Network-based patching machine
First Claim
1. A method for protecting a computer system using a universal patching machine rather than protecting a computer system by exclusively applying vendor-provided security patches to the computer system to produce a vendor-patched system, wherein when input data is applied to the vendor-patched computer system, a resulting output and state for the vendor-patched computer system are produced, wherein the input data is data traffic flowing between a communications network and the computer system, wherein the output is the resulting output data traffic produced by the computer system in response to its current state and the input data, and wherein the state is the state of the software in the computer system, the method comprising:
- attempting to generate a conversion function for the universal patching machine that modifies input data to the computer system by performing a character replacement so that the computer system has an output and state that exactly match the output and state of the vendor-patched computer system in response to the input data before modification;
if it is not possible to generate the conversion function that modifies the input data so that the output and state of the computer system exactly match the output and state of the vendor-patched computer system, attempting to generate a conversion function that modifies the input data to the computer system by rate limiting the input data so that the computer system has a state that exactly matches the state of the vendor-patched computer in response to the input data before modification and that has an output that approximately matches the output of the vendor-patched computer in response to the input data before modification;
if it is not possible to generate a conversion function that modifies the input data so that the state of the computer system exactly matches the state of the vendor-patched computer system and so that the output of the computer system approximately matches the output of the vendor-patched computer system, generating a conversion function that modifies input data to the computer system so that the computer system has a state and output that approximately match the state and output of the vendor-patched computer in response to the input data before modification; and
using the conversion function in the universal patching machine to protect the computer system.
3 Assignments
0 Petitions
Accused Products
Abstract
A universal patching machine is used to provide network-based security for a data network. The universal patching machine may be implemented on a network appliance located at the edge of the data network. From this location, the universal patching machine intercepts data traffic between the internet and the data network. The universal patching machine examines the intercepted data traffic to detect security vulnerabilities. If a vulnerability violation is detected, the universal patching machine modifies the data traffic to remove the violation. Fixing the data traffic in this way ensures that the vulnerability cannot be exploited in an attack against the data network. The universal patching machine is formed from patch processors and a packet controller. The patch processors are formed from network patches. In operation, the patch processors detect vulnerabilities and issue modification commands that direct the packet controller to fix the data traffic.
47 Citations
1 Claim
-
1. A method for protecting a computer system using a universal patching machine rather than protecting a computer system by exclusively applying vendor-provided security patches to the computer system to produce a vendor-patched system, wherein when input data is applied to the vendor-patched computer system, a resulting output and state for the vendor-patched computer system are produced, wherein the input data is data traffic flowing between a communications network and the computer system, wherein the output is the resulting output data traffic produced by the computer system in response to its current state and the input data, and wherein the state is the state of the software in the computer system, the method comprising:
-
attempting to generate a conversion function for the universal patching machine that modifies input data to the computer system by performing a character replacement so that the computer system has an output and state that exactly match the output and state of the vendor-patched computer system in response to the input data before modification; if it is not possible to generate the conversion function that modifies the input data so that the output and state of the computer system exactly match the output and state of the vendor-patched computer system, attempting to generate a conversion function that modifies the input data to the computer system by rate limiting the input data so that the computer system has a state that exactly matches the state of the vendor-patched computer in response to the input data before modification and that has an output that approximately matches the output of the vendor-patched computer in response to the input data before modification; if it is not possible to generate a conversion function that modifies the input data so that the state of the computer system exactly matches the state of the vendor-patched computer system and so that the output of the computer system approximately matches the output of the vendor-patched computer system, generating a conversion function that modifies input data to the computer system so that the computer system has a state and output that approximately match the state and output of the vendor-patched computer in response to the input data before modification; and using the conversion function in the universal patching machine to protect the computer system.
-
Specification