System and method for correlating log data to discover network vulnerabilities and assets
Abstract
The disclosure relates to a log correlation engine that may cross-reference or otherwise leverage existing vulnerability data in an extensible manner to support network vulnerability and asset discovery. In particular, the log correlation engine may receive various logs that contain events describing observed network activity and discover a network vulnerability in response to the logs containing at least one event that matches a regular expression in at least one correlation rule that indicates a vulnerability. The log correlation engine may then obtain information about the indicated vulnerability from at least one data source cross-referenced in the correlation rule and generate a report that the indicated vulnerability was discovered in the network, wherein the report may include the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the correlation rule.
34 Claims
1. A system for correlating log data to discover assets and vulnerabilities in a network, wherein the system comprises a log correlation engine having one or more processors configured to:
- receive one or more logs that contain one or more text strings associated with one or more events that describe observed activity on at least one internal host in the network;
- determine whether the one or more text strings contained in the one or more logs match a vulnerability regular expression in at least one correlation rule associated with the log correlation engine, wherein the vulnerability regular expression includes one or more match statements that are associated with a known vulnerability susceptible to compromise;
- discover a new vulnerability in the network that was previously unknown in response to the one or more text strings contained in the one or more logs matching the one or more match statements in the vulnerability regular expression that are associated with the known vulnerability susceptible to compromise, wherein the discovered new vulnerability indicates that the known vulnerability exists on the at least one internal host such that the at least one internal host is susceptible to compromise;
- obtain information about the new vulnerability discovered in the network from at least one data source cross-referenced in the at least one correlation rule, wherein the at least one correlation rule pairs the vulnerability regular expression associated with the known vulnerability susceptible to compromise with the cross-referenced at least one data source to indicate that the information about the new vulnerability is available from the at least one data source; and
- generate a report indicating that the new vulnerability was discovered in the network, wherein the report includes the information about the new vulnerability obtained from the at least one data source cross-referenced in the at least one correlation rule and further indicates that the network is susceptible to compromise due to the discovered new vulnerability indicating that the known vulnerability exists on the at least one internal host.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 31, 32, 33, 34
11. A method for correlating log data to discover assets and vulnerabilities in a network, comprising:
- receiving, at a log correlation engine, one or more logs that contain one or more text strings associated with one or more events that describe observed activity on at least one internal host in the network;
- determining, at the log correlation engine, whether the one or more text strings contained in the one or more logs match a vulnerability regular expression in at least one correlation rule associated with the log correlation engine, wherein the vulnerability regular expression includes one or more match statements that are associated with a known vulnerability susceptible to compromise;
- discovering, at the log correlation engine, a new vulnerability in the network that was previously unknown in response to the one or more text strings contained in the one or more logs matching the one or more match statements in the vulnerability regular expression that are associated with the known vulnerability susceptible to compromise, wherein the discovered new vulnerability indicates that the known vulnerability exists on the at least one internal host such that the at least one internal host is susceptible to compromise;
- obtaining, at the log correlation engine, information about the new vulnerability discovered in the network from at least one data source cross-referenced in the at least one correlation rule, wherein the at least one correlation rule pairs the vulnerability regular expression associated with the known vulnerability susceptible to compromise with the cross-referenced at least one data source to indicate that the information about the new vulnerability is available from the at least one data source; and
- generating a report indicating that the new vulnerability was discovered in the network, wherein the report includes the information about the new vulnerability obtained from the at least one data source cross-referenced in the at least one correlation rule and further indicates that the network is susceptible to compromise due to the discovered new vulnerability indicating that the known vulnerability exists on the at least one internal host.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
21. A non-transitory computer-readable storage medium having computer-executable instructions stored thereon for correlating log data to discover assets and vulnerabilities in a network, wherein executing the computer-executable instructions on a processor causes the processor to:
- receive one or more logs that contain one or more text strings associated with one or more events that describe observed activity on at least one internal host in the network;
- determine whether the one or more text strings contained in the one or more logs match a vulnerability regular expression in at least one correlation rule associated with a log correlation engine, wherein the vulnerability regular expression includes one or more match statements that are associated with a known vulnerability susceptible to compromise;
- discover a new vulnerability in the network that was previously unknown in response to the one or more text strings contained in the one or more logs matching the one or more match statements in the vulnerability regular expression that are associated with the known vulnerability susceptible to compromise, wherein the discovered new vulnerability indicates that the known vulnerability exists on the at least one internal host such that the at least one internal host is susceptible to compromise;
- obtain information about the new vulnerability discovered in the network from at least one data source cross-referenced in the at least one correlation rule, wherein the at least one correlation rule pairs the vulnerability regular expression associated with the known vulnerability susceptible to compromise with the cross-referenced at least one data source to indicate that the information about the new vulnerability is available from the at least one data source; and
- generate a report indicating that the new vulnerability was discovered in the network, wherein the report includes the information about the new vulnerability obtained from the at least one data source cross-referenced in the at least one correlation rule and further indicates that the network is susceptible to compromise due to the discovered new vulnerability indicating that the known vulnerability exists on the at least one internal host.

Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30
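The engine the abstract and the independent claims describe, as an added illustration that is not code from the patent: each correlation rule pairs a vulnerability regular expression (one or more match statements that must all hit) with a cross-referenced data source; a matching log event on a host becomes a newly discovered vulnerability unless that host/vulnerability pair is already known, the details are pulled from the named data source, and the report states that the host is susceptible to compromise. Every host, log line, rule name, vulnerability id and data-source entry is constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed example of the claimed engine; hosts, log lines, rule names,
# vulnerability ids and data-source entries below are all made up.
@dataclass(frozen=True)
class CorrelationRule:
    name: str
    match_statements: tuple   # the vulnerability regex: every statement must match
    data_source: str          # cross-referenced data source holding the vuln details
    vuln_id: str
# Data sources cross-referenced by the rules (placeholder ids, not real CVEs).
DATA_SOURCES = {
    "local_vuln_db": {"EX-VULN-001": {"title": "ExampleCMS 1.x file include", "severity": "high"}},
    "vendor_advisories": {"EX-VULN-002": {"title": "ExampleFTP anonymous write", "severity": "medium"}},
}
RULES = [
    CorrelationRule("examplecms_old_banner", (re.compile(r"Server: ExampleCMS/1\.\d+"),),
                    "local_vuln_db", "EX-VULN-001"),
    CorrelationRule("exampleftp_anon_write",
                    (re.compile(r"exampleftpd\["), re.compile(r"anonymous .* STOR ")),
                    "vendor_advisories", "EX-VULN-002"),
]

def correlate(logs, rules=RULES, data_sources=DATA_SOURCES, known=None):
    """Match (host, text) events against the rules; return findings not already in `known`."""
    known, findings = set(known or ()), []
    for host, text in logs:
        for rule in rules:
            if not all(p.search(text) for p in rule.match_statements):
                continue
            if (host, rule.vuln_id) in known:
                continue          # already known on this host, so not a new vulnerability
            known.add((host, rule.vuln_id))
            info = data_sources[rule.data_source][rule.vuln_id]
            findings.append({"host": host, "rule": rule.name, "vuln_id": rule.vuln_id,
                             "source": rule.data_source, **info})
    return findings

def report(findings):
    """One line per newly discovered vulnerability, with the cross-referenced details."""
    return "\n".join(f"{f['host']} susceptible to compromise: {f['vuln_id']} ({f['severity']}) "
                     f"{f['title']} [rule {f['rule']}; details from {f['source']}]" for f in findings)

# Constructed log events: (internal host, raw log text); the repeated lines must not re-fire.
SAMPLE_LOGS = [
    ("10.0.0.5", "httpd[231]: response header Server: ExampleCMS/1.4"),
    ("10.0.0.7", "exampleftpd[88]: anonymous from 10.0.0.9 STOR upload.bin"),
    ("10.0.0.7", "exampleftpd[88]: anonymous from 10.0.0.9 RETR readme.txt"),
    ("10.0.0.5", "httpd[231]: response header Server: ExampleCMS/1.4"),
]
```

Running `report(correlate(SAMPLE_LOGS))` yields two lines, one per host, while the duplicate banner and the RETR-only FTP event produce nothing.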