SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR REPORTING AN OCCURRENCE IN DIFFERENT MANNERS

US 20150033352A1
Filed: 09/29/2014
Published: 01/29/2015
Est. Priority Date: 07/01/2003
Status: Active Grant

First Claim

Patent Images

1-2. -2. (canceled)

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for identifying operating system information associated with at least one of a plurality of networked devices, and an occurrence in connection with the at least one of the networked device. It is also determined whether at least one vulnerability capable being exploited by the occurrence is relevant to the at least one networked device based on the operating system information. To this send, the occurrence is reported in a first manner, if it is determined that the at least one vulnerability capable being exploited by the occurrence is relevant to the at least one networked device based on the operating system information. Further, the occurrence is reported in a second manner different from the first manner, if it is determined that the at least one vulnerability capable being exploited by the occurrence is not relevant to the at least one networked device based on the operating system information.

Citations

22 Claims

1-2. -2. (canceled)

3. A computer program product embodied on a non-transitory computer readable medium, comprising:
- code for receiving an identification of at least one of an operating system or an application associated with at least one of a plurality of devices;
  
  code for accessing a data storage describing a plurality of mitigation techniques that mitigate an attack that takes advantage of a plurality of vulnerabilities;
  
  code for presenting a plurality of options in connection with the plurality of mitigation techniques that correspond with a subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device, the plurality of options relating to an intrusion detection or prevention mitigation technique and a firewall mitigation technique that both correspond with the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device;
  
  code for receiving user input selecting at least one of the options in connection with at least one of the plurality of the mitigation techniques that correspond with the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device;
  
  code for, based on the user input, deploying the selected at least one option in connection with the at least one mitigation technique that corresponds with the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device;
  
  code for identifying an occurrence in connection with the at least one of the device;
  
  code for determining whether the occurrence is capable of taking advantage of at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device; and
  
  code for preventing the occurrence from taking advantage of the at least one of the subset of the plurality of the vulnerabilities, utilizing the at least one mitigation technique in connection with the selected at least one option, based on the determination whether the occurrence is capable of taking advantage of the at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 4. The computer program product of claim 3, and further comprising:
    - code for performing a vulnerability scan for identifying at least one actual vulnerability to which the at least device is actually vulnerable;
      
      code for determining whether the occurrence is capable of taking advantage of the at least one actual vulnerability;
      
      code for reporting the occurrence in a first manner, if it is determined that the occurrence is capable of taking advantage of the at least one actual vulnerability; and
      
      code for reporting the occurrence in a first manner, if it is determined that the occurrence is not capable of taking advantage of the at least one actual vulnerability.
  - 5. The computer program product of claim 4, wherein the computer program product is operable such that it is determined whether the occurrence is capable of taking advantage of the at least one actual vulnerability, by cross-referencing a vulnerability identifier associated with the occurrence with device vulnerability information.
  - 6. The computer program product of claim 5, wherein the computer program product is operable such that the vulnerability identifier includes a Common Vulnerabilities and Exposures Identifier (CVE ID).
  - 7. The computer program product of claim 3, wherein the computer program product is operable such that the selected at least one option in connection with the at least one mitigation technique is deployed utilizing at least one communication sent from at least one server to a client agent.
  - 8. The computer program product of claim 7, wherein the computer program product is operable such that the client agent resides at at least one of a firewall or an intrusion prevention system for implementing the at least one mitigation technique.
  - 9. The computer program product of claim 8, wherein the computer program product is operable such that at least one of:
    - said intrusion prevention system and the firewall are separate;
      
      orsaid intrusion prevention system and the firewall are integrated on the same single platform.
  - 10. The computer program product of claim 3, and further comprisingcode for receiving first user input selecting the intrusion detection or prevention mitigation technique that corresponds with the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device;
    - andcode for, based on the first user input, deploying the selected intrusion detection or prevention mitigation technique that corresponds with the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device;
      
