Method for administration of computer security threat countermeasures to a computer system

US 9,208,321 B2
Filed: 05/07/2008
Issued: 12/08/2015
Est. Priority Date: 07/22/2003
Status: Active Grant

First Claim

Patent Images

1. A method of administering a countermeasure for a computer security threat to a target computer system, comprising:

receiving at a computer system a notification of a computer security threat;

encoding at the computer system information of the computer security threat into a threat management vector (TMV) that includes an identification of an affected operating system that is affected by the computer security threat, an identification of an affected operating system release level for the affected operating system, and an identification of one or more countermeasures for the affected operating system and the affected operating system release level;

transmitting the TMV from the computer system to a plurality of target computer systems;

receiving the TMV at a target computer system in the plurality of target computer systems;

processing at the target computer system the one or more countermeasures identified in the TMV that correspond to an operating system and operating system release level of the target computer system; and

mutating the TMV by extracting from the TMV a system vector that identifies the affected operating system, augmenting a system level vector referenced by the system vector with an instance identifier that identifies the target computer system, replacing a reference to a countermeasure in the system level vector with a reference to a vulnerability vector that identifies a vulnerability of the affected operating system, and augmenting the vulnerability vector with a reference to the countermeasure.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A countermeasure for a computer security threat to a computer system is administered by establishing a baseline identification of an operating or application system type and an operating or application system release level for the computer system that is compatible with a Threat Management Vector (TMV). A TMV is then received, including therein a first field that provides identification of at least one operating system type that is affected by a computer security threat, a second field that provides identification of an operating system release level for the operating system type, and a third field that provides identification of a set of possible countermeasures for an operating system type and an operating system release level. Countermeasures that are identified in the TMV are processed if the TMV identifies the operating system type and operating system release level for the computer system as being affected by the computer security threat. The received TMV may be mutated to a format for processing of the countermeasure.

30 Citations

View as Search Results

14 Claims

1. A method of administering a countermeasure for a computer security threat to a target computer system, comprising:
- receiving at a computer system a notification of a computer security threat;
  
  encoding at the computer system information of the computer security threat into a threat management vector (TMV) that includes an identification of an affected operating system that is affected by the computer security threat, an identification of an affected operating system release level for the affected operating system, and an identification of one or more countermeasures for the affected operating system and the affected operating system release level;
  
  transmitting the TMV from the computer system to a plurality of target computer systems;
  
  receiving the TMV at a target computer system in the plurality of target computer systems;
  
  processing at the target computer system the one or more countermeasures identified in the TMV that correspond to an operating system and operating system release level of the target computer system; and
  
  mutating the TMV by extracting from the TMV a system vector that identifies the affected operating system, augmenting a system level vector referenced by the system vector with an instance identifier that identifies the target computer system, replacing a reference to a countermeasure in the system level vector with a reference to a vulnerability vector that identifies a vulnerability of the affected operating system, and augmenting the vulnerability vector with a reference to the countermeasure.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1,wherein the receiving the TMV at the target computer system comprises receiving a threat management criterion history file in response to installation, configuration or maintenance of the target computer system, andwherein the processing comprises processing countermeasures that are identified in the threat management criterion history file.
  - 3. The method of claim 2 further comprising updating a threat management information base for the target computer system to account for the countermeasures that are processed.
  - 4. The method of claim 2 wherein the processing comprises an identification of a countermeasure mode of installation.
  - 5. The method of claim 1 wherein the receiving the TMV at the target computer system comprises pruning the TMV to discard at least one threat management criterion that is not needed for processing countermeasures.

