Method and system for security maintenance in a network

US 8,112,521 B2
Filed: 02/25/2010
Issued: 02/07/2012
Est. Priority Date: 02/25/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

issuing a communication associated with one or more programs to one or more devices in a network;

detecting a response to the communication from each of the one or more devices;

detecting an event logger message from an event logger when the one or more devices sends an event logger event message to the event logger in response to the communication;

analyzing, by a hardware processor, the response and the event logger message;

identifying a threat response when at least one of the detected response represents one of an unexpected response or a response time-out indicating a lack of response from the one or more devices, or the event logger message reports an event;

determining a network vulnerability based on identification of the threat response;

sending a follow-up communication to the one or more devices returning the threat response;

detecting a follow-up response from each of the one or more devices returning the threat response; and

analyzing the follow-up response to determine a network threat condition resulting in the threat response.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for monitoring a network and detecting network vulnerabilities is provided. A communication associated with one or more programs is issued to one or more devices in a network and the response from the devices is detected and analyzed. Based on the analysis, a device response is identified as a threat response if it represents at least an alert, an unexpected response or a response time-out indicating that the device did not response to the communication. The vulnerability of the network is determined based on the threat responses of the devices.

21 Citations

View as Search Results

17 Claims

1. A method, comprising:
- issuing a communication associated with one or more programs to one or more devices in a network;
  
  detecting a response to the communication from each of the one or more devices;
  
  detecting an event logger message from an event logger when the one or more devices sends an event logger event message to the event logger in response to the communication;
  
  analyzing, by a hardware processor, the response and the event logger message;
  
  identifying a threat response when at least one of the detected response represents one of an unexpected response or a response time-out indicating a lack of response from the one or more devices, or the event logger message reports an event;
  
  determining a network vulnerability based on identification of the threat response;
  
  sending a follow-up communication to the one or more devices returning the threat response;
  
  detecting a follow-up response from each of the one or more devices returning the threat response; and
  
  analyzing the follow-up response to determine a network threat condition resulting in the threat response.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - detecting an initiation event; and
      
      initiating the issuance of the communication to the one or more devices when the initiation event is detected.
  - 3. The method of claim 1, further comprising:
    - sending a delegation communication from a master device in the network to one or more delegate devices in the network to process at least a portion of the one or more programs.
  - 4. The method of claim 1, further comprising:
    - for each of the one more devices, generating a device alert when the threat response represents a device failure for the one or more programs.
  - 5. The method of claim 1, further comprising:
    - running the one or more programs on an emulator device, comprising;
      
      issuing the communication associated with one or more monitoring programs to the emulator device;
      
      detecting an emulator response to the communication from the emulator device;
      
      identifying the emulator response as an emulator threat response when the response represents one of an alert, an unexpected response, or a response time-out indicating a lack of response; and
      
      determining a vulnerability of the emulator device based on identification of the threat response.
  - 6. The method of claim 5, further comprising:
    - running the one or more programs on the emulator device simultaneously with issuing the communication to the one or more devices.
  - 7. The method of claim 1, further comprising:
    - running the one or more programs on the emulator device prior to issuing the communication to the one or more devices in the network.

8. A non-transitory computer-readable medium comprising computer-readable instructions of a computer program that, when executed by a processor, cause the processor to perform a method, the method comprising:
- issuing a communication associated with one or more programs to one or more devices in a network;
  
  detecting a response to the communication from each of the one or more devices;
  
  detecting an event logger message from an event logger when the one or more devices sends an event logger event message to the event logger in response to the communication;
  
  analyzing, by a hardware processor, the response and the event logger message;
  
  identifying a threat response when at least one of the detected response represents one of an unexpected response or a response time-out indicating a lack of response from the one or more devices, or the event logger message reports an event; and
  
  determining a network vulnerability based on identification of the threat response;
  
  sending a follow-up communication to the one or more devices returning the threat response;
  
  detecting a follow-up response from each of the one or more devices returning the threat response; and
  
  analyzing the follow-up response to determine a network threat condition resulting in the threat response.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8, wherein the method further comprises:
    - detecting an initiation event; and
      
      initiating the issuance of the communication to the one or more devices when the initiation event is detected.
  - 10. The non-transitory computer-readable medium of claim 8, the method further comprising:
    - sending a delegation communication from a master device in the network to one or more delegate devices in the network to process at least a portion of the one or more programs.
  - 11. The non-transitory computer-readable medium of claim 8, the method further comprising:
    - for each of the one more devices, generating a device alert when the threat response represents a device failure for the one or more programs.
  - 12. The non-transitory computer-readable medium of claim 8, the method further comprising:
    - running the one or more programs on an emulator device, comprising;
      
      issuing the communication associated with one or more monitoring programs to the emulator device;
      
      detecting an emulator response to the communication from the emulator device;
      
      identifying the emulator response as an emulator threat response when the response represents one of an alert, an unexpected response, or a response time-out indicating a lack of response; and
      
      determining a vulnerability of the emulator device based on identification of the threat response.
  - 13. The non-transitory computer-readable medium of claim 12, the method further comprising:
    - running the one or more programs on the emulator device simultaneously with issuing the communication to the one or more devices.
  - 14. The non-transitory computer-readable medium of claim 13, the method further comprising:
    - running the one or more programs on the emulator device prior to issuing the communication to the one or more devices.

15. A system, comprising:
- a coordinator device, being a hardware processor, connected to a network;
  
  a program database coupled to the coordinator device for storing programs; and
  
  a threat response database coupled to the coordinator device for storing threat responses associated with devices connected to the network;
  
  wherein the coordinator device comprises a coordinator module configured to;
  
  issue a communication associated with one or more programs to one or more devices in a network;
  
  detect a response to the communication from each of the one or more devices;
  
  detect an event logger message from an event logger when the one or more devices sends an event logger event message to the event logger in response to the communication;
  
  analyze, by a hardware processor, the response and the event logger message;
  
  identify a threat response when at least one of the detected response represents one of an unexpected response or a response time-out indicating a lack of response from the one or more devices, or the event logger message reports an event; and
  
  determine a network vulnerability based on identification of the threat response;
  
  send a follow-up communication to the one or more devices returning the threat response;
  
  detect a follow-up response from each of the one or more devices returning the threat response; and
  
  analyze the follow-up response to determine a network threat condition resulting in the threat response.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, further comprising:
    - an emulator device coupled to the coordinator device, wherein the emulator device emulates the one or more devices on the network.
  - 17. The system of claim 15, further comprising:
    - delegate devices connected to the network for performing at least a portion of the programs on the one or more devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
General Electric Company
Original Assignee
General Electric Company
Inventors
Barnett, Bruce Gordon, Hershey, John Erik, Thanos, Daniel
Primary Examiner(s)
Patel, Haresh N

Application Number

US12/712,831
Publication Number

US 20110208849A1
Time in Patent Office

712 Days
Field of Search

709217-228, 726/22, 713/153, 340/541, 340/547, 340/531
US Class Current

709/224
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1433 Vulnerability analysis

Method and system for security maintenance in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for security maintenance in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links