Patent Grant
10503909
A vulnerability is a security defect in a computer system or associated software that allows an attacker to potentially violate the confidentiality, integrity, operations, availability, access control, and/or data of the system or software. Vulnerabilities may result from bugs, design flaws, configuration errors, etc. in the system or software. Various tools have been developed to aid in management of computer system vulnerabilities.
For a detailed description of various examples, reference will now be made to the accompanying drawings in which:
Certain terms are used throughout the following description and claims to refer to particular system components. As one skilled in the art will appreciate, different companies may refer to a component by different names. This document does not intend to distinguish between components that differ in name but not function. In the following discussion and in the claims, the terms “including” and “comprising” are used in an open-ended fashion, and thus should be interpreted to mean “including, but not limited to . . . .” Also, the term “couple” or “couples” is intended to mean either an indirect or direct wired or wireless connection. Thus, if a first device couples to a second device, that connection may be through a direct connection or through an indirect connection via other devices and connections.
Computer vulnerabilities include flaws in software executed by a computer system. Input value validation errors and buffer overflow errors are examples of software flaws that can be exploited by an attacker to misuse a computer system. Vulnerability scanning tools examine computer systems and software applications to identify vulnerabilities. Identified vulnerabilities may be automatically or manually corrected. Conventional vulnerability monitoring systems provide very weak confirmation that a vulnerability has been corrected. For example, conventional vulnerability monitoring systems generally attempt to confirm vulnerability correction via passive rescan of the computer system. That is, if a previously detected vulnerability is not detected by a re-scan, then the vulnerability is deemed to have been corrected.
The remediation system disclosed herein provides positive verification of vulnerability remediation by confirming that operations specified to correct an identified vulnerability have been performed by entities authorized to perform the remediation operations. The remediation system disclosed herein is applicable, for example, to computer systems and networks that are continuously monitored for vulnerabilities, and can provide positive, deterministic confirmation of vulnerability correction in such systems.
The vulnerability scanners 216 are systems that examine the computer(s) 112 to determine whether the computer(s) 112 are susceptible to attack and misuse by unauthorized entities. The vulnerability scanners 216 may examine the software, memory contents, operational settings, and/or other features of the computer(s) 112 to identify vulnerabilities. Some vulnerability scanners 216 may compare known vulnerability data patterns to the software, memory contents, etc. of the computer(s) 216, evaluate computer operational settings, etc., in order to identify vulnerabilities.
The remediation processors 110 implement remediation processes that access the computer(s) 112 to correct vulnerabilities identified by the vulnerability scanners 216. For example, when a program that contains a security flaw is identified in the computer(s) 112 by the vulnerability scanners 216, the remediation processors 110 may be applied to uninstall the identified program and install an updated version of the program in which the security flaw is corrected. Similarly, if the vulnerability scanners 216 identify malicious software on the computer(s) 112, the remediation processors 110 may be activated to remove or quarantine the malicious software. If security or other operational settings of a computer 112 are found to be non-compliant with predetermined settings values, then the remediation processors 110 may change the settings values to comply with the predetermined settings values.
In some implementations of the system 100, at least some of the vulnerability scanners 216 and the remediation processors 110 may be integrated into a single sub-system (e.g., a combined scanner/processor).
The vulnerability remediation verification sub-system 102 provides positive verification of correction of an identified vulnerability, positive verification that each operation needed to correct an identified vulnerability has been performed, and positive verification that each operation is performed by a remediation processor 110 authorized to perform the operation. The vulnerability remediation verification sub-system 102 includes vulnerability monitor 104, reconciliation engine 106, and remediation scheduler 108.
The vulnerability monitor 104 is communicatively coupled to the vulnerability scanners 216. The vulnerability monitor 104 is notified by the vulnerability scanners 216 of each vulnerability (e.g., the vulnerability 114) identified in the computer(s) 112. On notification of the vulnerability 114, the vulnerability monitor 104, stores that information in a database, sets a deadline for completion of remediation, and generates a vulnerability identification structure (i.e., an identified vulnerability token, IVT) that contains information regarding the vulnerability. Some implementations of the vulnerability monitor 104 may generate an IVT including the following fields and information.
