System and method for correlating log data to discover network vulnerabilities and assets

US 9,467,464 B2
Filed: 04/08/2013
Issued: 10/11/2016
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A system for correlating log data to discover assets and vulnerabilities in a network, wherein the system comprises a log correlation engine having one or more processors configured to:

receive one or more logs that contain one or more text strings associated with one or more events that describe observed activity on at least one internal host in the network;

determine whether the one or more text strings contained in the one or more logs match a vulnerability regular expression in at least one correlation rule associated with the log correlation engine, wherein the vulnerability regular expression includes one or more match statements that are associated with a known vulnerability susceptible to compromise;

discover a new vulnerability in the network that was previously unknown in response to the one or more text strings contained in the one or more logs matching the one or more match statements in the vulnerability regular expression that are associated with the known vulnerability susceptible to compromise, wherein the discovered new vulnerability indicates that the known vulnerability exists on the at least one internal host such that the at least one internal host is susceptible to compromise;

obtain information about the new vulnerability discovered in the network from at least one data source cross-referenced in the at least one correlation rule, wherein the at least one correlation rule pairs the vulnerability regular expression associated with the known vulnerability susceptible to compromise with the cross-referenced at least one data source to indicate that the information about the new vulnerability is available from the at least one data source; and

generate a report indicating that the new vulnerability was discovered in the network, wherein the report includes the information about the new vulnerability obtained from the at least one data source cross-referenced in the at least one correlation rule and further indicates that the network is susceptible to compromise due to the discovered new vulnerability indicating that the known vulnerability exists on the at least one internal host.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure relates to a log correlation engine that may cross-reference or otherwise leverage existing vulnerability data in an extensible manner to support network vulnerability and asset discovery. In particular, the log correlation engine may receive various logs that contain events describing observed network activity and discover a network vulnerability in response to the logs containing at least one event that matches a regular expression in at least one correlation rule that indicates a vulnerability. The log correlation engine may then obtain information about the indicated vulnerability from at least one data source cross-referenced in the correlation rule and generate a report that the indicated vulnerability was discovered in the network, wherein the report may include the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the correlation rule.

181 Citations

34 Claims

1. A system for correlating log data to discover assets and vulnerabilities in a network, wherein the system comprises a log correlation engine having one or more processors configured to:
- receive one or more logs that contain one or more text strings associated with one or more events that describe observed activity on at least one internal host in the network;
  
  determine whether the one or more text strings contained in the one or more logs match a vulnerability regular expression in at least one correlation rule associated with the log correlation engine, wherein the vulnerability regular expression includes one or more match statements that are associated with a known vulnerability susceptible to compromise;
  
  discover a new vulnerability in the network that was previously unknown in response to the one or more text strings contained in the one or more logs matching the one or more match statements in the vulnerability regular expression that are associated with the known vulnerability susceptible to compromise, wherein the discovered new vulnerability indicates that the known vulnerability exists on the at least one internal host such that the at least one internal host is susceptible to compromise;
  
  obtain information about the new vulnerability discovered in the network from at least one data source cross-referenced in the at least one correlation rule, wherein the at least one correlation rule pairs the vulnerability regular expression associated with the known vulnerability susceptible to compromise with the cross-referenced at least one data source to indicate that the information about the new vulnerability is available from the at least one data source; and
  
