Uniquely identifying attacked assets

US 8,392,998 B1
Filed: 11/30/2009
Issued: 03/05/2013
Est. Priority Date: 11/30/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

maintaining, by at least one data processing apparatus, asset data for each asset in a system of assets, each of the assets being identified by a corresponding unique identifier and at least one non-unique identifier, wherein each non-unique identifier can be shared with at least one other asset in the system of assets and each unique identifier is unique within the system of assets;

maintaining, by at least one data processing apparatus, protection data for each of a plurality of sensors, wherein the protection data for each sensor associates one or more assets in the system of assets to a corresponding sensor by mapping an identifier for the corresponding sensor to each unique identifier of the assets associated with the corresponding sensor;

receiving, at least one data processing apparatus, attack data specifying a plurality of attacks detected by sensors in the plurality of sensors as attacks on assets in the system of assets, wherein the attack data specifies, for each attack, an identification of the attack, an identification of the sensor that detected the attack, and the non-unique identifier of the asset that was attacked;

determining, by at least one data processing apparatus, for a particular one of the plurality of attacks detected by a particular one of the plurality of sensors as an attack on a particular one of the system of assets, the unique identifier of the particular asset, the determining including;

identifying the non-unique identifier of the particular asset and the particular sensor from the attack data;

identifying, from the protection data of the identified particular sensor, the unique identifiers of the assets associated with the particular sensor;

determining, from the asset data, that a particular unique identifier in the identified unique identifiers is mapped to the identified non-unique identifier of the particular asset; and

determining that the particular unique identifier is the unique identifier of the particular asset; and

updating a risk categorization for the particular asset to account for the determined particular attack on the particular asset.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for uniquely identifying attacked assets. One method includes maintaining asset data mapping unique asset identifiers to non-unique asset identifiers and maintaining protection data mapping identifiers of sensors to unique identifiers of assets protected by the sensor. Attack data specifying attacks on particular assets is received. The unique identifier of each asset attacked is determined from the attack data, the protection data and the asset data.

26 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- maintaining, by at least one data processing apparatus, asset data for each asset in a system of assets, each of the assets being identified by a corresponding unique identifier and at least one non-unique identifier, wherein each non-unique identifier can be shared with at least one other asset in the system of assets and each unique identifier is unique within the system of assets;
  
  maintaining, by at least one data processing apparatus, protection data for each of a plurality of sensors, wherein the protection data for each sensor associates one or more assets in the system of assets to a corresponding sensor by mapping an identifier for the corresponding sensor to each unique identifier of the assets associated with the corresponding sensor;
  
  receiving, at least one data processing apparatus, attack data specifying a plurality of attacks detected by sensors in the plurality of sensors as attacks on assets in the system of assets, wherein the attack data specifies, for each attack, an identification of the attack, an identification of the sensor that detected the attack, and the non-unique identifier of the asset that was attacked;
  
  determining, by at least one data processing apparatus, for a particular one of the plurality of attacks detected by a particular one of the plurality of sensors as an attack on a particular one of the system of assets, the unique identifier of the particular asset, the determining including;
  
  identifying the non-unique identifier of the particular asset and the particular sensor from the attack data;
  
  identifying, from the protection data of the identified particular sensor, the unique identifiers of the assets associated with the particular sensor;
  
  determining, from the asset data, that a particular unique identifier in the identified unique identifiers is mapped to the identified non-unique identifier of the particular asset; and
  
  determining that the particular unique identifier is the unique identifier of the particular asset; and
  
  updating a risk categorization for the particular asset to account for the determined particular attack on the particular asset.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the protection data is generated from user input, received through a user interface, specifying associations between sensors and assets.
  - 3. The method of claim 1, wherein the protection data for a sensor is based at least in part on one or more alerts received from the sensor, wherein each alert corresponds to an attack on at least one of the system of assets.
  - 4. The method of claim 1, wherein a unique identifier of an asset includes a Media Access Control (MAC) address of the asset.
  - 5. The method of claim 1, wherein a non-unique identifier of an asset includes an internet protocol address of the asset.
  - 6. The method of claim 1, further comprising generating a respective alert for each attack specified in the attack data, wherein the alert for each attack specifies the attack and the unique identifier of the respective attacked asset.
  - 7. The method of claim 1, further comprising:
    - maintaining a respective risk categorization for each asset in the system of assets for each of a plurality of potential attacks on the asset, wherein each risk categorization is indexed by the unique identifier of the corresponding asset and calculated based at least in part on detected attacks on assets determined to have the unique identifier of the corresponding asset.

