Client health validation using historical data

US 7,720,965 B2
Filed: 04/23/2007
Issued: 05/18/2010
Est. Priority Date: 04/23/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

using a vulnerability assessment agent comprising a processing device, detecting a client device attempting to regain access to an organization'"'"'s network, wherein the vulnerability assessment agent resides on an enterprise network;

scanning historical data associated with the client device attempting to regain access to the organization'"'"'s network for indicators that the client device has interacted with one or more sources from networks other than the organization'"'"'s network;

reviewing the historical data for indicators associated with suspicious activity between the client device and the one or more sources from other networks, wherein the scanning is performed by the processing device on the enterprise network as the client device is attempting to regain access to the organization'"'"'s network;

using a scanning result to investigate for an ingress pattern of a malicious agent interacting between the client device and the one or more sources from other networks;

using the scanning result to investigate for an egress of the malicious agent from the client device to other devices;

utilizing the ingress and egress patterns of the malicious agent to discover propagation characteristics of the malicious agent;

using propagation characteristics of the malicious agent to ameliorate the propagation of the malicious agent by blocking possible oaths of communication that the malicious agent can be expected to use to further propagate;

evaluating the client device to determine whether the client device has acceptable health, the client device being determined to have acceptable health if evidence in the historical data indicates interactions between the client device and the one or more sources from networks other than the organization'"'"'s network is below a threshold at which future health of the client device and the organization'"'"'s network could be at risk, wherein the threshold is established in a risk policy that is set automatically by the vulnerability assessment agent;

instigating remedial action if the historical data includes indicators associated with suspicious activity and the threshold for interactivity has been exceeded; and

allowing the client device to access the organization'"'"'s network if the historical data does not include indicators associated with suspicious activity, or if the client device is determined to have acceptable health.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Implementations of client health validation using historical data are described. In one implementation, historical data on a client, such as a laptop, attempting to access a network is scanned. The historical data can come in many forms, including cookies and application data caches saved on the client. The historical data can be used to assess a health of the client. For example, if historical data stored in an application data cache indicates interactions between the client and a website known to disseminate malicious agents, the client can be assessed to have unacceptable health. Alternately, if the historical data indicates that the client has not interacted with enough suspicious sources to constitute a danger to the network, the client can be assessed to have acceptable health. In such a case, the client can be allowed to access the network.

Citations

20 Claims

1. A method comprising:
- using a vulnerability assessment agent comprising a processing device, detecting a client device attempting to regain access to an organization'"'"'s network, wherein the vulnerability assessment agent resides on an enterprise network;
  
  scanning historical data associated with the client device attempting to regain access to the organization'"'"'s network for indicators that the client device has interacted with one or more sources from networks other than the organization'"'"'s network;
  
  reviewing the historical data for indicators associated with suspicious activity between the client device and the one or more sources from other networks, wherein the scanning is performed by the processing device on the enterprise network as the client device is attempting to regain access to the organization'"'"'s network;
  
  using a scanning result to investigate for an ingress pattern of a malicious agent interacting between the client device and the one or more sources from other networks;
  
  using the scanning result to investigate for an egress of the malicious agent from the client device to other devices;
  
  utilizing the ingress and egress patterns of the malicious agent to discover propagation characteristics of the malicious agent;
  
  using propagation characteristics of the malicious agent to ameliorate the propagation of the malicious agent by blocking possible oaths of communication that the malicious agent can be expected to use to further propagate;
  
  evaluating the client device to determine whether the client device has acceptable health, the client device being determined to have acceptable health if evidence in the historical data indicates interactions between the client device and the one or more sources from networks other than the organization'"'"'s network is below a threshold at which future health of the client device and the organization'"'"'s network could be at risk, wherein the threshold is established in a risk policy that is set automatically by the vulnerability assessment agent;
  
  instigating remedial action if the historical data includes indicators associated with suspicious activity and the threshold for interactivity has been exceeded; and
  
  allowing the client device to access the organization'"'"'s network if the historical data does not include indicators associated with suspicious activity, or if the client device is determined to have acceptable health.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein scanning includes one or more of:
    - scanning application data caches on the client device;
      
      scanning logs on the client device;
      
      scanning cookies on the client device.
  - 3. The method of claim 1, wherein reviewing includes scanning the historical data for indicators that the client device has interacted with one or more sources from the other networks included on a blacklist.
  - 4. The method of claim 1, wherein reviewing includes scanning for inconsistencies between the historical data and data associated with activity of the client device stored on one or more edge servers used by the client device to interact with one or more sources from the other networks.
  - 5. The method of claim 1, wherein instigating includes quarantining the client device from the organization'"'"'s network.
  - 6. The method of claim 1, wherein instigating includes marking the client device as suspicious.
  - 7. The method of claim 1, wherein instigation instigating includes performing a deep scan on the client device.
  - 8. The method of claim 1, wherein instigating includes processing the client device to remove any malicious agents and/or any effects of malicious agents on the client device.

