Advanced Asset Tracking and Correlation

US 20200137122A1
Filed: 12/30/2019
Published: 04/30/2020
Est. Priority Date: 02/17/2015
Status: Active Grant

First Claim

Patent Images

1. A system for identifying target assets, the system comprising:

an asset correlation engine executable by one or more computing device processors and in communication with an asset database,wherein the asset database is operable to store asset entries, wherein at least one asset entry in the asset database is associated with an asset,wherein the asset correlation engine is operable to;

access correlation information comprising attribute information associated with one or more assets, andwherein the system is operable to;

receive data associated with a target asset of a network, wherein the target asset comprises at least one of a desktop workstation, a server, a laptop, a tablet, a mobile phone, an application, a virtual machine, and a computing device;

parse the data to identify a target attribute associated with the target asset, wherein the target attribute comprises at least one of an IP address attribute, a DNS name attribute, a network attribute, an operating system attribute, a NetBIOS name attribute, an agent identification attribute, a software attribute, a hardware attribute, and an instance identification attribute;

access exclusionary rules associated with attributes;

determine, based on the exclusionary rules associated with the attributes, whether the target attribute is excludable;

in response to determining the target attribute is not excludable, determine, based on the correlation information, target attribute information associated with the target attribute;

determine, based on the target attribute information associated with the target attribute, target asset information, wherein a second target attribute excluded by the exclusionary rules is not used in determining the target asset information;

determine whether the target asset information at least partially correlates with an asset entry in the asset database; and

in response to determining the target asset information at least partially correlates with the asset entry in the asset database, process the target asset information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security management system may be remotely deployed (e.g., using a cloud-based architecture) to add security to an enterprise network. For example, the security management system may scan assets within the enterprise network for vulnerabilities and may receive data from these scans. The security management system may also receive data from other sources, and, as a result, the system may handle data having many different formats and attributes. When the security management system tries to associate data to assets, there may not be a globally unique identifier that is applicable for all received data. Provided in the present disclosure are exemplary techniques for tracking assets across a network using an asset correlation engine that can flexibly correlate data with assets based on attribute information.

Citations

20 Claims

1. A system for identifying target assets, the system comprising:
- an asset correlation engine executable by one or more computing device processors and in communication with an asset database,wherein the asset database is operable to store asset entries, wherein at least one asset entry in the asset database is associated with an asset,wherein the asset correlation engine is operable to;
  
  access correlation information comprising attribute information associated with one or more assets, andwherein the system is operable to;
  
  receive data associated with a target asset of a network, wherein the target asset comprises at least one of a desktop workstation, a server, a laptop, a tablet, a mobile phone, an application, a virtual machine, and a computing device;
  
  parse the data to identify a target attribute associated with the target asset, wherein the target attribute comprises at least one of an IP address attribute, a DNS name attribute, a network attribute, an operating system attribute, a NetBIOS name attribute, an agent identification attribute, a software attribute, a hardware attribute, and an instance identification attribute;
  
  access exclusionary rules associated with attributes;
  
  determine, based on the exclusionary rules associated with the attributes, whether the target attribute is excludable;
  
  in response to determining the target attribute is not excludable, determine, based on the correlation information, target attribute information associated with the target attribute;
  
  determine, based on the target attribute information associated with the target attribute, target asset information, wherein a second target attribute excluded by the exclusionary rules is not used in determining the target asset information;
  
  determine whether the target asset information at least partially correlates with an asset entry in the asset database; and
  
  in response to determining the target asset information at least partially correlates with the asset entry in the asset database, process the target asset information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the attribute information comprises attribute weight information, and wherein the target attribute information comprises target attribute weight information.
  - 3. The system of claim 1, wherein at least one of the correlation information, the attribute information, or the target attribute information is associated with a category.
  - 4. The system of claim 1, wherein the processing the target asset information comprises associating the target asset information with the at least partially correlated asset entry in the asset database.
  - 5. The system of claim 1, wherein the target asset information is comprised in a digital fingerprint.
  - 6. The system of claim 1, wherein the correlation information or the attribute information is generated using an iterative training process.
  - 7. The system of claim 6, wherein the iterative training process comprises iteratively testing candidate attribute weight information, and determining whether the candidate attribute weight information leads to an expected correlation result for mapping test target asset information with test asset entry information.
  - 8. The system of claim 1, wherein the asset correlation engine is further operable to receive the data from an agent operable to scan the target asset.
  - 9. The system of claim 8, wherein the agent comprises or is a cloud agent.
  - 10. The system of claim 1, wherein the target asset comprises at least one of the desktop workstation, the server, the laptop, the tablet, the mobile phone, the application, the virtual machine, and the computing device

