Advanced asset tracking and correlation

US 10,523,713 B2
Filed: 07/09/2018
Issued: 12/31/2019
Est. Priority Date: 02/17/2015
Status: Active Grant

First Claim

Patent Images

1. A system for identifying target assets, the system comprising:

an asset correlation engine executable by one or more computing device processors and in communication with an asset database,wherein the asset database is operable to store asset entries, wherein at least one asset entry in the asset database is associated with an asset, andwherein the asset correlation engine is operable to;

access a correlation metric, the correlation metric comprising;

attributes, wherein at least one attribute is associated with a particular attribute weight, andexclusionary rules associated with the attributes, wherein the exclusionary rules are based on a single attribute value or a range of attribute values;

receive a data chunk associated with a target asset of a network, wherein the target asset comprises at least one of a desktop workstation, a server, a laptop, a tablet, a mobile phone, an application, a virtual machine, and a computing device;

parse the data chunk to identify an attribute associated with the data chunk, wherein the attribute comprises at least one of an IP address attribute, a DNS name attribute, a network attribute, an operating system attribute, a NetBIOS name attribute, an agent identification, a software attribute, a hardware attribute, and an instance identification;

determine, based on accessing the exclusionary rules associated with the attributes, whether the attribute is excludable;

in response to determining the attribute is not excludable, determining, based on accessing the correlation metric, an attribute weight associated with the attribute;

generate, based on the attribute weight associated with the attribute, target asset information, wherein a second attribute excluded by the exclusionary rules is not used in generating the target asset information;

determine, based on the target asset information, whether the data chunk matches an asset entry in the asset database; and

in response to determining the data chunk at least partially matches the asset entry in the asset database, associate the data chunk with the asset entry in the asset database.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security management system may be remotely deployed (e.g., using a cloud-based architecture) to add security to an enterprise network. For example, the security management system may scan assets within the enterprise network for vulnerabilities and may receive data chunks from these scans. The security management system may also receive data chunks from other sources, and, as a result, the system may handle data chunks having many different formats and attributes. When the security management system tries to associate data chunks to assets, there may not be a globally unique identifier that is applicable for all received data chunks. Provided in the present disclosure are exemplary techniques for tracking assets across a network using an asset correlation engine that can flexibly match data chunks to assets based on the attribute or attributes that are available within the data chunks.

Citations

17 Claims

1. A system for identifying target assets, the system comprising:
- an asset correlation engine executable by one or more computing device processors and in communication with an asset database,wherein the asset database is operable to store asset entries, wherein at least one asset entry in the asset database is associated with an asset, andwherein the asset correlation engine is operable to;
  
  access a correlation metric, the correlation metric comprising;
  
  attributes, wherein at least one attribute is associated with a particular attribute weight, andexclusionary rules associated with the attributes, wherein the exclusionary rules are based on a single attribute value or a range of attribute values;
  
  receive a data chunk associated with a target asset of a network, wherein the target asset comprises at least one of a desktop workstation, a server, a laptop, a tablet, a mobile phone, an application, a virtual machine, and a computing device;
  
  parse the data chunk to identify an attribute associated with the data chunk, wherein the attribute comprises at least one of an IP address attribute, a DNS name attribute, a network attribute, an operating system attribute, a NetBIOS name attribute, an agent identification, a software attribute, a hardware attribute, and an instance identification;
  
  determine, based on accessing the exclusionary rules associated with the attributes, whether the attribute is excludable;
  
  in response to determining the attribute is not excludable, determining, based on accessing the correlation metric, an attribute weight associated with the attribute;
  
  generate, based on the attribute weight associated with the attribute, target asset information, wherein a second attribute excluded by the exclusionary rules is not used in generating the target asset information;
  
  determine, based on the target asset information, whether the data chunk matches an asset entry in the asset database; and
  
  in response to determining the data chunk at least partially matches the asset entry in the asset database, associate the data chunk with the asset entry in the asset database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the attribute is at least one of a strongly correlated attribute, a moderately correlated attribute, and a loosely correlated attribute.
  - 3. The system of claim 2, wherein a first attribute weight of the strongly correlated attribute is greater than a second attribute weight of the moderately correlated attribute, or wherein the second attribute weight of the moderately correlated attribute is greater than a third attribute weight of the loosely correlated attribute.
  - 4. The system of claim 2, wherein a first attribute weight of the strongly correlated attribute is at least 1.5 to 40 times as large as a second attribute weight of the moderately correlated attribute, or wherein the second attribute weight of the moderately correlated attribute is at least 1.5 to 25 times as large as a third attribute weight of the loosely correlated attribute.
  - 5. The system of claim 1, wherein the target asset information is comprised in a digital fingerprint.
  - 6. The system of claim 1, wherein attribute weights for the attributes comprised in the correlation metric are generated using an iterative training process.
  - 7. The system of claim 6, wherein the iterative training process comprises iteratively testing candidate attribute weights for the attributes comprised in the correlation metric, and determining whether the candidate attribute weights lead to an expected matching result for mapping a test target asset with a test asset entry.
  - 8. The system of claim 1, wherein the asset correlation engine is further operable to receive the data chunk from an agent operable to scan the target asset.
  - 9. The system of claim 8, wherein the agent comprises or is a cloud agent.