9. A computer-readable storage medium having a set of computer-readable instructions residing thereon that, when executed by a computer, perform acts comprising:
- using a vulnerability assessment agent comprising a processing device, detecting a client device attempting to regain access to an organization'"'"'s network, wherein the vulnerability assessment agent resides on the organization'"'"'s network;
  
  scanning historical data on a client device, wherein the scanning is performed by a processing device, as the client device is attempting to regain access to the organization'"'"'s network for indicators that the client device has interacted with one or more sources from networks other than the organization'"'"'s network;
  
  reviewing the historical data for indicators associated with suspicious activity between the client device and the one or more sources from other networks;
  
  using a scanning result to investigate an ingress pattern of a malicious agent interacting between the client device and the one or more sources from other networks;
  
  using a separate scanning result to investigate an egress of the malicious agent from the client device to other devices;
  
  evaluating the client device to determine whether the client device has acceptable health, the client device being determined to have acceptable health if evidence in the historical data indicates interactions between the client device and the one or more sources from networks other than the organization'"'"'s network is below a threshold at which future health of the client device and the organization'"'"'s network could be at risk, the threshold being established in a risk policy that is set automatically by the vulnerability assessment agent;
  
  instigating remedial action if the historical data includes indicators associated with suspicious activity and the threshold for interactivity has been exceeded;
  
  issuing a health certificate to the client if the health of the client is acceptable; and
  
  allowing the client device to access the organization'"'"'s network if the historical data does not include indicators associated with suspicious activity, and if the client device is determined to have acceptable health.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The computer-readable storage medium of claim 9 having a set of computer-readable instructions that, when executed by the computer, perform acts further comprising scanning historical data in application data caches on the client device.
  - 11. The computer-readable storage medium of claim 9 having a set of computer-readable instructions that, when executed by the computer, perform acts further comprising marking the client device as having unacceptable health if the historical data indicates one or more interactions conflicting with a preset policy.
  - 12. The computer-readable storage medium of claim 11 having a set of computer-readable instructions that, when executed by the computer, perform acts further comprising alerting a network administrator that the client device has unacceptable health, and presenting the network administrator with an option to deny the client device access to the organization'"'"'s network.
  - 13. The computer-readable storage medium of claim 11 having a set of computer-readable instructions that, when executed by the computer, perform acts further comprising marking the client device as having unacceptable health if the historical data indicates one or more interactions with a blacklisted source.

14. An apparatus comprising:
- one or more processing devices;
  
  a vulnerability assessment agent operable by the one or more processing devices configured to;
  
  scan historical data on a client device that is attempting to regain access to a corporate network for indicators that the client device has interacted with one or more sources from networks other than the corporate network;
  
  review the historical data for indicators associated with suspicious activity between the client device and the one or more sources from other networks;
  
  use a scanning result to investigate an ingress for a malicious agent interacting between the client device and the one or more sources from other networks;
  
  use the scanning result to investigate an egress of the malicious agent from the client device to other devices;
  
  utilize the ingress and egress of the malicious agent to discover propagation characteristics of the malicious agent;
  
  use propagation characteristics of the malicious agent to ameliorate the propagation of the malicious agent by blocking possible paths of communication that the malicious agent can be expected to use to further propagate;
  
  evaluate the client device to determine whether the client device has acceptable health, the client device being determined to have acceptable health if evidence in the historical data indicates interactions between the client device and the one or more sources from networks other than the organization'"'"'s network is below a threshold at which future health of the client device and the organization'"'"'s network could be at risk, the threshold being established in a risk policy that is set automatically by the vulnerability assessment agent;
  
  instigate remedial action if the historical data includes indicators associated with suspicious activity and the threshold for interactivity has been exceeded; and
  
  generate assessment of acceptable health of the client if no indicators associated with suspicious activity are found in the historical data, the assessment of acceptable health can be utilized by a system health validation agent to grant a health certificate to the client device, the health certificate being configured to allow the client device to access the corporate network.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The apparatus of claim 14, wherein the vulnerability assessment agent resides on the client device.
  - 16. The apparatus of claim 14, wherein the vulnerability assessment agent is further configured to recognize indicators associated with suspicious activity based on definitions of indicators associated with suspicious activity found in a preset policy.
  - 17. The apparatus of claim 14, wherein indicators associated with suspicious activity include at least one of:
    - data indicating contact with a blacklisted source;
      
      data indicating contact with one or more suspicious sources;
      
      data indicating disagreement between the historical data on the client device and data on one or more edge servers.
  - 18. The apparatus of claim 14, wherein the vulnerability assessment agent is further configured to generate an assessment of unacceptable health of the client device if indicators associated with suspicious activity are found in the historical data.
  - 19. The apparatus of claim 18, wherein the vulnerability assessment agent is further configured to mark the client device as quarantineable if the client device has a high probability of being infected with malicious agents.
  - 20. The apparatus of claim 18, wherein the vulnerability assessment agent is further configured to perform a deep scan on the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kaditz, Jeffrey, Kachachi, Bashar J, Soderberg, Joel M.
Primary Examiner(s)
Nguyen; Thu Ha T

Application Number

US11/738,898
Publication Number

US 20080263677A1
Time in Patent Office

1,121 Days
Field of Search

709/223, 709/224, 709/225, 370/252, 714/39, 713/183, 702/183, 702/186
US Class Current

709/224
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/104   Grouping of entities

Client health validation using historical data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Client health validation using historical data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links