VIRTUAL PATCHING SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT

US 20150033323A1
Filed: 09/29/2014
Published: 01/29/2015
Est. Priority Date: 07/01/2003
Status: Abandoned Application

First Claim

Patent Images

1-2. -2. (canceled)

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for displaying, via at least one user interface, at least one option for dropping packets in connection with the at least one networked device for attack prevention. In use, it is determined whether an occurrence in connection with the at least one networked device is capable of taking advantage of the at least one actual vulnerability to which the at least one networked device is actually vulnerable. Further, based on the user input, packets are dropped in connection with the occurrence in immediate response to the detection thereof, to prevent an attack prior to completion of patch installation.

15 Citations

View as Search Results

22 Claims

1-2. -2. (canceled)

3. A computer program product embodied on a non-transitory computer readable medium, comprising:
- code for allowing access to first information from at least one first data storage identifying a plurality of potential vulnerabilities including at least one first potential vulnerability and at least one second potential vulnerability;
  
  code for causing at least one operation in connection with at least one of a plurality of networked devices, the at least one operation configured for;
  
  identifying at least one configuration associated with the at least one networked device, anddetermining that the at least one networked device is actually vulnerable to at least one actual vulnerability based on the identified at least one configuration, utilizing the first information from the at least one first data storage identifying the plurality of potential vulnerabilities, such that second information is stored in at least one second data storage separate from the at least one first data storage, the second information identifying the at least one actual vulnerability to which the at least one networked device is actually vulnerable;
  
  code for reporting the second information;
  
  code for detecting an occurrence in connection with the at least one of the networked device;
  
  code for determining whether the occurrence is capable of taking advantage of the at least one actual vulnerability to which the at least one networked device is actually vulnerable;
  
  code for displaying, via at least one user interface, at least one option for blocking the occurrence in connection with the at least one networked device;
  
  code for receiving, via the at least one user interface, user input selecting the at least one option for blocking the occurrence in connection with the at least one networked device; and
  
  code for, based on the user input, automatically blocking the occurrence, to prevent an attack from taking advantage of the at least one actual vulnerability to which the at least one networked device is actually vulnerable while there is no installation of a patch at the at least one of the networked device that removes the at least one actual vulnerability from the at least one networked device.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 4. The computer program product of claim 3, wherein the computer program product is operable such that the occurrence includes a connection request, and in addition to the blocking, the computer program product is operable for redirecting the connection request to an explanatory message.
  - 5. The computer program product of claim 4, wherein the computer program product is operable such that, in addition to the blocking and redirecting, the computer program product is further operable for dropping packets in connection with the at least one networked device.
  - 6. The computer program product of claim 3, wherein the computer program product is operable such that the occurrence includes a connection request, and in addition to the blocking, the computer program product is operable for performing at least one operation for supporting the installation of the patch at the at least one of the networked device that removes the at least one actual vulnerability from the at least one networked device.
  - 7. The computer program product of claim 6, wherein the computer program product is operable such that a client agent is installable on the at least one networked device and is capable of supporting at least one aspect of the identification of the at least one configuration associated with the at least one networked device, the detection of the occurrence in connection with the at least one of the networked device, the automatically blocking of the occurrence, and the installation of the patch.
  - 8. The computer program product of claim 3, and further comprising:
    - code for displaying, via at least one user interface, at least one option for dropping packets in connection with the at least one networked device;
      
      code for receiving, via the at least one user interface, additional user input selecting the at least one option for dropping packets in connection with the at least one networked device; and
      