10. A method for identifying target assets, the method comprising:
- accessing, using one or more computing device processors, a correlation metric, the correlation metric comprising;
  
  attributes, wherein at least one attribute is associated with a particular attribute weight, andexclusionary rules associated with the attributes, wherein the exclusionary rules are based on a single attribute value or a range of attribute values;
  
  receiving, using the one or more computing device processors, a data chunk associated with a target asset of a network, wherein the target asset comprises at least one of a desktop workstation, a server, a laptop, a tablet, a mobile phone, a virtual machine, and a computing device;
  
  parsing, using the one or more computing device processors, the data chunk to identify an attribute associated with the data chunk, wherein the attribute comprises at least one of an IP address attribute, a DNS name attribute, a network attribute, an operating system attribute, a NetBIOS name attribute, an agent identification, a software attribute, a hardware attribute, and an instance identification;
  
  determining, using the one or more computing device processors, based on accessing the exclusionary rules associated with the attributes, whether the attribute is excludable;
  
  in response to determining the attribute is not excludable, determining, using the one or more computing device processors, based on accessing the correlation metric, an attribute weight associated with the attribute;
  
  generating, using the one or more computing device processors, based on the attribute weight associated with the attribute, target asset information, wherein a second attribute that is excluded by the exclusionary rules is not used in generating the target asset information;
  
  determining, using the one or more computing device processors, based on the target asset information, whether the data chunk matches an asset entry in an asset database, wherein the asset database is operable to store asset entries, wherein at least one asset entry in the asset database is associated with an asset; and
  
  in response to determining the data chunk at least partially matches the asset entry in the asset database, associating, using the one or more computing device processors, the data chunk with the asset entry in the asset database.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, wherein the data chunk is received using an agent.
  - 12. The method of claim 11, wherein the agent is a cloud-based agent.
  - 13. The method of claim 12, wherein the target asset comprises an IP address.
  - 14. The method of claim 10, further comprising in response to determining the data chunk does not at least partially match the asset entry in the asset database, create a new asset entry in the asset database, and associate the data chunk with the new asset entry in the asset database.
  - 15. The method of claim 10, wherein determining, based on the target asset information, whether the data chunk matches the asset entry in the asset database, comprises scanning, based on the target asset information, the asset entries in the database and determining a list of potentially matching asset entries.
  - 16. The method of claim 10, wherein determining, based on the target asset information, whether the data chunk matches the asset entry in the asset database, comprises determining, based on the target asset information and using at least one fuzzy matching technique, whether the data chunk matches the asset entry in the asset database.

17. A method for identifying target assets, the method comprising:
- accessing, using one or more computing device processors, a correlation metric, the correlation metric comprising;
  
  attributes, wherein each attribute of the attributes is associated with a particular attribute weight, andexclusionary rules associated with the attributes, wherein the exclusionary rules are based on a single attribute value or a range of attribute values;
  
  receiving a data chunk associated with a target asset of a network, wherein the target asset comprises at least one of a desktop workstation, a server, a laptop, a tablet, a mobile phone, a virtual machine, and a computing device;
  
  parsing the data chunk to identify an attribute associated with the data chunk, wherein the attribute associated with the data chunk comprises at least one of an IP address attribute, a DNS name attribute, a network attribute, an operating system attribute, a NetBIOS name attribute, an agent identification, a software attribute, a hardware attribute, and an instance identification;
  
  determining, using the one or more computing device processors, based on accessing the correlation metric, an attribute weight associated with the attribute associated with the data chunk;
  
  generating, using the one or more computing device processors, based on the attribute weight associated with the attribute associated with the data chunk, a digital fingerprint for the target asset;
  
  determining, using the one or more computing device processors, based on the digital fingerprint for the target asset, whether the data chunk matches an asset entry in an asset database, wherein the asset database is operable to store asset entries, wherein at least one asset entry in the asset database is associated with an asset; and
  
  in response to determining the data chunk at least partially matches the asset entry in the asset database, associating, using the one or more computing device processors, the data chunk with the asset entry in the asset database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualys Incorporated
Original Assignee
Qualys Incorporated
Inventors
Molloy, Sean M., Wirges, Matthew L., Sonawane, Amol S.
Primary Examiner(s)
Pyzocha, Michael

Application Number

US16/030,719
Publication Number

US 20180324221A1
Time in Patent Office

540 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/245   Query processing

G06F 16/24578   using ranking

G06F 16/90335   Query processing

G06F 40/205   Parsing

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Advanced asset tracking and correlation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Advanced asset tracking and correlation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links