6. A system, comprising:
- a computer system that receives a notification of a computer security threat, encodes information of the computer security threat into a threat management vector (TMV) that includes therein a first field that provides identification of at least one affected operating system type that is affected by the computer security threat, a second field that provides identification of an affected operating system release level for the affected operating system type, and a third field that provides identification of a set of possible countermeasures for the affected operating system type and the affected operating system release level, and transmits the TMV from the computer system to a plurality of target computer systems; and
  
  a target computer system in the plurality of target computer systems that receives the TMV, the target computer system comprising;
  
  (a) an information base for establishing a baseline identification of an operating system type and an operating system release level for the target computer system that is compatible with the TMV,(b) a threat management criterion receiver for receiving the TMV in the target computer system, and(c) a remediation manager for processing in the target computer system countermeasures that are identified in the TMV if the TMV identifies the operating system type and operating system release level for the target computer system as being affected by the computer security threat,wherein the computer system mutates the TMV by extracting from the TMV a system vector that identifies the affected operating system type, augmenting a system level vector referenced by the system vector with an instance identifier that identifies the target computer system, replacing a reference to a countermeasure in the system level vector with a reference to a vulnerability vector that identifies a vulnerability of the affected operating system type, and augmenting the vulnerability vector with a reference to the countermeasure.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The system of claim 6 wherein the computer system further comprises:
    - an information base configurator for receiving a threat management criterion history file in response to installation, configuration or maintenance of the target computer system and to process countermeasures that are identified in the threat management criterion history file.
  - 8. The system of claim 7 wherein the information base configurator updates the information base to account for countermeasures that are processed.
  - 9. The system of claim 6 wherein the target computer system further comprises:
    - a threat management criterion inductor for determining whether the TMV identifies the operating system type and operating system release level for target the computer system as being affected by the computer security threat and to add at least one instance identifier to the TMV to account for multiple instances of an operating system running on the target computer system, if the TMV identifies the operating system type and operating system release level for the target computer system as being affected by the computer security threat; and
      
      wherein the remediation manager processes countermeasures that are identified in the TMV for an instance of the operating system type and operating system release level running on the target computer system when the instance of the operating system type and operating system release level running on the target computer system is instantiated in the target computer system.
  - 10. The system of claim 9 wherein the remediation manager processes countermeasures that are identified in the TMV by installing and running the countermeasures.
  - 11. The system of claim 10:
    - wherein the TMV includes therein the first field that provides identification of at least one affected operating system type that is affected by a computer security threat, the second field that provides identification of the operating system release level for the affected operating system type, a fourth field that provides identification of at least one application program type that is affected by the computer security threat and a fifth field that provides identification of a release level for the application program type, the third field providing identification of a set of possible countermeasures for the application program type and the application program release level; and
      
      wherein the remediation manager processes countermeasures that are identified in the TMV if the TMV identifies an application program type and application program release level for the target computer system as being affected by the computer security threat.
  - 12. The system of claim 11 wherein the target computer system further comprises:
    - a threat management criterion inductor for determining whether the TMV identifies the application program type and application programming release level for the target computer system as being affected by the computer security threat and to add at least one instance identifier to the threat management TMV to account for multiple instances of the application program type for the target computer system running on the target computer system if the TMV identifies the application program type and application program release level for the target computer system as being affected by the computer security threat; and
      
      wherein the remediation manager processes countermeasures that are identified in the TMV for the multiple instances of the application program type for the target computer system running on the target computer system when the multiple instances of the application program type is instantiated in the target computer system.
  - 13. The system of claim 6 wherein the set of possible countermeasures comprises an identification of a countermeasure mode of installation.
  - 14. The system of claim 6 wherein the threat management criterion receiver is further configured to prune at least a threat management criterion from the TMV that is not needed by the remediation manager.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Bardsley, Jeffrey S., Brock, Ashley A., Davis, Charles K. III, Kim, Nathaniel W., McKenna, John J., Villegas, Carlos F.
Primary Examiner(s)
Tolentino, Roderick

Application Number

US12/116,256
Publication Number

US 20090328206A1
Time in Patent Office

2,771 Days
Field of Search

726 26- 30
US Class Current

1/1
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/577 Assessing vulnerabilities a...

Method for administration of computer security threat countermeasures to a computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method for administration of computer security threat countermeasures to a computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links