US 20140245376A1

(19) United States
(12) Patent Application Publication    (10) Pub. No.: US 2014/0245376 A1
Hibbert et al.    (43) Pub. Date: Aug. 28, 2014

(54) SYSTEMS AND METHODS OF RISK BASED RULES FOR APPLICATION CONTROL

(71) Applicant: BeyondTrust Software, Inc., Phoenix, AZ (US)

(72) Inventors: Brad Hibbert, Carp (CA); Chris Silva, Laguna Beach, CA (US)

(73) Assignee: BeyondTrust Software, Inc., Phoenix, AZ (US)

(21) Appl. No.: 14/182,651

(22) Filed: Feb. 18, 2014

Related U.S. Application Data

(63) Continuation-in-part of application No. 14/156,375, filed on Jan. 15, 2014.

(60) Provisional application No. 61/768,809, filed on Feb. 25, 2013.

Publication Classification

(51) Int. Cl.
H04L 29/06 (2006.01)

(52) U.S. Cl.
CPC ............ H04L 63/1433 (2013.01); H04L 63/20 (2013.01)
USPC ............ 726/1

(57) ABSTRACT

In various embodiments, an agent on a digital device may comprise a monitor module, an application identification module, a vulnerability module, a rules database, and a rule module. The monitor module may be configured to monitor a device for an instruction to execute a legitimate application. The application identification module may be configured to identify one or more attributes of the legitimate application. The vulnerability module may be configured to retrieve risk information based on the one or more attributes of the legitimate application. The risk information may be determined from known vulnerabilities of the legitimate application. The rules database may be for storing a rule associated with the risk information. The rule module may be configured to retrieve the rule from the rule database based on the risk information and to control the legitimate application based on the rule.

[Front-page representative drawing: FIG. 3, flow chart 300 (Agent Collects Application Event 302; Event Sent to Centralized Server 304; Process Immediately? 306; Insert Into Database 308; Time To Analyze? 310; Wait 312; Compare to Vulnerability Database 314; Match Vulnerable Criteria? 316; Report Finding 318), reproduced on Sheet 3]

WIZ, Inc. EXHIBIT - 1063
WIZ, Inc. v. Orca Security LTD.

Patent Application Publication, Aug. 28, 2014, Sheet 1 of 16, US 2014/0245376 A1

[FIG. 1 (Prior Art): flow chart 100: Select Scan Targets 102; Determine Available Scan Targets 104; Available? 106 (No: End Scan 118); Connect to Scan Target via Network 108; Connection Successful? 110 (No: End Scan 118); Interrogate Target 112; Match Vulnerable State? 114 (Yes: Report Finding 116); Additional Checks? 120; End Scan 118]

[FIG. 2 (Sheet 2 of 16): exemplary environment 200: Security Assessment System 202; Communication Network 204; Smartphone 206; Tablet Device 208; Laptop 210; Network Device 212; PC 214; Unix Server 216; Windows Server 218; Security Administration System 220]

[FIG. 3 (Sheet 3 of 16): flow chart 300: Agent Collects Application Event 302; Event Sent to Centralized Server 304; Process Immediately? 306 (No: Insert Into Database 308; Time To Analyze? 310; No: Wait 312); Compare to Vulnerability Database 314; Match Vulnerable Criteria? 316 (Yes: Report Finding 318)]

[FIG. 4 (Sheet 4 of 16): Agent 400: Event Detection Module 402; Event Recordation Module 404; Scan Module 406; Record Collection Module 408; Communication Module 410; Communication Authentication Module 412; Application Database 414]

[FIG. 5 (Sheet 5 of 16): Security Assessment System 202: Communication Module 502; Request Authentication Module 504; Assessment Scheduler 506; Record Management Module 508; Information Retrieval Module 510; Assessment Module 512; Report Module 514; Alert Module 516; Record Management Database 518; Risk Acceptance Configuration Database 520; Vulnerability Database 522]

[FIG. 6 (Sheet 6 of 16): Start; Scan digital device for third party event records 602; Identify third party event records 604; Detect events of digital device 606; Record detected events of digital device 608; Collect and optionally consolidate third party event records and recordation of detected events to create assessment request 610; Prepare record information for third party event records and recordation of detected events 612; Digitally sign assessment request and record information; Provide assessment request and record information to security assessment system 616; End]

[FIG. 7 (Sheet 7 of 16): Start; Receive assessment request and record information from digital device 702; Authenticate assessment request and record information 704; Identify records of assessment request utilizing record information 706; Retrieve record management information based on identified records 708; Identify application and file attributes from assessment request based on record management information 710; Compare application and file attributes to vulnerability database 712; Determine risk value based on comparison 714; Compare determined risk value to risk acceptance threshold 716; Send alert based on comparison if determined risk value exceeds risk acceptance threshold; Generate report; End]

[FIG. 8 (Sheet 8 of 16): exemplary report generated by the security assessment server; no text recovered from the image]

[FIG. 9 (Sheet 9 of 16): Digital Device 902: Processor 904; Memory 906; Storage 908; Input Device 910; Com. Network Interface 912; Output Device 914; reference numerals 916 and 918 (unlabelled)]

[FIG. 10 (Sheet 10 of 16): User Device 1000: Applications 1002; Agent 1004; Malware 1006; Anti-Malware 1008; Operating System 1010]

[FIG. 11 (Sheet 11 of 16): Agent 1004: Monitor Module 1102; Identifier Module 1104; Vulnerability Checker Module 1106; Rules Module 1108; Control Module 1110; Update Module 1112; Vulnerability Database 1114; Rules Database 1116]

[FIG. 12 (Sheet 12 of 16): Security Server 1200: Risk Assessment Module 1202; Risk API Module 1204; Rules Generation Module 1206; Record Module 1208; Vulnerability Update Module 1208 (as labelled); Rules Update Module 1210]

[FIG. 13 (Sheet 13 of 16): Start; Monitor device for instruction to execute legitimate application 1302; Identify attributes of legitimate application 1304; Retrieve risk information associated with attributes 1306; Identify risk of application based on risk information 1308; Retrieve rules associated with risk information 1310; Control execution of legitimate application based on retrieved rules 1312; End]

[FIG. 14 (Sheet 14 of 16): Start; Identify vulnerabilities of one or more legitimate applications 1402; Generate risk information associated with the identified vulnerabilities 1404; Provide update of risk information to one or more digital devices 1406; Receive at least one rule 1408; Provide update regarding rule to one or more digital devices 1410; Generate report; End]

[FIG. 15 (Sheet 15 of 16): exemplary vulnerability interface identifying vulnerabilities of legitimate applications; no text recovered from the image]

[FIG. 16 (Sheet 16 of 16): exemplary report generated by the security server; no text recovered from the image]

SYSTEMS AND METHODS OF RISK BASED RULES FOR APPLICATION CONTROL

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] The present application claims the benefit of U.S. Provisional Patent Application Ser. No. 61/768,809, filed Feb. 25, 2013 and entitled "Systems and Methods of Risk Based Rules for Application Control," and is a continuation-in-part of U.S. Nonprovisional Patent Application Ser. No. 14/156,375, filed Jan. 15, 2014 and entitled "Systems and Methods for Identifying and Reporting Application and File Vulnerabilities," both of which are incorporated by reference herein.

COPYRIGHT NOTICE

[0002] A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

BACKGROUND

[0003] 1. Field of the Invention(s)
[0004] The present invention(s) relate generally to application control. More particularly, the invention(s) relate to systems and methods for controlling applications utilizing risk based rules.
[0005] 2. Description of Related Art
[0006] Recent computer attack trends target software vulnerabilities of home and corporate networks. These client-side attacks have proven fruitful for cyber criminals. Clients are an easier target than servers as servers tend to be more highly secured than workstations, with less end user interaction. As such, these client-side attacks offer the low-hanging fruit that hackers are seeking. By targeting end-users, hackers gain easier access to a larger number of computers, thereby producing the greater yield with the least amount of effort. A single vulnerability in a workstation's client applications may afford access to more important information assets on the same network. A client-side exploit can therefore leverage a compromised workstation as a launching point for attacks against other workstations or servers otherwise protected by perimeter defenses and accessible only via internal network.
[0007] Client-side exploits take advantage of vulnerabilities in client software, such as web browsers, email applications and media players (e.g., Internet Explorer, Firefox, Microsoft Outlook, Microsoft Media Player and RealNetworks' RealPlayer). Client-side exploits can also exploit vulnerabilities in system-wide libraries used by client applications. For example, a vulnerability in an image library that renders JPEG images might be exploitable via a web browser or an email application. Client-side exploits are not prevented by traditional perimeter defenses, such as firewalls and web proxies. Trends monitored by the SANS Institute (http://www.sans.org) and other industry organizations indicate that client-side vulnerabilities began to offset server-side vulnerabilities in 2005.

SUMMARY

[0008] In various embodiments, a method comprises receiving a plurality of records from a first digital device, each of the plurality of records generated during execution or termination of a different executable and containing information related to execution or termination of the different executable, retrieving at least one segment from at least one of the plurality of records, the at least one segment being less than all of the at least one of the plurality of records, the segment including an application or file attribute related to the different executable, comparing the application or file attribute to a vulnerability database, identifying a risk based on the comparison, and generating a report identifying the risk.
[0009] In various embodiments, the plurality of records comprises log files associated with different executables. The application or file attributes may comprise, for example, an application or file version, an execution time, or a calling process.
[0010] The method may further comprise identifying a type of the at least one of the plurality of records, retrieving record information from a record information database based on the identified type of the at least one of the plurality of records, and identifying a position of the at least one segment within the at least one of the plurality of records, wherein retrieving the at least one segment comprises retrieving the at least one segment from the identified position.
[0011] In some embodiments, the method further comprises scheduling when the comparison of the application or file attribute to the vulnerability database is to occur and waiting to compare the application or file attribute to the vulnerability database based on the schedule. In various embodiments, the method further comprises authenticating the plurality of records, wherein the application or file attribute is compared to the vulnerability database only after successful authentication.
[0012] Comparing the application or file attribute to a vulnerability database may comprise comparing the application or file attribute to a whitelist. In some embodiments, comparing the application or file attribute to a vulnerability database may comprise comparing the application or file attribute to a blacklist. In various embodiments, comparing the application or file attribute to a vulnerability database may comprise comparing the application or file attribute to a greylist, the greylist comprising application or file attributes associated with suspicious applications or files.
[0013] The method may further comprise determining a risk value based on the comparison of the application or file attribute to the greylist and providing an alert based on the risk value. Further, the method may also comprise comparing the risk value to a user threshold, wherein providing the alert based on the risk value comprises providing the alert based on the comparison.
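The record-assessment method of [0008]-[0013] carried through in code, as an added example and not the applicant's code or any BeyondTrust product: the two record formats, the record-information database that locates the attribute segment, the whitelist, blacklist and greylist contents, the 0..10 risk scale and the acceptance threshold are all constructed assumptions.

```python
"""Server-side assessment of application event records (added example).

Record formats, record-information database, list contents, risk scale and
threshold are constructed for illustration; the flow (identify record type,
retrieve only the attribute segment, compare to white/black/greylist, derive a
risk value, alert above a user threshold) follows the summary text.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed record-information database. For each record type it gives the
# field that identifies the type and the positions (whitespace-separated
# fields) of the application and version attributes, i.e. the one segment of
# the record that is assessed; the rest of the record is never inspected.
RECORD_INFO: Dict[str, dict] = {
    "exec_log": {"marker_pos": 0, "marker": "EXEC", "app_pos": 2,
                 "version_pos": 3, "version_prefix": ""},
    "term_log": {"marker_pos": 2, "marker": "TERM", "app_pos": 3,
                 "version_pos": 4, "version_prefix": "ver="},
}

# Constructed vulnerability database keyed on (application, version).
WHITELIST = {("firefox.exe", "27.0")}            # known good
BLACKLIST = {("java.exe", "6.0.45")}             # known vulnerable
GREYLIST = {("acrobat.exe", "10.1.4"): 8,        # suspicious, each with a
            ("firefox.exe", "26.0"): 4}          # constructed risk value
RISK_BLACKLISTED = 10                            # top of the 0..10 scale


@dataclass(frozen=True)
class Finding:
    app: str
    version: str
    verdict: str   # whitelisted | blacklisted | suspicious | unknown
    risk: int      # 0..10
    alert: bool    # True when risk exceeds the acceptance threshold


def identify_record_type(record: str) -> str:
    """Classify the record so the matching record information can be applied."""
    fields = record.split()
    for rtype, info in RECORD_INFO.items():
        pos = info["marker_pos"]
        if len(fields) > pos and fields[pos] == info["marker"]:
            return rtype
    raise ValueError(f"unrecognised record format: {record!r}")


def retrieve_segment(record: str, rtype: str) -> Tuple[str, str]:
    """Pull only the (application, version) segment from its known position."""
    info = RECORD_INFO[rtype]
    fields = record.split()
    app = fields[info["app_pos"]].lower()
    version = fields[info["version_pos"]]
    if info["version_prefix"] and version.startswith(info["version_prefix"]):
        version = version[len(info["version_prefix"]):]
    return app, version


def compare_to_vulnerability_database(app: str, version: str) -> Tuple[str, int]:
    """Whitelist first, then blacklist, then greylist; returns (verdict, risk)."""
    key = (app, version)
    if key in WHITELIST:
        return "whitelisted", 0
    if key in BLACKLIST:
        return "blacklisted", RISK_BLACKLISTED
    if key in GREYLIST:
        return "suspicious", GREYLIST[key]
    return "unknown", 0


def assess_record(record: str, threshold: int) -> Finding:
    """Assess one record; an alert is raised only when risk exceeds the threshold."""
    rtype = identify_record_type(record)
    app, version = retrieve_segment(record, rtype)
    verdict, risk = compare_to_vulnerability_database(app, version)
    return Finding(app, version, verdict, risk, alert=risk > threshold)


def assess_records(records: List[str], threshold: int = 5) -> List[Finding]:
    """Assess a batch of records received from one digital device."""
    return [assess_record(r, threshold) for r in records]


def report(findings: List[Finding]) -> str:
    """Produce the report identifying the risks, one line per record."""
    return "\n".join(f"{f.app} {f.version}: {f.verdict} (risk {f.risk})"
                     + (" ALERT" if f.alert else "") for f in findings)


# Constructed sample records in the two formats above (not real log data).
SAMPLE_RECORDS = [
    "EXEC 2014-02-18T09:12:00 acrobat.exe 10.1.4 pid=412 parent=explorer.exe",
    "2014-02-18 09:15:03 TERM firefox.exe ver=26.0 exit=0",
    "EXEC 2014-02-18T09:20:11 java.exe 6.0.45 pid=520 parent=iexplore.exe",
    "2014-02-18 09:30:00 TERM firefox.exe ver=27.0 exit=0",
]

if __name__ == "__main__":
    print(report(assess_records(SAMPLE_RECORDS, threshold=5)))
```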
[0014] An exemplary system comprises a communication module, an information retrieval module, an assessment module, and a report module. The communication module may be configured to receive a plurality of records from a first digital device, each of the plurality of records generated during execution or termination of a different executable and containing information related to execution or termination of the different executable. The information retrieval module may be configured to retrieve at least one segment from at least one of the plurality of records, the at least one segment being less than all of the at least one of the plurality of records, the segment including an application or file attribute related to the different executable. The assessment module may be configured to compare the application or file attribute to a vulnerability database and identify a risk based on the comparison. The report module may be configured to generate a report identifying the risk.
[0015] A computer readable medium may comprise executable instructions. The computer readable medium may be non-transitory. The instructions may be executable by a processor to perform a method. The method may comprise receiving a plurality of records from a first digital device, each of the plurality of records generated during execution or termination of a different executable and containing information related to execution or termination of the different executable, retrieving at least one segment from at least one of the plurality of records, the at least one segment being less than all of the at least one of the plurality of records, the segment including an application or file attribute related to the different executable, comparing the application or file attribute to a vulnerability database, identifying a risk based on the comparison, and generating a report identifying the risk.
[0016] In various embodiments, an agent on a digital device may comprise a monitor module, an application identification module, a vulnerability module, a rules database, and a rule module. The monitor module may be configured to monitor a device for an instruction to execute a legitimate application. The application identification module may be configured to identify one or more attributes of the legitimate application. The vulnerability module may be configured to retrieve risk information based on the one or more attributes of the legitimate application. The risk information may be determined from known vulnerabilities of the legitimate application. The rules database may be for storing a rule associated with the risk information. The rule module may be configured to retrieve the rule from the rule database based on the risk information and to control the legitimate application based on the rule.
[0017] In some embodiments, the rule module configured to control the legitimate application based on the rule may comprise blocking the legitimate application from executing based on the rule, allowing the legitimate application to execute based on the rule, or allowing the legitimate application to execute based on the rule but blocking some functionality of the legitimate application from executing based on the rule.
[0018] The monitor module configured to monitor the device for an instruction to execute the legitimate application may comprise the monitor module intercepting instructions being provided to or from an operating system of the device. The attribute may be an application identifier. The attribute may be an application version identifier.
[0019] In various embodiments, the rule comprises an instruction to block all or part of the execution of the legitimate application if risk information indicates, at least in part, that a vulnerability associated with the legitimate application was publicly disclosed before a predetermined date. The predetermined date may be calculated as occurring at a period of time before a current date or before any provided date.
[0020] In some embodiments, the rule comprises an instruction to block all or part of the execution of the legitimate application if risk information indicates, at least in part, that a public exploit of a vulnerability associated with the legitimate application exists.
[0021] In various embodiments, the rule comprises an instruction to block all or part of the execution of the legitimate application if risk information indicates, at least in part, that a vulnerability associated with the legitimate application was identified before a predetermined period of time. The rule may be applicable to multiple different legitimate applications on the device. The rule module may be configured to retrieve a plurality of rules from the rule database, each of the plurality of rules associated with the risk information. The rule module configured to control the legitimate application based on the rule may comprise controlling the legitimate application based on the strictest rule of the plurality of rules.
[0022] The risk information may comprise a risk value and the rule comprises instructions regarding control of the application based on the risk value.
[0023] An exemplary method may comprise monitoring a device for an instruction to execute a legitimate application, identifying one or more attributes of the legitimate application, retrieving risk information based on the one or more attributes of the legitimate application, the risk information determined from known vulnerabilities of the legitimate application, storing a rule associated with the risk information, retrieving the rule from the rule database based on the risk information, and controlling the legitimate application based on the rule.
[0024] An exemplary non-transitory computer readable medium may comprise instructions executable by a processor to perform a method. The exemplary method may comprise monitoring a device for an instruction to execute a legitimate application, identifying one or more attributes of the legitimate application, retrieving risk information based on the one or more attributes of the legitimate application, the risk information determined from known vulnerabilities of the legitimate application, storing a rule associated with the risk information, retrieving the rule from the rule database based on the risk information, and controlling the legitimate application based on the rule.

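The agent-side rule evaluation of [0016]-[0024] as an added example, not the applicant's code: the risk database, the placeholder vulnerability identifiers (VULN-EXAMPLE-*), the 0..10 risk scale, the 90-day disclosure window and the three rules are assumptions; the rule semantics (block on an old public disclosure, block on a known public exploit, restrict on a risk value, strictest matching rule wins) follow the text.

```python
"""Agent-side, risk-based control of a legitimate application at launch
(added example). Database contents, identifiers, scale and rules are
constructed assumptions; the decision flow follows the summary text.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Callable, Dict, List, Optional, Tuple


class Action(IntEnum):
    """Ordered so that max() selects the strictest rule."""
    ALLOW = 0
    RESTRICT = 1   # allow execution but block some functionality
    BLOCK = 2


@dataclass(frozen=True)
class Vulnerability:
    identifier: str        # placeholder ids, not real advisories
    disclosed: date        # public disclosure date
    public_exploit: bool   # whether a public exploit is known


@dataclass(frozen=True)
class RiskInfo:
    risk_value: int                              # 0..10 (constructed scale)
    vulnerabilities: Tuple[Vulnerability, ...]


# Constructed risk database keyed on (application identifier, version identifier).
RISK_DB: Dict[Tuple[str, str], RiskInfo] = {
    ("reader.exe", "10.1.4"): RiskInfo(7, (
        Vulnerability("VULN-EXAMPLE-1", date(2013, 5, 14), public_exploit=True),)),
    ("browser.exe", "26.0"): RiskInfo(4, (
        Vulnerability("VULN-EXAMPLE-2", date(2014, 2, 4), public_exploit=False),)),
    ("browser.exe", "27.0"): RiskInfo(0, ()),
}

Predicate = Callable[[RiskInfo, date], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    action: Action
    applies: Predicate


def disclosed_before(days: int) -> Predicate:
    """Rule condition: some vulnerability was disclosed before (today - days)."""
    def applies(info: RiskInfo, today: date) -> bool:
        cutoff = today - timedelta(days=days)
        return any(v.disclosed < cutoff for v in info.vulnerabilities)
    return applies


def public_exploit_exists(info: RiskInfo, today: date) -> bool:
    """Rule condition: a public exploit is known for some vulnerability."""
    return any(v.public_exploit for v in info.vulnerabilities)


def risk_at_least(threshold: int) -> Predicate:
    """Rule condition: the risk value reaches the given threshold."""
    return lambda info, today: info.risk_value >= threshold


# Constructed rules database; each rule can apply to many applications.
RULES: Tuple[Rule, ...] = (
    Rule("block: vulnerability disclosed more than 90 days ago", Action.BLOCK, disclosed_before(90)),
    Rule("block: public exploit exists", Action.BLOCK, public_exploit_exists),
    Rule("restrict: risk value >= 3", Action.RESTRICT, risk_at_least(3)),
)


def retrieve_risk_information(app: str, version: str) -> Optional[RiskInfo]:
    """Vulnerability module: look up risk information by application attributes."""
    return RISK_DB.get((app, version))


def retrieve_rules(info: RiskInfo, today: date) -> List[Rule]:
    """Rules module: every rule whose condition the risk information satisfies."""
    return [r for r in RULES if r.applies(info, today)]


def control_application(app: str, version: str, today: date,
                        unknown_action: Action = Action.ALLOW) -> Tuple[Action, List[str]]:
    """Control module: decide the action for an intercepted execute request.

    Returns the action to enforce and the names of the rules that matched. An
    application with no risk information gets `unknown_action` (a deployment
    choice; ALLOW is assumed here).
    """
    info = retrieve_risk_information(app, version)
    if info is None:
        return unknown_action, []
    matched = retrieve_rules(info, today)
    if not matched:
        return Action.ALLOW, []
    strictest = max(matched, key=lambda r: r.action)   # strictest rule wins
    return strictest.action, [r.name for r in matched]


if __name__ == "__main__":
    today = date(2014, 2, 18)
    for app, version in RISK_DB:
        action, why = control_application(app, version, today)
        print(f"{app} {version}: {action.name} {why}")
```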
BRIEF DESCRIPTION OF THE DRAWINGS

[0025] FIG. 1 is a flow chart for active network scanning of targets to match a vulnerability state in the prior art.
[0026] FIG. 2 is a block diagram of an exemplary environment in some embodiments.
[0027] FIG. 3 is a flow chart for collection of information describing application events on a user device and comparing different portions of the collection against a vulnerability database in some embodiments.
[0028] FIG. 4 is a block diagram of a user device agent in some embodiments.
[0029] FIG. 5 is a block diagram of a security assessment server in some embodiments.
[0030] FIG. 6 is a flowchart for collection and preparation of records by a user device in some embodiments.
[0031] FIG. 7 is a flowchart for comparing segments contained within the collection against whitelist, blacklists, and/or greylists to report vulnerabilities in some embodiments.
[0032] FIG. 8 is an exemplary report generated by the security assessment server in some embodiments.
[0033] FIG. 9 is a block diagram of an exemplary digital device.
[0034] FIG. 10 is a block diagram of a user device in some embodiments.
[0035] FIG. 11 is a block diagram of an agent that may be on a user device in some embodiments.
[0036] FIG. 12 is a block diagram of a security server that may be in communication with the agent of the user device in some embodiments.
[0037] FIG. 13 is a flowchart for controlling execution of an application based on risk information and rules in some embodiments.
[0038] FIG. 14 is a flowchart for updating risk information and rules in some embodiments.
[0039] FIG. 15 is an exemplary vulnerability interface identifying vulnerabilities of legitimate applications in some embodiments.
[0040] FIG. 16 is an exemplary report generated by the security server in some embodiments.

DETAILED DESCRIPTION OF THE INVENTION

[0041] FIG. 1 is a flow chart 100 for active network scanning of targets to match a vulnerability state in the prior art. A traditional vulnerability assessment of scan targets will launch an array of tests that audit the configuration or state of target hardware and software. These checks will test for vulnerabilities such as missing patches or insecure configurations. A subset of these tests typically examines software and client applications installed on target machines. By examining the file system, registry and configuration files, the scanner can detect outdated versions of applications (e.g., Internet Explorer, Firefox, Microsoft Outlook, Microsoft Media Player and RealNetworks' RealPlayer). Typically these active tests will examine installed applications to identify:
[0042] Application Name
[0043] Application Publisher
[0044] File Name
[0045] File Location/Path
[0046] File Version
[0047] File Timestamp
[0048] File Description
[0049] File Checksum (MD5, SHA-1, etc.)
[0050] Digital Signature
[0051] From this information the vulnerability scanner searches a database of known vulnerabilities to see if the installed application is associated with known vulnerabilities. Prescriptive guidance is then provided to the user of the vulnerability scanner.
[0052] Flow chart 100 is an exemplary process of network scanning of targets in the prior art. In step 102, a scanning server selects scan targets. A scan target may be any digital device configured to support the scan. In one example, a digital device must have installed scanning software and at least one agent to be responsive to a centralized server that may command the scan. A digital device is any device with a processor and memory.
[0053] In step 104, the scanning server may determine available scan targets. The scanning server typically requires scheduling of network scans. Scanning generally occurs when the target digital device is unused because the scanning may reduce the digital device's performance. Unfortunately, when many digital devices are unused, they may be shut down (i.e., unavailable to the network), with the result that an unconnected and/or unpowered digital device cannot be scanned.
[0054] In step 106, the scanning server determines the availability of a target digital device. If the target digital device is on the network and has resources for scanning (e.g., the target digital device is available at 3:00 AM and/or has not been used by a user for a predetermined period of time), the scanning server may connect to the scan target (e.g., the target digital device) via the network in step 108. If the target digital device is not available, the process may end in step 118 or be rescheduled for another time, whereby the scanning server must, once again, determine if the target digital device is available (see step 106).
[0055] If the scanning server connects to the target digital device successfully in step 110, the scanning server may directly scan the target digital device or may trigger a self scan of the target digital device in step 112 (i.e., interrogate target). If the connection is not successful, the process may end in step 118 and the scan rescheduled.
[0056] During scanning, applications, files and registries may be directly examined to identify applications and files. The information is retrieved and compared against a database of known vulnerabilities. If a match of a vulnerable state is determined in step 114, the scanning server or the target digital device may report the fi
