Apparatus, methods and computer programs for identifying or managing vulnerabilities within a data processing network
Abstract
Provided are methods, apparatus and computer programs for identifying vulnerabilities to viruses or hacking. Hash values are computed and stored for resources stored on systems within a network. If a first resource or a collection of resources (such as the files comprising an operating system, Web browser or mail server) is associated with a vulnerability, hash values for the first resource or collection of resources are compared with the stored hash values to identify the systems which have the vulnerability. Messages may be sent to the people responsible for the vulnerable systems, or the vulnerability may be removed by automatic downloading of patches or service packs.
29 Claims
1. A method for identifying data processing systems within a network having a vulnerability, comprising the steps of:
computing a set of hash values derived from and representing a set of resources distributed across a plurality of data processing systems within a network;
storing, at a first data processing system within the network, the computed set of hash values together with an identification of the respective one of said plurality of data processing systems storing a resource corresponding to each computed hash value;
in response to an indication that a first resource is associated with a specific vulnerability, comparing at least one hash value representing the first resource with the stored set of hash values to identify matching hash values, and using the identification of matching hash values and the stored identification of respective systems to determine the systems within the plurality of data processing systems storing replicas of the first resource. (Dependent claims: 2 to 14.)
15. A data processing apparatus comprising:
a data processing unit;
a data storage unit;
a repository manager configured to store a set of hash values and associated system identifiers in a repository within the data storage unit, wherein the set of hash values are derived from and represent a set of resources distributed across a plurality of data processing systems and the system identifiers identify particular systems within said plurality of data processing systems at which the resources are stored; and
a vulnerability coordinator configured to respond to an indication that a first resource has a vulnerability, by comparing at least one hash value representing the first resource with the stored set of hash values to identify matching hash values, and configured to use the identification of matching hash values and stored system identifiers to identify systems within the plurality of data processing systems storing replicas of the first resource. (Dependent claims: 16 and 17.)
18. A distributed data processing system comprising:
a plurality of client data processing systems each comprising a data processing unit and a data storage unit storing resources; and
a server data processing system comprising a data processing unit;
a data storage unit;
a repository manager configured to store a set of hash values and associated system identifiers in a repository within the data storage unit, wherein the set of hash values are derived from and represent a set of resources distributed across the plurality of client data processing systems, and the system identifiers identify particular systems within said plurality of data processing systems at which the resources are stored; and
a vulnerability coordinator which is configured to respond to an indication that a first resource has a vulnerability, by comparing at least one hash value representing the first resource with the stored set of hash values to identify matching hash values, and to use the identification of matching hash values and stored system identifiers to identify systems within the plurality of data processing systems storing replicas of the first resource.
19. A computer program product, comprising program code recorded on a recording medium, for controlling the performance of operations on a data processing system on which the program code executes, the program code comprising:
a repository manager configured to store a set of hash values and associated system identifiers in a repository, wherein the set of hash values are derived from and represent a set of resources distributed across a plurality of data processing systems and the system identifiers identify particular systems within said plurality of data processing systems at which the resources are stored; and
a vulnerability coordinator configured to respond to an indication that a first resource has a vulnerability, by comparing at least one hash value representing the first resource with the stored set of hash values to identify matching hash values, and to use the identification of matching hash values and stored system identifiers to identify systems within the plurality of data processing systems storing replicas of the first resource.
20. A method for determining whether a data processing system has a vulnerability, comprising the steps of:
computing a set of hash values representing a set of resources of the data processing system;
for a resource associated with the vulnerability, comparing at least one hash value representing the vulnerability-associated resource with the computed set of hash values, to identify matching hash values; and
determining, from said identification of matching hash values, whether the data processing system includes the resource associated with the vulnerability; and
in response to determining that the data processing system includes the resource associated with the vulnerability, classifying the data processing system as vulnerable. (Dependent claims: 21 to 25.)
26. A computer program product comprising program code recorded on a recording medium for controlling operations within a data processing apparatus, wherein the program code comprises:
a hashing function for generating hash values representing data processing system resources; and
a vulnerability determination program configured to compare at least one hash value representing a resource associated with a vulnerability with a set of hash values representing resources of the data processing apparatus, thereby to identify matching hash values, and configured to use the identification of matching hash values to determine whether the data processing apparatus includes the resource associated with the vulnerability. (Dependent claims: 27 to 29.)
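As an added illustration of the two matching schemes the claims describe (the central repository of claims 1, 15, 18 and 19, and the single-system check of claims 20 and 26), the following Python is example code written for this page, not code from the patent. It uses a constructed in-memory inventory instead of files on disk, picks SHA-256 as the hash function (the claims do not fix one), and treats a "collection of resources" as matched only when every member is present, which is an assumption about the abstract's wording.

```python
import hashlib
from collections import defaultdict

# Constructed sample inventory: system id -> {resource path: resource bytes}.
# A real deployment would hash files on each system; bytes are inlined so this runs offline.
INVENTORY = {
    "host-a": {"/bin/mailsvc": b"mailsvc v1.0", "/lib/libssl": b"libssl 0.9"},
    "host-b": {"/bin/mailsvc": b"mailsvc v1.1", "/lib/libssl": b"libssl 0.9"},
    "host-c": {"/bin/mailsvc": b"mailsvc v1.0", "/lib/libssl": b"libssl 1.0"},
}


def resource_hash(data: bytes) -> str:
    """Hash value representing one resource (SHA-256 is an assumption; the claims name no algorithm)."""
    return hashlib.sha256(data).hexdigest()


def build_repository(inventory):
    """Claim 1 'storing' step: hash value -> set of system ids holding a replica of that resource."""
    repo = defaultdict(set)
    for system_id, resources in inventory.items():
        for data in resources.values():
            repo[resource_hash(data)].add(system_id)
    return repo


def systems_with_replicas(repo, vulnerable_resources):
    """Claim 1 'comparing' step: systems holding every resource of the vulnerable collection.

    A hash absent from the repository matches no system, so the result is empty rather than an error.
    """
    matched = None
    for data in vulnerable_resources:
        holders = repo.get(resource_hash(data), set())
        matched = holders if matched is None else matched & holders
    return sorted(matched or set())


def is_vulnerable(system_resources, vulnerable_resources):
    """Claim 20: local check on a single system, with no central repository involved."""
    local_hashes = {resource_hash(data) for data in system_resources.values()}
    return all(resource_hash(data) in local_hashes for data in vulnerable_resources)
```

With the sample inventory, the vulnerable "mailsvc v1.0" resource is located on host-a and host-c, while the two-file collection "mailsvc v1.0" plus "libssl 0.9" narrows the result to host-a alone.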