Network-based patching machine
First Claim
1. A method for protecting a computer system using a universal patching machine rather than exclusively applying vendor security patches to produce a vendor-patched computer system, wherein when input data is applied to the vendor-patched computer system, a resulting output and state for the vendor-patched computer system are produced, the method comprising:
attempting to generate a conversion function that modifies input data to the computer system so that the computer system has an output and state that exactly match the output and state of the vendor-patched computer system in response to the input data before modification;
if it is not possible to generate the conversion function that modifies the input data so that the output and state of the computer system exactly match the output and state of the vendor-patched computer system, attempting to generate a conversion function that modifies the input data to the computer system so that the computer system has a state that exactly matches the state of the vendor-patched computer in response to the input data before modification and that has an output that approximately matches the output of the vendor-patched computer in response to the input data before modification; and
if it is not possible to generate a conversion function that modifies the input data so that the state of the computer system exactly matches the state of the vendor-patched computer system and so that the output of the computer system approximately matches the output of the vendor-patched computer system, generating a conversion function that modifies input data to the computer system so that the computer system has a state and output that approximately match the state and output of the vendor-patched computer in response to the input data before modification.
Abstract
A universal patching machine is used to provide network-based security for a data network. The universal patching machine may be implemented on a network appliance located at the edge of the data network. From this location, the universal patching machine intercepts data traffic between the internet and the data network. The universal patching machine examines the intercepted data traffic to detect security vulnerabilities. If a vulnerability violation is detected, the universal patching machine modifies the data traffic to remove the violation. Fixing the data traffic in this way ensures that the vulnerability cannot be exploited in an attack against the data network. The universal patching machine is formed from patch processors and a packet controller. The patch processors are formed from network patches. In operation, the patch processors detect vulnerabilities and issue modification commands that direct the packet controller to fix the data traffic.
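As an added illustration of the architecture the abstract describes (this is not code from the patent): patch processors are built from network patches that detect a violation and issue a modification command, and a packet controller executes those commands before the traffic is forwarded. The request model, the two example patches, the header length limit and the sample traffic are constructed assumptions; a packet that still violates a patch after fixing is dropped rather than forwarded.

```python
import posixpath
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Packet:  # constructed traffic model: one request = path plus header map
    path: str
    headers: Dict[str, str]

@dataclass
class ModificationCommand:  # issued by a patch processor, executed by the packet controller
    patch_name: str
    apply: Callable[["Packet"], "Packet"]

NetworkPatch = Callable[[Packet], Optional[ModificationCommand]]
MAX_HEADER = 256  # hypothetical limit a vendor patch would enforce on header length

def long_header_patch(pkt: Packet) -> Optional[ModificationCommand]:
    """Network patch: an over-long header value is the violation; the fix truncates it."""
    bad = {k for k, v in pkt.headers.items() if len(v) > MAX_HEADER}
    if not bad:
        return None
    def fix(p: Packet) -> Packet:
        return Packet(p.path, {k: (v[:MAX_HEADER] if k in bad else v) for k, v in p.headers.items()})
    return ModificationCommand("long-header", fix)

def traversal_patch(pkt: Packet) -> Optional[ModificationCommand]:
    """Network patch: a '..' path segment is the violation; the fix collapses the path under '/'."""
    if ".." not in pkt.path.split("/"):
        return None
    fix = lambda p: Packet(posixpath.normpath("/" + p.path.lstrip("/")), dict(p.headers))
    return ModificationCommand("path-traversal", fix)

class PatchProcessor:  # formed from network patches; detects violations, issues commands
    def __init__(self, patches: List[NetworkPatch]):
        self.patches = patches
    def detect(self, pkt: Packet) -> List[ModificationCommand]:
        return [c for c in (patch(pkt) for patch in self.patches) if c is not None]

class PacketController:  # executes the commands so the forwarded packet carries no violation
    def fix(self, pkt: Packet, commands: List[ModificationCommand]) -> Packet:
        for cmd in commands:
            pkt = cmd.apply(pkt)
        return pkt

class UniversalPatchingMachine:
    def __init__(self, processors: List[PatchProcessor], controller: PacketController):
        self.processors, self.controller = processors, controller
    def process(self, pkt: Packet) -> Tuple[Optional[Packet], List[str]]:
        """Returns (fixed packet, or None if a violation survives the fix; names of patches that fired)."""
        commands = [c for proc in self.processors for c in proc.detect(pkt)]
        fixed = self.controller.fix(pkt, commands)
        still_bad = any(proc.detect(fixed) for proc in self.processors)
        return (None if still_bad else fixed), [c.patch_name for c in commands]
```

The second detection pass after fixing is the check a deployment should log: a packet that comes back still flagged means a patch's fix does not actually remove what its detector matches.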
19 Claims
2. A method for protecting a computer network by using a universal patching machine implemented on a network appliance to detect and fix vulnerability violations in data traffic flowing through the network appliance between a communications network and the computer network, wherein the universal patching machine includes patch processors and a packet controller, the method comprising:
forming the patch processors in the universal patching machine from a plurality of network patches;
receiving the data traffic with the universal patching machine;
using the patch processors to detect vulnerability violations in the received data traffic;
when a vulnerability violation is detected in the data traffic by the patch processors, using the patch processors to issue a modification command to the packet controller that directs the packet controller to fix the data traffic and remove the vulnerability violation; and
using the universal patching machine to provide the fixed data traffic to the computer network.
Dependent claims: 3 to 19.