      code for, based on the additionally user input, automatically dropping packets in connection with the at least one networked device, to prevent the attack from taking advantage of the at least one actual vulnerability to which the at least one networked device is actually vulnerable while there is no installation of the patch at the at least one of the networked device that removes the at least one actual vulnerability from the at least one networked device.
  - 9. The computer program product of claim 8, wherein the computer program product is operable such that a client agent is installable on the at least one networked device and is capable of supporting at least one aspect of the identification of the at least one configuration associated with the at least one networked device, the detection of the occurrence in connection with the at least one of the networked device, the automatically blocking of the occurrence, and the dropping of the packets.
  - 10. The computer program product of claim 3, wherein the computer program product is configured such that the at least one user interface is part of an intrusion prevention system console of an intrusion prevention system component that includes a client agent that is installable on the at least one networked device and is capable of:
    - working in connection with a vulnerability management component in supporting at least one aspect of the identification of the at least one configuration associated with the at least one networked device, and working in connection with the intrusion prevention system component in supporting at least one aspect of the detection of the occurrence in connection with the at least one of the networked device.
  - 11. The computer program product of claim 3, wherein the computer program product is operable such that the determining whether the occurrence is capable of taking advantage of the at least one actual vulnerability to which the at least one networked device is actually vulnerable, includes cross referencing a Common Vulnerabilities and Exposures (CVE) identifier associated with the occurrence with a profile of the at least one networked device.
  - 12. The computer program product of claim 3, wherein the computer program product is operable for use with at least one NOC server, a data warehouse, and an SDK for allowing access to information associated with at least one vulnerability and at least one remediation technique, and wherein the computer program product is operable for determining which devices have weaknesses by directly querying a firmware or operating computer program product of the devices.

13. A computer program product embodied on a non-transitory computer readable medium, comprising:
- code for accessing at least one first data structure including actual vulnerability information that is generated utilizing potential vulnerability information from at least one second data structure that is capable of being used to identify a plurality of potential vulnerabilities including;
  
  at least one first potential vulnerability, andat least one second potential vulnerability;
  
  said actual vulnerability information being generated utilizing the potential vulnerability information by;
  
  identifying at least one configuration associated with at least one of a plurality of networked devices, the at least one configuration relating to at least one of an operating system or an application of the at least one networked device, anddetermining that at least one networked device is actually vulnerable to at least one actual vulnerability based on the identified at least one configuration, utilizing the potential vulnerability information that is capable of being used to identify the plurality of potential vulnerabilities;
  
  said actual vulnerability information from the at least one first data structure capable of being used for identifying the at least one actual vulnerability to which at least one networked device is actually vulnerable;
  
  code for determining whether an attack is capable of taking advantage of the at least one actual vulnerability to which at least one networked device is actually vulnerable; and
  
  code for applying different attack mitigation actions of diverse attack mitigation types, including a firewall-based attack mitigation type and an intrusion prevention system-based attack mitigation type, for preventing the attack from taking advantage of the at least one actual vulnerability at the at least one networked device, based on the determination whether the attack is capable of taking advantage of the at least one actual vulnerability to which at least one networked device is actually vulnerable, the at least one actual vulnerability being a function of the at least one of the operating system or the application of the at least one networked device and the different attack mitigation actions being specific to the at least one actual vulnerability, thereby resulting in relevant attack mitigation actions of the diverse attack mitigation types being applied based on whether one or more attacks are capable of taking advantage of only relevant actual vulnerabilities.
- View Dependent Claims (14, 15)
- - 14. The computer program product of claim 13, wherein the computer program product is operable such that the different attack mitigation actions of the diverse attack mitigation types are completed by a deployment from at least one server to at least one client agent supporting at least one of a firewall for implementing the firewall-based attack mitigation type or an intrusion prevention system for implementing the intrusion prevention system-based attack mitigation type.
  - 15. The computer program product of claim 13, wherein the computer program product is operable such that one or more of the different attack mitigation actions of the diverse attack mitigation types are conditionally applied based on user selection thereof, thereby providing user-selected relevant attack mitigation actions of the diverse attack mitigation types being applied based on the determination whether one or more attacks are capable of taking advantage of only relevant actual vulnerabilities.

