System, method, and computer program product for reporting an occurrence in different manners

US 9,118,710 B2
Filed: 09/29/2014
Issued: 08/25/2015
Est. Priority Date: 07/01/2003
Status: Active Grant

First Claim

Patent Images

1. A computer program product embodied on a non-transitory computer readable medium, comprising:

code for identifying at least one of an operating system and an application associated with at least one of a plurality of devices;

code for accessing a data storage describing a plurality of mitigation techniques that mitigate at least one attack that takes advantage of a plurality of vulnerabilities;

code for presenting a plurality of first options in connection with the plurality of mitigation techniques that each correspond with at least one of a subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device, the plurality of first options relating to an intrusion detection or prevention mitigation technique and a firewall mitigation technique that both each correspond with at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device;

code for receiving first user input selecting the intrusion detection or prevention mitigation technique that corresponds with at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device;

code for receiving second user input selecting the firewall mitigation technique that corresponds with at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device;

code for, based on the first user input, deploying the selected intrusion detection or prevention mitigation technique that corresponds with at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device;

code for, based on the second user input, deploying the selected firewall mitigation technique that corresponds with at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device;

code for identifying an occurrence including one or more packets communicated to the at least one device;

code for determining whether the occurrence is capable of taking advantage of at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device; and

code for preventing the occurrence from taking advantage of at least one of the subset of the plurality of the vulnerabilities, utilizing the selected intrusion detection or prevention mitigation technique based on the first input and utilizing the firewall mitigation technique based on the second input, by at least one of dropping or blocking the one or more packets of the occurrence that are communicated to the at least one device, and rejecting a connection request in connection with the at least one device;

said computer program product operable such that the plurality of first options are presented and at least one of the first user input selecting the intrusion detection or prevention mitigation technique and the second user input selecting the firewall mitigation technique is received before the identification of the occurrence such that at least one of the intrusion detection or prevention mitigation technique and the firewall mitigation technique is deployed for preventing the occurrence from taking advantage of at least one of the subset of the plurality of the vulnerabilities, in response to the determination that the occurrence is capable of taking advantage of at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device;

said computer program product operable such that at least one of a plurality of second options is presented and at least one of a user input selecting a post-occurrence intrusion detection or prevention mitigation technique, a user input selecting a post-occurrence firewall mitigation technique, and a user input selecting a post-occurrence other mitigation technique is received after the identification of the occurrence such that at least one of the post-occurrence intrusion detection or prevention mitigation technique, the post-occurrence firewall mitigation technique, and the post-occurrence other mitigation technique is utilized, in response to at least one of the user input selecting the post-occurrence intrusion detection or prevention mitigation technique, the user input selecting the post-occurrence firewall mitigation technique, and the user input selecting the post-occurrence other mitigation technique.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for identifying operating system information associated with at least one of a plurality of networked devices, and an occurrence in connection with the at least one of the networked device. It is also determined whether at least one vulnerability capable being exploited by the occurrence is relevant to the at least one networked device based on the operating system information. To this send, the occurrence is reported in a first manner, if it is determined that the at least one vulnerability capable being exploited by the occurrence is relevant to the at least one networked device based on the operating system information. Further, the occurrence is reported in a second manner different from the first manner, if it is determined that the at least one vulnerability capable being exploited by the occurrence is not relevant to the at least one networked device based on the operating system information.

863 Citations

20 Claims

1. A computer program product embodied on a non-transitory computer readable medium, comprising:
- code for identifying at least one of an operating system and an application associated with at least one of a plurality of devices;
  
  code for accessing a data storage describing a plurality of mitigation techniques that mitigate at least one attack that takes advantage of a plurality of vulnerabilities;
  
  code for presenting a plurality of first options in connection with the plurality of mitigation techniques that each correspond with at least one of a subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device, the plurality of first options relating to an intrusion detection or prevention mitigation technique and a firewall mitigation technique that both each correspond with at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device;
  
  code for receiving first user input selecting the intrusion detection or prevention mitigation technique that corresponds with at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device;
  
  code for receiving second user input selecting the firewall mitigation technique that corresponds with at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device;
  
  code for, based on the first user input, deploying the selected intrusion detection or prevention mitigation technique that corresponds with at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device;
  
