Distributed security agent technology

US 10,599,850 B1
Filed: 05/31/2013
Issued: 03/24/2020
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method of dynamic vulnerability detection using definitions specified at least in part in an Open Vulnerability and Assessment Language (OVAL), the method comprising:

with an agent executing on a computing device;

receiving, by the agent, a criterion for evaluating the computing device, the criterion being specified in an OVAL and comprising an object test for testing an object of the computing device for a vulnerability, wherein the object test describes a state of the object of the computing device to be tested;

by the agent, conducting a first evaluation of the criterion specified in the OVAL, comprising performing the object test of the criterion on the computing device, and retrieving a first state value of the object tested by the object test;

determining, by the agent, based on a result of the first evaluation of the criterion, that the computing device satisfies the criterion;

storing the first state value as an expected state value for the object, wherein the first state value is stored on the computing device separate from the object test;

after storing the first state value, by the agent, conducting a second evaluation of the criterion, comprising performing the object test of the criterion on the computing device and retrieving a second state value of the object tested by the object test;

determining, by the agent, based on a result of the second evaluation of the criterion, that the computing device satisfies the criterion;

identifying, by the agent, one or more differences between the stored expected state value and the second state value; and

transmitting the identified one or more differences, along with a flag indicating that the identified one or more differences represent a potential vulnerability in the computing device, from the computing device to a monitor server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods are disclosed for identifying differences in objects of a computing device using definitions expressed in vulnerability assessment languages such as Open Vulnerability and Assessment Language (OVAL). In one example of the disclosed technology, a method includes receiving criteria for evaluating the computing device using an agent. The criteria specify object tests used to generate associated state values based on states or status of the tested objects. The criteria are evaluated and first state values generated by performing the object tests are stored as expected values for object tests. The criteria are then evaluated by re-performing the object tests, and second state values thereby generated are compared to the first state values. One or more differences between the first and second state values can be identified and reported to, for example, a monitor server.

33 Citations

26 Claims

1. A method of dynamic vulnerability detection using definitions specified at least in part in an Open Vulnerability and Assessment Language (OVAL), the method comprising:
- with an agent executing on a computing device;
  
  receiving, by the agent, a criterion for evaluating the computing device, the criterion being specified in an OVAL and comprising an object test for testing an object of the computing device for a vulnerability, wherein the object test describes a state of the object of the computing device to be tested;
  
  by the agent, conducting a first evaluation of the criterion specified in the OVAL, comprising performing the object test of the criterion on the computing device, and retrieving a first state value of the object tested by the object test;
  
  determining, by the agent, based on a result of the first evaluation of the criterion, that the computing device satisfies the criterion;
  
  storing the first state value as an expected state value for the object, wherein the first state value is stored on the computing device separate from the object test;
  
  after storing the first state value, by the agent, conducting a second evaluation of the criterion, comprising performing the object test of the criterion on the computing device and retrieving a second state value of the object tested by the object test;
  
  determining, by the agent, based on a result of the second evaluation of the criterion, that the computing device satisfies the criterion;
  
  identifying, by the agent, one or more differences between the stored expected state value and the second state value; and
  
  transmitting the identified one or more differences, along with a flag indicating that the identified one or more differences represent a potential vulnerability in the computing device, from the computing device to a monitor server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising sending a report to the monitor server indicating whether the computing device satisfies the object test.
  - 3. The method of claim 1, wherein the storing comprises storing the expected value in an OVAL-formatted file.
  - 4. The method of claim 1, wherein the identifying comprises comparing the second state value to the stored expected state value for the object test.
  - 5. The method of claim 1, wherein:
    - the object test is a first object test; and
      
      the storing the first state value comprises storing a second object test specifying the first state value as an expected value for the second object tests.
  - 6. The method of claim 1, wherein:
    - the criterion is a first criterion; and
      
      the storing the first state values comprises storing a second criterion different than the first criterion, the second criterion being based at least in part on the first criterion.
  - 7. The method of claim 1, wherein the object test is one of the following:
    - file integrity monitoring, monitoring system characteristics, a compliance test, an inventory test, a patch test, or a vulnerability test.
  - 8. The method of claim 1, wherein the storing comprises saving the first state value on the computing device.
  - 9. The method of claim 1, wherein the criterion is specified at least in part using an Extensible Configuration Checklist Description Format (XCCDF) and/or an OVAL specification format.
  - 10. The method of claim 1, wherein the stored expected state value is specified as an object test using an Extensible Configuration Checklist Description Format (XCCDF) and/or an OVAL specification format.
  - 11. The method of claim 2, wherein the report is stored in an ETL data warehouse or data mart.

