Security level information offering method and system

US 20030140249A1
Filed: 03/07/2002
Published: 07/24/2003
Est. Priority Date: 01/18/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for offering security level comprising the steps of:

(a) specifying, based on configuration information on a specific equipment, a vulnerability of said equipment, and associating information of the vulnerability with said equipment, said information of the vulnerability including a threat level value of the vulnerability;

(b) computing a security level value of the vulnerability of the specific equipment based on the type of this equipment, the threat level value of the vulnerability for which no modification has been taken regarding this equipment, and the number of days while the vulnerability has been left without any modification taken for the vulnerability; and

(c) outputting security level information based on the security level value obtained in said step (b).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system of security information processed such that it can be understood by a person with insufficient knowledge about security technologies is provided. The system comprises a vulnerability information storing unit for storing at least threat level values of vulnerabilities of a computer system to be monitored; a vulnerability information offering unit to extract vulnerability information to be applied to said computer system from said vulnerability information storing unit based on the configuration information of the computer system, and to associate the vulnerability information with this computer system; a vulnerability modification information storing unit for storing the information on whether or not a system manager has applied modification work based on this vulnerability information; and a security level computing unit for computing, regarding a specific equipment, a security level regarding a vulnerability of said equipment from a type of this equipment, the threat level value of the vulnerability that has not been modified with regarding this equipment, and the number or days while the vulnerability has been left without any modification taken.

45 Citations

View as Search Results

10 Claims

1. A method for offering security level comprising the steps of:
- (a) specifying, based on configuration information on a specific equipment, a vulnerability of said equipment, and associating information of the vulnerability with said equipment, said information of the vulnerability including a threat level value of the vulnerability;
  
  (b) computing a security level value of the vulnerability of the specific equipment based on the type of this equipment, the threat level value of the vulnerability for which no modification has been taken regarding this equipment, and the number of days while the vulnerability has been left without any modification taken for the vulnerability; and
  
  (c) outputting security level information based on the security level value obtained in said step (b).
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1, further comprising the steps of (d) computing a security level value of said equipment by comparing the security level values of vulnerabilities when there are a plurality of vulnerabilities associated with said equipment, which have not been modified, and setting a security level value with the highest threat level value among the security level values of said vulnerabilities as the security level value of said equipment, and wherein said step (c) outputs the security level information based on the security value of said equipment obtained in step (d).
  - 3. The method according to claim 2 further comprising the steps of (e) computing the security level value of a network when a plurality of equipments are connected to the network, by comparing security level values of the equipments, and setting a security level value with the highest threat level value among the security level values of said equipments as the security level value of said network, and wherein said step (c) outputs security level information based on the security value of said network.
  - 4. The method according to claim 1, wherein said step (c) outputs security information based on both security level value obtained in the step (b) and basic security information computed based on a basic configuration, etc. of the equipment or the network.
  - 5. The method according to claim 1, wherein said step (c) comprises a step of expressing said security level value in comparison with a security level reference value of a relevant system or the network to which said system is connected.

6. A system for computing a security level of a computer system, said system comprising:
- a configuration information storing unit for storing configuration information on the computer system to be monitored;
  
  a vulnerability information storing unit for storing various types of updated vulnerability information including at least a threat level value of the vulnerability;
  
  a vulnerability information offering unit to extract vulnerability information to be applied to said computer system from said vulnerability information storing unit based on said configuration information, and to associate the vulnerability information with this computer system;
  
  a vulnerability modification information storing unit for storing the information on whether or not a system manager has applied modification work based on this vulnerability information;
  
  a security level computing unit for computing, regarding a specific equipment, a security level regarding the vulnerability of said equipment from a type of this equipment, the threat level value of the vulnerability that has not been modified with regarding this equipment, and the number or days while the vulnerability has been left without any modification taken; and
  
  a security level information generating unit for generating and output security level information based on the security level value obtained in said computing unit.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system according to claim 6, said system further comprising, a security level value comparing unit to compute a security level value of said equipment by comparing security level values of vulnerabilities when there are a plurality of vulnerabilities associated with said equipment, which have not been modified, and setting a security level value with the highest threat level among the security level values of said vulnerabilities as the security level value of said equipment, and wherein said security level information generating unit generates security level information based on said security level value of said equipment computed by the security level value comparing unit.
  - 8. The system according to claim 7, wherein said security-level value comparing unit computes a security value of a network by comparing security level values of equipments when a plurality of equipments are connected to said network, and setting a security level value with the highest level of threat among the security level values of said equipments as the security value level of said network;
    - and said security level information generating unit outputs security level information based on the security level value of said network computed by the security level value comparing unit.
  - 9. The system according to claim 6, wherein said security level information generating unit outputs security information based on both security value obtained in said security level computing unit and basic security information computed based on a basic configuration, etc. of an equipment or a network.
  - 10. The system according to claim 6, wherein said security level information generating unit expresses said security level value in comparison with a security reference value of a relevant system or the network to which this system is connected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kabushikigaisha Toshiba
Original Assignee
Kabushikigaisha Toshiba
Inventors
Taninaka, Yoshihito, Ohura, Noriaki

Application Number

US10/092,814
Publication Number

US 20030140249A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

Security level information offering method and system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

45 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Security level information offering method and system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links