  code for, based on the second user input, deploying the selected firewall mitigation technique that corresponds with at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device;
  
  code for identifying an occurrence including one or more packets communicated to the at least one device;
  
  code for determining whether the occurrence is capable of taking advantage of at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device; and
  
  code for preventing the occurrence from taking advantage of at least one of the subset of the plurality of the vulnerabilities, utilizing the selected intrusion detection or prevention mitigation technique based on the first input and utilizing the firewall mitigation technique based on the second input, by at least one of dropping or blocking the one or more packets of the occurrence that are communicated to the at least one device, and rejecting a connection request in connection with the at least one device;
  
  said computer program product operable such that the plurality of first options are presented and at least one of the first user input selecting the intrusion detection or prevention mitigation technique and the second user input selecting the firewall mitigation technique is received before the identification of the occurrence such that at least one of the intrusion detection or prevention mitigation technique and the firewall mitigation technique is deployed for preventing the occurrence from taking advantage of at least one of the subset of the plurality of the vulnerabilities, in response to the determination that the occurrence is capable of taking advantage of at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device;
  
  said computer program product operable such that at least one of a plurality of second options is presented and at least one of a user input selecting a post-occurrence intrusion detection or prevention mitigation technique, a user input selecting a post-occurrence firewall mitigation technique, and a user input selecting a post-occurrence other mitigation technique is received after the identification of the occurrence such that at least one of the post-occurrence intrusion detection or prevention mitigation technique, the post-occurrence firewall mitigation technique, and the post-occurrence other mitigation technique is utilized, in response to at least one of the user input selecting the post-occurrence intrusion detection or prevention mitigation technique, the user input selecting the post-occurrence firewall mitigation technique, and the user input selecting the post-occurrence other mitigation technique.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer program product of claim 1, wherein the computer program product is operable such that it is determined whether the occurrence is capable of taking advantage of the at least one actual vulnerability, by cross-referencing a vulnerability identifier associated with the occurrence with device vulnerability information.
  - 3. The computer program product of claim 2, wherein the computer program product is operable such that the vulnerability identifier includes a Common Vulnerabilities and Exposures Identifier (CVE ID).
  - 4. The computer program product of claim 1, wherein the computer program product is operable such that the at least one of the plurality of second options is presented as a result of the determination whether the occurrence is capable of taking advantage of at least one of the subset of the plurality of the vulnerabilities, and the post-occurrence other mitigation technique is utilized in response to the user input selecting the post-occurrence other mitigation technique, for blocking a source of the occurrence.
  - 5. The computer program product of claim 1, wherein the computer program product is operable such that the post-occurrence other mitigation technique is utilized in response to the user input selecting the post-occurrence other mitigation technique, and the post-occurrence other mitigation technique includes performing an update in connection with at least one of a firewall and an intrusion prevention system.
  - 6. The computer program product of claim 1, wherein the computer program product is operable such that the at least one of the plurality of second options is presented as a result of the determination whether the occurrence is capable of taking advantage of at least one of the subset of the plurality of the vulnerabilities, the post-occurrence other mitigation technique is utilized in response to the user input selecting the post-occurrence other mitigation technique, and the post-occurrence other mitigation technique includes performing a malware scan.
  - 7. The computer program product of claim 1, wherein the computer program product is operable such that the plurality of first options relating to the intrusion detection or prevention mitigation technique and the firewall mitigation technique each correspond with a same single one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device.
  - 8. The computer program product of claim 1, wherein the computer program product is configured for use with at least one NOC server, a data warehouse, and an SDK for allowing access to information associated with at least one vulnerability and at least one remediation technique, the computer program product is configured for determining which devices have vulnerabilities by directly querying a firmware or operating system of the devices;
    - said identification is received;
      
      said at least one of the operating system and the application associated with the at least one device, includes the operating system and the application associated with the at least one device;
      
      said at least one attack includes a plurality of attacks;
      
      said at least one attack includes the plurality of attacks, where the plurality of attacks each take advantage of a different one or more of the plurality of vulnerabilities;
      
      said intrusion detection or prevention mitigation technique includes an intrusion detection and prevention mitigation technique;
      
