Systems and methods for evaluating security software configurations

US 10,318,742 B1
Filed: 11/28/2016
Issued: 06/11/2019
Est. Priority Date: 11/28/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for evaluating security software configurations, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying, within a software security system, a live configuration comprising active configuration settings applied by the software security system when protecting a computing system against abnormal activity;

establishing, for the software security system, a test configuration comprising at least one configuration setting that is different from the live configuration;

recording a live result of the software security system performing, using the live configuration, a protective action that protects the computing system against abnormal activity;

generating an alternate result of the protective action by performing the protective action on the computing system using the test configuration instead of the live configuration and without applying changes resulting from the protective action to the computing system; and

performing a security action based on the live result of the protective action and the alternate result of the protective action, wherein performing the security action comprises providing the live result of the protective action and the alternate result of the protective action to a backend system that;

associates the live result and the alternate result with metadata about the computing system in a database;

enables client software security systems to search the database based on metadata about computing systems protected by the software security systems to find a suggested configuration for the client software security system; and

provides, by a user interface of the client software security system, a result of the search to an administrator of the client software security system.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for evaluating security software configurations may include (1) identifying, within a software security system, a live configuration that includes active configuration settings applied by the software security system when protecting a computing system, (2) establishing a test configuration that includes at least one configuration setting that is different from the live configuration, (3) recording a live result of the software security system performing a protective action using the live configuration, (4) generating an alternate result of the protective action by performing the protective action using the test configuration instead of the live configuration and without applying changes resulting from the protective action to the computing system, and (5) performing a security action based on the live result of the protective action and the alternate result of the protective action. Various other methods, systems, and computer-readable media are also disclosed.

14 Citations

View as Search Results

16 Claims

1. A computer-implemented method for evaluating security software configurations, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying, within a software security system, a live configuration comprising active configuration settings applied by the software security system when protecting a computing system against abnormal activity;
  
  establishing, for the software security system, a test configuration comprising at least one configuration setting that is different from the live configuration;
  
  recording a live result of the software security system performing, using the live configuration, a protective action that protects the computing system against abnormal activity;
  
  generating an alternate result of the protective action by performing the protective action on the computing system using the test configuration instead of the live configuration and without applying changes resulting from the protective action to the computing system; and
  
  performing a security action based on the live result of the protective action and the alternate result of the protective action, wherein performing the security action comprises providing the live result of the protective action and the alternate result of the protective action to a backend system that;
  
  associates the live result and the alternate result with metadata about the computing system in a database;
  
  enables client software security systems to search the database based on metadata about computing systems protected by the software security systems to find a suggested configuration for the client software security system; and
  
  provides, by a user interface of the client software security system, a result of the search to an administrator of the client software security system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein recording the live result comprises recording, while the software security system performs the protective action, at least one of:
    - a percentage of processor cycles consumed by the software security system;
      
      a percentage of a file system of the computing system scanned by the software security system as part of performing the protective action;
      
      a length of time taken to perform the protective action;
      
      a number of security incidents observed by the software security system;
      
      an estimated false positive rate of security incidents of security incidents observed by the software security system;
      
      an estimated false negative rate of security incidents observed by the software security system; and
      
      a percentage of input/output operations directed to the computing system that were scanned by the software security system as part of performing the protective action.
  - 3. The method of claim 1, wherein generating the alternate result comprises performing the protective action on the computing system using the test configuration simultaneously with performing the protective action using the live configuration.
  - 4. The method of claim 1, wherein:
    - the computing device comprises a server that manages configuration settings for software security systems on a plurality of endpoint devices; and
      
      performing the security action further comprises configuring each software security system on each endpoint device.
  - 5. The method of claim 1, wherein:
    - the computing device comprises a network gateway device that inspects digital files being passed to an endpoint device by the network gateway device; and
      
      performing protective action on the endpoint device comprises performing the protective action on the digital files at the network gateway device before the digital files are passed to the endpoint device.
  - 6. The method of claim 1, further comprising repeating recording the live result and generating the alternate result at a subsequent point in time based on at least one of:
    - a predetermined period of time elapsing;
      
      a change in the computing system;
      
      the software security system receiving a software update; and
      
      a change in the live configuration of the software security system.
  - 7. The method of claim 1, wherein performing the security action further comprises causing the software security system to replace the live configuration with the test configuration based on a comparison of the live result and the alternate result.
  - 8. The method of claim 1, wherein the configuration settings used by the software security system comprise a scan sensitivity setting that describes a ruleset used by the software security system as part of determining whether a file or link is malicious.
  - 9. The method of claim 1, wherein performing the security action further comprises providing a result of a comparison between the live result and the alternate result to an administrator of the software security system via a graphical user interface.

