Signal level propagation mechanism for distribution of a payload to vulnerable systems

US 20040088581A1
Filed: 01/16/2003
Published: 05/06/2004
Est. Priority Date: 11/04/2002
Status: Active Grant

First Claim

Patent Images

1. A method of identifying software vulnerabilities in a computer network comprising a set of computer systems having software stored thereon, a scanning system, and a management system, wherein the method comprises:

operating the scanning system to apply to at least one computer system of at least a subset of the computer systems a first interrogation program arranged to exploit a known software vulnerability;

in the event that the known vulnerability is exploited, operating the first interrogation program to cause the computer system on which the known software vulnerability was exploited to apply to a plurality of said computer systems in said subset a second interrogation program arranged to exploit the known software vulnerability;

in the event that the known vulnerability is exploited by the second interrogation program, operating the second interrogation program to generate management information at the computer system on which the known vulnerability was exploited by the second interrogation program, the management information at least identifying the respective computer system at which the known vulnerability was exploited; and

sending the generated management information to the management system.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of identifying a software vulnerability in computer systems in a computer network includes a multiple level scanning process controlled from a management system connected to the network. The management system runs a root scanner which applies an interrogation program to remote systems having network addresses in a predefined address range. When a software vulnerability is detected, the interrogation program causes the respective remote system to scan topologically local systems, the remote system itself applying a second interrogation program to the local systems to detect and mitigate the vulnerability using an associated mitigation payload. Whilst that local scanning process is in progress, the root scanner can be applied to remote systems in other predefined address ranges.

314 Citations

19 Claims

1. A method of identifying software vulnerabilities in a computer network comprising a set of computer systems having software stored thereon, a scanning system, and a management system, wherein the method comprises:
- operating the scanning system to apply to at least one computer system of at least a subset of the computer systems a first interrogation program arranged to exploit a known software vulnerability;
  
  in the event that the known vulnerability is exploited, operating the first interrogation program to cause the computer system on which the known software vulnerability was exploited to apply to a plurality of said computer systems in said subset a second interrogation program arranged to exploit the known software vulnerability;
  
  in the event that the known vulnerability is exploited by the second interrogation program, operating the second interrogation program to generate management information at the computer system on which the known vulnerability was exploited by the second interrogation program, the management information at least identifying the respective computer system at which the known vulnerability was exploited; and
  
  sending the generated management information to the management system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method according to claim 1, wherein the second interrogation program is configured to avoid of causing the computer system on which the known software vulnerability was exploited to apply to other computer systems in said set an interrogation program capable of exploiting said known software vulnerability.
  - 3. A method according to claim 2, wherein the scanning system is operated as a single root scanning system in respect of said set of computer systems.
  - 4. A method according to claim 1, wherein the first interrogation program is operated to cause the computer system on which the known software vulnerability was exploited by the first interrogation program to generate management information, which management information is then sent to the management system.
  - 5. A method according to claim 1, wherein at least the second of said interrogation programs is arranged so as to remediate the known software vulnerability it is arranged to exploit, and wherein, in the event that the interrogation program exploits a software vulnerability, the method further comprises operating that interrogation program to remediate said software vulnerability.
  - 6. A method according to claim 1, wherein the set of computer systems comprises a plurality of subsets of computer systems, and wherein:
    - (a) the scanning system is operated to apply the first interrogation program to the computer systems of one of said subsets;
      
      (b) when said vulnerability is exploited in a computer system of said one subset;
      
      the first interrogation program is operated on the computer system which was exploited by the first interrogation program to apply the second interrogation program to other computer systems of said one subset whereby, in the event that the vulnerability is exploited by the second interrogation program in a computer system of the first subset, the steps of generating and sending management information are performed on each computer system so exploited, and operation of the scanning system in respect of said one subset is terminated;
      
      (c) steps (a) and (b) are performed in respect of others of said subsets, whereby whilst the second interrogation program is being applied to computer systems within each subset in which the vulnerability has been exploited by the first interrogation program, the scanning system applies the first interrogation program to the computer systems of subsets to which it has not hitherto been applied.
  - 7. A method according to claim 6, wherein the subsets of computer systems are topologically remote from each other.
  - 8. A method according to claim 6, wherein the scanning system is operated to apply the first interrogation program to the computer systems of a plurality of said subsets concurrently.
  - 9. A method according to claim 6, wherein the scanning systems is operated to apply the first interrogation program to the computer systems of a plurality of said subsets sequentially.

