SYSTEM AND METHOD FOR CORRELATING LOG DATA TO DISCOVER NETWORK VULNERABILITIES AND ASSETS

US 20140283083A1
Filed: 04/08/2013
Published: 09/18/2014
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A system for correlating log data to discover vulnerable network assets, wherein the system comprises a log correlation engine having one or more processors configured to:

receive one or more logs that contain events describing observed activity in a network;

determine that the one or more logs contain at least one event that matches a regular expression in at least one correlation rule associated with the log correlation engine that indicates a vulnerability;

obtain information about the indicated vulnerability from at least one data source cross-referenced in the at least one correlation rule; and

generate a report that the indicated vulnerability was discovered in the network, wherein the report includes the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the at least one correlation rule.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The system and method described herein relates to a log correlation engine that may cross-reference or otherwise leverage existing vulnerability data in an extensible manner to support network vulnerability and asset discovery. In particular, the log correlation engine may receive various logs that contain events describing observed network activity and discover a network vulnerability in response to the logs containing at least one event that matches a regular expression in at least one correlation rule associated with the log correlation engine that indicates a vulnerability. The log correlation engine may then obtain information about the indicated vulnerability from at least one data source cross-referenced in the correlation rule and generate a report that the indicated vulnerability was discovered in the network, wherein the report may include the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the correlation rule.

Citations

30 Claims

1. A system for correlating log data to discover vulnerable network assets, wherein the system comprises a log correlation engine having one or more processors configured to:
- receive one or more logs that contain events describing observed activity in a network;
  
  determine that the one or more logs contain at least one event that matches a regular expression in at least one correlation rule associated with the log correlation engine that indicates a vulnerability;
  
  obtain information about the indicated vulnerability from at least one data source cross-referenced in the at least one correlation rule; and
  
  generate a report that the indicated vulnerability was discovered in the network, wherein the report includes the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the at least one correlation rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system recited in claim 1, wherein the at least one data source cross-referenced in the at least one correlation rule comprises an identifier associated with vulnerability data that one or more passive scanners use to detect the indicated vulnerability.
  - 3. The system recited in claim 2, wherein the one or more processors associated with the log correlation engine are further configured to obtain the information about the indicated vulnerability from the at least one cross-referenced data source through a backend distribution process that constructs an archive containing the information about the indicated vulnerability.
  - 4. The system recited in claim 2, wherein the one or more processors associated with the log correlation engine are further configured to communicate over a port associated with the one or more passive scanners to configure the log correlation engine as a passive scanner.
  - 5. The system recited in claim 1, wherein the at least one event contains a text string that matches the regular expression in the at least one correlation rule.
  - 6. The system recited in claim 1, wherein the report further includes a host identifier and a port identifier associated with the indicated vulnerability.
  - 7. The system recited in claim 1, wherein the report further includes one or more variable references that specify dynamic content associated with the indicated vulnerability.
  - 8. The system recited in claim 1, wherein the one or more processors associated with the log correlation engine are further configured to:
    - determine that the one or more logs contain at least one event associated with an Internet Protocol (IP) address internal to the network; and
      
      report that a host associated with the internal IP address was discovered in the network if the internal IP address has not already been discovered in the network.
  - 9. The system recited in claim 8, wherein the one or more processors associated with the log correlation engine are further configured to determine that the one or more logs contain at least one event associated with the IP address internal to the network if the IP address falls within a first range that indicates IP addresses internal to the network and does not fall within a second range that indicates exceptions to the IP addresses internal to the network.
  - 10. The system recited in claim 1, further comprising:
    - a primary log correlation engine server configured to host a primary instance associated with the log correlation engine; and
      
      one or more auxiliary log correlation engine servers configured to host one or more auxiliary instances associated with the log correlation engine, wherein the primary log correlation engine server is further configured to receive the one or more logs that contain the events describing the observed activity in the network, monitor workloads across the one or more auxiliary log correlation engine servers, and automatically distribute the one or more received logs to balance a processing load among the primary log correlation engine server and the auxiliary log correlation engine servers.

11. A method for correlating log data to discover vulnerable network assets, comprising:
- receiving, at a log correlation engine, one or more logs that contain events describing observed activity in a network;
  
  determining, at the log correlation engine, that the one or more logs contain at least one event that matches a regular expression in at least one correlation rule associated with the log correlation engine that indicates a vulnerability;
  
  obtaining, at the log correlation engine, information about the indicated vulnerability from at least one data source cross-referenced in the at least one correlation rule; and
  
  generating a report that the indicated vulnerability was discovered in the network, wherein the report includes the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the at least one correlation rule.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method recited in claim 11, wherein the at least one data source cross-referenced in the at least one correlation rule comprises an identifier associated with vulnerability data that one or more passive scanners use to detect the indicated vulnerability.
  - 13. The method recited in claim 12, wherein the log correlation engine obtains the information about the indicated vulnerability from the at least one cross-referenced data source through a backend distribution process that constructs an archive containing the information about the indicated vulnerability.
  - 14. The method recited in claim 12, wherein the log correlation engine communicates over a port associated with the one or more passive scanners to configure the log correlation engine as a passive scanner.
  - 15. The method recited in claim 11, wherein the at least one event contains a text string that matches the regular expression in the at least one correlation rule.
  - 16. The method recited in claim 11, wherein the report further includes a host identifier and a port identifier associated with the indicated vulnerability.
  - 17. The method recited in claim 11, wherein the report further includes one or more variable references that specify dynamic content associated with the indicated vulnerability.
  - 18. The method recited in claim 11, further comprising:
    - determining, at the log correlation engine, that the one or more logs contain at least one event associated with an Internet Protocol (IP) address internal to the network; and
      