The vulnerability monitor 104 signs the vulnerability token with the identity of the vulnerability monitor 104. The vulnerability monitor 104 passes the completed and signed vulnerability token to the reconciliation engine 106.
The reconciliation engine 106 implements a reconciliation process that receives the vulnerability token generated by the vulnerability monitor 102, and extracts the information identifying the vulnerability, the computer 112 where the vulnerability is located, and other information from the token. The reconciliation engine 106 examines the signature contained in the token to verify that the vulnerability token is valid.
If the token's digital signature indicates that the token is valid, the reconciliation engine 106 provides the vulnerability information extracted from the token to the remediation scheduler 108. As described below, the reconciliation engine 106 tracks and verifies the remediation process.
The remediation scheduler 108 implements an automated remediation scheduling process that first defines the operations to be performed to correct the vulnerability 114, and then selects one or more suitable remediation processors 110 to perform the operations. The remediation scheduler 108 schedules the selected remediation processors 110 to perform the remediation operations prior to the deadline set in the vulnerability token.
To provide tracking of the remediation process, the remediation scheduler 108 creates a remediation token (RT) that specifies the operations to be performed and the remediation processor 110 selected to perform each operation, and includes fields in which each selected remediation processor 110 stores identification, remediation actions performed, results of testing the remediation actions, and a verifying digital signature of the remediation processor 110. Each remediation operation and associated information is organized in the remediation token as a remediation frame. Some implementations of the remediation scheduler 108 may generate a RT including the following fields and information.
The remediation scheduler 108 passes the remediation token to the remediation processors 110, and the remediation processors 110 perform the operations specified in the remediation token to correct the vulnerability 114. In some implementations, the remediation scheduler 114 may sequentially pass the remediation token to different selected remediation processors 110 as needed to perform the remediation operations specified in the remediation token. In some implementations a remediation processor 110 may pass the remediation token to a different remediation processor 110 in accordance with the specified remediation operations.
Each remediation processor 110 that receives the remediation token performs the operation(s) specified for the remediation processor 110, tests results of the operation, records the results of the test in the remediation token, and inserts the signature of the remediation processor 110 into the remediation frame specifying the operation performed. As each remediation operation is completed, the remediation processor 110 that performed the operation may pass the remediation token back to the remediation scheduler or to a different remediation processor 110. In some implementations, the remediation processors 110 may also notify the reconciliation engine 106 of completion of a remediation operation to allow the reconciliation engine 106 to track the progress of the remediation process. The remediation processors 110 may provide notification to the reconciliation engine 106 of each operation being completed by passing a copy of the remediation token to the reconciliation engine 106.
On completion of the last operation specified in the remediation token, the remediation processor 110 that performed the operation returns the remediation token to the remediation scheduler 108. The remediation scheduler 108 signs the entire remediation token, indicating that all remediation operations have been performed, and passes the remediation token to the reconciliation engine 106.
The reconciliation engine 106 receives the remediation token from the remediation scheduler 108, and analyzes the remediation token to determine whether the vulnerability 114 has been corrected. In determining whether the vulnerability 114 has been corrected, the reconciliation engine 106:
The reconciliation engine 106 may provide final results of the remediation to other systems, to the vulnerability monitor 104, to a dashboard for display, to a vulnerability remediation database for storage, etc.
In block 302, the vulnerability scanners 216 examine the computer(s) 112 for vulnerabilities. The vulnerability scanners 216 identify vulnerability 114 in a computer 112. The vulnerability scanners 216 notify the vulnerability monitor 104 that the vulnerability 114 has been identified in the computer 112.
In block 404, the vulnerability monitor 104 sets a completion deadline time for correction of the vulnerability 114 and gathers other important information about the identified vulnerability (e.g. computer found on, etc.).
In block 406, the vulnerability monitor 104 generates a vulnerability token. The vulnerability token is a message structure that identifies the computer 112, the vulnerability 114, and other parameters. The vulnerability monitor 104 signs the vulnerability token, and passes the signed vulnerability token to the reconciliation engine 106.