10. A method of detecting a software vulnerability in computer systems contained in a computer network, each computer system having a respective address within the network, wherein the method comprises:
- running on a root system connected to the network a root scanning program which applies to a plurality of said computer systems that have addresses within a predefined address range a first interrogation program configured to detect a known software vulnerability, in the event that said vulnerability is detected, running the first interrogation program to cause the computer system in which the vulnerability was detected to scan computer systems that have addresses within at least a subset of said predefined address range by applying to those computer systems a second interrogation program configured to detect said vulnerability, in the event that said vulnerability is detected by the second interrogation program, running the second interrogation program to cause the computer system in which it detected said vulnerability to run a mitigation program mitigating said vulnerability.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. A method according to claim 10, wherein the first interrogation program comprises a copy scanning program and a mitigation program, the method including the step of running the mitigation program on the computer system in which said vulnerability was detected by the first interrogation program to mitigate the vulnerability on that computer system, and wherein the second interrogation program comprises said mitigation program but omits said copy scanning program.
  - 12. A method according to claim 10, wherein said first and second interrogation programs each include an identification payload, the method including running the identification payload on each computer system in which the vulnerability is detected by either of said first and second interrogation programs to generate management information identifying that computer system and to send the management information to the root system.
  - 13. A method according to claim 10, wherein the first interrogation program includes a reporting payload which comprises program code operable on said computer system in which the vulnerability is exploited by the first interrogation program, the method including a reporting step in which the reporting payload program code operates in conjunction with the scanning step of said computer system to generate report information relating to progress of the scanning step and to send said report information back to the root system.
  - 14. A method according to claim 13, wherein the report information contains an indication of at least one of:
    - completion of the scanning step, corresponding to completion of scanning of all of a plurality of computer systems having addresses in said subset of the predefined address range; and
      
      disabling of the scanning step before said completion.
  - 15. A method according to claim 14, wherein the root system, in response to receipt of said report information indicating disabling of the scanning step before completion, itself completes scanning of the computer systems of the addresses in said subset to detect said vulnerability.
  - 16. A method according to claim 10, wherein, in the event that said vulnerability is detected by said application of the first interrogation program, the computer system in which the vulnerability was detected is caused to generate at least one report indicative of the progress of the scanning step of that computer system and to send such a report to the root system.
  - 17. A method according to claim 16, where, in the event that said vulnerability is detected by said application of the first interrogation program, the computer system in which the vulnerability was detected is caused to generate reports periodically and to send such reports periodically to the root system, and wherein the root system checks for receipt of such periodic reports and, in the event of a report not being received, generates an alert.

18. A computer program stored on a computer usable medium, the computer program comprising computer-readable instructions arranged to operate under the control of processing means to identify a software vulnerability in a computer network to which the processing means are connected, the computer network comprising a set of computer systems having software stored thereon, the computer program performing the following steps:
- a scanning step comprising sending to at least one computer system of at least a subset of the computer systems a first interrogation program arranged to exploit a known software vulnerability;
  
  in the event that the known vulnerability is exploited, causing the first interrogation program to operate to cause the computer system on which the known software vulnerability was exploited to apply to a plurality of said computer systems in said subset a second interrogation program arranged to exploit the known software vulnerability;
  
  the first and second interrogation programs being such that, in the event that the known vulnerability is exploited by the second interrogation program, the second interrogation program is operated to generate management information at the computer system on which the known vulnerability was exploited by the second interrogation program, the management information at least identifying the respective computer system at which the known vulnerability was exploited; and
  
  receiving the generated management information.

19. A computer program stored on a computer usable medium, the computer program comprising computer-readable instructions arranged to operate under the control of processing means to identify a software vulnerability in computer systems contained in a computer network, each computer system having a respective address within the network, the processing means forming part of a root system connected to the network, wherein the computer program performs the step of:
- running on the root system connected to the network a root scanning program which applies to a plurality of said computer systems that have addresses within a predefined address range a first interrogation program configured to detect a known software vulnerability; and
  
  in the event that said vulnerability is detected, causing the first interrogation program to operate so as to cause the computer system in which the vulnerability was detected to scan computer systems that have addresses within at least a subset of said predefined address range by applying to those computer systems a second interrogation program configured to detect said vulnerability, the first and second interrogation programs being such that, in the event that said vulnerability is detected by the second interrogation program, the second interrogation program is operated to cause the computer system in which it detected said vulnerability to run a mitigation program mitigating said vulnerability.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Flash Uplink LLC (Quest Patent Research Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Griffin, Jonathan, Norman, Andrew Patrick, Brawn, John Melvin, Dalton, Chris Ralph

Granted Patent

US 7,353,539 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/1433 Vulnerability analysis

Signal level propagation mechanism for distribution of a payload to vulnerable systems

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

314 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Signal level propagation mechanism for distribution of a payload to vulnerable systems

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

314 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links