      wherein the computer program product is operable such that the occurrence is prevented from taking advantage of the at least one of the subset of the plurality of the vulnerabilities, utilizing the selected intrusion detection or prevention mitigation technique, by rejecting a connection request of the at least one device.
  - 11. The computer program product of claim 3, and further comprisingcode for receiving first user input selecting the firewall mitigation technique that corresponds with the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device;
    - andcode for, based on the first user input, deploying the selected firewall mitigation technique that corresponds with the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device;
      
      wherein the computer program product is operable such that the occurrence is prevented from taking advantage of the at least one of the subset of the plurality of the vulnerabilities, utilizing the selected firewall mitigation technique, by dropping or blocking packets associated with the occurrence that are directed to the at least one device.
  - 12. The computer program product of claim 3, and further comprisingcode for receiving first user input selecting the intrusion detection or prevention mitigation technique that corresponds with the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device;
    - code for receiving second user input selecting the firewall mitigation technique that corresponds with the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device;
      
      code for, based on the first user input, deploying the selected intrusion detection or prevention mitigation technique that corresponds with the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device; and
      
      code for, based on the second user input, deploying the selected firewall mitigation technique that corresponds with the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device;
      
      wherein the computer program product is operable such that the occurrence is prevented from taking advantage of the at least one of the subset of the plurality of the vulnerabilities, utilizing the selected intrusion detection or prevention mitigation technique and the firewall mitigation technique, by dropping or blocking packets associated with the occurrence that are directed to the at least one device and further by rejecting a connection request of the at least one device.
  - 13. The computer program product of claim 3, wherein the computer program product is operable such the intrusion detection or prevention mitigation technique involves an intrusion detection or prevention rule for being deployed to an intrusion detection or prevention system and the firewall mitigation technique involves a firewall rule for being deployed to a firewall, such that the intrusion detection or prevention rule and the firewall rule collectively result in the dropping or blocking of packets that are directed to the at least one device and the rejecting of a connection request of the at least one device, for specifically mitigating any attack capable of taking advantage of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device.
  - 14. The computer program product of claim 3, wherein the computer program product is operable such that at least one user interface in the form of an intrusion detection or prevention system console is provided for receiving the user input;
    - and the computer program product is further operable such that the plurality of options that are presented relate to the plurality of mitigation techniques that correspond with only the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device, for reducing false positives.
  - 15. The computer program product of claim 3, wherein the computer program product is operable such that the plurality of options are presented and the user input selecting the at least one option is received after the identification of the occurrence such that the at least one mitigation technique is deployed in immediate response to the user input.
  - 16. The computer program product of claim 3, wherein the computer program product is operable such that the plurality of options are presented and the user input selecting the at least one option is received before the identification of the occurrence such that the occurrence is prevented from taking advantage of the at least one of the subset of the plurality of the vulnerabilities, in automatic response to the determination that the occurrence is capable of taking advantage of the at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device.
  - 17. The computer program product of claim 3, wherein the computer program product is operable such that the plurality of options are presented and the user input selecting a first one of the options is received before the identification of the occurrence such that the firewall mitigation technique is deployed for preventing the occurrence from taking advantage of the at least one of the subset of the plurality of the vulnerabilities, in immediate response to the determination that the occurrence is capable of taking advantage of the at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device, and the computer program product is further operable such that the plurality of options are presented and the user input selecting a second one of the options is received after the identification of the occurrence such that the intrusion detection or prevention mitigation technique is deployed in immediate response to the user input selecting the second one of the options for further preventing the occurrence from taking advantage of the at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system or the application associated with the at least one device.
  - 18. The computer program product of claim 3, wherein the computer program product is operable for use with at least one NOC server, a data warehouse, and an SDK for allowing access to information associated with at least one vulnerability and at least one remediation technique, and wherein the computer program product is operable for determining which devices have vulnerabilities by directly querying a firmware or operating system of the devices.