In block 408, the reconciliation engine 106 provides the information contained in the vulnerability token to the remediation scheduler 108. The remediation scheduler 108 examines the information, determines the operations to be performed to correct the vulnerability 114 in block 304, and selects remediation processors 110 to perform the vulnerability correction operations in block 410.
In block 306, the remediation scheduler 108 schedules performance of the remediation operations by the selected remediation processors 110.
In block 412, the remediation scheduler 108 generates a remediation token that specifies the remediation operations to be performed and the remediation processors 110 selected to perform the remediation operations. The remediation token include fields to be written by the remediation processors 110 on completion of each remediation operation.
In block 414, the remediation scheduler 108 passes the remediation token to the selected remediation processors 110, and the remediation processors 110 perform the operations specified in the remediation token. Each remediation processor 110 performing one of the remediation operations writes results of testing the operation performed to the remediation token and signs the remediation token.
In block 416, each remediation processor 110 performing one of the operations notifies the reconciliation engine 106 of completion of the operation performed. The notification may be provided by passing a copy of the remediation token to the reconciliation engine 106 on completion of each operation.
In block 418, all of the remediation operations specified in the remediation token have been completed. The remediation processor 110 performing the last of the operations returns the remediation token to the remediation scheduler 108. The remediation scheduler 108 signs the remediation token and passes the signed remediation token to the reconciliation engine 106.
In blocks 308 and 320, the reconciliation engine 106 examines the remediation token and determines whether the vulnerability 114 has been corrected. Determining whether the vulnerability has been corrected includes determining whether the operations specified in the remediation frames of the remediation token, have been performed successfully in blocks 310 and 322, and determining whether the operations were performed by authorized remediation processors 110 in blocks 312 and 324. The vulnerability may also be deemed corrected only if the operations are performed prior to the deadline set by the vulnerability monitor 104, and the remediation token is signed by the remediation scheduler 108. Thus, implementations of the vulnerability remediation verification sub-system 102 implementing these methods positively validate correction of an identified vulnerability.
The storage device 502 includes remediation operation selection 504, remediation operation scheduling 506, and remediation verification 508. The remediation operation selection 504 includes instructions that are executable by a processor in the remediation scheduler 108 to select remediation operations to be performed to correct a vulnerability.
The remediation operation scheduling 506 includes instructions that are executable by a processor in the vulnerability scheduler 108 to schedule remediation processors 110 to perform the operations selected to correct a vulnerability.
The remediation verification 508 includes instructions that are executable by a processor in the reconciliation engine 106 to determine whether a vulnerability has been corrected. The remediation verification 508 includes operation success verification 510 and remediation processor verification 512. The operation success verification 510 includes instructions that are executable by a processor in the reconciliation engine 106 to determine whether the operations selected to correct a vulnerability have been successfully performed. The remediation processor verification 512 includes instructions that are executable by a processor in the reconciliation engine 106 to determine whether the operations selected to correct a vulnerability have been performed by an authorized remediation processor 110.
The computer 602 includes one or more processors 602 and storage 604 coupled to the processors 602. The storage 604 may be the computer-readable storage device 502. The processor 602 is a general-purpose microprocessor, a digital signal processor, a microcontroller, or other device capable of executing instructions retrieved from a computer-readable storage medium. Processor architectures generally include execution units (e.g., fixed point, floating point, integer, etc.), storage (e.g., registers, memory, etc.), instruction decoding, instruction and data fetching logic, peripherals (e.g., interrupt controllers, timers, direct memory access controllers, etc.), input/output systems (e.g., serial ports, parallel ports, etc.) and various other components and sub-systems.
The storage 604 includes vulnerability monitoring logic 606, reconciliation logic 612, remediation scheduling logic 618, and remediation processing logic 626. The remediation processing logic 626 includes instructions executable by the processors 602 to implement the remediation processors 110.