      said intrusion detection or prevention mitigation technique and the firewall mitigation technique each correspond with a same one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device;
      
      said occurrence is identified and it is determined whether the occurrence is capable of taking advantage of at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device, utilizing the selected intrusion detection or prevention mitigation technique if the first input is received;
      
      said occurrence is identified and it is determined whether the occurrence is capable of taking advantage of at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device, utilizing the firewall mitigation technique if the second input is received;
      
      said occurrence is prevented from taking advantage of at least one of the subset of the plurality of the vulnerabilities, utilizing the selected intrusion detection or prevention mitigation technique if the first input is received;
      
      said occurrence is prevented from taking advantage of at least one of the subset of the plurality of the vulnerabilities, utilizing the firewall mitigation technique if the second input is received;
      
      said mitigation techniques include remediation techniques;
      
      said occurrence is prevented from taking advantage of at least one of the subset of the plurality of the vulnerabilities, by dropping or blocking the one or more packets of the occurrence that are communicated to the at least one device and by rejecting the connection request in connection with the at least one device;
      
      said connection request in connection with the at least one device including at least one of an incoming connection request and an outgoing connection request;
      
      said first user input selecting the intrusion detection or prevention mitigation technique is received before the identification of the occurrence such that the intrusion detection or prevention mitigation technique is deployed for preventing the occurrence from taking advantage of at least one of the subset of the plurality of the vulnerabilities;
      
      said second user input selecting the firewall mitigation technique is received before the identification of the occurrence such that the firewall mitigation technique is deployed for preventing the occurrence from taking advantage of at least one of the subset of the plurality of the vulnerabilities;
      
      said post-occurrence intrusion detection or prevention mitigation technique, the post-occurrence firewall mitigation technique, and the post-occurrence other mitigation technique are presented;
      
      said post-occurrence intrusion detection or prevention mitigation technique is utilized in response to the user input selecting the post-occurrence intrusion detection or prevention mitigation technique;
      
      said post-occurrence firewall mitigation technique is utilized in response to the user input selecting the post-occurrence firewall mitigation technique;
      
      said post-occurrence other mitigation technique is utilized in response to the user input selecting the post-occurrence other mitigation technique;
      
      said post-occurrence intrusion detection or prevention mitigation technique is the intrusion detection or prevention mitigation technique that corresponds with at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device;
      
      said post-occurrence firewall mitigation technique is the firewall mitigation technique that corresponds with at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application associated with the at least one device; and
      
      said at least one of the post-occurrence intrusion detection or prevention mitigation technique, the post-occurrence firewall mitigation technique, and the post-occurrence other mitigation technique is utilized for preventing the occurrence from taking advantage of at least one of the subset of the plurality of the vulnerabilities.

9. A computer program product embodied on a non-transitory computer readable medium, comprising:
- code for retrieving a plurality of first options from a data storage describing a plurality of mitigation techniques that mitigate at least one attack that takes advantage of a plurality of vulnerabilities;
  
  code for presenting the plurality of first options which relate to the plurality of mitigation techniques in connection with a subset of a plurality of the vulnerabilities posed by at least one of an operating system and an application of at least one device, the plurality of first options relating to an intrusion detection or prevention mitigation technique and a firewall mitigation technique;
  
  code for receiving first user input in connection with one of the first options that relates to the intrusion detection or prevention mitigation technique in connection with at least one of the subset of the plurality of the vulnerabilities posed by at least one of the operating system and the application of at least one device;
  
  code for receiving second user input in connection with one of the first options that relates to the firewall mitigation technique in connection with at least one of the subset of the plurality of the vulnerabilities posed by at least one of the operating system and the application of at least one device;
  
  code for, if the first user input is received, deploying the one of the first options that relates to the intrusion detection or prevention mitigation technique in connection with at least one of the subset of the plurality of the vulnerabilities posed by at least one of the operating system and the application of at least one device;
  
  code for, if the second user input is received, deploying the one of the first options that relates to the firewall mitigation technique in connection with at least one of the subset of the plurality of the vulnerabilities posed by at least one of the operating system and the application of at least one device;
  
  code for identifying an occurrence including one or more packets communicated to the at least one device;
  
