Distributed security agent technology
First Claim
1. A method of dynamic vulnerability detection using definitions specified at least in part in an Open Vulnerability and Assessment Language (OVAL), the method comprising:
with an agent executing on a computing device;
receiving, by the agent, a criterion for evaluating the computing device, the criterion being specified in an OVAL and comprising an object test for testing an object of the computing device for a vulnerability, wherein the object test describes a state of the object of the computing device to be tested;
by the agent, conducting a first evaluation of the criterion specified in the OVAL, comprising performing the object test of the criterion on the computing device, and retrieving a first state value of the object tested by the object test;
determining, by the agent, based on a result of the first evaluation of the criterion, that the computing device satisfies the criterion;
storing the first state value as an expected state value for the object, wherein the first state value is stored on the computing device separate from the object test;
after storing the first state value, by the agent, conducting a second evaluation of the criterion, comprising performing the object test of the criterion on the computing device and retrieving a second state value of the object tested by the object test;
determining, by the agent, based on a result of the second evaluation of the criterion, that the computing device satisfies the criterion;
identifying, by the agent, one or more differences between the stored expected state value and the second state value; and
transmitting the identified one or more differences, along with a flag indicating that the identified one or more differences represent a potential vulnerability in the computing device, from the computing device to a monitor server.
Abstract
Apparatus and methods are disclosed for identifying differences in objects of a computing device using definitions expressed in vulnerability assessment languages such as Open Vulnerability and Assessment Language (OVAL). In one example of the disclosed technology, a method includes receiving criteria for evaluating the computing device using an agent. The criteria specify object tests used to generate associated state values based on states or status of the tested objects. The criteria are evaluated and first state values generated by performing the object tests are stored as expected values for object tests. The criteria are then evaluated by re-performing the object tests, and second state values thereby generated are compared to the first state values. One or more differences between the first and second state values can be identified and reported to, for example, a monitor server.
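A runnable sketch of the baseline-then-compare loop the abstract describes, added here as an illustration and not code from the patent or its assignee. The OVAL object test is reduced to a single "file is not world-writable" check on a constructed temporary file; the test id, the report fields and the flag strings are assumed.

```python
# Constructed example (not the patent's code): an agent evaluates a simplified OVAL-style
# file test, stores the first observed state as expected, then reports drift on re-evaluation.
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ObjectTest:
    """Stand-in for an OVAL file_test; the assumed state is 'file is not world-writable'."""
    test_id: str
    path: str

def collect_state(path: str) -> dict:
    st = os.stat(path)  # state value of the object: mode bits, size and content hash
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"mode": st.st_mode & 0o777, "size": st.st_size, "sha256": digest}

@dataclass
class Agent:
    baseline: dict = field(default_factory=dict)  # expected values, kept apart from the tests

    def evaluate(self, test: ObjectTest) -> dict:
        state = collect_state(test.path)
        report = {"test_id": test.test_id, "satisfied": (state["mode"] & 0o002) == 0}
        if not report["satisfied"]:
            report["flag"] = "criterion_failed"  # the ordinary OVAL finding
            return report
        expected = self.baseline.get(test.test_id)
        if expected is None:  # first evaluation: keep the state as the expected value
            self.baseline[test.test_id] = state
            report["flag"] = "baseline_stored"
            return report
        diffs = {k: (expected[k], state[k]) for k in state if expected[k] != state[k]}
        report["differences"] = diffs  # what the agent would send to the monitor server
        report["flag"] = "potential_vulnerability" if diffs else "unchanged"
        return report

def demo() -> tuple:
    with tempfile.NamedTemporaryFile(delete=False) as tmp:  # constructed sample object
        tmp.write(b"PermitRootLogin no\n")
    os.chmod(tmp.name, 0o644)
    agent, test = Agent(), ObjectTest("oval:example:tst:1", tmp.name)
    first = agent.evaluate(test)
    with open(tmp.name, "wb") as fh:
        fh.write(b"PermitRootLogin yes\n")  # content drifts; the mode does not
    second = agent.evaluate(test)
    os.unlink(tmp.name)
    return first, second
```

The second report is the case the claims single out: the criterion still passes, yet the content hash and size differ from the stored expected state, so the agent flags the change rather than staying silent.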
26 Claims
12. A computing device, comprising:
one or more processors; and
one or more computer-readable storage media storing computer-executable instructions that, when executed by the one or more processors, cause the computing device to perform operations, the operations comprising:
receiving a criterion for evaluating the computing device, the criterion being specified in an Open Vulnerability and Assessment Language (OVAL) and comprising an object test for testing an object of the computing device for a vulnerability, wherein the object test describes a state of the object of the computing device to be tested;
conducting a first evaluation of the criterion specified in the OVAL, comprising performing the object test of the criterion on the computing device and retrieving a first state value of the object tested by the object test;
determining that the computing device satisfies the object test;
storing the first state value on the computing device separate from the object test;
after storing the first state value, conducting a second evaluation of the criterion, comprising performing the object test of the criterion on the computing device and retrieving a second state value of the object tested by the object test;
determining that the computing device still satisfies the criterion, but that there are one or more differences between the stored first state value and the second state value of the object; and
transmitting the differences between the stored first state value and the second state value of the object, along with a flag indicating that the differences represent a potential vulnerability in the computing device, from the computing device to a monitor server.
Dependent claims: 13 to 21.

22. A system comprising a computing server comprising one or more hardware processors, one or more network interfaces, and one or more computer-readable storage media storing computer-executable instructions that, when executed by the one or more hardware processors, cause the computing server to perform operations, the operations comprising:
receiving, via the one or more network interfaces, a criterion for evaluating the computing server, the criterion being specified in an Open Vulnerability and Assessment Language (OVAL) and comprising an object test for testing an object of the computing server for a vulnerability, wherein the object test describes a state of the object of a computing device to be tested;
conducting, using the one or more hardware processors, a first evaluation of the criterion specified in the OVAL and generating first state values by performing the object test of the criterion on the computing server, and retrieving a first state value of the object tested by the object test;
determining, using the one or more hardware processors, based on a result of the first evaluation of the criterion, that the computing device satisfies the object test;
storing, using the one or more hardware processors, the first state value as an expected state value for the object, wherein the first state value is stored on the computing device separate from the object test;
after storing the first state value, conducting, using the one or more hardware processors, a second evaluation of the criterion by performing the object test of the criterion on the computing server, and retrieving a second state value of the object tested by the object test;
determining, using the one or more hardware processors, based on a result of the second evaluation of the criterion, that the computing device satisfies the object test;
identifying, using the one or more hardware processors, one or more differences between the stored first state value and the second state value of the object; and
transmitting, via the one or more network interfaces, the identified one or more differences, along with a flag indicating that the identified one or more differences represent a potential vulnerability in the computing server, from the computing server to a monitor server.
Dependent claims: 23 to 26.