AUTOMATED VULNERABILITY INTELLIGENCE GENERATION AND APPLICATION

US 20150242637A1
Filed: 02/25/2015
Published: 08/27/2015
Est. Priority Date: 02/25/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

obtaining distributable vulnerability data comprising, for each of a plurality of software packages and associated vulnerabilities, threat mitigation information and a threat priority parameter, wherein the distributable vulnerability data was derived from an intelligence graph comprising a plurality of fundamental instance nodes, a plurality of document nodes, and a plurality of edges;

identifying installed software packages on a computer system;

correlating a plurality of the installed software packages with the distributable vulnerability data to obtain a plurality of installed software packages and associated vulnerabilities;

ordering at least some of the plurality of installed software packages and associated vulnerabilities according to threat priority parameters, whereby an ordered plurality of installed software packages and associated vulnerabilities is obtained; and

providing mitigation information for the ordered plurality of installed software packages and associated vulnerabilities.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for providing computer security vulnerability intelligence are disclosed. The techniques include obtaining distributable vulnerability data that includes, for each of a plurality of software packages and associated vulnerabilities, threat mitigation information and a threat priority parameter, where the distributable vulnerability data was derived from an intelligence graph including a plurality of fundamental instance nodes, a plurality of document nodes, and a plurality of edges. The techniques also include identifying installed software packages on a computer system, correlating a plurality of the installed software packages with the distributable vulnerability data to obtain a plurality of installed software packages and associated vulnerabilities, ordering at least some of the plurality of installed software packages and associated vulnerabilities according to threat priority parameters, such that an ordered plurality of installed software packages and associated vulnerabilities is obtained, and providing mitigation information for the ordered plurality of installed software packages and associated vulnerabilities.

Citations

20 Claims

1. A computer-implemented method comprising:
- obtaining distributable vulnerability data comprising, for each of a plurality of software packages and associated vulnerabilities, threat mitigation information and a threat priority parameter, wherein the distributable vulnerability data was derived from an intelligence graph comprising a plurality of fundamental instance nodes, a plurality of document nodes, and a plurality of edges;
  
  identifying installed software packages on a computer system;
  
  correlating a plurality of the installed software packages with the distributable vulnerability data to obtain a plurality of installed software packages and associated vulnerabilities;
  
  ordering at least some of the plurality of installed software packages and associated vulnerabilities according to threat priority parameters, whereby an ordered plurality of installed software packages and associated vulnerabilities is obtained; and
  
  providing mitigation information for the ordered plurality of installed software packages and associated vulnerabilities.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein each threat priority parameter comprises:
    - an indication of whether a vulnerability is actively exploited;
      
      an indication of whether a workaround is available;
      
      an indication of whether a patch is available;
      
      an indication of a potential impact;
      
      an indication of a software package popularity; and
      
      an indication of vulnerability badness.
  - 3. The method of claim 1, wherein the obtaining distributable vulnerability data comprises:
    - periodically automatically communicating with a computer security data provider.
  - 4. The method of claim 1, wherein the identifying installed software packages comprises:
    - automatically scanning an enterprise computer system.
  - 5. The method of claim 1, wherein the computer system is not represented in the intelligence graph.

6. An electronic computer system comprising:
- an electronic processor programmed to obtain distributable vulnerability data comprising, for each of a plurality of software packages and associated vulnerabilities, threat mitigation information and a threat priority parameter, wherein the distributable vulnerability data was derived from an intelligence graph comprising a plurality of fundamental instance nodes, a plurality of document nodes, and a plurality of edges;
  
  an electronic processor programmed to identify installed software packages on a computer system;
  
  an electronic processor programmed to correlate a plurality of the installed software packages with the distributable vulnerability data to obtain a plurality of installed software packages and associated vulnerabilities;
  
  an electronic processor programmed to order at least some of the plurality of installed software packages and associated vulnerabilities according to threat priority parameters, whereby an ordered plurality of installed software packages and associated vulnerabilities is obtained; and
  