The vulnerability monitoring logic 606 includes instructions executable by the processors 602 to implement the vulnerability monitor 104. Thus, the vulnerability monitor 104 comprises one or more processors 602 and instructions of the vulnerability monitoring logic 606. The vulnerability monitoring logic 606 includes remediation operation selection logic 608 and vulnerability token generation logic 610 that include instructions executable by the processors 602 to perform remediation operation selection and vulnerability token generation as described herein.
The reconciliation logic 612 includes instructions executable by the processors 602 to implement the reconciliation engine 106. Thus, the reconciliation engine 106 comprises one or more processors 602 and instructions of the reconciliation logic 612. The reconciliation logic 612 includes vulnerability token parsing logic 614 and remediation success determination logic 616 that include instructions executable by the processors 602 to examine the remediation token and determine whether vulnerability remediation is successful as described herein.
The remediation scheduling logic 618 includes instructions executable by the processors 602 to implement the remediation scheduler 108. Thus, the remediation scheduler 108 comprises one or more processors 602 and instructions of the remediation scheduling logic 618. The remediation scheduling logic 618 includes remediation processor selection logic 620 and remediation token generation logic 622 that include instructions executable by the processors 602 to select remediation processors 110 to perform remediation operations, and to generate remediation tokens as described herein.
The above discussion is meant to be illustrative of the principles and various embodiments of the present invention. Numerous variations and modifications will become apparent to those skilled in the art once the above disclosure is fully appreciated. It is intended that the following claims be interpreted to embrace all such variations and modifications.
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/US2014/063314 | 10/31/2014 | WO | 00 |
| Publishing Document | Publishing Date | Country | Kind |
|---|---|---|---|
| WO2016/068974 | 5/6/2016 | WO | A |
| Number | Name | Date | Kind |
|---|---|---|---|
| 7660419 | Ho | Feb 2010 | B1 |
| 8046195 | Vecera et al. | Oct 2011 | B2 |
| 8090660 | Solomon et al. | Jan 2012 | B2 |
| 8112434 | Patten et al. | Feb 2012 | B2 |
| 8156140 | Roshen et al. | Apr 2012 | B2 |
| 8185916 | Toussaint et al. | May 2012 | B2 |
| 8200278 | Little | Jun 2012 | B2 |
| 8250654 | Kennedy | Aug 2012 | B1 |
| 8265275 | Lotspiech | Sep 2012 | B2 |
| 8321909 | Fot et al. | Nov 2012 | B2 |
| 8364745 | Roshen | Jan 2013 | B2 |
| 8379847 | Bell et al. | Feb 2013 | B2 |
| 8433746 | Vecera et al. | Apr 2013 | B2 |
| 8458793 | McKenna | Jun 2013 | B2 |
| 8489733 | Vecera et al. | Jul 2013 | B2 |
| 8561175 | Williams et al. | Oct 2013 | B2 |
| 8570905 | Hulse et al. | Oct 2013 | B2 |
| 8613043 | Fot et al. | Dec 2013 | B2 |
| 8655941 | Roshen | Feb 2014 | B2 |
| 8707427 | Hooks et al. | Apr 2014 | B2 |
| 8775651 | Brown et al. | Jul 2014 | B2 |
| 9239841 | Arnaudov et al. | Jan 2016 | B2 |
| 9697061 | Lazier | Jul 2017 | B1 |
| 20020112156 | Gien | Aug 2002 | A1 |
| 20060005010 | Olsen et al. | Jan 2006 | A1 |
| 20060031938 | Choi | Feb 2006 | A1 |
| 20060101517 | Banzhof | May 2006 | A1 |