19. A computer program product embodied on a non-transitory computer readable medium, comprising:
- code for retrieving a plurality of options from a data storage describing a plurality of mitigation techniques that mitigate an attack that takes advantage of a plurality of vulnerabilities;
  
  code for presenting the plurality of options which relate to the plurality of mitigation techniques in connection with a subset of a plurality of the vulnerabilities posed by at least one of an operating system or an application of at least one device, the plurality of options relating to an intrusion detection or prevention mitigation technique and a firewall mitigation technique;
  
  code for receiving user input selecting at least one of the options which relate to at least one of the plurality of the mitigation techniques in connection with the subset of the plurality of the vulnerabilities posed by the at least one of the operating system or the application of the at least one device;
  
  code for, based on the user input, deploying the selected at least one option which relates to the at least one mitigation technique in connection with the subset of the plurality of the vulnerabilities posed by the at least one of the operating system or the application of the at least one device, to the at least one device with the at least one of the operating system or the application;
  
  code for identifying an occurrence including one or more packets directed to the at least one of the device;
  
  code for determining whether the occurrence is capable of taking advantage of at least one of the subset of the plurality of the vulnerabilities posed by the at least one of the operating system or the application of the at least one device; and
  
  code for preventing the occurrence from taking advantage of the at least one of the subset of the plurality of the vulnerabilities, utilizing the at least one mitigation technique related to the selected at least one option, based on the determination whether the occurrence is capable of taking advantage of the at least one of the subset of the plurality of the vulnerabilities posed by the at least one of the operating system or the application of the at least one device.

20. A computer program product embodied on a non-transitory computer readable medium, comprising:
- code for receiving actual vulnerability information from at least one first data storage that is generated utilizing potential vulnerability information from at least one second data storage that is capable of being used to identify a plurality of potential vulnerabilities, by including;
  
  at least one first potential vulnerability, and at least one second potential vulnerability;
  
  said actual vulnerability information being generated utilizing the potential vulnerability information by;
  
  identifying at least one configuration associated with at least one of a plurality of networked devices, the at least one configuration relating to at least one of an operating system or an application of the at least one networked device, anddetermining that at least one networked device is actually vulnerable to at least one actual vulnerability based on the identified at least one configuration, utilizing the potential vulnerability information that is capable of being used to identify the plurality of potential vulnerabilities;
  
  said actual vulnerability information from the at least one first data storage capable of identifying the at least one actual vulnerability to which at least one networked device is actually vulnerable;
  
  code for determining whether an attack is capable of taking advantage of the at least one actual vulnerability to which at least one networked device is actually vulnerable; and
  
  code for causing different attack mitigation actions of diverse attack mitigation types, including a firewall-based attack mitigation type and an intrusion prevention system-based attack mitigation type, for preventing the attack from taking advantage of the at least one actual vulnerability at the at least one networked device, based on the determination whether the attack is capable of taking advantage of the at least one actual vulnerability to which at least one networked device is actually vulnerable, the at least one actual vulnerability being determined as a function of the at least one of the operating system or the application of the at least one networked device and the different attack mitigation actions being specific to the at least one actual vulnerability, thereby resulting in relevant attack mitigation actions of the diverse attack mitigation types being caused based on the determination whether one or more attacks are capable of taking advantage of only relevant actual vulnerabilities.
- View Dependent Claims (21, 22)
- - 21. The computer program product of claim 20, wherein the computer program product is operable such that the different attack mitigation actions of the diverse attack mitigation types are completed by a deployment from at least one server to at least one client agent supporting at least one of a firewall for implementing the firewall-based attack mitigation type or an intrusion prevention system for implementing the intrusion prevention system-based attack mitigation type.
  - 22. The computer program product of claim 20, wherein the computer program product is operable such that one or more of the different attack mitigation actions of the diverse attack mitigation types are conditionally caused based on user selection thereof, thereby providing user-selected relevant attack mitigation actions of the diverse attack mitigation types being caused based on the determination whether one or more attacks are capable of taking advantage of only relevant actual vulnerabilities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecurityProfiling, LLC
Original Assignee
SecurityProfiling, LLC
Inventors
Oliphant, Brett M., Blignaut, John P.

Granted Patent

US 9,118,710 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/554   involving event detection a...

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR REPORTING AN OCCURRENCE IN DIFFERENT MANNERS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR REPORTING AN OCCURRENCE IN DIFFERENT MANNERS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links