  code for determining whether the occurrence is capable of taking advantage of at least one of the subset of the plurality of the vulnerabilities posed by the at least one of the operating system and the application of the at least one device; and
  
  code for preventing the occurrence from taking advantage of at least one of the subset of the plurality of the vulnerabilities, utilizing the intrusion detection or prevention mitigation technique if the one of the first options that relates to the intrusion detection or prevention mitigation technique is deployed and utilizing the firewall mitigation technique if the one of the first options that relates to the firewall mitigation technique is deployed, by at least one of dropping or blocking the one or more packets of the occurrence that are communicated to the at least one device, and rejecting a connection request in connection with the at least one device;
  
  said computer program product is configured for presenting the plurality of first options and receiving at least one of the first user input in connection with the one of the first options that relates to the intrusion detection or prevention mitigation technique and the second user input in connection with the one of the first options that relates to the firewall mitigation technique, before the identification of the occurrence such that at least one of;
  
  the one of the first options that relates to the intrusion detection or prevention mitigation technique and the one of the first options that relates to the firewall mitigation technique is deployed for preventing the occurrence from taking advantage of at least one of the subset of the plurality of the vulnerabilities, in response to the determination that the occurrence is capable of taking advantage of at least one of the subset of the plurality of the vulnerabilities posed by the identified at least one of the operating system and the application of the at least one device;
  
  said computer program product is configured for presenting at least one of a plurality of second options and receiving at least one of a user input associated with an intrusion detection or prevention mitigation action, a user input associated with a firewall mitigation action, and a user input associated with an other mitigation action, after the identification of the occurrence such that at least one of the intrusion detection or prevention mitigation action, the firewall mitigation action, and the other mitigation action is utilized, in response to at least one of the user input associated with the intrusion detection or prevention mitigation action, the user input associated with the firewall mitigation action, and the user input associated with the other mitigation action.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The computer program product of claim 9, wherein the computer program product is configured such that each of the intrusion detection or prevention mitigation action, the firewall mitigation action, and the other mitigation action are capable of being utilized.
  - 11. The computer program product of claim 9, wherein the computer program product is configured for utilizing the other mitigation action in response to the user input associated with the other mitigation action, the other mitigation action utilizing a vulnerability assessor.
  - 12. The computer program product of claim 9, wherein the computer program product is configured such that the at least one of the plurality of second options is capable of being presented in response to the determination whether the occurrence is capable of taking advantage of at least one of the subset of the plurality of the vulnerabilities, and the computer program product is further configured for preventing the occurrence from taking advantage of at least one of the subset of the plurality of the vulnerabilities, utilizing the firewall mitigation technique;
    - and for utilizing the firewall mitigation action, in response to the user input associated with the firewall mitigation action, for further preventing the occurrence from taking advantage of at least one of the subset of the plurality of the vulnerabilities.
  - 13. The computer program product of claim 9, wherein the computer program product is configured such that the at least one of the plurality of second options is capable of being presented in response to the determination whether the occurrence is capable of taking advantage of at least one of the subset of the plurality of the vulnerabilities, and the computer program product is further configured for preventing the occurrence from taking advantage of at least one of the subset of the plurality of the vulnerabilities, utilizing the intrusion detection or prevention mitigation technique;
    - and for utilizing the firewall mitigation action, in response to the user input associated with the firewall mitigation action, for further preventing the occurrence from taking advantage of at least one of the subset of the plurality of the vulnerabilities.

14. A computer program product embodied on a non-transitory computer readable medium, comprising:
- code for receiving actual vulnerability information from at least one first data storage that is generated utilizing potential vulnerability information from at least one second data storage that is capable of being used to identify a plurality of potential vulnerabilities, by including;
  
  at least one first potential vulnerability, andat least one second potential vulnerability;
  
  said actual vulnerability information being generated utilizing the potential vulnerability information by;
  
  identifying at least one configuration associated with at least one of a plurality of networked devices, the at least one configuration relating to at least one of an operating system and an application of the at least one networked device, anddetermining that the at least one networked device is actually vulnerable to at least one actual vulnerability based on the identified at least one configuration, utilizing the potential vulnerability information that is capable of being used to identify the plurality of potential vulnerabilities;
  
