Advanced asset tracking and correlation

US 10,021,140 B2
Filed: 03/06/2017
Issued: 07/10/2018
Est. Priority Date: 02/17/2015
Status: Active Grant

First Claim

Patent Images

1. A security management system comprising:

an asset database operable to store a plurality of asset entries, wherein each asset entry in the asset database is associated with an asset of a network; and

an asset correlation engine in communication with the asset database, wherein the asset correlation engine is operable to;

receive a data chunk associated with a target asset of the network;

parse the data chunk to identify an attribute in the data chunk, wherein the identified attribute is one of a strongly correlated attribute, a moderately correlated attribute, and a loosely correlated attribute with respect to the target asset;

determine an attribute weight for the identified attribute, wherein an attribute weight of the highly correlated attribute is 1.5 to 40 times as large as an attribute weight of the moderately correlated attribute, and wherein the attribute weight of the moderately correlated attribute is 1.5 to 25 times as large as an attribute weight of the loosely correlated attribute;

generate an asset score for an asset entry in the asset database using the attribute weight; and

create a new asset entry in the asset database for the target asset in response to determining the asset score is less than a predetermined threshold value, wherein the data chunk is associated with the new asset entry in the asset database.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security management system may be remotely deployed (e.g., using a cloud-based architecture) to add security to an enterprise network. For example, the security management system may scan assets within the enterprise network for vulnerabilities and may receive data chunks from these scans. The security management system may also receive data chunks from other sources, and, as a result, the system may handle data chunks having many different formats and attributes. When the security management system tries to associate data chunks to assets, there may not be a globally unique identifier that is applicable for all received data chunks. Provided in the present disclosure are exemplary techniques for tracking assets across a network using an asset correlation engine that can flexibly match data chunks to assets based on the attribute or attributes that are available within the data chunks.

19 Citations

View as Search Results

20 Claims

1. A security management system comprising:
- an asset database operable to store a plurality of asset entries, wherein each asset entry in the asset database is associated with an asset of a network; and
  
  an asset correlation engine in communication with the asset database, wherein the asset correlation engine is operable to;
  
  receive a data chunk associated with a target asset of the network;
  
  parse the data chunk to identify an attribute in the data chunk, wherein the identified attribute is one of a strongly correlated attribute, a moderately correlated attribute, and a loosely correlated attribute with respect to the target asset;
  
  determine an attribute weight for the identified attribute, wherein an attribute weight of the highly correlated attribute is 1.5 to 40 times as large as an attribute weight of the moderately correlated attribute, and wherein the attribute weight of the moderately correlated attribute is 1.5 to 25 times as large as an attribute weight of the loosely correlated attribute;
  
  generate an asset score for an asset entry in the asset database using the attribute weight; and
  
  create a new asset entry in the asset database for the target asset in response to determining the asset score is less than a predetermined threshold value, wherein the data chunk is associated with the new asset entry in the asset database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The security management system of claim 1, wherein the asset correlation engine is further operable to:
    - generate asset scores for the plurality of asset entries in the asset database; and
      
      create the new asset entry in the asset database for the target asset in response to determining each of the asset scores is less than the predetermined threshold value.
  - 3. The security management system of claim 1, wherein at least one of the attribute weight and the asset score is determined using a correlation matrix.
  - 4. The security management system of claim 1, wherein the asset correlation engine is further operable to:
    - identify a plurality of attributes in the data chunk, wherein each identified attribute of the plurality of identified attributes is one of a strongly correlated attribute, a moderately correlated attribute, and a loosely correlated attribute with respect to the target asset; and
      
      determine the attribute weight for each identified attribute, wherein a plurality of attribute weights are used to generate the asset score.
  - 5. The security management system of claim 4, wherein a first attribute weight of a first identified attribute comprised in the plurality of identified attributes is greater than a second attribute weight of a second identified attribute comprised in the plurality of identified attributes.
  - 6. The security management system of claim 5, wherein the first identified attribute comprises a strongly correlated attribute and the second identified attribute comprises a loosely correlated attribute.
  - 7. The security management system of claim 5, wherein the first identified attribute comprises a strongly correlated attribute and the second identified attribute comprises a moderately correlated attribute.
  - 8. The security management system of claim 5, wherein the first identified attribute comprises a moderately correlated attribute and the second identified attribute comprises a loosely correlated attribute.
  - 9. The security management system of claim 5, wherein the second attribute weight is not used to generate the asset score.
  - 10. The security management system of claim 3, wherein the correlation matrix defines the attribute weight for the identified attribute.
  - 11. The security management system of claim 5, wherein a correlation matrix defines the first attribute weight for the first identified attribute and the second attribute weight for the second identified attribute.
  - 12. The security management system of claim 1, wherein the asset correlation engine is further operable to receive the data chunk from an agent operable to scan the target asset, and wherein the identified attribute comprises an agent identifier.
  - 13. The security management system of claim 12, wherein the agent is further operable to write the agent identifier to a local memory device associated with the target asset.
  - 14. The security management system of claim 1, wherein the asset correlation engine is further operable to receive the data chunk from a scanner that is operable to scan the target asset.
  - 15. The security management system of claim 1, wherein the target asset comprises one of a desktop workstation, a server, a laptop, a tablet, a mobile phone, and a virtual machine.
  - 16. The security management system of claim 1, wherein the identified attribute comprises at least one of an IP address attribute, a DNS name attribute, a network attribute, an operating system attribute, a NetBIOS name attribute, and instance identification.

17. A method comprising:
- providing a plurality of asset entries in an asset database, wherein each asset entry in the asset database is associated with an asset of a network;
  
  receiving, by an asset correlation engine in communication with the asset database, a data chunk associated with a target asset of the network;
  
  parsing, by the asset correlation engine, the data chunk to identify an attribute in the data chunk, wherein the identified attribute is one of a strongly correlated attribute, a moderately correlated attribute, and a loosely correlated attribute with respect to the target asset;
  
  determining, by the asset correlation engine, an attribute weight for the identified attribute, wherein an attribute weight of the highly correlated attribute is 1.5 to 40 times as large as an attribute weight of the moderately correlated attribute, and wherein the attribute weight of the moderately correlated attribute is 1.5 to 25 times as large as an attribute weight of the loosely correlated attribute;
  
  generating, by the asset correlation engine, an asset score for an asset entry in the asset database using the attribute weight; and
  
  creating, by the asset correlation engine, a new asset entry in the asset database for the target asset in response to determining the asset score is less than a predetermined threshold value, wherein the data chunk is associated with the new asset entry in the asset database.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising:
    - generating, by the asset correlation engine, asset scores for the plurality of asset entries in the asset database; and
      
      creating, by the asset correlation engine, the new asset entry in the asset database for the target asset in response to determining each of the asset scores is less than the predetermined threshold value.
  - 19. The method of claim 18, wherein at least one of the attribute weight and the asset score is determined using a correlation matrix.
  - 20. The method of claim 17, wherein the identified attribute comprises at least one of an IP address attribute, a DNS name attribute, a network attribute, an operating system attribute, a NetBIOS name attribute, agent identification, and instance identification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualys Incorporated
Original Assignee
Qualys Incorporated
Inventors
Molloy, Sean M., Wirges, Matthew L., Sonawane, Amol S.
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/451,135
Publication Number

US 20170230424A1
Time in Patent Office

491 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/245   Query processing

G06F 16/24578   using ranking

G06F 16/90335   Query processing

G06F 40/205   Parsing

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Advanced asset tracking and correlation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

19 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Advanced asset tracking and correlation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links