Dynamic vulnerability correlation

US 10,158,660 B1
Filed: 01/27/2014
Issued: 12/18/2018
Est. Priority Date: 10/17/2013
Status: Active Grant

First Claim

Patent Images

1. A method of vulnerability filtering using one or more ontologies of rules, each of the ontologies comprising at least one rule hierarchy comprising one or more vulnerability or weakness scanning rules, the at least one rule hierarchy including priorities that are assigned to at least some of the vulnerability or weakness scanning rules, the method comprising:

by a computer, attempting to execute a first one of the vulnerability or weakness scanning rules against a target remote computing device in an order based at least in part on the assigned priorities, producing at least one scan result;

based on the at least one scan result, determining that an attempt to execute the first one of the vulnerability or weakness scanning rules against the target remote computing device was unsuccessful; and

based on the determining, not executing a scanning rule in the rule hierarchy having a lower assigned priority than the first scanning rule against the target remote computing device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods are disclosed for performing dynamic vulnerability correlation suitable for use in enterprise information technology (IT) environments, including vulnerability filtering, patch correlation, and vulnerability paring. According to one disclosed embodiment, a method of vulnerability filtering includes attempting to execute vulnerability scanning rules according to a specified order in a rule hierarchy, and depending on the type of the rule hierarchy and on whether the attempt was successful, not executing additional rules in the rule hierarchy. In another disclosed embodiment, a method of patch correlation includes executing vulnerability scanning rules based on a correlation associations including, if a particular vulnerability is detected, then not executing other correlated scanning rules for a particular software patch. In another disclosed embodiment, a method of vulnerability paring includes defining a plurality of patch milestones for a software product and scanning a target computer for vulnerabilities associated with a current installed patch.

Citations

26 Claims

1. A method of vulnerability filtering using one or more ontologies of rules, each of the ontologies comprising at least one rule hierarchy comprising one or more vulnerability or weakness scanning rules, the at least one rule hierarchy including priorities that are assigned to at least some of the vulnerability or weakness scanning rules, the method comprising:
- by a computer, attempting to execute a first one of the vulnerability or weakness scanning rules against a target remote computing device in an order based at least in part on the assigned priorities, producing at least one scan result;
  
  based on the at least one scan result, determining that an attempt to execute the first one of the vulnerability or weakness scanning rules against the target remote computing device was unsuccessful; and
  
  based on the determining, not executing a scanning rule in the rule hierarchy having a lower assigned priority than the first scanning rule against the target remote computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - after the not executing the scanning rule, attempting to execute a second one of the vulnerability or weakness scanning rules in a different rule hierarchy than the first scanning rule against the target remote computing device.
  - 3. The method of claim 1, wherein the at least one rule hierarchy is marked as Restrictive, and wherein the method further comprises:
    - if a higher priority scanning rule in the at least one rule hierarchy executes successfully against the target remote computing device, then not executing any subsequent scanning rules in the at least one rule hierarchy against the target remote computing device.
  - 4. The method of claim 1, wherein the at least one rule hierarchy is marked as Inclusive, and wherein the method further comprises:
    - if a higher priority scanning rule in the at least one rule hierarchy does not execute successfully against the target remote computing device, then not executing any subsequent scanning rules in the at least one rule hierarchy against the target remote computing device.
  - 5. The method of claim 1, wherein the ontologies comprise forests of rules including a Common Vulnerabilities and Exposures (CVE) forest, a Common Weakness Enumeration (CWE) forest, and a Generic forest, each of the forests including at least one rule hierarchy comprising a tree of scanning rules enumerated as a set of branches.
  - 6. The method of claim 1, wherein the order of executing the vulnerability or weakness scanning rules is based at least in part on confidence levels designating the respective reliability of each of the vulnerability or weakness scanning rules.
  - 7. The method of claim 1, wherein the order of executing the vulnerability or weakness scanning rules is based at least in part on confidence levels that cause credentialed scans to be executed before remote scans.
  - 8. The method of claim 1, wherein a host agent executes the scanning rule locally on the target remote computing device.
  - 9. The method of claim 1, wherein the target remote computing device is remotely scanned by a Device Profiler to execute the scanning rules.
  - 10. The method of claim 1, wherein the scanning rules comprise vulnerability scanning rules and weakness scanning rules.

11. An apparatus for analyzing vulnerabilities in a networked environment, the system comprising:
- one or more processors;
  
  memory;
  
  a network interface coupled to the one or more processors and configured to scan one or more computers accessible using the network interface; and
  
  one or more non-transitory computer-readable storage media storing computer-readable instructions that, when executed by the one or more processors, cause the one or more processors to perform a method of scanning the one or more remote computers according to a scanning rule hierarchy comprising a plurality of scanning rules, the instructions comprising;
  