  generate a report indicating that the new vulnerability was discovered in the network, wherein the report includes the information about the new vulnerability obtained from the at least one data source cross-referenced in the at least one correlation rule and further indicates that the network is susceptible to compromise due to the discovered new vulnerability indicating that the known vulnerability exists on the at least one internal host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 31, 32, 33, 34)
- - 2. The system recited in claim 1, wherein the at least one data source cross-referenced in the at least one correlation rule comprises an identifier associated with vulnerability data that one or more passive scanners use to detect the known vulnerability susceptible to compromise.
  - 3. The system recited in claim 2, wherein the one or more processors associated with the log correlation engine are further configured to obtain the information about the new vulnerability from the at least one cross-referenced data source through a backend distribution process configured to construct an archive containing one or more metadata fields that identify the at least one data source cross-referenced in the at least one correlation rule from which the information about the new vulnerability is obtained.
  - 4. The system recited in claim 2, wherein the one or more processors associated with the log correlation engine are further configured to communicate over a port associated with the one or more passive scanners to configure the log correlation engine as a passive scanner.
  - 5. The system recited in claim 1, wherein the one or more text strings contained in the one or more logs describe the observed activity on the at least one internal host that matched the vulnerability regular expression in the at least one correlation rule according to network traffic involving the at least one internal host.
  - 6. The system recited in claim 5, wherein the one or more processors associated with the log correlation engine are further configured to:
    - determine, from the one or more text strings that describe the network traffic involving the at least one internal host, a source network address associated with the at least one internal host and a source port number associated with the observed activity on the least one internal host that matched the vulnerability regular expression, wherein the report further includes the source network address associated with the at least one internal host on which the new vulnerability was discovered and the source port number associated with the observed activity that matched the vulnerability regular expression.
  - 7. The system recited in claim 1, wherein the report further includes one or more variable references that specify dynamic content associated with the new vulnerability.
  - 8. The system recited in claim 1, wherein the one or more processors associated with the log correlation engine are further configured to:
    - discover that the at least one internal host is a new asset that was previously unknown in the network in response to the one or more events containing a source Internet Protocol (IP) address internal to the network that has not already been discovered in the network; and
      
      report that the new asset with the internal source IP address was discovered in the network to a management console configured to include the new asset in an updated model associated with the network.
  - 9. The system recited in claim 8, wherein the one or more processors associated with the log correlation engine are further configured to determine that the source IP address is internal to the network based on the source IP address falling within a first range that indicates IP addresses internal to the network and not falling within a second range that indicates exceptions to the IP addresses internal to the network.
  - 10. The system recited in claim 1, further comprising:
    - a primary log correlation engine server configured to host a primary instance of the log correlation engine; and
      
      one or more auxiliary log correlation engine servers configured to host one or more auxiliary instances of the log correlation engine, wherein the primary log correlation engine server is further configured to receive the one or more logs that contain the one or more text strings associated with the one or more events describing the observed activity in the network, monitor workloads across the one or more auxiliary log correlation engine servers, and automatically distribute the one or more received logs to balance a processing load among the primary log correlation engine server and the one or more auxiliary log correlation engine servers.
  - 31. The system recited in claim 4, wherein the port corresponds to a proxy daemon associated with the one or more passive scanners to enable a management console to pull the information about the discovered new vulnerability from the log correlation engine.
  - 32. The system recited in claim 5, wherein the one or more processors associated with the log correlation engine are further configured to:
    - determine, from the one or more text strings that describe the network traffic involving the at least one internal host, a destination network address and a destination port number associated with the observed activity on the least one internal host that matched the vulnerability regular expression, wherein the report further includes the destination network address and the destination port number associated with the observed activity that matched the vulnerability regular expression.
  - 33. The system recited in claim 1, wherein the one or more processors associated with the log correlation engine are further configured to transfer a file that contains the information about the new vulnerability discovered in the network to a management console over a Secure Shell (SSH).
  - 34. The system recited in claim 1, wherein the one or more processors associated with the log correlation engine are further configured to:
    - discover a new asset that was previously unknown in the network in response to the one or more events containing a destination Internet Protocol (IP) address internal to the network that has not already been discovered in the network; and
      
      report that the new asset with the internal destination IP address was discovered in the network to a management console configured to include the new asset in an updated model associated with the network.

11. A method for correlating log data to discover assets and vulnerabilities in a network, comprising:
- receiving, at a log correlation engine, one or more logs that contain one or more text strings associated with one or more events that describe observed activity on at least one internal host in the network;
  
  determining, at the log correlation engine, whether the one or more text strings contained in the one or more logs match a vulnerability regular expression in at least one correlation rule associated with the log correlation engine, wherein the vulnerability regular expression includes one or more match statements that are associated with a known vulnerability susceptible to compromise;
  
  discovering, at the log correlation engine, a new vulnerability in the network that was previously unknown in response to the one or more text strings contained in the one or more logs matching the one or more match statements in the vulnerability regular expression that are associated with the known vulnerability susceptible to compromise, wherein the discovered new vulnerability indicates that the known vulnerability exists on the at least one internal host such that the at least one internal host is susceptible to compromise;
  