12. A computing device, comprising:
- one or more processors; and
  
  one or more computer-readable storage media storing computer-executable instructions that, when executed by the one or more processors, cause the computing device to perform operations, the operations comprising;
  
  receiving a criterion for evaluating the computing device, the criterion being specified in an Open Vulnerability and Assessment Language (OVAL) and comprising an object test for testing an object of the computing device for a vulnerability, wherein the object test describes a state of the object of the computing device to be tested;
  
  conducting a first evaluation of the criterion specified in the OVAL, comprising performing the object test of the criterion on the computing device and retrieving a first state value of the object tested by the object test;
  
  determining that the computing device satisfies the object test;
  
  storing the first state value on the computing device separate from the object test;
  
  after storing the first state value, conducting a second evaluation of the criterion, comprising performing the object test of the criterion on the computing device and retrieving a second state value of the object tested by the object test;
  
  determining that the computing device still satisfies the criterion, but that there are one or more differences between the stored first state value and the second state value of the object; and
  
  transmitting the differences between the stored first state value and the second state value of the object, along with a flag indicating that the differences represent a potential vulnerability in the computing device, from the computing device to a monitor server.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The computing device of claim 12, wherein the operations further comprise:
    - sending a report to the monitor server indicating whether the computing device satisfies the object test.
  - 14. The computing device of claim 12, wherein the storing comprises storing the expected value in an OVAL-formatted file.
  - 15. The computing device of claim 12, wherein the identifying comprises comparing the second state value to the stored first state value for the object test.
  - 16. The computing device of claim 12, wherein:
    - the criterion is a first criterion; and
      
      the storing the first state value comprises storing a second criterion, different than the first criterion.
  - 17. The computing device of claim 12, wherein the storing comprises saving the first state value on the one or more computer-readable storage media of the computing device.
  - 18. The computing device of claim 12, wherein the criterion is specified at least in part using an Extensible Configuration Checklist Description Format (XCCDF) and/or an OVAL specification format.
  - 19. The computing device of claim 12, wherein the stored expected state value is specified as an object test using an Extensible Configuration Checklist Description Format (XCCDF) and/or an OVAL specification format.
  - 20. The computing device of claim 12, wherein the operations further comprise:
    - evaluating one or more security criteria based, at least in part, on a result of the object test, each of the one or more security criteria indicating a level of compliance or vulnerability of the computing device according to a security policy.
  - 21. The computing device of claim 12, wherein conducting the first evaluation of the criterion comprises analyzing the integrity of one or more files stored on one or more computer-readable storage media of the computing device.

22. A system comprising a computing server comprising one or more hardware processors, one or more network interfaces, and one or more computer-readable storage media storing computer-executable instructions that, when executed by the one or more hardware processors, cause the computing server to perform operations, the operations comprising:
- receiving, via the one or more network interfaces, a criterion for evaluating the computing server, the criterion being specified in an Open Vulnerability and Assessment Language (OVAL) and comprising an object test for testing an object of the computing server for a vulnerability, wherein the object test describes a state of the object of a computing device to be tested;
  
  conducting, using the one or more hardware processors, a first evaluation of the criterion specified in the OVAL and generating first state values by performing the object test of the criterion on the computing server, and retrieving a first state value of the object tested by the object test;
  
  determining, using the one or more hardware processors, based on a result of the first evaluation of the criterion, that the computing device satisfies the object test;
  
  storing, using the one or more hardware processors, the first state value as an expected state value for the object, wherein the first state value is stored on the computing device separate from the object test;
  
  after storing the first state value, conducting, using the one or more hardware processors, a second evaluation of the criterion by performing the object test of the criterion on the computing server, and retrieving a second state value of the object tested by the object test;
  
  determining, using the one or more hardware processors, based on a result of the second evaluation of the criterion, that the computing device satisfies the object test;
  
  identifying, using the one or more hardware processors, one or more differences between the stored first state value and the second state value of the object; and
  
  transmitting, via the one or more network interfaces, the identified one or more differences, along with a flag indicating that the identified one or more differences represent a potential vulnerability in the computing server, from the computing server to a monitor server.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The system of claim 22, wherein the operations further comprise:
    - transmitting, via the one or more network interfaces, a report to the monitor server indicating whether the computing server satisfies the object test.
  - 24. The system of claim 22, wherein the storing the first state values as the expected state value for the object comprises storing the expected state value in an OVAL-formatted file.
  - 25. The system of claim 22, wherein the criterion comprises a security policy and the identified one or more differences indicate a change to the security policy.
  - 26. The system of claim 22, further comprising the monitor server, wherein the monitor server is configured to transmit the criterion to the computing server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tripwire Incorporated (Belden Inc.)
Original Assignee
Tripwire Incorporated (Belden Inc.)
Inventors
Loihl, Robert, Huffman, Robert
Primary Examiner(s)
Parsons, Theodore C
Assistant Examiner(s)
Ho, Thomas

Application Number

US13/907,600
Time in Patent Office

2,489 Days
Field of Search

726 25, 726 1
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

Distributed security agent technology

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed security agent technology

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links