8. A system comprising:
- a processor; and
  
  a computer storage medium coupled to the processor and including instructions, which, when executed by the processor, causes the processor to perform operations comprising;
  
  maintaining asset data for each asset in a system of assets, each of the assets being identified by a corresponding unique identifier, the asset data mapping the unique identifier and at least one non-unique identifier, wherein each non-unique identifier can be shared with at least one other asset in the system of assets and each unique identifier is unique within the system of assets;
  
  maintaining protection data for each of a plurality of sensors, wherein the protection data for each sensor associates one or more assets in the system of assets to a corresponding sensor by mapping an identifier for the corresponding sensor to each unique identifier of the assets associated with the corresponding sensor;
  
  receiving attack data specifying a plurality of attacks detected by sensors in the plurality of sensors as attacks on assets in the system of assets, wherein the attack data specifies, for each attack, an identification of the attack, an identification of the sensor that detected the attack, and the non-unique identifier of the asset that was attacked;
  
  determining, for a particular one of the plurality of attacks detected by a particular one of the plurality of sensors as an attack on a particular one of the system of assets, the unique identifier of the particular asset, the determining including;
  
  identifying the non-unique identifier of the particular asset and the particular sensor from the attack data;
  
  identifying, from the protection data of the identified particular sensor, the unique identifiers of the assets associated with the particular sensor;
  
  determining, from the asset data, that a particular unique identifier in the identified unique identifiers is mapped to the identified non-unique identifier of the particular asset; and
  
  determining that the particular unique identifier is the unique identifier of the particular asset; and
  
  updating a risk categorization for the particular asset to account for the determined particular attack on the particular asset.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the protection data is generated from user input, received through a user interface, specifying associations between sensors and assets.
  - 10. The system of claim 8, wherein the protection data for a sensor is based at least in part on one or more alerts received from the sensor, wherein each alert corresponds to an attack on at least one of the system of assets.
  - 11. The system of claim 8, wherein a unique identifier of an asset includes a MAC address of the asset.
  - 12. The system of claim 8, wherein a non-unique identifier of an asset includes an internet protocol address of the asset.
  - 13. The system of claim 8, further operable to perform operations comprising generating a respective alert for each attack specified in the attack data, wherein the alert for each attack specifies the attack and the unique identifier of the respective attacked asset.
  - 14. The system of claim 8, further operable to perform operations comprising:
    - maintaining a respective risk categorization for each asset in the system of assets for each of a plurality of potential attacks on the asset, wherein each risk categorization is indexed by the unique identifier of the corresponding asset and calculated based at least in part on detected attacks on assets determined to have the unique identifier of the corresponding asset.

15. A non-transitory computer-storage medium encoded with a computer program including instructions operable to cause at least one data processing apparatus to perform operations comprising:
- maintaining asset data for each asset in a system of assets, each of the assets being identified by a corresponding unique identifier, the asset data mapping the unique identifier and at least one non-unique identifier, wherein each non-unique identifier can be shared with at least one other asset in the system of assets and each unique identifier is unique within the system of assets;
  
  maintaining protection data for each of a plurality of sensors, wherein the protection data for each sensor associates one or more assets in the system of assets to a corresponding sensor by mapping an identifier for the corresponding sensor to each unique identifier of the assets associated with the corresponding sensor;
  
  receiving attack data specifying a plurality of attacks detected by sensors in the plurality of sensors as attacks on assets in the system of assets, wherein the attack data specifies, for each attack, an identification of the attack, an identification of the sensor that detected the attack, and the non-unique identifier of the asset that was attacked;
  
  determining, for a particular one of the plurality of attacks detected by a particular one of the plurality of sensors as an attack on a particular one of the system of assets, the unique identifier of the particular asset, the determining including;
  
  identifying the non-unique identifier of the particular asset and the particular sensor from the attack data;
  
  identifying, from the protection data of the identified particular sensor, the unique identifiers of the assets associated with the particular sensor;
  
  determining, from the asset data, that a particular unique identifier in the identified unique identifiers is mapped to the identified non-unique identifier of the particular asset; and
  
  determining that the particular unique identifier is the unique identifier of the particular asset; and
  
  updating a risk categorization for the particular asset to account for the determined particular attack on the particular asset.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory storage medium of claim 15, wherein the protection data is generated from user input, received through a user interface, specifying associations between sensors and assets.
  - 17. The non-transitory storage medium of claim 15, wherein the protection data for a sensor is based at least in part on one or more alerts received from the sensor, wherein each alert corresponds to an attack on at least one of the system of assets.
  - 18. The non-transitory storage medium of claim 15, wherein a non-unique identifier of an asset includes an internet protocol address of the asset and a unique identifier of the asset includes a MAC address of the asset.
  - 19. The non-transitory storage medium of claim 15, further operable to perform operations comprising generating a respective alert for each attack specified in the attack data, wherein the alert for each attack specifies the attack and the unique identifier of the respective attacked asset.
  - 20. The non-transitory storage medium of claim 15, further operable to perform operations comprising:
    - maintaining a respective risk categorization for each asset in the system of assets for each of a plurality of potential attacks on the asset, wherein each risk categorization is indexed by the unique identifier of the corresponding asset and calculated based at least in part on detected attacks on assets determined to have the unique identifier of the corresponding asset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Schrecker, Sven, Nakawatase, Ryan
Primary Examiner(s)
Truong, Thanhnga B
Assistant Examiner(s)
CHANG, KENNETH W

Application Number

US12/627,802
Time in Patent Office

1,191 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

Uniquely identifying attacked assets

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Uniquely identifying attacked assets

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links