  obtaining, at the log correlation engine, information about the new vulnerability discovered in the network from at least one data source cross-referenced in the at least one correlation rule, wherein the at least one correlation rule pairs the vulnerability regular expression associated with the known vulnerability susceptible to compromise with the cross-referenced at least one data source to indicate that the information about the new vulnerability is available from the at least one data source; and
  
  generating a report indicating that the new vulnerability was discovered in the network, wherein the report includes the information about the new vulnerability obtained from the at least one data source cross-referenced in the at least one correlation rule and further indicates that the network is susceptible to compromise due to the discovered new vulnerability indicating that the known vulnerability exists on the at least one internal host.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method recited in claim 11, wherein the at least one data source cross-referenced in the at least one correlation rule comprises an identifier associated with vulnerability data that one or more passive scanners use to detect the known vulnerability susceptible to compromise.
  - 13. The method recited in claim 12, wherein the log correlation engine obtains the information about the new vulnerability from the at least one cross-referenced data source through a backend distribution process configured to construct an archive containing one or more metadata fields that identify the at least one data source cross-referenced in the at least one correlation rule from which the information about the new vulnerability is obtained.
  - 14. The method recited in claim 12, wherein the log correlation engine communicates over a port associated with the one or more passive scanners to configure the log correlation engine as a passive scanner.
  - 15. The method recited in claim 11, wherein the one or more text strings contained in the one or more logs describe the observed activity on the at least one internal host that matched the vulnerability regular expression in the at least one correlation rule according to network traffic involving the at least one internal host.
  - 16. The method recited in claim 15, further comprising:
    - determining, from the one or more text strings that describe the network traffic involving the at least one internal host, a source network address associated with the at least one internal host and a source port number associated with the observed activity on the least one internal host that matched the vulnerability regular expression, wherein the report further includes the source network address associated with the at least one internal host on which the new vulnerability was discovered and the source port number associated with the observed activity that matched the vulnerability regular expression.
  - 17. The method recited in claim 11, wherein the report further includes one or more variable references that specify dynamic content associated with the new vulnerability.
  - 18. The method recited in claim 11, further comprising:
    - discovering, at the log correlation engine, that the at least one internal host is a new asset that was previously unknown in the network in response to the one or more events containing a source Internet Protocol (IP) address internal to the network that has not already been discovered in the network; and
      
      reporting that the new asset with the internal source IP address was discovered in the network to a management console configured to include the new asset in an updated model associated with the network.
  - 19. The method recited in claim 18, wherein the log correlation engine determines that the source IP address is internal to the network based on the source IP address falling within a first range that indicates IP addresses internal to the network and not falling within a second range that indicates exceptions to the IP addresses internal to the network.
  - 20. The method recited in claim 11, wherein a primary log correlation engine server hosts a primary instance of the log correlation engine and one or more auxiliary log correlation engine servers host one or more auxiliary instances of the log correlation engine, and wherein the method further comprises:
    - receiving the one or more logs that contain the one or more text strings associated with the one or more events describing the observed activity in the network at the primary log correlation engine server; and
      
      monitoring, at the primary log correlation engine server, workloads across the one or more auxiliary log correlation engine servers, wherein the primary log correlation engine server automatically distributes the one or more received logs to balance a processing load among the primary log correlation engine server and the one or more auxiliary log correlation engine servers.

21. A non-transitory computer-readable storage medium having computer-executable instructions stored thereon for correlating log data to discover assets and vulnerabilities in a network, wherein executing the computer-executable instructions a processor causes the processor to:
- receive one or more logs that contain one or more text strings associated with one or more events that describe observed activity on at least one internal host in the network;
  
  determine whether the one or more text strings contained in the one or more logs match a vulnerability regular expression in at least one correlation rule associated with a log correlation engine, wherein the vulnerability regular expression includes one or more match statements that are associated with a known vulnerability susceptible to compromise;
  
  discover a new vulnerability in the network that was previously unknown in response to the one or more text strings contained in the one or more logs matching the one or more match statements in the vulnerability regular expression that are associated with the known vulnerability susceptible to compromise, wherein the discovered new vulnerability indicates that the known vulnerability exists on the at least one internal host such that the at least one internal host is susceptible to compromise;
  