  said actual vulnerability information from the at least one first data storage capable of identifying the at least one actual vulnerability to which the at least one networked device is actually vulnerable;
  
  code for identifying an attack involving one or more packets communicated to the at least one networked device;
  
  code for determining whether the attack is capable of taking advantage of the at least one actual vulnerability to which the at least one networked device is actually vulnerable; and
  
  code for causing different attack mitigation actions of diverse attack mitigation types, including a firewall-based attack mitigation type and an intrusion prevention system-based attack mitigation type, for preventing the attack from taking advantage of the at least one actual vulnerability of the at least one networked device by at least one of dropping or blocking the one or more packets of the attack that are communicated to the at least one networked device and rejecting a connection request in connection with the at least one networked device, based on the determination whether the attack is capable of taking advantage of the at least one actual vulnerability to which the at least one networked device is actually vulnerable, the at least one actual vulnerability being determined as a function of the at least one of the operating system and the application of the at least one networked device and the different attack mitigation actions being specific to the at least one actual vulnerability, thereby resulting in one or more relevant attack mitigation actions of the diverse attack mitigation types being caused based on the determination whether the attack is capable of taking advantage of the at least one actual vulnerability to which the at least one networked device is actually vulnerable;
  
  said computer program product operable such that a plurality of first options are presented and at least one of a first user input in connection with the firewall-based attack mitigation type and a second user input in connection with the intrusion prevention system-based attack mitigation type is received before the determination whether the attack is capable of taking advantage of the at least one actual vulnerability to which the at least one networked device is actually vulnerable, for preventing the attack from taking advantage of the at least one actual vulnerability of the at least one networked device, in response to the determination whether the attack is capable of taking advantage of the at least one actual vulnerability to which the at least one networked device is actually vulnerable;
  
  said computer program product operable such that at least one of a plurality of second options is presented and at least one of a user input selecting an intrusion prevention system action, a user input selecting a firewall action, and a user input selecting an other mitigation action is received after the determination whether the attack is capable of taking advantage of the at least one actual vulnerability to which the at least one networked device is actually vulnerable such that at least one of the intrusion prevention system action, the firewall action, and the other mitigation action is utilized, in response to at least one of the user input selecting the intrusion prevention system action, the user input selecting the firewall action, and the user input selecting the other mitigation action.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer program product of claim 14, wherein the computer program product is operable such that the different attack mitigation actions of the diverse attack mitigation types are completed by a deployment from at least one server to at least one client agent supporting at least one of a firewall for implementing the firewall-based attack mitigation type or an intrusion prevention system for implementing the intrusion prevention system-based attack mitigation type.
  - 16. The computer program product of claim 14, wherein the computer program product is operable such that the firewall action is utilized in response to the user input selecting the firewall action, for complementing one or more of the different attack mitigation actions by further preventing the attack from taking advantage of the at least one actual vulnerability of the at least one networked device.
  - 17. The computer program product of claim 14, wherein the computer program product is operable such that the other mitigation action is utilized in response to the user input selecting the other mitigation action, for at least mitigating an affect of a potential attack.
  - 18. The computer program product of claim 14, wherein the computer program product is operable such that the other mitigation action is utilized in response to the user input selecting the other mitigation action, for blocking a source of the attack.
  - 19. The computer program product of claim 14, wherein the computer program product is operable such that the other mitigation action is utilized in response to the user input selecting the other mitigation action, the other mitigation action utilizing a router.
  - 20. The computer program product of claim 14, wherein the computer program product is operable such that at least two of:
    - the intrusion prevention system action, the firewall action, and the other mitigation action are capable of being utilized.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecurityProfiling, LLC
Original Assignee
SecurityProfiling, LLC
Inventors
Oliphant, Brett M., Blignaut, John P.
Primary Examiner(s)
Patel, Nirav B

Application Number

US14/499,239
Publication Number

US 20150033352A1
Time in Patent Office

330 Days
Field of Search

726 22- 25, 713/188
US Class Current

1/1
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/554   involving event detection a...

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

System, method, and computer program product for reporting an occurrence in different manners

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

863 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and computer program product for reporting an occurrence in different manners

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

863 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links