      reporting that a host associated with the internal IP address was discovered in the network if the internal IP address has not already been discovered in the network.
  - 19. The method recited in claim 18, wherein the log correlation engine determines that the one or more logs contain at least one event associated with the IP address internal to the network if the IP address falls within a first range that indicates IP addresses internal to the network and does not fall within a second range that indicates exceptions to the IP addresses internal to the network.
  - 20. The method recited in claim 11, wherein a primary log correlation engine server hosts a primary instance associated with the log correlation engine and one or more auxiliary log correlation engine servers host one or more auxiliary instances associated with the log correlation engine, and wherein the method further comprises:
    - receiving the one or more logs that contain the events describing the observed activity in the network at the primary log correlation engine server; and
      
      monitoring, at the primary log correlation engine server, workloads across the one or more auxiliary log correlation engine servers, wherein the primary log correlation engine server automatically distributes the one or more received logs to balance a processing load among the primary log correlation engine server and the auxiliary log correlation engine servers.

21. A computer-readable storage medium having computer-executable instructions stored thereon for correlating log data to discover vulnerable network assets, wherein executing the computer-executable instructions a processor causes the processor to:
- receive one or more logs that contain events describing observed activity in a network;
  
  determine that the one or more logs contain at least one event that matches a regular expression in at least one correlation rule associated with a log correlation engine that indicates a vulnerability;
  
  obtain information about the indicated vulnerability from at least one data source cross-referenced in the at least one correlation rule; and
  
  generate a report that the indicated vulnerability was discovered in the network, wherein the report includes the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the at least one correlation rule.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The computer-readable storage medium recited in claim 21, wherein the at least one data source cross-referenced in the at least one correlation rule comprises an identifier associated with vulnerability data that one or more passive scanners use to detect the indicated vulnerability.
  - 23. The computer-readable storage medium recited in claim 22, wherein executing the computer-executable instructions the processor further causes the processor to obtain the information about the indicated vulnerability from the at least one cross-referenced data source through a backend distribution process that constructs an archive containing the information about the indicated vulnerability.
  - 24. The computer-readable storage medium recited in claim 22, wherein executing the computer-executable instructions the processor further causes the processor to communicate over a port associated with the one or more passive scanners to configure the log correlation engine as a passive scanner.
  - 25. The computer-readable storage medium recited in claim 21, wherein the at least one event contains a text string that matches the regular expression in the at least one correlation rule.
  - 26. The computer-readable storage medium recited in claim 21, wherein the report further includes a host identifier and a port identifier associated with the indicated vulnerability.
  - 27. The computer-readable storage medium recited in claim 21, wherein the report further includes one or more variable references that specify dynamic content associated with the indicated vulnerability.
  - 28. The computer-readable storage medium recited in claim 21, wherein executing the computer-executable instructions the processor further causes the processor to:
    - determine that the one or more logs contain at least one event associated with an Internet Protocol (IP) address internal to the network; and
      
      report that a host associated with the internal IP address was discovered in the network if the internal IP address has not already been discovered in the network.
  - 29. The computer-readable storage medium recited in claim 28, wherein executing the computer-executable instructions the processor further causes the processor to determine that the one or more logs contain at least one event associated with the IP address internal to the network if the IP address falls within a first range that indicates IP addresses internal to the network and does not fall within a second range that indicates exceptions to the IP addresses internal to the network.
  - 30. The computer-readable storage medium recited in claim 21, wherein a primary log correlation engine server hosts a primary instance associated with the log correlation engine and one or more auxiliary log correlation engine servers host one or more auxiliary instances associated with the log correlation engine, and wherein executing the computer-executable instructions the processor further causes the processor to:
    - direct the one or more logs that contain the events describing the observed activity in the network to the primary log correlation engine server; and
      
      cause the primary log correlation engine server to monitor workloads across the one or more auxiliary log correlation engine servers and automatically distribute the one or more received logs to balance a processing load among the primary log correlation engine server and the auxiliary log correlation engine servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tenable, Inc. (Tenable Holdings, Inc.)
Original Assignee
Tenable Network Security Incorporated (Tenable Holdings, Inc.)
Inventors
GULA, Ron, Ranum, Marcus, Deraison, Renaud

Granted Patent

US 9,467,464 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1433 Vulnerability analysis

SYSTEM AND METHOD FOR CORRELATING LOG DATA TO DISCOVER NETWORK VULNERABILITIES AND ASSETS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR CORRELATING LOG DATA TO DISCOVER NETWORK VULNERABILITIES AND ASSETS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links