US20070113100A2 - Multiple-path remediation - Google Patents

Multiple-path remediation

Info

Publication number
US20070113100A2
Authority
US
United States
Prior art keywords
remediation
vulnerability
technique
techniques
user
Prior art date
Legal status
Granted
Application number
US10/882,588
Other versions
US20060259779A2 (en)
US20050044389A1 (en)
US8266699B2 (en)
Inventor
Brett Oliphant
Current Assignee
SecurityProfiling Inc
Original Assignee
SecurityProfiling Inc
Priority date
Filing date
Publication date
Family has litigation
First worldwide family litigation filed (Darts-ip "Global patent litigation dataset", licensed under a Creative Commons Attribution 4.0 International License): https://patents.darts-ip.com/?family=38668695&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=US20070113100(A2)
Application filed by SecurityProfiling Inc
Priority to US10/882,588 (patent US8266699B2)
Assigned to SECURITYPROFILING, INC. (assignment of assignors' interest; assignor: OLIPHANT, BETT M.)
Publication of US20050044389A1
Publication of US20060259779A2
Publication of US20070113100A2
Application granted
Publication of US8266699B2
Assigned to SECURITYPROFILING, LLC (assignment of assignors' interest; assignor: SECURITYPROFILING, INC.)
Current legal status: Expired - Fee Related
Adjusted expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • the present invention relates to computer systems, and more particularly to management of security of computing and network devices that are connected to other such devices.
  • One form of the present invention is a database of information about a plurality of devices, updated in real-time and used by an application to make a security-related decision.
  • the database stores data indicating the installed operating system(s), installed software, patches that have been applied, system policies that are in place, and configuration information for each device.
  • the database answers queries by one or more devices or applications attached by a network to facilitate security-related decision making.
  • a firewall or router handles a connection request or maintenance of a connection based on the configuration information stored in the database that relates to one or both of the devices involved in the transmission.
  • FIG. 1 is a block diagram of a networked system of computers in one embodiment of the present invention.
  • FIG. 2 is a block diagram showing components of several computing devices in the system of FIG. 1 .
  • FIGS. 3 and 4 trace signals that travel through the system of FIGS. 1 and 2 as the present invention is applied to them.
  • System 100 includes a vulnerability and remediation database 110 connected by Internet 120 to subnet 130 .
  • firewall 131 serves as the gateway between Internet 120 and the rest of subnet 130 .
  • Router 133 directs connections between computers 137 and 139, and between those computers and other devices on Internet 120 .
  • Server 135 collects certain information and provides certain data services that will be discussed in further detail herein.
  • security server 135 includes processor 142 , and memory 144 encoded with programming instructions executable by processor 142 to perform several important security-related functions. For example, security server 135 collects data from devices 131 , 133 , 137 , and 139 , including the software installed on those devices, their configuration and policy settings, and patches that have been installed. Security server 135 also obtains from vulnerability and remediation database 110 a regularly updated list of security vulnerabilities in software for a wide variety of operating systems, and even in the operating systems themselves. Security server 135 also downloads a regularly updated list of remediation techniques that can be applied to protect a device from damage due to those vulnerabilities. In a preferred embodiment, each vulnerability in remediation database 110 is identified by a vulnerability identifier, and the vulnerability identifier can be used to retrieve remediation information from database 110 (and from database 146 , discussed below in relation to FIG. 2 ).
  • computers 137 and 139 each comprise a processor 152 , 162 , memory 154 , 164 , and storage 156 , 166 .
  • Computer 137 executes a client-side program (stored in storage 156 , loaded into memory 154 , and executed by processor 152 ) that maintains an up-to-date collection of information regarding the operating system, service pack (if applicable), software, and patches installed on computer 137 , and the policies and configuration data (including configuration files, and elements that may be contained in files, such as *.ini and *.conf files and registry information, for example), and communicates that information on a substantially real-time basis to security server 135 .
  • the collection of information is not retained on computer 137 , but is only communicated once to security server 135 , then is updated in real time as changes to that collection occur.
  • configuration information for each device may take the form of initialization files (often named *.ini or *.conf), configuration registry (such as the Windows Registry on Microsoft WINDOWS operating systems), or configuration data held in volatile or non-volatile memory.
  • Such configuration information often determines what and how data is accepted from other devices, sent to other devices, processed, stored, or otherwise handled, and in many cases determines what routines and sub-routines are executed in a particular application or operating system.
  • Computer 139 stores, loads, and executes a similar software program that communicates configuration information pertaining to computer 139 to security server 135 , also substantially in real time. Changes to the configuration registry in computer 139 are monitored, and selected changes are communicated to security server 135 so that relevant information is always available. Security server 135 may connect directly to and request software installation status and configuration information from firewall 131 and router 133 , for embodiments wherein firewall 131 and router 133 do not have a software program executing on them to communicate this information directly.
  • This collection of information is made available at security server 135 , and combined with the vulnerability and remediation data from source 110 .
  • the advanced functionality of system 100 is thereby enabled as discussed further herein.
  • Computers 137 and 139 are traditional client or server machines, each having a processor 152 , 162 , memory 154 , 164 , and storage 156 , 166 .
  • Firewall 131 and router 133 also have processors 172 , 182 and storage 174 , 184 , respectively, as is known in the art.
  • devices 137 and 139 each execute a client-side program that continuously monitors the software installation and configuration status for that device. Changes to that status are communicated in substantially real time to security server 135 , which continuously maintains the information in database 146 .
  • Security server 135 connects directly to firewall 131 and router 133 to obtain software installation and configuration status for those devices in the absence of a client-side program running thereon.
  • Processors 142 , 152 , 162 may each be comprised of one or more components configured as a single unit. Alternatively, when of a multi-component form, processor 142 , 152 , 162 may each have one or more components located remotely relative to the others. One or more components of processor 142 , 152 , 162 may be of the electronic variety defining digital circuitry, analog circuitry, or both.
  • processors 142 , 152 , 162 are of a conventional, integrated circuit microprocessor arrangement, such as one or more PENTIUM 4 or XEON processors from INTEL Corporation of 2200 Mission College Boulevard, Santa Clara, Calif., 95052, USA, or ATHLON XP processors from Advanced Micro Devices, One AMD Place, Sunnyvale, Calif., 94088, USA.
  • Memories 144 , 154 , 164 may include one or more types of solid-state electronic memory, magnetic memory, or optical memory, just to name a few.
  • memories 144 , 154 , 164 may include solid-state electronic Random Access Memory (RAM), Sequentially Accessible Memory (SAM) (such as the First-In, First-Out (FIFO) variety or the Last-In First-Out (LIFO) variety), Programmable Read Only Memory (PROM), Electrically Programmable Read Only Memory (EPROM), or Electrically Erasable Programmable Read Only Memory (EEPROM); an optical disc memory (such as a DVD or CD ROM); a magnetically encoded hard drive, floppy disk, tape, or cartridge media; or a combination of any of these memory types.
  • memories 144 , 154 , 164 may be volatile, nonvolatile, or a hybrid combination of volatile and nonvolatile varieties.
  • storage 146 , 156 , 166 comprises one or more of the memory types just given for memories 144 , 154 , 164 , preferably selected from the non-volatile types.
  • connection request 211 arrives at firewall 131 requesting that data be transferred to computer 137 .
  • the payload of request 211 is, in this example, a probe request for a worm that takes advantage of a particular security vulnerability in a certain computer operating system.
  • firewall 131 sends a query 213 to security server 135 .
  • Query 213 includes information that security server 135 uses to determine (1) the intended destination of connection request 211 , and (2) some characterization of the payload of connection request 211 , such as a vulnerability identifier.
  • Security server 135 uses this information to determine whether connection request 211 is attempting to take advantage of a particular known vulnerability of destination machine 137 , and uses information from database 146 (see FIG. 2 ) to determine whether the destination computer 137 has the vulnerable software installed, and whether the vulnerability has been patched on computer 137 , or whether computer 137 has been configured so as to be invulnerable to a particular attack.
  • Security server 135 sends result signal 217 back to firewall 131 with an indication of whether the connection request should be granted or rejected. If it is to be granted, firewall 131 passes the request to router 133 as request 219 , and router 133 relays the request as request 221 to computer 137 , as is understood in the art. If, on the other hand, signal 217 indicates that connection request 211 is to be rejected, firewall 131 drops or rejects the connection request 211 as is understood in the art.
  • FIG. 4 illustrates subnet 130 with computer 137 compromised.
  • Under the control of a virus or worm, for example, computer 137 sends connection attempt 231 to router 133 in an attempt to probe or take advantage of a potential vulnerability in computer 139 .
  • On receiving connection request 231 , router 133 sends relevant information about request 231 in a query 233 to security server 135 .
  • security server 135 determines whether connection request 231 poses any threat, and in particular any threat to software on computer 139 .
  • security server 135 determines whether the vulnerability has been patched, and if not, it determines whether computer 139 has been otherwise configured to avoid damage due to that vulnerability. Security server 135 replies with signal 235 to query 233 with that answer. Router 133 uses response 235 to determine whether to allow the connection attempt.
  • upon a determination by security server 135 that a connection attempt or other attack has occurred against a computer that is vulnerable (based on its current software, patch, policy, and configuration status), security server 135 selects one or more remediation techniques from database 146 that remediate the particular vulnerability. Based on a prioritization previously selected by an administrator or the system designer, the remediation technique(s) are applied ( 1 ) to the machine that was attacked, ( 2 ) to all devices subject to the same vulnerability (based on their real-time software, patch, policy, and configuration status), or ( 3 ) to all devices to which the selected remediation can be applied.
  • remediation techniques include the closing of open ports on the device; installation of a patch that is known to correct the vulnerability; changing the device's configuration; stopping, disabling, or removing services; setting or modifying policies; and the like.
  • events and actions are logged (preferably in a non-volatile medium) for later analysis and review by system administrators. In these embodiments, the log also stores information describing whether the target device was vulnerable to the attack.
  • a real-time status database has many other applications as well.
  • the database 146 is made available to an administrative console running on security server 135 or other administrative terminal.
  • when a new vulnerability becomes known, administrators can immediately see whether any devices in subnet 130 are vulnerable to it, and if so, which ones. If a means of remediation of the vulnerability is known, the remediation can be selectively applied to only those devices subject to the vulnerability.
  • the database 146 is integrated into another device, such as firewall 131 or router 133 , or an individual device on the network. While some of these embodiments might avoid some failures due to network instability, they substantially increase the complexity of the device itself. For this reason, as well as the complexity of maintaining security database functions when integrated with other functions, the network-attached device embodiment described above in relation to FIGS. 1-4 is preferred.
  • a software development kit allows programmers to develop security applications that access the data collected in database 146 .
  • the applications developed with the SDK access information using a defined application programming interface (API) to retrieve vulnerability, remediation, and device status information available to the system.
  • the applications then make security-related determinations and are enabled to take certain actions based on the available data.
  • database 146 includes vulnerability and remediation information such that, for at least one vulnerability, multiple methods of remediating the vulnerability are specified.
  • all known alternatives are presented that are relevant to the device or machine's particular configuration or setup. For example, when a vulnerability of a device is presented to an administrator, the administrator is given a choice among the plurality of remediation options to remediate the vulnerability.
  • the administrator can select a preferred type of remediation that will be applied if available and a fallback type. For example, an administrator may select application of a policy setting over installation of a software patch, so that the risk of disruption of critical business systems is minimized.
  • an administrator or other user is presented with a set of user interface elements that identify multiple options for remediating and identifying the vulnerability. The administrator or user selects the method to be used, and that remediation is applied to the vulnerable device(s).

Abstract

A security information management system is described, wherein a database of potential vulnerabilities is maintained, along with data describing remediation techniques (patches, policy settings, and configuration options) available to protect against them. At least one vulnerability is associated in the database with multiple available remediation techniques. In one embodiment, the system presents a user with the list of remediation techniques available to protect against a known vulnerability, accepts the user's selection from the list, and executes the selected technique. In other embodiments, the system uses a predetermined prioritization schedule to automatically select among the available remediation techniques, then automatically executes the selected technique.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application claims the benefit of U.S. Provisional Application No. 60/484,085. This application is also related to applications titled REAL-TIME VULNERABILITY MONITORING (Attorney Docket No. 36029-3), POLICY-PROTECTION PROXY (Attorney Docket No. 36029-5), VULNERABILITY AND REMEDIATION DATABASE (Attorney Docket No. 36029-6), AUTOMATED STAGED PATCH AND POLICY MANAGEMENT (Attorney Docket No. 36029-7), and CLIENT CAPTURE OF VULNERABILITY DATA (Attorney Docket 36029-8), all filed on even date herewith. All of these applications are hereby incorporated herein by reference as if fully set forth.
  • FIELD OF THE INVENTION
  • The present invention relates to computer systems, and more particularly to management of security of computing and network devices that are connected to other such devices.
  • BACKGROUND
  • With the growing popularity of the Internet and the increasing reliance by individuals and businesses on networked computers, network security management has become a critical function for many people. Furthermore, with computing systems themselves becoming more complex, security vulnerabilities in a product are often discovered long after the product is released into general distribution. Improved methods are needed, therefore, for managing updates and patches to software systems, and for managing configurations of those systems.
  • The security management problem is still more complex, though. Often techniques intended to remediate vulnerabilities (such as configuration changes, changes to policy settings, or application of patches) add additional problems. Sometimes patches to an operating system or application interfere with operation of other applications, and can inadvertently disable mission-critical services and applications of an enterprise. At other times, remediation steps open other vulnerabilities in software. There is, therefore, a need for improved security management techniques.
  • SUMMARY
  • One form of the present invention is a database of information about a plurality of devices, updated in real-time and used by an application to make a security-related decision. The database stores data indicating the installed operating system(s), installed software, patches that have been applied, system policies that are in place, and configuration information for each device. The database answers queries by one or more devices or applications attached by a network to facilitate security-related decision making. In one form of this embodiment, a firewall or router handles a connection request or maintenance of a connection based on the configuration information stored in the database that relates to one or both of the devices involved in the transmission.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a block diagram of a networked system of computers in one embodiment of the present invention.
  • FIG. 2 is a block diagram showing components of several computing devices in the system of FIG. 1.
  • FIGS. 3 and 4 trace signals that travel through the system of FIGS. 1 and 2 as the present invention is applied to them.
  • DESCRIPTION
  • For the purpose of promoting an understanding of the principles of the present invention, reference will now be made to the embodiment illustrated in the drawings and specific language will be used to describe the same. It will, nevertheless, be understood that no limitation of the scope of the invention is thereby intended; any alterations and further modifications of the described or illustrated embodiments, and any further applications of the principles of the invention as illustrated therein are contemplated as would normally occur to one skilled in the art to which the invention relates.
  • Generally, the present invention in its preferred embodiment operates in the context of a network as shown in FIG. 1. System 100 includes a vulnerability and remediation database 110 connected by Internet 120 to subnet 130. In this exemplary embodiment, firewall 131 serves as the gateway between Internet 120 and the rest of subnet 130. Router 133 directs connections between computers 137 and 139, and between those computers and other devices on Internet 120. Server 135 collects certain information and provides certain data services that will be discussed in further detail herein.
  • In particular, security server 135 includes processor 142, and memory 144 encoded with programming instructions executable by processor 142 to perform several important security-related functions. For example, security server 135 collects data from devices 131, 133, 137, and 139, including the software installed on those devices, their configuration and policy settings, and patches that have been installed. Security server 135 also obtains from vulnerability and remediation database 110 a regularly updated list of security vulnerabilities in software for a wide variety of operating systems, and even in the operating systems themselves. Security server 135 also downloads a regularly updated list of remediation techniques that can be applied to protect a device from damage due to those vulnerabilities. In a preferred embodiment, each vulnerability in remediation database 110 is identified by a vulnerability identifier, and the vulnerability identifier can be used to retrieve remediation information from database 110 (and from database 146, discussed below in relation to FIG. 2).
  • In this preferred embodiment, computers 137 and 139 each comprise a processor 152, 162, memory 154, 164, and storage 156, 166. Computer 137 executes a client-side program (stored in storage 156, loaded into memory 154, and executed by processor 152) that maintains an up-to-date collection of information regarding the operating system, service pack (if applicable), software, and patches installed on computer 137, and the policies and configuration data (including configuration files, and elements that may be contained in files, such as *.ini and *.conf files and registry information, for example), and communicates that information on a substantially real-time basis to security server 135. In an alternative embodiment, the collection of information is not retained on computer 137, but is only communicated once to security server 135, then is updated in real time as changes to that collection occur.
  • In these exemplary systems, “configuration information” for each device may take the form of initialization files (often named *.ini or *.conf), configuration registry (such as the Windows Registry on Microsoft WINDOWS operating systems), or configuration data held in volatile or non-volatile memory. Such configuration information often determines what and how data is accepted from other devices, sent to other devices, processed, stored, or otherwise handled, and in many cases determines what routines and sub-routines are executed in a particular application or operating system.
  • Computer 139 stores, loads, and executes a similar software program that communicates configuration information pertaining to computer 139 to security server 135, also substantially in real time. Changes to the configuration registry in computer 139 are monitored, and selected changes are communicated to security server 135 so that relevant information is always available. Security server 135 may connect directly to and request software installation status and configuration information from firewall 131 and router 133, for embodiments wherein firewall 131 and router 133 do not have a software program executing on them to communicate this information directly.
  • This collection of information is made available at security server 135, and combined with the vulnerability and remediation data from source 110. The advanced functionality of system 100 is thereby enabled as discussed further herein.
  • Turning to FIG. 2, one sees additional details and components of the devices in subnet 130. Computers 137 and 139 are traditional client or server machines, each having a processor 152, 162, memory 154, 164, and storage 156, 166. Firewall 131 and router 133 also have processors 172, 182 and storage 174, 184, respectively, as is known in the art. In this embodiment, devices 137 and 139 each execute a client-side program that continuously monitors the software installation and configuration status for that device. Changes to that status are communicated in substantially real time to security server 135, which continuously maintains the information in database 146. Security server 135 connects directly to firewall 131 and router 133 to obtain software installation and configuration status for those devices in the absence of a client-side program running thereon.
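The reporting loop just described (client takes a snapshot of the host's operating system, service pack, software, patches and monitored configuration keys, sends the full record once, then sends only changes; the server folds each change into its copy of the record), written out as an added example that is not part of the patent. Product names, patch identifiers and configuration keys (netsvc, PATCH-0001, netsvc.anonymous_access) and the before/after state of computer 137 are constructed for illustration.

```python
import copy

# Added example, not the patent's code. Models the client-side program's job
# (snapshot the host, report in full once, then report only deltas) and the
# server's job of folding those reports into its per-device status database.
# All keys, product names and patch identifiers below are constructed.

# Configuration keys the client watches; changes to anything else are not reported.
MONITORED_CONFIG = {"netsvc.anonymous_access", "netsvc.listen_port", "auth.lockout_threshold"}


def snapshot(os_name, service_pack, software, patches, config):
    """One inventory record in the shape the server keeps per device."""
    return {
        "os": os_name,
        "service_pack": service_pack,
        "software": dict(software),          # product -> version
        "patches": sorted(patches),
        "config": {k: v for k, v in config.items() if k in MONITORED_CONFIG},
    }


def delta(prev, cur):
    """Changes from prev to cur; an empty dict means there is nothing to report."""
    changes = {}
    for key in ("os", "service_pack"):
        if prev[key] != cur[key]:
            changes[key] = cur[key]
    sw_prev, sw_cur = prev["software"], cur["software"]
    sw = {
        "added": {n: v for n, v in sw_cur.items() if n not in sw_prev},
        "removed": sorted(n for n in sw_prev if n not in sw_cur),
        "changed": {n: v for n, v in sw_cur.items() if n in sw_prev and sw_prev[n] != v},
    }
    if any(sw.values()):
        changes["software"] = sw
    p_prev, p_cur = set(prev["patches"]), set(cur["patches"])
    if p_prev != p_cur:
        changes["patches"] = {"added": sorted(p_cur - p_prev), "removed": sorted(p_prev - p_cur)}
    c_prev, c_cur = prev["config"], cur["config"]
    # A monitored key that disappeared is reported with the value None.
    cfg = {k: c_cur.get(k) for k in sorted(set(c_prev) | set(c_cur)) if c_prev.get(k) != c_cur.get(k)}
    if cfg:
        changes["config"] = cfg
    return changes


def client_report(device_id, prev, cur):
    """Message the client sends: full record the first time, a delta afterwards, None if unchanged."""
    if prev is None:
        return {"device": device_id, "full": cur}
    changes = delta(prev, cur)
    return {"device": device_id, "delta": changes} if changes else None


def apply_delta(record, changes):
    """Server side: fold a reported delta into the stored record without mutating it."""
    rec = copy.deepcopy(record)
    for key in ("os", "service_pack"):
        if key in changes:
            rec[key] = changes[key]
    if "software" in changes:
        for name in changes["software"]["removed"]:
            rec["software"].pop(name, None)
        rec["software"].update(changes["software"]["added"])
        rec["software"].update(changes["software"]["changed"])
    if "patches" in changes:
        patches = set(rec["patches"]) - set(changes["patches"]["removed"])
        rec["patches"] = sorted(patches | set(changes["patches"]["added"]))
    if "config" in changes:
        for key, value in changes["config"].items():
            if value is None:
                rec["config"].pop(key, None)
            else:
                rec["config"][key] = value
    return rec


def ingest(store, message):
    """Server side: update the status database (dict keyed by device id) from one client message."""
    if message is None:
        return store
    dev = message["device"]
    if "full" in message:
        store[dev] = copy.deepcopy(message["full"])
    else:
        store[dev] = apply_delta(store[dev], message["delta"])
    return store


# Constructed sample: computer 137 before and after a service pack, a removed
# application, a newly installed patch and a configuration change.
PREV = snapshot("os-a", "SP1", {"netsvc": "2.0", "editor": "1.0"}, {"PATCH-0001"},
                {"netsvc.anonymous_access": "on", "unrelated.key": "x"})
CUR = snapshot("os-a", "SP2", {"netsvc": "2.1"}, {"PATCH-0001", "PATCH-0002"},
               {"netsvc.anonymous_access": "off", "netsvc.listen_port": "4450"})

if __name__ == "__main__":
    db = ingest({}, client_report("137", None, PREV))
    db = ingest(db, client_report("137", PREV, CUR))
    print(db["137"] == CUR, client_report("137", CUR, CUR))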
  • Processors 142, 152, 162 may each comprise one or more components configured as a single unit. Alternatively, when of a multi-component form, processors 142, 152, 162 may each have one or more components located remotely relative to the others. One or more components of processors 142, 152, 162 may be of the electronic variety defining digital circuitry, analog circuitry, or both. In one embodiment, processors 142, 152, 162 are of a conventional, integrated circuit microprocessor arrangement, such as one or more PENTIUM 4 or XEON processors from INTEL Corporation of 2200 Mission College Boulevard, Santa Clara, Calif., 95052, USA, or ATHLON XP processors from Advanced Micro Devices, One AMD Place, Sunnyvale, Calif., 94088, USA.
  • Memories 144, 154, 164 may include one or more types of solid-state electronic memory, magnetic memory, or optical memory, just to name a few. By way of non-limiting example, memories 144, 154, 164 may include solid-state electronic Random Access Memory (RAM), Sequentially Accessible Memory (SAM) (such as the First-In, First-Out (FIFO) variety or the Last-In First-Out (LIFO) variety), Programmable Read Only Memory (PROM), Electrically Programmable Read Only Memory (EPROM), or Electrically Erasable Programmable Read Only Memory (EEPROM); an optical disc memory (such as a DVD or CD ROM); a magnetically encoded hard drive, floppy disk, tape, or cartridge media; or a combination of any of these memory types. Also, memories 144, 154, 164 may be volatile, nonvolatile, or a hybrid combination of volatile and nonvolatile varieties.
  • In this exemplary embodiment, storage 146, 156, 166 comprises one or more of the memory types just given for memories 144, 154, 164, preferably selected from the non-volatile types.
  • This collection of information is used by system 100 in a wide variety of ways. With reference to FIG. 3, assume for example that a connection request 211 arrives at firewall 131 requesting that data be transferred to computer 137. The payload of request 211 is, in this example, a probe request for a worm that takes advantage of a particular security vulnerability in a certain computer operating system. Based on characteristics of the connection request 211, firewall 131 sends a query 213 to security server 135. Query 213 includes information that security server 135 uses to determine (1) the intended destination of connection request 211, and (2) some characterization of the payload of connection request 211, such as a vulnerability identifier. Security server 135 uses this information to determine whether connection request 211 is attempting to take advantage of a particular known vulnerability of destination machine 137, and uses information from database 146 (see FIG. 2) to determine whether the destination computer 137 has the vulnerable software installed, and whether the vulnerability has been patched on computer 137, or whether computer 137 has been configured so as to be invulnerable to a particular attack.
  • Security server 135 sends result signal 217 back to firewall 131 with an indication of whether the connection request should be granted or rejected. If it is to be granted, firewall 131 passes the request to router 133 as request 219, and router 133 relays the request as request 221 to computer 137, as is understood in the art. If, on the other hand, signal 217 indicates that connection request 211 is to be rejected, firewall 131 drops or rejects the connection request 211 as is understood in the art.
  • Analogous operation can protect computers within subnet 130 from compromised devices within subnet 130 as well. For example, FIG. 4 illustrates subnet 130 with computer 137 compromised. Under the control of a virus or worm, for example, computer 137 sends connection attempt 231 to router 133 in an attempt to probe or take advantage of a potential vulnerability in computer 139. On receiving connection request 231, router 133 sends relevant information about request 231 in a query 233 to security server 135. Similarly to the operation discussed above in relation to FIG. 3, security server 135 determines whether connection request 231 poses any threat, and in particular any threat to software on computer 139. If so, security server 135 determines whether the vulnerability has been patched, and if not, it determines whether computer 139 has been otherwise configured to avoid damage due to that vulnerability. Security server 135 replies with signal 235 to query 233 with that answer. Router 133 uses response 235 to determine whether to allow the connection attempt.
  • In some embodiments, upon a determination by security server 135 that a connection attempt or other attack has occurred against a computer that is vulnerable (based on its current software, patch, policy, and configuration status), security server 135 selects one or more remediation techniques from database 146 that remediate the particular vulnerability. Based on a prioritization previously selected by an administrator or the system designer, the remediation technique(s) are applied (1) to the machine that was attacked, (2) to all devices subject to the same vulnerability (based on their real-time software, patch, policy, and configuration status), or (3) to all devices to which the selected remediation can be applied.
  • In various embodiments, remediation techniques include the closing of open ports on the device; installation of a patch that is known to correct the vulnerability; changing the device's configuration; stopping, disabling, or removing services; setting or modifying policies; and the like. Furthermore, in various embodiments, events and actions are logged (preferably in a non-volatile medium) for later analysis and review by system administrators. In these embodiments, the log also stores information describing whether the target device was vulnerable to the attack.
  • A real-time status database according to the present invention has many other applications as well. In some embodiments, the database 146 is made available to an administrative console running on security server 135 or other administrative terminal. When a vulnerability is newly discovered in software that exists in subnet 130, administrators can immediately see whether any devices in subnet 130 are vulnerable to it, and if so, which ones. If a means of remediation of the vulnerability is known, the remediation can be selectively applied to only those devices subject to the vulnerability.
  • In some embodiments, the database 146 is integrated into another device, such as firewall 131 or router 133, or an individual device on the network. While some of these embodiments might avoid some failures due to network instability, they substantially increase the complexity of the device itself. For this reason, as well as the complexity of maintaining security database functions when integrated with other functions, the network-attached device embodiment described above in relation to FIGS. 1-4 is preferred.
  • In a preferred embodiment, a software development kit (SDK) allows programmers to develop security applications that access the data collected in database 146. The applications developed with the SDK access information using a defined application programming interface (API) to retrieve vulnerability, remediation, and device status information available to the system. The applications then make security-related determinations and are enabled to take certain actions based on the available data.
  • In the preferred embodiment, database 146 includes vulnerability and remediation information such that, for at least one vulnerability, multiple methods of remediating the vulnerability are specified. When the system has occasion to implement or offer remediation of a vulnerability, all known alternatives are presented that are relevant to the device or machine's particular configuration or setup. For example, when a vulnerability of a device is presented to an administrator, the administrator is given a choice among the plurality of remediation options to remediate the vulnerability. In some embodiments, the administrator can select a preferred type of remediation that will be applied if available and a fallback type. For example, an administrator may select application of a policy setting over installation of a software patch, so that the risk of disruption of critical business systems is minimized.
  • In other embodiments, an administrator or other user is presented with a set of user interface elements that identify multiple options for remediating and identifying the vulnerability. The administrator or user selects the method to be used, and that remediation is applied to the vulnerable device(s).
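The query/response flow of FIGS. 3 and 4 and the multiple-path remediation selection described in the preceding paragraphs, modelled as an added Python example that is not code from the patent or from SecurityProfiling. The vulnerability identifier, software names, device names and remediation descriptions are constructed sample data; the decision, preference-with-fallback and scoping rules follow the text above.

```python
"""Added example, not code from the patent or from SecurityProfiling: a small model of
the real-time status database, the firewall/router query of FIGS. 3 and 4, and
multiple-path remediation selection.  All identifiers are constructed sample data."""
from dataclasses import dataclass, field

# The three remediation types named in the claims.
PATCH, POLICY, CONFIG = "patch", "policy setting", "configuration option"


@dataclass(frozen=True)
class Remediation:
    vuln_id: str
    rtype: str                          # PATCH, POLICY or CONFIG
    description: str
    requires: frozenset = frozenset()   # software the technique needs; empty = any device

    def applies_to(self, software):
        return not self.requires or bool(self.requires & software)


@dataclass
class DeviceStatus:
    """Real-time software, patch, policy and configuration status of one device."""
    software: set
    patched: set = field(default_factory=set)    # vuln_ids corrected by an installed patch
    mitigated: set = field(default_factory=set)  # vuln_ids neutralised by policy or config


class SecurityDatabase:
    def __init__(self):
        self.affected = {}       # vuln_id -> set of affected software
        self.remediations = {}   # vuln_id -> [Remediation, ...]
        self.devices = {}        # device name -> DeviceStatus
        self.log = []            # (destination, vuln_id, was_vulnerable, decision)

    def add_vulnerability(self, vuln_id, affected_software, *remediations):
        self.affected[vuln_id] = set(affected_software)
        self.remediations[vuln_id] = list(remediations)

    def is_vulnerable(self, device, vuln_id):
        """Affected software installed and the hole neither patched nor mitigated."""
        dev = self.devices[device]
        if not (self.affected[vuln_id] & dev.software):
            return False
        return vuln_id not in dev.patched and vuln_id not in dev.mitigated

    def decide_connection(self, destination, vuln_id):
        """Answer a firewall/router query (signals 213/233) and log whether the target was vulnerable."""
        vulnerable = self.is_vulnerable(destination, vuln_id)
        decision = "reject" if vulnerable else "allow"
        self.log.append((destination, vuln_id, vulnerable, decision))
        return decision

    def query_remediations(self, vuln_id, device=None):
        """Response signal: every technique for vuln_id, or only those relevant to the device."""
        options = self.remediations.get(vuln_id, [])
        if device is None:
            return list(options)
        software = self.devices[device].software
        return [r for r in options if r.applies_to(software)]

    def select_remediation(self, vuln_id, device, preference):
        """Automatic selection: walk the administrator's ordered type preference
        (e.g. policy before patch) and fall back to the next type when none applies."""
        options = self.query_remediations(vuln_id, device)
        for rtype in preference:
            for rem in options:
                if rem.rtype == rtype:
                    return rem
        return None

    def remediation_targets(self, rem, attacked, scope):
        """Devices that receive a selected technique: the attacked machine only, every
        device currently vulnerable, or every device the technique can be applied to."""
        if scope == "attacked":
            return [attacked]
        if scope == "vulnerable":
            return sorted(d for d in self.devices if self.is_vulnerable(d, rem.vuln_id))
        if scope == "applicable":
            return sorted(d for d, s in self.devices.items() if rem.applies_to(s.software))
        raise ValueError(f"unknown scope {scope!r}")


def build_sample_database():
    """Constructed sample data: one vulnerability, three remediation paths, three devices."""
    db = SecurityDatabase()
    db.add_vulnerability(
        "VULN-0001", {"sample-os"},
        Remediation("VULN-0001", PATCH, "install the vendor fix", frozenset({"sample-os"})),
        Remediation("VULN-0001", POLICY, "disable the affected service by policy"),
        Remediation("VULN-0001", CONFIG, "close the listening port", frozenset({"sample-svc"})),
    )
    db.devices["computer-137"] = DeviceStatus({"sample-os", "sample-svc"})             # exposed
    db.devices["computer-139"] = DeviceStatus({"sample-os"}, mitigated={"VULN-0001"})  # configured safe
    db.devices["server-141"] = DeviceStatus({"other-os"})                              # not affected
    return db


if __name__ == "__main__":
    db = build_sample_database()
    for target in ("computer-137", "computer-139", "server-141"):
        print(target, db.decide_connection(target, "VULN-0001"))
    chosen = db.select_remediation("VULN-0001", "computer-137", [POLICY, PATCH])
    print("chosen:", chosen.rtype, db.remediation_targets(chosen, "computer-137", "vulnerable"))
```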
  • All publications, prior applications, and other documents cited herein are hereby incorporated by reference in their entirety as if each had been individually incorporated by reference and fully set forth.
  • While the invention has been illustrated and described in detail in the drawings and foregoing description, the same is to be considered as illustrative and not restrictive in character, it being understood that only the preferred embodiments have been shown and described and that all changes and modifications that would occur to one skilled in the relevant art are desired to be protected.

Claims (27)

1. A system, comprising:
a database associating
a plurality of device vulnerabilities to which computing devices can be subject, each vulnerability having a vulnerability identifier, with
a plurality of remediation techniques that collectively remediate the plurality of device vulnerabilities;
such that:
each of the device vulnerabilities is associated with at least one remediation technique;
each remediation technique associated with a particular device vulnerability remediates that particular vulnerability;
each remediation technique has a remediation type selected from the type group consisting of patch, policy setting, and configuration option; and
a first one of the device vulnerabilities is associated with at least two remediation techniques;
a query signal comprising the vulnerability identifier for the first one of the device vulnerabilities; and
a response signal, automatically generated in response to the query signal, that describes the at least two remediation techniques.
2. The system of claim 1, further comprising a user interface that:
offers the at least two remediation techniques for selection by a user;
accepts a selection by the user of at least one of the at least two remediation techniques; and
applies the selected at least one of the at least two remediation techniques.
3. The system of claim 1, further comprising:
a processor; and
a memory encoded with programming instructions executable by the processor to:
receive the response signal;
automatically select one of the at least two remediation techniques; and
apply the selected remediation technique.
4. The system of claim 3, wherein:
each of the at least two remediation techniques has a remediation type; and
the automatic selecting is based on the remediation type of each of the at least two remediation techniques.
5. The system of claim 3, wherein the automatic selecting is based on input from a user that is acquired before the response signal is received.
6. The system of claim 3, wherein the automatic selecting is based on input from a user that is acquired after the response signal is received.
7. A method, comprising:
providing a database that associates a plurality of device vulnerabilities to which computing devices can be subject with a plurality of remediation techniques that collectively remediate the plurality of device vulnerabilities, wherein:
each vulnerability has a vulnerability identifier;
each vulnerability is associated with at least one remediation technique operable to remediate that particular vulnerability; and
each remediation technique has a remediation type selected from the group consisting of patch, policy setting, and configuration option;
transmitting a query signal comprising the vulnerability identifier for a first device vulnerability; and
transmitting a response signal, automatically generated in response to the query signal, that describes at least two remediation techniques associated with the first device vulnerability.
8. The method of claim 7, further comprising:
offering the at least two remediation techniques for selection by a user via a user interface; and
accepting a selection by the user of at least one of the at least two remediation techniques via the user interface.
9. The method of claim 7, further comprising providing a computing device including:
a processor; and
memory encoded with programming instructions executable by the processor to:
receive the response signal;
automatically select one of the at least two remediation techniques; and
apply the selected remediation technique.
10. The method of claim 9, wherein:
each of the at least two remediation techniques has a remediation type; and
the automatic selecting is based on the remediation types of the at least two remediation techniques.
11. The method of claim 9, wherein the automatic selecting is based on input from a user.
12. A method of managing one or more computing devices, comprising:
maintaining a table that:
contains a plurality of vulnerabilities to which the computing devices might be vulnerable;
contains a plurality of remediation techniques, each selected from the group consisting of patches, configuration settings, and policy settings; and
associates each vulnerability with one or more remediation techniques that are effective to protect at least one of the computing devices from the vulnerability, in which a first vulnerability in the plurality of vulnerabilities is associated with both a first remediation technique and a second remediation technique;
identifying a computing device that is vulnerable to the first vulnerability;
presenting the first remediation technique and the second remediation technique to a user as options via a user interface;
accepting user input via the user interface, wherein the user input selects at least one of the first remediation technique and the second remediation technique; and
automatically implementing the at least one selected remediation technique.
13. The method of claim 12, wherein the accepting occurs before the identifying.
14. The method of claim 12, wherein the accepting occurs after the identifying.
15. A system, including:
a processor; and
software running on the processor that:
maintains a list of vulnerabilities to which a computer might be vulnerable;
maintains a collection of remediation techniques that collectively remediate all of the vulnerabilities on the list; and
keeps track of one or more remediation techniques that remediate each vulnerability on the list, wherein a first particular vulnerability on the list might be remediated by either a first remediation technique or a second remediation technique.
16. The system of claim 15, wherein the software also:
receives a query signal that identifies the first particular vulnerability; and
automatically sends a response signal that is responsive to the query signal and identifies the first remediation technique and the second remediation technique.
17. The system of claim 16, further comprising a computer that:
sends the query signal to the processor;
receives the response signal; and
implements the first remediation technique.
18. The system of claim 15, wherein the software also:
receives a query signal that identifies the first particular vulnerability;
automatically selects a remediation technique from the first remediation technique and the second remediation technique; and
automatically sends a response signal that identifies the selected remediation technique.
19. The system of claim 18, wherein the automatic selection is based on a predetermined selection rule provided by a user.
20. The system of claim 15, wherein the software also updates the list and the collection based on information received from an update server.
21. An apparatus, comprising a device encoded with logic executable by one or more processors to manage one or more computing devices by associating a plurality of device vulnerabilities, to which the computing devices can be subject, with a plurality of remediation techniques that collectively remediate the plurality of device vulnerabilities,
wherein:
each vulnerability has a vulnerability identifier and is associated with at least one remediation technique;
each remediation technique has a remediation type selected from the group consisting of patch, policy setting, and configuration option;
a first one of the device vulnerabilities is associated with at least two remediation techniques;
a query signal is sent to the device, the query signal comprising the vulnerability identifier for the first one of the device vulnerabilities; and
a response signal is sent from the device, the response signal being automatically generated in response to the query signal.
22. The apparatus of claim 21, wherein the response signal describes the at least two remediation techniques.
23. The apparatus of claim 22, wherein a user interface is operable to:
offer the at least two remediation techniques to a user; and
accept a selection by the user of at least one of the at least two remediation techniques.
24. The apparatus of claim 23, wherein the logic is further executable by the one or more processors to apply the selected remediation technique.
25. The apparatus of claim 22, wherein a first computing device includes a processor and a memory encoded with programming instructions executable by the processor to:
receive the response signal;
select automatically one of the at least two remediation techniques; and
apply the selected remediation technique.
26. The apparatus of claim 21, wherein:
the device automatically selects one of the at least two remediation techniques; and
the response signal identifies the selected remediation technique.
27. The apparatus of claim 26, wherein the automatic selection is based on a predetermined selection rule provided by a user.
US10/882,588 2003-07-01 2004-07-01 Multiple-path remediation Expired - Fee Related US8266699B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10/882,588 US8266699B2 (en) 2003-07-01 2004-07-01 Multiple-path remediation

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US48408503P 2003-07-01 2003-07-01
US10/882,588 US8266699B2 (en) 2003-07-01 2004-07-01 Multiple-path remediation

Publications (4)

Publication Number Publication Date
US20050044389A1 US20050044389A1 (en) 2005-02-24
US20060259779A2 US20060259779A2 (en) 2006-11-16
US20070113100A2 true US20070113100A2 (en) 2007-05-17
US8266699B2 US8266699B2 (en) 2012-09-11

Family

ID=38668695

Family Applications (1)

Application Number Title Priority Date Filing Date
US10/882,588 Expired - Fee Related US8266699B2 (en) 2003-07-01 2004-07-01 Multiple-path remediation

Country Status (1)

Country Link
US (1) US8266699B2 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060185018A1 (en) * 2005-02-17 2006-08-17 Microsoft Corporation Systems and methods for shielding an identified vulnerability
US20100138897A1 (en) * 2004-09-03 2010-06-03 Secure Elements, Inc. Policy-based selection of remediation
US20100257585A1 (en) * 2004-09-03 2010-10-07 Fortinet, Inc. Data structure for policy-based remediation selection

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7243148B2 (en) * 2002-01-15 2007-07-10 Mcafee, Inc. System and method for network vulnerability detection and reporting
US7543056B2 (en) 2002-01-15 2009-06-02 Mcafee, Inc. System and method for network vulnerability detection and reporting
US7257630B2 (en) 2002-01-15 2007-08-14 Mcafee, Inc. System and method for network vulnerability detection and reporting
JP2006518080A (en) 2003-02-14 2006-08-03 プリベンシス,インコーポレイティド Network audit and policy assurance system
US7627891B2 (en) * 2003-02-14 2009-12-01 Preventsys, Inc. Network audit and policy assurance system
US8201257B1 (en) 2004-03-31 2012-06-12 Mcafee, Inc. System and method of managing network security risks
US7774848B2 (en) * 2004-07-23 2010-08-10 Fortinet, Inc. Mapping remediation to plurality of vulnerabilities
US20060018478A1 (en) * 2004-07-23 2006-01-26 Diefenderfer Kristopher G Secure communication protocol
US8171555B2 (en) 2004-07-23 2012-05-01 Fortinet, Inc. Determining technology-appropriate remediation for vulnerability
US7672948B2 (en) * 2004-09-03 2010-03-02 Fortinet, Inc. Centralized data transformation
US7703137B2 (en) * 2004-09-03 2010-04-20 Fortinet, Inc. Centralized data transformation
US20060080738A1 (en) * 2004-10-08 2006-04-13 Bezilla Daniel B Automatic criticality assessment
US20060101517A1 (en) * 2004-10-28 2006-05-11 Banzhof Carl E Inventory management-based computer vulnerability resolution system
US8973088B1 (en) * 2011-05-24 2015-03-03 Palo Alto Networks, Inc. Policy enforcement using host information profile
US8875223B1 (en) 2011-08-31 2014-10-28 Palo Alto Networks, Inc. Configuring and managing remote security devices
US10922417B2 (en) * 2015-09-15 2021-02-16 Nec Corporation Information processing apparatus, information processing method, and program
US10762218B2 (en) 2017-06-20 2020-09-01 Microsoft Technology Licensing, Llc Network buildout for cloud computing environments with data control policies
US10708136B2 (en) 2017-06-20 2020-07-07 Microsoft Technology Licensing, Llc Standardization of network management across cloud computing environments and data control policies
US10567356B2 (en) 2017-06-20 2020-02-18 Microsoft Technology Licensing, Llc Monitoring cloud computing environments with data control policies
US10979452B2 (en) 2018-09-21 2021-04-13 International Business Machines Corporation Blockchain-based malware containment in a network resource

Citations (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6005942A (en) * 1997-03-24 1999-12-21 Visa International Service Association System and method for a multi-application smart card which can facilitate a post-issuance download of an application onto the smart card
US20030126472A1 (en) * 2001-12-31 2003-07-03 Banzhof Carl E. Automated computer vulnerability resolution system
US6679928B2 (en) * 2001-04-12 2004-01-20 Rodel Holdings, Inc. Polishing composition having a surfactant
US20040088565A1 (en) * 2002-11-04 2004-05-06 Norman Andrew Patrick Method of identifying software vulnerabilities on a computer system
US20040117640A1 (en) * 2002-12-17 2004-06-17 International Business Machines Corporation Automatic client responses to worm or hacker attacks
US7228566B2 (en) * 2001-07-10 2007-06-05 Core Sdi, Incorporated Automated computer system security compromise
US7278163B2 (en) * 2005-02-22 2007-10-02 Mcafee, Inc. Security risk analysis system and method
US7315801B1 (en) * 2000-01-14 2008-01-01 Secure Computing Corporation Network security modeling system and method
US7353539B2 (en) * 2002-11-04 2008-04-01 Hewlett-Packard Development Company, L.P. Signal level propagation mechanism for distribution of a payload to vulnerable systems
US7424706B2 (en) * 2003-07-16 2008-09-09 Microsoft Corporation Automatic detection and patching of vulnerable files
US7458098B2 (en) * 2002-03-08 2008-11-25 Secure Computing Corporation Systems and methods for enhancing electronic communication security
US7509676B2 (en) * 2004-07-30 2009-03-24 Electronic Data Systems Corporation System and method for restricting access to an enterprise network
US7519994B2 (en) * 2002-03-08 2009-04-14 Secure Computing Corporation Systems and methods for adaptive message interrogation through multiple queues
US7519954B1 (en) * 2004-04-08 2009-04-14 Mcafee, Inc. System and method of operating system identification
US7627891B2 (en) * 2003-02-14 2009-12-01 Preventsys, Inc. Network audit and policy assurance system
US7673043B2 (en) * 2002-01-15 2010-03-02 Mcafee, Inc. System and method for network vulnerability detection and reporting
US7698275B2 (en) * 2004-05-21 2010-04-13 Computer Associates Think, Inc. System and method for providing remediation management
US7761920B2 (en) * 2004-09-03 2010-07-20 Fortinet, Inc. Data structure for policy-based remediation selection
US7882555B2 (en) * 2001-03-16 2011-02-01 Kavado, Inc. Application layer security method and system
US8135830B2 (en) * 2002-01-15 2012-03-13 Mcafee, Inc. System and method for network vulnerability detection and reporting
US8135823B2 (en) * 2002-01-15 2012-03-13 Mcafee, Inc. System and method for network vulnerability detection and reporting
US8181173B2 (en) * 2007-10-12 2012-05-15 International Business Machines Corporation Determining priority for installing a patch into multiple patch recipients of a network
US8185930B2 (en) * 2007-11-06 2012-05-22 Mcafee, Inc. Adjusting filter or classification control settings

Family Cites Families (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE69031191T2 (en) 1989-05-15 1998-02-12 Ibm System for controlling access privileges
US5765153A (en) 1996-01-03 1998-06-09 International Business Machines Corporation Information handling system, method, and article of manufacture including object system authorization and registration
US5892903A (en) 1996-09-12 1999-04-06 Internet Security Systems, Inc. Method and apparatus for detecting and identifying security vulnerabilities in an open network computer communication system
US6044466A (en) 1997-11-25 2000-03-28 International Business Machines Corp. Flexible and dynamic derivation of permissions
US6345361B1 (en) 1998-04-06 2002-02-05 Microsoft Corporation Directional set operations for permission based security in a computer system
US6298445B1 (en) 1998-04-30 2001-10-02 Netect, Ltd. Computer security
AU4568299A (en) 1998-06-15 2000-01-05 Dmw Worldwide, Inc. Method and apparatus for assessing the security of a computer system
US6321334B1 (en) 1998-07-15 2001-11-20 Microsoft Corporation Administering permissions associated with a security zone in a computer system security model
US6473800B1 (en) 1998-07-15 2002-10-29 Microsoft Corporation Declarative permission requests in a computer system
US6526513B1 (en) 1999-08-03 2003-02-25 International Business Machines Corporation Architecture for dynamic permissions in java
JP2003529254A (en) 2000-03-27 2003-09-30 ネットワーク セキュリティー システムズ, インコーポレーテッド Internet / network security method and system for checking customer security from a remote device
GB2366640B (en) 2000-03-30 2004-12-29 Ibm Distribution of activation information
US20030061506A1 (en) 2001-04-05 2003-03-27 Geoffrey Cooper System and method for security policy
AU2001294110A1 (en) 2000-08-18 2002-02-25 Camelot Information Technologies Ltd. Permission level generation based on adaptive learning
AU2002244083A1 (en) 2001-01-31 2002-08-12 Timothy David Dodd Method and system for calculating risk in association with a security audit of a computer network
JP2002366525A (en) 2001-06-12 2002-12-20 Needs Creator Kk Security policy maintenance system
US20020199122A1 (en) 2001-06-22 2002-12-26 Davis Lauren B. Computer security vulnerability analysis methodology
US6851113B2 (en) 2001-06-29 2005-02-01 International Business Machines Corporation Secure shell protocol access control
JP2003037601A (en) 2001-07-23 2003-02-07 Needs Creator Kk Data filtering box
US8776230B1 (en) 2001-10-02 2014-07-08 Mcafee, Inc. Master security policy server
US7444679B2 (en) 2001-10-31 2008-10-28 Hewlett-Packard Development Company, L.P. Network, method and computer readable medium for distributing security updates to select nodes on a network
JP2006518080A (en) 2003-02-14 2006-08-03 プリベンシス,インコーポレイティド Network audit and policy assurance system

Patent Citations (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6005942A (en) * 1997-03-24 1999-12-21 Visa International Service Association System and method for a multi-application smart card which can facilitate a post-issuance download of an application onto the smart card
US7315801B1 (en) * 2000-01-14 2008-01-01 Secure Computing Corporation Network security modeling system and method
US7882555B2 (en) * 2001-03-16 2011-02-01 Kavado, Inc. Application layer security method and system
US6679928B2 (en) * 2001-04-12 2004-01-20 Rodel Holdings, Inc. Polishing composition having a surfactant
US7228566B2 (en) * 2001-07-10 2007-06-05 Core Sdi, Incorporated Automated computer system security compromise
US20030126472A1 (en) * 2001-12-31 2003-07-03 Banzhof Carl E. Automated computer vulnerability resolution system
US7000247B2 (en) * 2001-12-31 2006-02-14 Citadel Security Software, Inc. Automated computer vulnerability resolution system
US7308712B2 (en) * 2001-12-31 2007-12-11 Mcafee, Inc. Automated computer vulnerability resolution system
US8135823B2 (en) * 2002-01-15 2012-03-13 Mcafee, Inc. System and method for network vulnerability detection and reporting
US8135830B2 (en) * 2002-01-15 2012-03-13 Mcafee, Inc. System and method for network vulnerability detection and reporting
US7673043B2 (en) * 2002-01-15 2010-03-02 Mcafee, Inc. System and method for network vulnerability detection and reporting
US7458098B2 (en) * 2002-03-08 2008-11-25 Secure Computing Corporation Systems and methods for enhancing electronic communication security
US7519994B2 (en) * 2002-03-08 2009-04-14 Secure Computing Corporation Systems and methods for adaptive message interrogation through multiple queues
US20040088565A1 (en) * 2002-11-04 2004-05-06 Norman Andrew Patrick Method of identifying software vulnerabilities on a computer system
US7353539B2 (en) * 2002-11-04 2008-04-01 Hewlett-Packard Development Company, L.P. Signal level propagation mechanism for distribution of a payload to vulnerable systems
US20040117640A1 (en) * 2002-12-17 2004-06-17 International Business Machines Corporation Automatic client responses to worm or hacker attacks
US7627891B2 (en) * 2003-02-14 2009-12-01 Preventsys, Inc. Network audit and policy assurance system
US7424706B2 (en) * 2003-07-16 2008-09-09 Microsoft Corporation Automatic detection and patching of vulnerable files
US7519954B1 (en) * 2004-04-08 2009-04-14 Mcafee, Inc. System and method of operating system identification
US7698275B2 (en) * 2004-05-21 2010-04-13 Computer Associates Think, Inc. System and method for providing remediation management
US7509676B2 (en) * 2004-07-30 2009-03-24 Electronic Data Systems Corporation System and method for restricting access to an enterprise network
US7761920B2 (en) * 2004-09-03 2010-07-20 Fortinet, Inc. Data structure for policy-based remediation selection
US7278163B2 (en) * 2005-02-22 2007-10-02 Mcafee, Inc. Security risk analysis system and method
US8181173B2 (en) * 2007-10-12 2012-05-15 International Business Machines Corporation Determining priority for installing a patch into multiple patch recipients of a network
US8185930B2 (en) * 2007-11-06 2012-05-22 Mcafee, Inc. Adjusting filter or classification control settings

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100138897A1 (en) * 2004-09-03 2010-06-03 Secure Elements, Inc. Policy-based selection of remediation
US20100257585A1 (en) * 2004-09-03 2010-10-07 Fortinet, Inc. Data structure for policy-based remediation selection
US8336103B2 (en) * 2004-09-03 2012-12-18 Fortinet, Inc. Data structure for policy-based remediation selection
US8341691B2 (en) 2004-09-03 2012-12-25 Colorado Remediation Technologies, Llc Policy based selection of remediation
US20060185018A1 (en) * 2005-02-17 2006-08-17 Microsoft Corporation Systems and methods for shielding an identified vulnerability

Also Published As

Publication number Publication date
US20060259779A2 (en) 2006-11-16
US20050044389A1 (en) 2005-02-24
US8266699B2 (en) 2012-09-11

Similar Documents

Publication Publication Date Title
US20070256132A2 (en) Vulnerability and remediation database
US8266699B2 (en) Multiple-path remediation
US20140109230A1 (en) Real-time vulnerability monitoring
US20070118756A2 (en) Policy-protection proxy
US10609063B1 (en) Computer program product and apparatus for multi-path remediation
US10104110B2 (en) Anti-vulnerability system, method, and computer program product
US20070113265A2 (en) Automated staged patch and policy management
US20160094576A1 (en) Anti-vulnerability system, method, and computer program product
US9118708B2 (en) Multi-path remediation
US20150040233A1 (en) Sdk-equipped anti-vulnerability system, method, and computer program product
US9118709B2 (en) Anti-vulnerability system, method, and computer program product
US20050022003A1 (en) Client capture of vulnerability data
US9118710B2 (en) System, method, and computer program product for reporting an occurrence in different manners
US20150033350A1 (en) System, method, and computer program product with vulnerability and intrusion detection components
US20150033353A1 (en) Operating system anti-vulnerability system, method, and computer program product
US20150033348A1 (en) System, method, and computer program product for providing multiple remediation techniques

Legal Events

Date Code Title Description
AS Assignment

Owner name: SECURITYPROFILING, INC., INDIANA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:OLIPHANT, BETT M.;REEL/FRAME:015544/0421

Effective date: 20040701

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: SECURITYPROFILING, LLC, TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SECURITYPROFILING, INC.;REEL/FRAME:033857/0956

Effective date: 20140923

REMI Maintenance fee reminder mailed
FPAY Fee payment

Year of fee payment: 4

SULP Surcharge for late payment
IPR Aia trial proceeding filed before the patent and appeal board: inter partes review

Free format text: TRIAL NO: IPR2017-02191

Opponent name: TREND MICRO, INC. AND TREND MICRO AMERICA, INC.

Effective date: 20170927

DC Disclaimer filed

Free format text: DISCLAIMS COMPLETE CLAIM 7 OF SAID PATENT

Effective date: 20180904

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20200911