  obtain information about the new vulnerability discovered in the network from at least one data source cross-referenced in the at least one correlation rule, wherein the at least one correlation rule pairs the vulnerability regular expression associated with the known vulnerability susceptible to compromise with the cross-referenced at least one data source to indicate that the information about the new vulnerability is available from the at least one data source; and
  
  generate a report indicating that the new vulnerability was discovered in the network, wherein the report includes the information about the new vulnerability obtained from the at least one data source cross-referenced in the at least one correlation rule and further indicates that the network is susceptible to compromise due to the discovered new vulnerability indicating that the known vulnerability exists on the at least one internal host.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The non-transitory computer-readable storage medium recited in claim 21, wherein the at least one data source cross-referenced in the at least one correlation rule comprises an identifier associated with vulnerability data that one or more passive scanners use to detect the known vulnerability susceptible to compromise.
  - 23. The non-transitory computer-readable storage medium recited in claim 22, wherein executing the computer-executable instructions the processor further causes the processor to obtain the information about the new vulnerability from the at least one cross-referenced data source through a backend distribution process configured to construct an archive containing one or more metadata fields that identify the at least one data source cross-referenced in the at least one correlation rule from which the information about the new vulnerability is obtained.
  - 24. The non-transitory computer-readable storage medium recited in claim 22, wherein executing the computer-executable instructions the processor further causes the processor to communicate over a port associated with the one or more passive scanners to configure the log correlation engine as a passive scanner.
  - 25. The non-transitory computer-readable storage medium recited in claim 21, wherein the one or more text strings contained in the one or more logs describe the observed activity on the at least one internal host that matched the vulnerability regular expression in the at least one correlation rule according to network traffic involving the at least one internal host.
  - 26. The non-transitory computer-readable storage medium recited in claim 25, wherein executing the computer-executable instructions the processor further causes the processor to:
    - determine, from the one or more text strings that describe the network traffic involving the at least one internal host, a source network address associated with the at least one internal host and a source port number associated with the observed activity on the least one internal host that matched the vulnerability regular expression, wherein the report further includes the source network address associated with the at least one internal host on which the new vulnerability was discovered and the source port number associated with the observed activity that matched the vulnerability regular expression.
  - 27. The non-transitory computer-readable storage medium recited in claim 21, wherein the report further includes one or more variable references that specify dynamic content associated with the new vulnerability.
  - 28. The non-transitory computer-readable storage medium recited in claim 21, wherein executing the computer-executable instructions the processor further causes the processor to:
    - discover that the at least one internal host is a new asset that was previously unknown in the network in response to the one or more events containing a source Internet Protocol (IP) address internal to the network that has not already been discovered in the network; and
      
      report that the new asset with the internal source IP address was discovered in the network to a management console configured to include the new asset in an updated model associated with the network.
  - 29. The non-transitory computer-readable storage medium recited in claim 28, wherein executing the computer-executable instructions the processor further causes the processor to determine that the source IP address is internal to the network based on the source IP address falling within a first range that indicates IP addresses internal to the network and not falling within a second range that indicates exceptions to the IP addresses internal to the network.
  - 30. The non-transitory computer-readable storage medium recited in claim 21, wherein a primary log correlation engine server hosts a primary instance of the log correlation engine and one or more auxiliary log correlation engine servers host one or more auxiliary instances of the log correlation engine, and wherein executing the computer-executable instructions the processor further causes the processor to:
    - direct the one or more logs that contain the one or more text strings associated with the one or more events describing the observed activity in the network to the primary log correlation engine server; and
      
      cause the primary log correlation engine server to monitor workloads across the one or more auxiliary log correlation engine servers and automatically distribute the one or more received logs to balance a processing load among the primary log correlation engine server and the one or more auxiliary log correlation engine servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tenable, Inc. (Tenable Holdings, Inc.)
Original Assignee
Tenable Network Security Incorporated (Tenable Holdings, Inc.)
Inventors
Gula, Ron, Ranum, Marcus, Deraison, Renaud
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Zoubair, Noura

Application Number

US13/858,367
Publication Number

US 20140283083A1
Time in Patent Office

1,282 Days
Field of Search

726/1, 726/4, 726 22- 25, 714/20
US Class Current

1/1
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1433 Vulnerability analysis

System and method for correlating log data to discover network vulnerabilities and assets

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

181 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for correlating log data to discover network vulnerabilities and assets

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

181 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links