16. A computer program product embodied on a non-transitory computer readable medium, comprising:
- code for accessing a data structure describing a plurality of mitigation techniques that mitigate a plurality of attacks that take advantage of a plurality of vulnerabilities, for retrieving a plurality of options in connection with a portion of the mitigation techniques that correspond with a subset of the plurality of the vulnerabilities resulting from an operating system and an application indicated to be on at least one device;
  
  code for presenting the plurality of options in connection with the portion of mitigation techniques that correspond with the subset of the plurality of the vulnerabilities resulting from the operating system and the application indicated to be on the at least one device, the plurality of options relating to an intrusion prevention mitigation technique and a firewall mitigation technique;
  
  code for receiving first user input selecting the intrusion prevention mitigation technique in connection with the subset of the plurality of the vulnerabilities resulting from the operating system and the application indicated to be on the at least one device;
  
  code for receiving second user input selecting the firewall mitigation technique in connection with the subset of the plurality of the vulnerabilities resulting from the operating system and the application indicated to be on the at least one device;
  
  code for, based on the first user input, applying the selected the intrusion prevention mitigation technique in connection with the subset of the plurality of the vulnerabilities resulting from the operating system and the application indicated to be on the at least one device, for occurrence mitigation;
  
  code for, based on the second user input, applying the selected firewall mitigation technique in connection with the subset of the plurality of the vulnerabilities resulting from the operating system and the application indicated to be on the at least one device, for occurrence mitigation;
  
  code for identifying an occurrence including one or more packets directed to the at least one of the device;
  
  code for determining whether the occurrence is capable of taking advantage of at least one of the subset of the plurality of the vulnerabilities resulting from the operating system and the application indicated to be on the at least one device; and
  
  code for preventing the occurrence from taking advantage of the at least one of the subset of the plurality of the vulnerabilities, utilizing at least one of the intrusion prevention mitigation technique or the firewall mitigation technique based on the application thereof, based on the determination whether the occurrence is capable of taking advantage of the at least one of the subset of the plurality of the vulnerabilities resulting from the operating system and the application indicated to be on the at least one device.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The computer program product of claim 16, wherein the computer program product is operable such that the plurality of options that are presented in connection with the portion of mitigation techniques correspond only with the subset of the plurality of the vulnerabilities resulting from the operating system and the application indicated to be on the at least one device.
  - 18. The computer program product of claim 16, wherein the computer program product is operable such that the presented plurality of options are updated to exclude one or more options related to a part of the mitigation techniques that correspond with another subset of the plurality of the vulnerabilities that were removed as result of at least one patch previously installed on the at least one device.
  - 19. The computer program product of claim 16, and further comprising:
    - code for performing a vulnerability scan for identifying at least one actual vulnerability to which the at least device is actually vulnerable;
      
      code for determining whether the occurrence is capable of taking advantage of the at least one actual vulnerability;
      
      code for reporting the occurrence in a first manner, if it is determined that the occurrence is capable of taking advantage of the at least one actual vulnerability; and
      
      code for reporting the occurrence in a first manner, if it is determined that the occurrence is not capable of taking advantage of the at least one actual vulnerability.
  - 20. The computer program product of claim 19, wherein the computer program product is operable such that it is determined whether the occurrence is capable of taking advantage of the at least one actual vulnerability, by cross-referencing a vulnerability identifier associated with the occurrence with device vulnerability information.
  - 21. The computer program product of claim 16, wherein the computer program product is operable such that at least one of the plurality of options is presented and the second user input is received before the identification of the occurrence such that the occurrence is prevented from taking advantage of the at least one of the subset of the plurality of the vulnerabilities, in immediate response to the determination that the occurrence is capable of taking advantage of the at least one of the subset of the plurality of the vulnerabilities resulting from the operating system and the application indicated to be on the at least one device, and the computer program product is further operable such that at least one of the plurality of options is presented and the first user input is received after the identification of the occurrence such that the second option is applied in immediate response to the user input for further preventing the occurrence from taking advantage of the at least one of the subset of the plurality of the vulnerabilities resulting from the operating system and the application indicated to be on the at least one device.
  - 22. The computer program product of claim 16, wherein the computer program product is operable such that the determination whether the occurrence is capable of taking advantage of at least one of the subset of the plurality of the vulnerabilities resulting from the operating system and the application indicated to be on the at least one device, is carried out by inspecting at least one characteristic of a payload of at least one of the packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecurityProfiling, LLC
Original Assignee
SecurityProfiling, LLC
Inventors
Oliphant, Brett M., Blignaut, John P.

Application Number

US14/499,250
Publication Number

US 20150033323A1
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

VIRTUAL PATCHING SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

VIRTUAL PATCHING SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others