Client health validation using historical data
First Claim
1. A method comprising:
using a vulnerability assessment agent comprising a processing device, detecting a client device attempting to regain access to an organization's network, wherein the vulnerability assessment agent resides on an enterprise network;
scanning historical data associated with the client device attempting to regain access to the organization's network for indicators that the client device has interacted with one or more sources from networks other than the organization's network;
reviewing the historical data for indicators associated with suspicious activity between the client device and the one or more sources from other networks, wherein the scanning is performed by the processing device on the enterprise network as the client device is attempting to regain access to the organization's network;
using a scanning result to investigate for an ingress pattern of a malicious agent interacting between the client device and the one or more sources from other networks;
using the scanning result to investigate for an egress of the malicious agent from the client device to other devices;
utilizing the ingress and egress patterns of the malicious agent to discover propagation characteristics of the malicious agent;
using propagation characteristics of the malicious agent to ameliorate the propagation of the malicious agent by blocking possible paths of communication that the malicious agent can be expected to use to further propagate;
evaluating the client device to determine whether the client device has acceptable health, the client device being determined to have acceptable health if evidence in the historical data indicates interactions between the client device and the one or more sources from networks other than the organization's network is below a threshold at which future health of the client device and the organization's network could be at risk, wherein the threshold is established in a risk policy that is set automatically by the vulnerability assessment agent;
instigating remedial action if the historical data includes indicators associated with suspicious activity and the threshold for interactivity has been exceeded; and
allowing the client device to access the organization's network if the historical data does not include indicators associated with suspicious activity, or if the client device is determined to have acceptable health.
Abstract
Implementations of client health validation using historical data are described. In one implementation, historical data on a client, such as a laptop, attempting to access a network is scanned. The historical data can come in many forms, including cookies and application data caches saved on the client. The historical data can be used to assess a health of the client. For example, if historical data stored in an application data cache indicates interactions between the client and a website known to disseminate malicious agents, the client can be assessed to have unacceptable health. Alternately, if the historical data indicates that the client has not interacted with enough suspicious sources to constitute a danger to the network, the client can be assessed to have acceptable health. In such a case, the client can be allowed to access the network.
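The procedure the abstract describes (scan the client's cookies and application-cache entries for sources outside the organization, count interactions with sources known to disseminate malicious agents, compare that count with a risk-policy threshold, and either remediate or grant access) can be written out as a small health validator. The following is an added worked example, not code from the patent or its assignee. The threat list `KNOWN_BAD_HOSTS`, the organization host list, the signing key, the record format and `SAMPLE_HISTORY` are all constructed for illustration; the HMAC-signed "health certificate" stands in for whatever credential a system health validation agent would actually issue.

```python
"""Client health validation from historical data (added illustrative example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Placeholder list of hosts known to disseminate malicious agents
# (constructed for this example, not real indicators).
KNOWN_BAD_HOSTS = {"malware-drop.example", "phish-kit.example"}

# Hosts on the organization's own network. Interactions with these are not
# counted, because only sources from other networks are considered.
ORGANIZATION_HOSTS = {"intranet.corp.example", "mail.corp.example"}

# Key the (hypothetical) health validation agent uses to sign certificates.
CERT_SIGNING_KEY = b"example-health-validator-key"


@dataclass(frozen=True)
class RiskPolicy:
    """Suspicious-interaction count at or above which future health of the
    client and the network is considered at risk."""
    suspicious_threshold: int = 1


@dataclass(frozen=True)
class HealthAssessment:
    client_id: str
    suspicious_hosts: List[str]   # distinct known-bad sources found in the history
    suspicious_count: int         # number of interactions with those sources
    acceptable: bool
    action: str                   # "allow" or "remediate"


def extract_hosts(history: List[Dict[str, str]]) -> List[str]:
    """Turn raw cookie and application-cache entries into remote host names."""
    hosts = []
    for entry in history:
        if entry["kind"] == "cookie":
            host = entry["domain"].lstrip(".")
        elif entry["kind"] == "app_cache":
            host = urlparse(entry["url"]).hostname or ""
        else:
            continue                  # unknown record types are ignored
        if host:
            hosts.append(host.lower())
    return hosts


def assess_client(client_id: str, history: List[Dict[str, str]],
                  policy: RiskPolicy) -> HealthAssessment:
    """Scan the client's historical data and decide whether its health is acceptable."""
    outside = [h for h in extract_hosts(history) if h not in ORGANIZATION_HOSTS]
    suspicious = [h for h in outside if h in KNOWN_BAD_HOSTS]
    count = len(suspicious)
    # Acceptable health: suspicious interactions stay below the policy threshold.
    acceptable = count < policy.suspicious_threshold
    # Remedial action only when indicators exist AND the threshold is reached;
    # otherwise the client is allowed onto the network.
    action = "remediate" if (suspicious and not acceptable) else "allow"
    return HealthAssessment(client_id, sorted(set(suspicious)), count, acceptable, action)


def issue_health_certificate(assessment: HealthAssessment) -> Optional[str]:
    """Return a signed certificate for a client with acceptable health, else None."""
    if not assessment.acceptable:
        return None
    payload = json.dumps({"client_id": assessment.client_id, "health": "acceptable"},
                         sort_keys=True, separators=(",", ":"))
    tag = hmac.new(CERT_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_health_certificate(cert: str) -> bool:
    """Network access control checks the signature before granting access."""
    payload, _, tag = cert.rpartition(".")
    expected = hmac.new(CERT_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


# Constructed historical data for one laptop: two cookies and two cache entries,
# one of which points at a known-bad source.
SAMPLE_HISTORY = [
    {"kind": "cookie", "domain": ".intranet.corp.example"},
    {"kind": "cookie", "domain": "news.example.net"},
    {"kind": "app_cache", "url": "https://malware-drop.example/payload.js"},
    {"kind": "app_cache", "url": "https://cdn.example.net/lib.js"},
]

if __name__ == "__main__":
    for threshold in (1, 3):
        result = assess_client("laptop-17", SAMPLE_HISTORY, RiskPolicy(threshold))
        print(threshold, result.action, issue_health_certificate(result))
```

With the default threshold of 1, the single interaction with `malware-drop.example` is enough to mark the client unhealthy and trigger remediation, matching the abstract's first example; a policy with a higher threshold treats the same history as acceptable and issues a certificate, matching the second. The organization's own hosts are filtered out before counting, so intranet traffic never contributes to the score.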
20 Claims
9. A computer-readable storage medium having a set of computer-readable instructions residing thereon that, when executed by a computer, perform acts comprising:
using a vulnerability assessment agent comprising a processing device, detecting a client device attempting to regain access to an organization's network, wherein the vulnerability assessment agent resides on the organization's network;
scanning historical data on a client device, wherein the scanning is performed by a processing device, as the client device is attempting to regain access to the organization's network for indicators that the client device has interacted with one or more sources from networks other than the organization's network;
reviewing the historical data for indicators associated with suspicious activity between the client device and the one or more sources from other networks;
using a scanning result to investigate an ingress pattern of a malicious agent interacting between the client device and the one or more sources from other networks;
using a separate scanning result to investigate an egress of the malicious agent from the client device to other devices;
evaluating the client device to determine whether the client device has acceptable health, the client device being determined to have acceptable health if evidence in the historical data indicates interactions between the client device and the one or more sources from networks other than the organization's network is below a threshold at which future health of the client device and the organization's network could be at risk, the threshold being established in a risk policy that is set automatically by the vulnerability assessment agent;
instigating remedial action if the historical data includes indicators associated with suspicious activity and the threshold for interactivity has been exceeded;
issuing a health certificate to the client if the health of the client is acceptable; and
allowing the client device to access the organization's network if the historical data does not include indicators associated with suspicious activity, and if the client device is determined to have acceptable health.
14. An apparatus comprising:
one or more processing devices;
a vulnerability assessment agent operable by the one or more processing devices configured to:
scan historical data on a client device that is attempting to regain access to a corporate network for indicators that the client device has interacted with one or more sources from networks other than the corporate network;
review the historical data for indicators associated with suspicious activity between the client device and the one or more sources from other networks;
use a scanning result to investigate an ingress for a malicious agent interacting between the client device and the one or more sources from other networks;
use the scanning result to investigate an egress of the malicious agent from the client device to other devices;
utilize the ingress and egress of the malicious agent to discover propagation characteristics of the malicious agent;
use propagation characteristics of the malicious agent to ameliorate the propagation of the malicious agent by blocking possible paths of communication that the malicious agent can be expected to use to further propagate;
evaluate the client device to determine whether the client device has acceptable health, the client device being determined to have acceptable health if evidence in the historical data indicates interactions between the client device and the one or more sources from networks other than the organization's network is below a threshold at which future health of the client device and the organization's network could be at risk, the threshold being established in a risk policy that is set automatically by the vulnerability assessment agent;
instigate remedial action if the historical data includes indicators associated with suspicious activity and the threshold for interactivity has been exceeded; and
generate an assessment of acceptable health of the client if no indicators associated with suspicious activity are found in the historical data, the assessment of acceptable health being usable by a system health validation agent to grant a health certificate to the client device, the health certificate being configured to allow the client device to access the corporate network.