulnerabilities to corresponding remediation signatures occurs by referencing the remediation database information downloaded from the flash server. It is contemplated, however, that this information may have been previously downloaded, remotely accessed, or presently downloaded to make the necessary correlation between vulnerabilities and available signatures. A remediation profile is then generated for each target computer in box 85. As noted, the profile typically includes information regarding the vulnerabilities identified on the target client computer as well as the corresponding signatures to address those vulnerabilities. In box 86, the client user, typically an IT person or other computer security personnel, is given the opportunity to select which vulnerabilities should be remediated. Generally, the selection is made by reviewing the information regarding vulnerabilities, proposed signatures, and profiles. The selection and review may be made for each computer or by vulnerability. For example, a particular computer could be selected not to receive any remediation, perhaps because the computer does not pose a significant security risk, the vulnerabilities on the computer are not significant, the processes running on the computer cannot be interrupted for remediation, etc. Alternatively, a particular vulnerability could be deselected for all target client computers, such that the vulnerability would not be remediated on any of the target computers, perhaps because the vulnerability does not pose a sufficient security risk, the remediation signature is deemed too risky, etc. Once the user has selectively managed which vulnerabilities will be remediated, the user can then select which computers will be approved to receive remediation in box 87. In box 88, the proposed remediation is analyzed to determine which remediation signatures will be required. In box 89, the target client computers that are to receive remediation are notified that a remediation is to occur. In this embodiment, the notification essentially comprises a message passed to a local remediation application installed on each client computer. Included in the remediation notification may be when the remediation is scheduled to occur. For instance, the remediation can be scheduled to occur upon the occurrence of a particular event, such as a user logging off the machine, logging in, or any other action. In addition, the remediation may be scheduled to occur at a particular time. Thus, using the target client computer's local clock, the remediation can be initiated at the scheduled time. Alternatively, the remediation could occur as soon as the notification is received at the target client computer. Regardless of the triggering event, when the trigger is met the local remediation is launched in box 90.
  • [0032]
    The process 80 continues in FIG. 5B. Once the remediation is launched, the remediation profile for the client computer is then downloaded in box 91. Typically, the profile is downloaded from the client server on which the client remediation management process application is running, i.e., the server that sent the notification of the pending remediation initially. The profile is then interpreted and the remediation signatures and actions specified in the profile are executed as indicated in box 92. As noted in box 93, during remediation the status of the remediation may be reported to the client server and monitored. In addition, the remediation steps may be prioritized and analyzed to ensure the most efficient sequence of execution as indicated in box 94. As noted in box 95, a reboot may need to be performed for some of the remediation actions to take effect. Completion of the remediation on the target client computer is then logged to the client server in box 96. Once remediation is completed, box 97 indicates that reports are generated indicative of the effect of the remediation. Whether the remediation was successful or not is determined in box 98. If the remediation is not deemed successful, either because it did not resolve the identified vulnerabilities as evidenced by an additional security scan of the client computer, or because the remediation actions had unintended deleterious effects, etc., then the remediation can be rolled back or undone and the remediation process can be repeated as indicated in box 99. If the remediation is deemed successful, i.e., vulnerabilities resolved and no deleterious effects for example, then the process ends in box 100. In this manner, the new and updated remediation signatures made available to address or resolve identified vulnerabilities can be downloaded and used in an automated and managed remediation deployment to target client computers.
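    The remediation management process of FIGS. 5A and 5B (boxes 82 through 99), as an added Python model that is not the patent's or the inventor's code: the remediation database, scan findings, hosts, settings and actions are constructed sample data, and a per-action undo is assumed so that the rollback of box 99 can be expressed. In the demo, host-c is excluded because it cannot be interrupted and V-EXAMPLE-3 is deselected on every host because its signature is judged too risky, mirroring the two deselection cases of box 86.

```python
"""Added model of the remediation management process of FIGS. 5A/5B; signatures are ordered
actions with undos so a failed remediation rolls back (box 99). All data below is constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class Action:  # one step of a signature: how to apply it and how to reverse it
    name: str
    apply: Callable[[dict], None]
    undo: Callable[[dict], None]

@dataclass
class Signature:  # actions addressing one vulnerability (box 75) plus a post-check
    sig_id: str
    vuln_id: str
    actions: List[Action]
    resolved: Callable[[dict], bool]  # stands in for the follow-up scan of box 98

@dataclass
class Profile:  # per-target remediation profile (box 85); status reports per box 93
    host: str
    signatures: List[Signature]
    unmapped: List[str] = field(default_factory=list)
    status: List[str] = field(default_factory=list)

def map_vulnerabilities(scan, db):  # boxes 83-85: import findings, map to signatures
    profiles: Dict[str, Profile] = {}
    for host, vuln in scan:
        p = profiles.setdefault(host, Profile(host, []))
        if vuln in db:
            p.signatures.append(db[vuln])
        else:
            p.unmapped.append(vuln)  # finding with no signature yet: manual review
    return profiles

def select(profiles, excluded_hosts, excluded_vulns):  # boxes 86-87: drop hosts or vulns
    approved = {}
    for host, p in profiles.items():
        if host in excluded_hosts:
            continue
        keep = [s for s in p.signatures if s.vuln_id not in excluded_vulns]
        approved[host] = Profile(host, keep, p.unmapped)
    return approved

def remediate(profile: Profile, state: dict) -> Dict[str, bool]:
    """Boxes 92-99: run each signature, rolling back its applied steps on any failure."""
    results = {}
    for sig in profile.signatures:
        applied: List[Action] = []
        try:
            for act in sig.actions:
                act.apply(state)
                applied.append(act)
                profile.status.append(f"{sig.sig_id}: applied {act.name}")
            if not sig.resolved(state):
                raise RuntimeError("post-check still finds the vulnerability")
            results[sig.vuln_id] = True
        except Exception as exc:  # box 98 not successful -> box 99 rollback
            for act in reversed(applied):
                act.undo(state)
            profile.status.append(f"{sig.sig_id}: FAILED ({exc}); rolled back {len(applied)} step(s)")
            results[sig.vuln_id] = False
    return results

def set_action(key, new):  # changes one setting, remembering the old value per host
    saved = {}
    def apply(st):
        saved[id(st)] = st.get(key)
        st[key] = new
    def undo(st):
        st[key] = saved.pop(id(st))
    return Action(f"set {key}={new!r}", apply, undo)

def _fail(st):  # constructed: a patch installer step that exits with an error
    raise OSError("installer returned an error")

# Constructed remediation database (box 82): vulnerability id -> signature.
SIGNATURE_DB = {
    "V-EXAMPLE-1": Signature("SIG-1", "V-EXAMPLE-1", [set_action("service.telnet", "disabled")],
                             lambda st: st.get("service.telnet") == "disabled"),
    "V-EXAMPLE-2": Signature("SIG-2", "V-EXAMPLE-2", [set_action("policy.guest_access", 0),
                              Action("install patch P-EXAMPLE", _fail, lambda st: None)],
                             lambda st: st.get("patch.P-EXAMPLE") is True),
    "V-EXAMPLE-3": Signature("SIG-3", "V-EXAMPLE-3", [set_action("policy.autorun", 0)],
                             lambda st: st.get("policy.autorun") == 0),
}
# Constructed assessment data (box 83): (host, vulnerability id) findings.
SCAN_RESULTS = [("host-a", "V-EXAMPLE-1"), ("host-a", "V-EXAMPLE-2"),
                ("host-b", "V-EXAMPLE-1"), ("host-b", "V-EXAMPLE-3"),
                ("host-b", "V-UNKNOWN-9"), ("host-c", "V-EXAMPLE-2")]

def run_demo():
    """Process 80 end to end; host-c is excluded, V-EXAMPLE-3 deselected on every host."""
    states = {h: {"service.telnet": "running", "policy.guest_access": 1}
              for h in ("host-a", "host-b", "host-c")}
    profiles = select(map_vulnerabilities(SCAN_RESULTS, SIGNATURE_DB),
                      excluded_hosts={"host-c"}, excluded_vulns={"V-EXAMPLE-3"})
    outcomes = {h: remediate(p, states[h]) for h, p in profiles.items()}
    return profiles, states, outcomes
```

On host-a the failing patch step makes SIG-2 roll back its earlier setting change, so the host is left exactly as found rather than half-remediated; the V-UNKNOWN-9 finding on host-b surfaces as an unmapped vulnerability that needs a signature before it can be managed.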
  • [0033]
    While the present invention has been illustrated and described in terms of particular apparatus and methods of use, it is apparent that equivalent parts may be substituted for those shown and other changes can be made within the scope of the present invention as defined by the appended claims.
  • [0034]
    The particular embodiments disclosed herein are illustrative only, as the invention may be modified and practiced in different but equivalent manners apparent to those skilled in the art having the benefit of the teachings herein. Furthermore, no limitations are intended to the details of construction or design herein shown, other than as described in the claims below. It is therefore evident that the particular embodiments disclosed above may be altered or modified and all such variations are considered within the scope and spirit of the invention. Accordingly, the protection sought herein is as set forth in the claims below.
US95322224 May 201627 Dec 2016Duo Security, Inc.System and method of notifying mobile devices to complete transactions after additional agent verification
US95441432 Mar 201110 Jan 2017Duo Security, Inc.System and method of notifying mobile devices to complete transactions
US954427216 Jun 201410 Jan 2017Intel CorporationDetecting image spam
US956952312 Jun 201514 Feb 2017Google Inc.Bundle generation
US95845353 Aug 201528 Feb 2017Cisco Technology, Inc.System and method for real time data awareness
US960255016 May 201621 Mar 2017Fortinet, Inc.Policy-based selection of remediation
US9607156 *24 Feb 201428 Mar 2017Duo Security, Inc.System and method for patching a device through exploitation
US960881410 Sep 201428 Mar 2017Duo Security, Inc.System and method for centralized key distribution
US9699204 *29 Apr 20154 Jul 2017Electronics And Telecommunications Research InstituteAbnormal traffic detection apparatus and method based on modbus communication pattern learning
US976259016 Apr 201512 Sep 2017Duo Security, Inc.System and method for an integrity focused authentication service
US977444827 Oct 201426 Sep 2017Duo Security, Inc.System and methods for opportunistic cryptographic key management on an electronic device
US977457927 Jun 201626 Sep 2017Duo Security, Inc.Method for key rotation
US9787710 *6 May 201610 Oct 2017AO Kaspersky LabMethod and system of eliminating vulnerabilities of a router
US98006046 May 201524 Oct 2017Honeywell International Inc.Apparatus and method for assigning cyber-security risk consequences in industrial process control environments
US20030172301 *8 Mar 200211 Sep 2003Paul JudgeSystems and methods for adaptive message interrogation through multiple queues
US20040073800 *22 May 200315 Apr 2004Paragi ShahAdaptive intrusion detection system
US20040088581 *16 Jan 20036 May 2004Brawn John MelvinSignal level propagation mechanism for distribution of a payload to vulnerable systems
US20040107345 *12 Sep 20033 Jun 2004Brandt David D.System and methodology providing automation security protocols and intrusion detection in an industrial controller environment
US20040117624 *12 Sep 200317 Jun 2004Brandt David D.System and methodology providing automation security analysis, validation, and learning in an industrial controller environment
US20050005159 *1 Jul 20046 Jan 2005Oliphant Brett M.Vulnerability and remediation database
US20050008001 *13 Feb 200413 Jan 2005John Leslie WilliamsSystem and method for interfacing with heterogeneous network data gathering tools
US20050010819 *13 Feb 200413 Jan 2005Williams John LeslieSystem and method for generating machine auditable network policies
US20050015622 *13 Feb 200420 Jan 2005Williams John LeslieSystem and method for automated policy audit and remediation management
US20050015623 *13 Feb 200420 Jan 2005Williams John LeslieSystem and method for security information normalization
US20050015760 *16 Jul 200320 Jan 2005Oleg IvanovAutomatic detection and patching of vulnerable files
US20050022003 *1 Jul 200427 Jan 2005Oliphant Brett M.Client capture of vulnerability data
US20050044389 *1 Jul 200424 Feb 2005Oliphant Brett M.Multiple-path remediation
US20050132232 *7 Dec 200416 Jun 2005Caleb SimaAutomated user interaction in application assessment
US20050172019 *11 Jan 20054 Aug 2005Williamson Matthew M.Network management
US20050198530 *12 Dec 20038 Sep 2005Chess David M.Methods and apparatus for adaptive server reprovisioning under security assault
US20050257267 *13 Feb 200417 Nov 2005Williams John LNetwork audit and policy assurance system
US20060010497 *20 May 200512 Jan 2006O'brien DarciSystem and method for providing remediation management
US20060015941 *13 Jul 200419 Jan 2006Mckenna John JMethods, computer program products and data structures for intrusion detection, intrusion response and vulnerability remediation across target computer systems
US20060018478 *14 Oct 200426 Jan 2006Diefenderfer Kristopher GSecure communication protocol
US20060021051 *23 Jul 200426 Jan 2006D Mello KurtDetermining technology-appropriate remediation for vulnerability
US20060021052 *23 Jul 200426 Jan 2006D Mello KurtMapping remediation to plurality of vulnerabilities
US20060021053 *20 Sep 200426 Jan 2006D Mello KurtData structure for vulnerability-based remediation selection
US20060026686 *30 Jul 20042 Feb 2006Trueba Luis R ZSystem and method for restricting access to an enterprise network
US20060053134 *8 Oct 20049 Mar 2006Durham Roderick HCentralized data transformation
US20060053265 *8 Apr 20059 Mar 2006Durham Roderick HCentralized data transformation
US20060053476 *3 Sep 20049 Mar 2006Bezilla Daniel BData structure for policy-based remediation selection
US20060075503 *13 Sep 20056 Apr 2006Achilles Guard, Inc. Dba Critical WatchMethod and system for applying security vulnerability management process to an organization
US20060080738 *23 Nov 200413 Apr 2006Bezilla Daniel BAutomatic criticality assessment
US20060099847 *28 Oct 200511 May 2006Ntt Docomo, Inc.Terminal control apparatus and terminal control method
US20060185018 *17 Feb 200517 Aug 2006Microsoft CorporationSystems and methods for shielding an identified vulnerability
US20060191012 *22 Feb 200524 Aug 2006Banzhof Carl ESecurity risk analysis system and method
US20060259593 *1 Jul 200416 Nov 2006Securityprofiling, Inc.Client capture of vulnerability data
US20060259779 *1 Jul 200416 Nov 2006Securityprofiling, Inc.Multiple-path remediation
US20060259972 *1 Jul 200416 Nov 2006Securityprofiling, Inc.Vulnerability and remediation database
US20060259974 *16 May 200516 Nov 2006Microsoft CorporationSystem and method of opportunistically protecting a computer from malware
US20070067847 *2 Mar 200622 Mar 2007AlcatelInformation system service-level security risk analysis
US20070067848 *2 Mar 200622 Mar 2007AlcatelSecurity vulnerability information aggregation
US20070112941 *1 Jul 200417 May 2007Securityprofiling, Inc.Client capture of vulnerability data
US20070113100 *1 Jul 200417 May 2007Securityprofiling, Inc.Multiple-path remediation
US20070136622 *9 Jun 200614 Jun 2007Kevin PriceAuditing System and Method
US20070226797 *26 Mar 200727 Sep 2007Exploit Prevention Labs, Inc.Software vulnerability exploitation shield
US20070256132 *1 Jul 20041 Nov 2007Securityprofiling, Inc.Vulnerability and remediation database
US20070283007 *14 May 20076 Dec 2007Keir Robin MSystem And Method For Network Vulnerability Detection And Reporting
US20070283441 *14 May 20076 Dec 2007Cole David MSystem And Method For Network Vulnerability Detection And Reporting
US20080077976 *27 Sep 200627 Mar 2008Rockwell Automation Technologies, Inc.Cryptographic authentication protocol
US20080209518 *28 Feb 200728 Aug 2008Sourcefire, Inc.Device, system and method for timestamp analysis of segments in a transmission control protocol (TCP) session
US20080244741 *14 Nov 20052 Oct 2008Eric GustafsonIntrusion event correlation with network discovery information
US20080263664 *17 Apr 200723 Oct 2008Mckenna John JMethod of integrating a security operations policy into a threat management vector
US20080276319 *29 Apr 20086 Nov 2008Sourcefire, Inc.Real-time user awareness for a computer network
US20090007269 *29 Jun 20071 Jan 2009Network Security Technologies, Inc.Using imported data from security tools
US20090183233 *19 Mar 200916 Jul 2009Electronic Data Systems CorporationSystem and Method for Restricting Access to an Enterprise Network
US20090228698 *7 Mar 200810 Sep 2009Qualcomm IncorporatedMethod and Apparatus for Detecting Unauthorized Access to a Computing Device and Securely Communicating Information about such Unauthorized Access
US20090228981 *11 Sep 200810 Sep 2009Qualcomm IncorporatedMethod For Securely Communicating Information About The Location Of A Compromised Computing Device
US20090259748 *1 Jun 200915 Oct 2009Mcclure Stuart CSystem and method for network vulnerability detection and reporting
US20090262659 *28 Aug 200822 Oct 2009Sourcefire, Inc.Speed and memory optimization of intrusion detection system (IDS) and intrusion prevention system (IPS) rule processing
US20100088767 *8 Oct 20098 Apr 2010Sourcefire, Inc.Target-based smb and dce/rpc processing for an intrusion detection system or intrusion prevention system
US20100100965 *22 Dec 200922 Apr 2010Computer Associates Think, Inc.System and method for providing remediation management
US20100138897 *17 Dec 20093 Jun 2010Secure Elements, Inc.Policy-based selection of remediation
US20100153490 *17 Dec 200917 Jun 2010Fortinet, Inc.Centralized data transformation
US20100199353 *22 Apr 20105 Aug 2010Fortinet, Inc.Vulnerability-based remediation selection
US20100257585 *21 Jun 20107 Oct 2010Fortinet, Inc.Data structure for policy-based remediation selection
US20110219230 *2 Mar 20118 Sep 2011Jon OberheideSystem and method of notifying mobile devices to complete transactions
US20130263267 *24 May 20133 Oct 2013International Business Machines CorporationMethods, computer program products and data structures for intrusion detection, intrusion response and vulnerability remediation across target computer systems
US20140137190 *20 Feb 201315 May 2014Rapid7, Inc.Methods and systems for passively detecting security levels in client devices
US20150033287 *29 Sep 201429 Jan 2015Securityprofiling, LlcAnti-vulnerability system, method, and computer program product
US20150033323 *29 Sep 201429 Jan 2015Securityprofiling, LlcVirtual patching system, method, and computer program product
US20150033349 *28 Sep 201429 Jan 2015Securityprofiling, LlcAnti-vulnerability system, method, and computer program product
US20150033351 *28 Sep 201429 Jan 2015Securityprofiling, LlcAnti-vulnerability system, method, and computer program product
US20150033352 *29 Sep 201429 Jan 2015Securityprofiling, LlcSystem, method, and computer program product for reporting an occurrence in different manners
US20150040230 *28 Sep 20145 Feb 2015Securityprofiling, LlcMulti-path remediation
US20150040231 *28 Sep 20145 Feb 2015Securityprofiling, LlcComputer program product and apparatus for multi-path remediation
US20150235035 *4 May 201520 Aug 2015Netflix, IncMethod and system for improving security and reliability in a networked application environment
US20150381642 *29 Apr 201531 Dec 2015Electronics And Telecommunications Research InstituteAbnormal traffic detection apparatus and method based on modbus communication pattern learning
US20160072835 *16 Nov 201510 Mar 2016Risk I/O, Inc.Ordered computer vulnerability remediation reporting
US20160088010 *24 Aug 201524 Mar 2016Securityprofiling, LlcReal-time vulnerability monitoring
US20160094576 *24 Aug 201531 Mar 2016Securityprofiling, LlcAnti-vulnerability system, method, and computer program product
US20160234243 *30 Sep 201511 Aug 2016Honeywell International Inc.Technique for using infrastructure monitoring software to collect cyber-security risk data
US20170169229 *10 Dec 201515 Jun 2017Sap SeVulnerability analysis of software components
US20170272459 *6 May 201621 Sep 2017AO Kaspersky LabMethod and system of eliminating vulnerabilities of a router
US20170272460 *11 Aug 201621 Sep 2017AO Kaspersky LabMethod and system of eliminating vulnerabilities of smart devices
EP1505499A1 *23 Jun 20049 Feb 2005Microsoft CorporationAutomatic detection and patching of vulnerable files
EP1630710A2 *12 Jul 20051 Mar 2006Microsoft CorporationContainment of worms
EP1630710A3 *12 Jul 200515 May 2013Microsoft CorporationContainment of worms
EP1768044A2 *21 Sep 200628 Mar 2007AlcatelSecurity vulnerability information aggregation
EP1768044A3 *21 Sep 200623 Apr 2008Alcatel LucentSecurity vulnerability information aggregation
EP1949242A2 *9 Nov 200630 Jul 2008Sourcefire, Inc.Systems and methods for modifying network map attributes
EP1949242A4 *9 Nov 200617 Aug 2011Sourcefire IncSystems and methods for modifying network map attributes
EP2284757A1 *21 Sep 200616 Feb 2011Alcatel LucentSecurity vulnerability information aggregation
WO2006005679A1 *28 Jun 200519 Jan 2006International Business Machines CorporationMethods, computer program products and data structures for intrusion detection, intrusion response and vulnerability remediation across target computer systems
WO2006023013A1 *15 Jun 20052 Mar 2006Electronic Data Systems CorporationSystem and method for restricting access to an enterprise network
WO2007058946A29 Nov 200624 May 2007Sourcefire, Inc.Systems and methods for modifying network map attributes
Classifications
U.S. Classification: 726/25
International Classification: G06F21/22, G06F21/24, H04L29/06, G06F21/00
Cooperative Classification: G06F21/577, H04L63/1433, H04L63/12
European Classification: G06F21/57C
Legal Events
Date | Code | Event | Description
31 Dec 2002 | AS | Assignment
    Owner name: CITADEL SECURITY SOFTWARE, INC., TEXAS
    Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:BANZHOF, CARL E.;REEL/FRAME:013643/0923
    Effective date: 20021231
22 Dec 2006 | AS | Assignment
    Owner name: MCAFEE SECURITY LLC, TEXAS
    Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CITADEL SECURITY SOFTWARE, INC.;REEL/FRAME:018668/0179
    Effective date: 20061204
23 Feb 2007 | AS | Assignment
    Owner name: MCAFEE, INC., A DELAWARE CORPORATION, CALIFORNIA
    Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MCAFEE SECURITY, LLC, A DELAWARE LIMITED LIABILITY COMPANY;REEL/FRAME:018923/0152
    Effective date: 20070222
26 Aug 2008 | B1 | Reexamination certificate first reexamination
    Free format text: THE PATENTABILITY OF CLAIMS 13-25 IS CONFIRMED. CLAIMS 1, 3, 6, 10, 26, 30-32, 35, 38 AND 41 ARE DETERMINED TO BE PATENTABLE AS AMENDED. CLAIMS 2, 4, 5, 7-9, 11, 12, 27-29, 33, 34, 36, 37, 39, 40 AND 42-44, DEPENDENT ON AN AMENDED CLAIM, ARE DETERMINED TO BE PATENTABLE.
14 Aug 2009 | FPAY | Fee payment
    Year of fee payment: 4
27 Oct 2009 | RR | Request for reexamination filed
    Effective date: 20060302
17 Jul 2013 | FPAY | Fee payment
    Year of fee payment: 8
14 Aug 2017 | FPAY | Fee payment
    Year of fee payment: 12
24 Aug 2017 | AS | Assignment
    Owner name: MCAFEE, LLC, CALIFORNIA
    Free format text: CHANGE OF NAME AND ENTITY CONVERSION;ASSIGNOR:MCAFEE, INC.;REEL/FRAME:043665/0918
    Effective date: 20161220