  instructions to attempt to execute two or more branches of the vulnerability scanning rule hierarchy against the one or more remote computers, each of the branches comprising a portion of the vulnerability scanning rules ordered based at least in part on assigned priorities, producing at least one vulnerability scanning rule execution result,instructions to, based on the at least one vulnerability scanning rule execution result, determine that an attempt to execute at least one vulnerability scanning rule associated with the at least one vulnerability scanning rule execution result against the one or more remote computers was unsuccessful, andinstructions to, based on the determination, not execute a respective portion of vulnerability scanning rules in one or more branches of the vulnerability scanning rule hierarchy, having a lower assigned priority than the at least one vulnerability scanning rule associated with the at least one vulnerability scanning rule execution result, against the one or more remote computers.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The apparatus of claim 11, wherein the computer-readable instructions further comprise:
    - instructions to, after executing the instructions to not execute the vulnerability scanning rules, attempt to execute a second one of the vulnerability scanning rules in a different branch of the vulnerability scanning rule hierarchy than the two or more branches against the one or more remote computers.
  - 13. The apparatus of claim 11, wherein the vulnerability scanning rule hierarchy is marked as Restrictive, and wherein the computer-readable instructions further comprise:
    - instructions to, if an attempt to execute a higher priority vulnerability scanning rule in the vulnerability scanning rule hierarchy against the one or more remote computers is successful, then not attempt to execute any subsequent vulnerability scanning rules in the scanning rule hierarchy against the one or more remote computers.
  - 14. The apparatus of claim 11, wherein the vulnerability scanning rule hierarchy is marked as Inclusive, and wherein the computer-readable instructions further comprise:
    - if an attempt to execute a higher priority vulnerability scanning rule in the scanning rule hierarchy against the one or more remote computers is not successful, then not attempt to execute any subsequent vulnerability scanning rules in the vulnerability scanning rule hierarchy against the one or more remote computers.
  - 15. The apparatus of claim 11, wherein the order of executing the vulnerability scanning rules is based at least in part on confidence levels designating the respective reliability of each of the vulnerability scanning rules.
  - 16. The apparatus of claim 11, wherein the order of executing the vulnerability scanning rules is based at least in part on confidence levels that cause credentialed scans to be executed before remote scans.

17. One or more computer-readable storage media storing computer-readable instructions that, when executed by a computer, cause the computer to perform a method of scanning one or more target remote computers according to a rule hierarchy comprising a plurality of vulnerability or weakness scanning rules, the instructions comprising:
- instructions to attempt to execute a first one of the vulnerability or weakness scanning rules to scan the one or more target remote computers using the network interface in an order based at least in part on priorities assigned according to the rule hierarchy comprising the plurality of the vulnerability or weakness scanning rules, producing at least one scan result,instructions to, based on the at least one scan result, determine that the attempt to execute the first one of the vulnerability or weakness scanning rules was unsuccessful, andinstructions to, based on the determination, not execute a vulnerability or weakness scanning rule in the rule hierarchy having a different assigned priority than the first vulnerability or weakness scanning rule against the one or more target remote computers.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 18. The computer-readable storage media of claim 17,wherein the instructions further comprise, after the not executing the vulnerability or weakness scanning rule, attempting to execute a second one of the vulnerability or weakness scanning rules in a different rule hierarchy than the first vulnerability or weakness scanning rule against the one or more target remote computers.
  - 19. The computer-readable storage media of claim 17, wherein the rule hierarchy is marked as Restrictive, and wherein the instructions further comprise:
    - if a higher priority vulnerability or weakness scanning rule in the at least one rule hierarchy executes successfully against the one or more target remote computers, then not executing any subsequent vulnerability or weakness scanning rules in the rule hierarchy against the one or more target remote computers.
  - 20. The computer-readable storage media of claim 17, wherein the rule hierarchy is marked as Inclusive, and wherein the instructions further comprise:
    - if a higher priority vulnerability or weakness scanning rule in the at least one rule hierarchy does not execute successfully against the one or more target remote computers, then not executing any subsequent vulnerability or weakness scanning rules in the rule hierarchy against the one or more target remote computers.
  - 21. The computer-readable storage media of claim 17, wherein the ontologies comprise forests of rules including a Common Vulnerabilities and Exposures (CVE) forest, a Common Weakness Enumeration (CWE) forest, and a Generic forest, each of the forests including at least one rule hierarchy comprising a tree of scanning rules enumerated as a set of branches.
  - 22. The computer-readable storage media of claim 17, wherein the order of executing the scanning rules is based at least in part on confidence levels designating the respective reliability of each of the scanning rules.
  - 23. The computer-readable storage media of claim 17, wherein the order of executing the scanning rules is based at least in part on confidence levels that cause credentialed scans to be executed before remote scans.
  - 24. The computer-readable storage media of claim 17, wherein a host agent executes the vulnerability or weakness scanning rules locally on the one or more target remote computers.
  - 25. The computer-readable storage media of claim 17, wherein the one or more target remote computers are remotely scanned by a Device Profiler to execute the scanning rules.
  - 26. The computer-readable storage media of claim 17, wherein the scanning rules comprise vulnerability scanning rules and weakness scanning rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tripwire Incorporated (Belden Inc.)
Original Assignee
Tripwire Incorporated (Belden Inc.)
Inventors
Reguly, Tyler, Pawlukowsky, Chris, Condren, Matthew Jonathan
Primary Examiner(s)
Le, David

Application Number

US14/165,410
Time in Patent Office

1,786 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Dynamic vulnerability correlation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic vulnerability correlation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links