  an electronic processor programmed to provide mitigation information for the ordered plurality of installed software packages and associated vulnerabilities.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein each threat priority parameter comprises:
    - an indication of a vulnerability is actively exploited;
      
      an indication of whether a workaround is available;
      
      an indication of whether a patch is available;
      
      an indication of a potential impact;
      
      an indication of a software package popularity; and
      
      an indication of vulnerability badness.
  - 8. The system of claim 6, wherein the electronic processor programmed to obtain distributable vulnerability data is further programmed to:
    - periodically automatically communicate with a computer security data provider.
  - 9. The system of claim 6, wherein the electronic processor programmed to identify installed software packages is further programmed to:
    - automatically scan an enterprise computer system.
  - 10. The system of claim 6, wherein the computer system is not represented in the intelligence graph.

11. A computer-implemented method comprising:
- obtaining intelligence graph data comprising a plurality of fundamental instance nodes, a plurality of document nodes, and a plurality of edges;
  
  deriving, from the intelligence graph data, distributable vulnerability data comprising, for each of a plurality of software packages and associated vulnerabilities, threat mitigation information and a threat priority parameter;
  
  providing the distributable vulnerability data to an entity having a computer system with installed software packages to correlate a plurality of the installed software packages with the distributable vulnerability data to obtain a plurality of installed software packages and associated vulnerabilities and to order at least some of the plurality of installed software packages and associated vulnerabilities according to threat priority parameters, whereby the entity obtains an ordered plurality of installed software packages and associated vulnerabilities and mitigation information for the ordered plurality of installed software packages and associated vulnerabilities.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein each threat priority parameter comprises:
    - an indication of whether a vulnerability is actively exploited;
      
      an indication of whether a workaround is available;
      
      an indication of whether a patch is available;
      
      an indication of a potential impact;
      
      an indication of a software package popularity; and
      
      an indication of vulnerability badness.
  - 13. The method of claim 11, further comprising:
    - periodically deriving the threat priority data.
  - 14. The method of claim 11, wherein the providing the distributable vulnerability data comprises providing a web services interface.
  - 15. The method of claim 11, wherein the computer system is not represented in the intelligence graph.

16. An electronic computer system comprising:
- an electronic processor programmed to obtain intelligence graph data comprising a plurality of fundamental instance nodes, a plurality of document nodes, and a plurality of edges;
  
  an electronic processor programmed to derive, from the intelligence graph data, distributable vulnerability data comprising, for each of a plurality of software packages and associated vulnerabilities, threat mitigation information and a threat priority parameter;
  
  an electronic processor programmed to provide the distributable vulnerability data to an entity having a computer system with installed software packages to correlate a plurality of the installed software packages with the distributable vulnerability data to obtain a plurality of installed software packages and associated vulnerabilities and to order at least some of the plurality of installed software packages and associated vulnerabilities according to threat priority parameters, whereby the entity obtains an ordered plurality of installed software packages and associated vulnerabilities and mitigation information for the ordered plurality of installed software packages and associated vulnerabilities.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein each threat priority parameter comprises:
    - an indication of a vulnerability is actively exploited;
      
      an indication of whether a workaround is available;
      
      an indication of whether a patch is available;
      
      an indication of a potential impact;
      
      an indication of a software package popularity; and
      
      an indication of vulnerability badness.
  - 18. The system of claim 16, wherein the electronic processor programmed to derive is further programmed to:
    - periodically derive the threat priority data.
  - 19. The system of claim 16, further comprising a web services interface configured to provide the distributable vulnerability data.
  - 20. The system of claim 16, wherein the computer system is not represented in the intelligence graph.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Solutions Limited (Accenture PLC)
Original Assignee
VeriSign, Inc.
Inventors
Tonn, Trevor, Chang, Ray-yu

Granted Patent

US 9,846,780 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

AUTOMATED VULNERABILITY INTELLIGENCE GENERATION AND APPLICATION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATED VULNERABILITY INTELLIGENCE GENERATION AND APPLICATION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links