11. A method for identifying target assets, the method comprising:
- accessing, using one or more computing device processors, correlation information comprising attribute information associated with one or more assets;
  
  accessing, using the one or more computing device processors, exclusionary rules associated with attributes;
  
  receiving, using the one or more computing device processors, data associated with a target asset of a network, wherein the target asset comprises at least one of a desktop workstation, a server, a laptop, a tablet, a mobile phone, a virtual machine, and a computing device;
  
  parsing, using the one or more computing device processors, the data associated with the target asset of the network to identify a target attribute associated with the data, wherein the target attribute comprises at least one of an IP address attribute, a DNS name attribute, a network attribute, an operating system attribute, a NetBIOS name attribute, an agent identification attribute, a software attribute, a hardware attribute, and an instance identification attribute;
  
  determining, using the one or more computing device processors, based on the exclusionary rules associated with the attributes, whether the target attribute is excludable;
  
  in response to determining the target attribute is not excludable, determining, using the one or more computing device processors, based on the correlation information, target attribute information associated with the target attribute;
  
  determining, using the one or more computing device processors, based on the target attribute information associated with the target attribute, target asset information, wherein a second target attribute excluded by the exclusionary rules is not used in generating the target asset information;
  
  determining, using the one or more computing device processors, whether the target asset information at least partially correlates with an asset entry in an asset database, wherein the asset database is operable to store asset entries, wherein at least one asset entry in the asset database is associated with an asset; and
  
  in response to determining the target asset information at least partially correlates with the asset entry in the asset database, processing, using the one or more computing device processors, the target asset information.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, wherein the data is received using a cloud-based agent.
  - 13. The method of claim 11, wherein the processing the target asset information comprises associating the target asset information with the at least partially correlated asset entry in the asset database.
  - 14. The method of claim 13, wherein the attribute information comprises attribute weight information, and wherein the target attribute information comprises target attribute weight information.
  - 15. The method of claim 11, further comprising in response to determining the target asset information does not at least partially correlate with the asset entry in the asset database, creating a new asset entry in the asset database, wherein the new asset entry comprises at least a portion of the target asset information.
  - 16. The method of claim 11, wherein determining whether the target asset information at least partially correlates with the asset entry in the asset database, comprises scanning, based on at least a portion of the target asset information or the target attribute information, the asset entries in the asset database, and determining at least partially matching or correlating asset entries.
  - 17. The method of claim 11, wherein determining whether the target asset information at least partially correlates with the asset entry in the asset database, comprises determining, based on the target asset information or the target attribute information, and using at least one fuzzy matching technique, whether the target asset information at least partially correlates with at least one asset entry in the asset database.

18. A method for identifying target assets, the method comprising:
- accessing, using the one or more computing device processors, exclusionary rules associated with attributes;
  
  receiving, using the one or more computing device processors, data associated with a target asset of a network, wherein the target asset comprises at least one of a desktop workstation, a server, a laptop, a tablet, a mobile phone, a virtual machine, and a computing device;
  
  parsing, using the one or more computing device processors, the data associated with the target asset of the network to identify a target attribute associated with the data, wherein the target attribute comprises at least one of an IP address attribute, a DNS name attribute, a network attribute, an operating system attribute, a NetBIOS name attribute, an agent identification attribute, a software attribute, a hardware attribute, and an instance identification attribute;
  
  determining, using the one or more computing device processors, target attribute information associated with the target attribute;
  
  determining, using the one or more computing device processors, based on the target attribute information associated with the target attribute, a digital fingerprint for the target asset;
  
  determining, using the one or more computing device processors, based on the digital fingerprint for the target asset, whether a target asset information associated with the target attribute information at least partially correlates with an asset entry in an asset database, wherein the asset database is operable to store asset entries, wherein at least one asset entry in the asset database is associated with an asset.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, further comprising in response to determining the target asset information at least partially correlates with the asset entry in the asset database, identifying, using the one or more computing device processors, the target asset.
  - 20. The method of claim 18, wherein the data is received using a cloud-based agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualys Incorporated
Original Assignee
Qualys Incorporated
Inventors
Molloy, Sean M., Wirges, Matthew L., Sonawane, Amol S.

Granted Patent

US 10,986,135 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/245   Query processing

G06F 16/24578   using ranking

G06F 16/90335   Query processing

G06F 40/205   Parsing

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Advanced Asset Tracking and Correlation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Advanced Asset Tracking and Correlation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links