10. A system for evaluating security software configurations, the system comprising:
- an identification module, stored in memory, that identifies, within a software security system, a live configuration comprising active configuration settings applied by the software security system when protecting a computing system against abnormal activity;
  
  an establishing module, stored in memory, that establishes, for the software security system, a test configuration comprising at least one configuration setting that is different from the live configuration;
  
  a recording module, stored in memory, that records a live result of the software security system performing, using the live configuration, a protective action that protects the computing system against abnormal activity;
  
  a generation module, stored in memory, that generates an alternate result of the protective action by performing the protective action on the computing system using the test configuration instead of the live configuration and without applying changes resulting from the protective action to the computing system;
  
  a security module, stored in memory, that performs a security action based on the live result of the protective action and the alternate result of the protective action, wherein performing the security action comprises providing the live result of the protective action and the alternate result of the protective action to a backend system that;
  
  associates the live result and the alternate result with metadata about the computing system in a database;
  
  enables client software security systems to search the database based on metadata about computing systems protected by the software security systems to find a suggested configuration for the client software security system; and
  
  provides, by a user interface of the client software security system, a result of the search to an administrator of the client software security system; and
  
  at least one physical processor configured to execute the identification module, the establishing module, the recording module, the generation module, and the security module.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the recording module records a live result at least in part by recording, while the software security system performs the protective action, at least one of:
    - a percentage of processor cycles consumed by the software security system;
      
      a percentage of the file system of the computing system scanned by the software security system as part of performing the protective action;
      
      a length of time taken to perform the protective action;
      
      the number of security incidents observed by the software security system;
      
      an estimated false positive rate of security incidents of security incidents observed by the software security system;
      
      an estimated false negative rate of security incidents observed by the software security system; and
      
      a percentage of input/output operations directed to the computing system that were scanned by the software security system as part of performing the protective action.
  - 12. The system of claim 10, wherein the generation module generates the alternate result by performing the protective action on the computing system using the test configuration simultaneously with performing the protective action using the live configuration.
  - 13. The system of claim 10:
    - further comprising a server that manages configuration settings for software security systems on a plurality of endpoint devices; and
      
      wherein the security module performs the security action at least in part by configuring each software security system on each endpoint device.
  - 14. The system of claim 10:
    - further comprising a network gateway device, comprising a gateway memory, that inspects digital files being passed to an endpoint device by the network gateway device; and
      
      wherein the software security system performs the protective action on the endpoint device by performing the protective action on the digital files at the network gateway device before the digital files are passed to the endpoint device.
  - 15. The system of claim 10, the recording module repeats recording the live result and the generation module repeats generating the alternate result at a subsequent point in time based on at least one of:
    - a predetermined period of time elapsing;
      
      a change in the computing system;
      
      the software security system receiving a software update; and
      
      a change in the live configuration of the software security system.

16. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify, within a software security system, a live configuration comprising active configuration settings applied by the software security system when protecting a computing system against abnormal activity;
  
  establish, for the software security system, a test configuration comprising at least one configuration setting that is different from the live configuration;
  
  record a live result of the software security system performing, using the live configuration, a protective action that protects the computing system against abnormal activity;
  
  generate an alternate result of the protective action by performing the protective action on the computing system using the test configuration instead of the live configuration and without applying changes resulting from the protective action to the computing system; and
  
  perform a security action based on the live result of the protective action and the alternate result of the protective action, wherein performing the security action comprises providing the live result of the protective action and the alternate result of the protective action to a backend system that;
  
  associates the live result and the alternate result with metadata about the computing system in a database;
  
  enables client software security systems to search the database based on metadata about computing systems protected by the software security systems to find a suggested configuration for the client software security system; and
  
  provides, by a user interface of the client software security system, a result of the search to an administrator of the client software security system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sankruthi, Anand
Primary Examiner(s)
Cribbs, Malcolm

Application Number

US15/362,169
Time in Patent Office

925 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

G06F 2221/033 Test or assess software

Systems and methods for evaluating security software configurations

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for evaluating security software configurations

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links