| 20060101519 | Lasswell | May 2006 | A1 |
| 20060168653 | Contrera | Jul 2006 | A1 |
| 20060218635 | Kramer | Sep 2006 | A1 |
| 20060282897 | Sima | Dec 2006 | A1 |
| 20070100913 | Sumner et al. | May 2007 | A1 |
| 20070294376 | Ayachitula | Dec 2007 | A1 |
| 20080092237 | Yoon et al. | Apr 2008 | A1 |
| 20080140759 | Conner et al. | Jun 2008 | A1 |
| 20090006167 | Toussaint et al. | Jan 2009 | A1 |
| 20090064271 | Ng et al. | Mar 2009 | A1 |
| 20090086965 | Glendinning | Apr 2009 | A1 |
| 20090271863 | Govindavajhala | Oct 2009 | A1 |
| 20100100965 | O'Brien et al. | Apr 2010 | A1 |
| 20100174684 | Schwaab et al. | Jul 2010 | A1 |
| 20110078798 | Chen | Mar 2011 | A1 |
| 20110125527 | Nair | May 2011 | A1 |
| 20110153712 | Whetsel | Jun 2011 | A1 |
| 20110302412 | Deng et al. | Dec 2011 | A1 |
| 20120166799 | Shamsaasef et al. | Jun 2012 | A1 |
| 20120174185 | Milman et al. | Jul 2012 | A1 |
| 20120185725 | Peters et al. | Jul 2012 | A1 |
| 20130086689 | Laverdiere-Papineau | Apr 2013 | A1 |
| 20130104236 | Ray et al. | Apr 2013 | A1 |
| 20130318536 | Fletcher | Nov 2013 | A1 |
| 20130332660 | Talagala et al. | Dec 2013 | A1 |
| 20140068630 | Fildebrandt | Mar 2014 | A1 |
| 20140082736 | Guarnieri et al. | Mar 2014 | A1 |
| 20140089264 | Talagala et al. | Mar 2014 | A1 |
| 20140164776 | Hook et al. | Jun 2014 | A1 |
| 20140177839 | Wagner et al. | Jun 2014 | A1 |
| 20140189340 | Hadley | Jul 2014 | A1 |
| 20140344569 | Li | Nov 2014 | A1 |
| 20150172308 | Borohovski | Jun 2015 | A1 |
| 20150326547 | Carlson | Nov 2015 | A1 |
| 20150381578 | Thota et al. | Dec 2015 | A1 |
| 20160072886 | Lin et al. | Mar 2016 | A1 |
| Number | Date | Country |
|---|---|---|
| 2008121744 | Oct 2008 | WO |
| Entry |
|---|
| The Open Group, “SOA Reference Architecture Technical Standard: Integration Layer,” 8 p, Sep. 22, 2014. |
| Reserve Bank of India, “Working Group Report on Cloud Computing Option for Urban Cooperative Banks,” Oct. 5, 2012, pp. 1-18, Available at: <rbi.org.in/scripts/PublicationReportDetails.aspx?ID=679>. |
| Lisa Phifer, “Managing WLAN Risks with Vulnerability Assessment,” Technology Whitepaper, 2011, pp. 1-23, AirMagnet, Inc. |
| International Search Report and Written Opinion received for PCT Patent Application No. PCT/US2014/073036, dated Jul. 7, 2015, 7 pages. |
| International Search Report and Written Opinion received for PCT Patent Application No. PCT/US2014/063435, dated Jun. 29, 2015, 9 pages. |
| International Search Report and Written Opinion received for PCT Patent Application No. PCT/US2014/063314, dated Jul. 31, 2015, 12 pages. |
| International Preliminary Report on Patentability received for PCT Patent Application No. PCT/US2014/073036, dated Jul. 13, 2017, 6 pages. |
| International Preliminary Report on Patentability received for PCT Patent Application No. PCT/US2014/063435, dated May 11, 2017, 8 pages. |
| International Preliminary Report on Patentability received for PCT Patent Application No. PCT/US2014/063314, dated May 11, 2017, 11 pages. |
| Eldos Corporation, “Securing Your Client-server or Multi-tier Application,” 2014, pp. 1-16 [online], Retrieved from the Internet on Sep. 23, 2014 at URL: <eldos.com/security/articles/1942.php?page=all>. |
| Dan Schutzer et al., “Big Data and Security,” The Innovator, Jan. 2013, pp. 1-23, vol. 54, Issue 1, BITS Financial Services Roundtable. |
| Number | Date | Country | |
|---|---|---|---|
| 20170220808 A1 | Aug 2017 | US |
