Advanced asset tracking and correlation
Abstract
A security management system may be remotely deployed (e.g., using a cloud-based architecture) to add security to an enterprise network. For example, the security management system may scan assets within the enterprise network for vulnerabilities and may receive data chunks from these scans. The security management system may also receive data chunks from other sources, and, as a result, the system may handle data chunks having many different formats and attributes. When the security management system tries to associate data chunks to assets, there may not be a globally unique identifier that is applicable for all received data chunks. Provided in the present disclosure are exemplary techniques for tracking assets across a network using an asset correlation engine that can flexibly match data chunks to assets based on the attribute or attributes that are available within the data chunks.
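An added illustration, not code from the patent: one way the steps recited in the claims (exclusionary rules, attribute weights, a partial match against the asset database) could fit together. The attribute names, weights, excluded ranges, the 0.5 threshold and the sample records are all assumptions.

```python
import ipaddress

# Assumed correlation metric: attribute names, weights and rules are illustrative.
WEIGHTS = {"agent_id": 1.0, "instance_id": 0.9, "netbios_name": 0.6,
           "dns_name": 0.5, "ip_address": 0.3}
EXCLUDED_VALUES = {"dns_name": {"localhost"}}                  # single-value rules
EXCLUDED_RANGES = {"ip_address": [ipaddress.ip_network("169.254.0.0/16"),
                                  ipaddress.ip_network("127.0.0.0/8")]}  # range rules
MATCH_THRESHOLD = 0.5  # assumed cut-off for an "at least partial" match

def is_excludable(attr, value):
    if str(value).lower() in EXCLUDED_VALUES.get(attr, ()):
        return True
    if attr not in EXCLUDED_RANGES:
        return False
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return True  # unparseable address: never let it drive a match
    return any(addr in net for net in EXCLUDED_RANGES[attr])

def target_asset_info(chunk):
    """Known, non-excluded attributes as {attr: (normalised value, weight)}."""
    return {a: (str(v).lower(), WEIGHTS[a]) for a, v in chunk.items()
            if a in WEIGHTS and not is_excludable(a, v)}

def correlate(chunk, asset_db):
    """Return (asset_id, score) for the best entry, or (None, score) below threshold."""
    info = target_asset_info(chunk)
    total = sum(w for _, w in info.values())
    best_id, best = None, 0.0
    for asset_id, entry in asset_db.items():
        hit = sum(w for a, (v, w) in info.items() if str(entry.get(a, "")).lower() == v)
        score = hit / total if total else 0.0
        if score > best:
            best_id, best = asset_id, score
    return (best_id, best) if best >= MATCH_THRESHOLD else (None, best)

# Constructed sample data (not from the patent).
ASSET_DB = {
    "a-1": {"netbios_name": "FIN-LT-07", "dns_name": "fin-lt-07.corp.example", "ip_address": "10.0.4.23"},
    "a-2": {"netbios_name": "HR-WS-02", "dns_name": "hr-ws-02.corp.example", "ip_address": "169.254.10.5"},
}
SCAN_CHUNK = {"netbios_name": "fin-lt-07", "dns_name": "localhost", "ip_address": "169.254.10.5"}
DHCP_CHUNK = {"netbios_name": "FIN-LT-07", "dns_name": "fin-lt-07.corp.example", "ip_address": "10.0.4.77"}

if __name__ == "__main__":
    print(correlate(SCAN_CHUNK, ASSET_DB))
    print(correlate(DHCP_CHUNK, ASSET_DB))
```

In the first sample the link-local address also recorded on `a-2` is excluded, so only the NetBIOS name contributes and the chunk is associated with `a-1`; in the second, a changed DHCP address lowers the score but the chunk still matches `a-1` partially.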
17 Claims
1. A system for identifying target assets, the system comprising:
an asset correlation engine executable by one or more computing device processors and in communication with an asset database, wherein the asset database is operable to store asset entries, wherein at least one asset entry in the asset database is associated with an asset, and wherein the asset correlation engine is operable to:
access a correlation metric, the correlation metric comprising:
attributes, wherein at least one attribute is associated with a particular attribute weight, and exclusionary rules associated with the attributes, wherein the exclusionary rules are based on a single attribute value or a range of attribute values;
receive a data chunk associated with a target asset of a network, wherein the target asset comprises at least one of a desktop workstation, a server, a laptop, a tablet, a mobile phone, an application, a virtual machine, and a computing device;
parse the data chunk to identify an attribute associated with the data chunk, wherein the attribute comprises at least one of an IP address attribute, a DNS name attribute, a network attribute, an operating system attribute, a NetBIOS name attribute, an agent identification, a software attribute, a hardware attribute, and an instance identification;
determine, based on accessing the exclusionary rules associated with the attributes, whether the attribute is excludable;
in response to determining the attribute is not excludable, determining, based on accessing the correlation metric, an attribute weight associated with the attribute;
generate, based on the attribute weight associated with the attribute, target asset information, wherein a second attribute excluded by the exclusionary rules is not used in generating the target asset information;
determine, based on the target asset information, whether the data chunk matches an asset entry in the asset database; and
in response to determining the data chunk at least partially matches the asset entry in the asset database, associate the data chunk with the asset entry in the asset database.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A method for identifying target assets, the method comprising:
accessing, using one or more computing device processors, a correlation metric, the correlation metric comprising:
attributes, wherein at least one attribute is associated with a particular attribute weight, and exclusionary rules associated with the attributes, wherein the exclusionary rules are based on a single attribute value or a range of attribute values;
receiving, using the one or more computing device processors, a data chunk associated with a target asset of a network, wherein the target asset comprises at least one of a desktop workstation, a server, a laptop, a tablet, a mobile phone, a virtual machine, and a computing device;
parsing, using the one or more computing device processors, the data chunk to identify an attribute associated with the data chunk, wherein the attribute comprises at least one of an IP address attribute, a DNS name attribute, a network attribute, an operating system attribute, a NetBIOS name attribute, an agent identification, a software attribute, a hardware attribute, and an instance identification;
determining, using the one or more computing device processors, based on accessing the exclusionary rules associated with the attributes, whether the attribute is excludable;
in response to determining the attribute is not excludable, determining, using the one or more computing device processors, based on accessing the correlation metric, an attribute weight associated with the attribute;
generating, using the one or more computing device processors, based on the attribute weight associated with the attribute, target asset information, wherein a second attribute that is excluded by the exclusionary rules is not used in generating the target asset information;
determining, using the one or more computing device processors, based on the target asset information, whether the data chunk matches an asset entry in an asset database, wherein the asset database is operable to store asset entries, wherein at least one asset entry in the asset database is associated with an asset; and
in response to determining the data chunk at least partially matches the asset entry in the asset database, associating, using the one or more computing device processors, the data chunk with the asset entry in the asset database.
Dependent claims: 11, 12, 13, 14, 15, 16
17. A method for identifying target assets, the method comprising:
accessing, using one or more computing device processors, a correlation metric, the correlation metric comprising:
attributes, wherein each attribute of the attributes is associated with a particular attribute weight, and exclusionary rules associated with the attributes, wherein the exclusionary rules are based on a single attribute value or a range of attribute values;
receiving a data chunk associated with a target asset of a network, wherein the target asset comprises at least one of a desktop workstation, a server, a laptop, a tablet, a mobile phone, a virtual machine, and a computing device;
parsing the data chunk to identify an attribute associated with the data chunk, wherein the attribute associated with the data chunk comprises at least one of an IP address attribute, a DNS name attribute, a network attribute, an operating system attribute, a NetBIOS name attribute, an agent identification, a software attribute, a hardware attribute, and an instance identification;
determining, using the one or more computing device processors, based on accessing the correlation metric, an attribute weight associated with the attribute associated with the data chunk;
generating, using the one or more computing device processors, based on the attribute weight associated with the attribute associated with the data chunk, a digital fingerprint for the target asset;
determining, using the one or more computing device processors, based on the digital fingerprint for the target asset, whether the data chunk matches an asset entry in an asset database, wherein the asset database is operable to store asset entries, wherein at least one asset entry in the asset database is associated with an asset; and
in response to determining the data chunk at least partially matches the asset entry in the asset database, associating, using the one or more computing device processors, the data chunk with the asset entry in the asset database.
Specification