(12) United States Patent
Thakar et al.

(10) Patent No.: US 9,900,333 B2
(45) Date of Patent: Feb. 20, 2018

(54) SYSTEM AND METHOD FOR DETECTING VULNERABILITY STATE DELTAS

(71) Applicant: Qualys, Inc., Redwood Shores, CA (US)

(72) Inventors: Sumedh Thakar, San Jose, CA (US); Bharat Patel, Belmont, CA (US); Balaji Venkatesan, Foster City, CA (US); Tristan Burch, Denver, CO (US); Sean M. Molloy, Parker, CO (US); Matthew L. Wirges, West Bend, WI (US)

(73) Assignee: Qualys, Inc., Redwood Shores, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 30 days.

(21) Appl. No.: 14/614,920

(22) Filed: Feb. 5, 2015

(65) Prior Publication Data
US 2016/0234237 A1, Aug. 11, 2016

(51) Int. Cl.
H04L 29/06 (2006.01)

(52) U.S. Cl.
CPC H04L 63/1433 (2013.01)

(58) Field of Classification Search
CPC H04L 63/00; G06F 21/00
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

2007/0124246 A1* 5/2007 Lawyer, G06Q 10/00, 705/50
2010/0058478 A1* 3/2010 Shetty, G06F 21/10, 726/26

* cited by examiner

Primary Examiner — Joseph P Hirl
Assistant Examiner — Leynna Truvan
(74) Attorney, Agent, or Firm — Baker & McKenzie LLP

(57) ABSTRACT

Described herein is a system and method for detecting vulnerability state deltas, the method comprising the steps of: receiving data related to a network connected device; determining a vulnerability state of the network connected device based upon the data; storing the vulnerability state in a vulnerability state database; receiving additional data related to the network connected device; determining an updated vulnerability state of the network connected device based upon the additional data; determining one or more deltas based upon differences between the vulnerability state and the updated vulnerability state; and updating the stored vulnerability state with the updated vulnerability state.

20 Claims, 3 Drawing Sheets
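
The steps of the abstract, as an added Python example that is not part of the patent: observations from several sources are merged into one state, the state is stored, and each later batch yields only the deltas. The names (`Observation`, `Delta`, `VulnStateStore`), the `RELIABILITY` ranking, the device `web-01` and all sample data are assumptions constructed for illustration; the example also covers the partial-scan and conflicting-source cases that the detailed description discusses.

```python
"""Vulnerability state deltas: merge source data, store state, diff on update."""
from dataclasses import dataclass
from typing import Optional

# Assumed ranking (higher wins on conflict). The patent only says the more
# reliable source is used; it does not say which source that is.
RELIABILITY = {"agent": 3, "collector": 2, "scanner": 1}


@dataclass(frozen=True)
class Observation:
    source: str  # "scanner", "agent" or "collector"
    item: str    # what was observed, e.g. "port:443/tcp" or "os:version"
    value: str   # observed value, e.g. "open", "closed", "10.1"


@dataclass(frozen=True)
class Delta:
    device: str
    item: str
    old: Optional[str]  # None: the item was not in the stored state
    new: str


def composite(observations):
    """Merge one batch into a state dict; the more reliable source wins."""
    best = {}
    for obs in observations:
        rank = RELIABILITY.get(obs.source, 0)
        # ">=" lets the later observation win between equally ranked sources.
        if obs.item not in best or rank >= best[obs.item][0]:
            best[obs.item] = (rank, obs.value)
    return {item: value for item, (_, value) in best.items()}


class VulnStateStore:
    """In-memory stand-in for the vulnerability state database."""

    def __init__(self):
        self._states = {}

    def state(self, device):
        return dict(self._states.get(device, {}))

    def update(self, device, observations):
        """Fold a batch into the stored state and return the deltas."""
        old = self._states.get(device, {})
        observed = composite(observations)
        deltas = [
            Delta(device, item, old.get(item), value)
            for item, value in sorted(observed.items())
            if old.get(item) != value
        ]
        # A partial scan covers only part of the device, so items it did not
        # observe are carried over instead of being reported as gone.
        self._states[device] = {**old, **observed}
        return deltas


def alerts(deltas, wanted):
    """Keep only the deltas the operator chose to be alerted on."""
    return [d for d in deltas if wanted(d)]


def demo():
    store = VulnStateStore()
    # Constructed sample data for a hypothetical device "web-01".
    first = [
        Observation("scanner", "port:22/tcp", "open"),
        Observation("scanner", "port:443/tcp", "open"),
        Observation("agent", "os:version", "10.1"),
    ]
    baseline = store.update("web-01", first)  # first sight: every item is new
    second = [
        Observation("scanner", "port:3389/tcp", "closed"),
        Observation("agent", "port:3389/tcp", "open"),  # conflicts with scanner
        Observation("agent", "os:version", "10.1"),     # unchanged: no delta
    ]
    deltas = store.update("web-01", second)
    newly_open = alerts(
        deltas, lambda d: d.item.startswith("port:") and d.new == "open"
    )
    return baseline, deltas, newly_open, store.state("web-01")


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The reliability ranking is applied within one batch only; across batches the newer observation replaces the stored value.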

WIZ, Inc. EXHIBIT - 1065
WIZ, Inc. v. Orca Security LTD.

U.S. Patent, Feb. 20, 2018, Sheets 1 to 3 of 3, US 9,900,333 B2

[FIG. 1 (Sheet 1 of 3): block diagram. Labeled elements: CUSTOMER NETWORK 190 containing INTERNAL NETWORK 105 (SERVER 115, SERVER 120, COLLECTOR 125, AGENT 130) and PERIMETER NETWORK 110 (WEB SERVER 135, WEB SERVER 140); INTERNET 160; SECURITY NETWORK 180 (SCANNER 145, STATE ASSEMBLER 150, VULN STATE DATABASE 155). Each device is drawn with MEMORY, I/O and PROCESSOR blocks.]

[FIG. 2 (Sheet 2 of 3): data flow diagram. Labeled elements: SCAN DATA, AGENT DATA, COLLECTOR DATA and OTHER DATA inputs; COMPOSITE GENERATOR 205; VULN STATE MONITOR; VULN STATE DATABASE 155; DELTA ALERT.]

[FIG. 3 (Sheet 3 of 3): flow diagram. Steps: 310 RECEIVE MACHINE DATA; 320 DETERMINE VULN STATE; 330 STORE VULN STATE; 340 RECEIVE ADDITIONAL MACHINE DATA; 350 UPDATE VULN STATE; 360 DETERMINE DELTAS; 370 REPORT DELTAS.]

SYSTEM AND METHOD FOR DETECTING VULNERABILITY STATE DELTAS

FIELD OF THE INVENTION

The presently described embodiments relate to vulnerability states of computing devices. The presently described embodiments disclose a system and method for detecting vulnerability state deltas.

BACKGROUND OF THE INVENTION

Computers and other network connected devices are often scanned to determine vulnerabilities. Typically the scans are performed once a week and result in large lists of vulnerabilities. Sometimes the scans are performed from outside of the network, other times the scans are performed from within the network. The resulting list of vulnerabilities may be used to improve the security of the scanned network. The list is often very long and may report on items that are not vulnerabilities every time the scan is run. The system and method described herein introduce novel methods to address these issues and others.

SUMMARY OF THE INVENTION

The technology described herein provides a novel system and method for detecting vulnerability state deltas. Administrators of mature networks may desire to receive only a list of deltas (changes in state) when a network vulnerability scan is completed, rather than the complete list of detected vulnerabilities. It may be desirable to run pseudo-continuous network scans in order to provide the most current deltas. The scans may take place within and without the network and may provide data from various sources. The data may be compiled from the various sources into a vulnerability state. As new data comes in, deltas may be determined and reported as necessary.

These and other refinements provide various advantages over currently deployed systems and methods. Further refinements and novel solutions in vulnerability state delta detection are described herein.

BRIEF DESCRIPTION OF THE DRAWINGS

Reference is now made to the following detailed description of the preferred embodiments, taken in conjunction with the accompanying drawings. It is emphasized that various features may not be drawn to scale. In fact, the dimensions of various features may be arbitrarily increased or reduced for clarity of discussion. In addition, it is emphasized that some components may be omitted in certain figures for clarity of discussion. Reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:

FIG. 1 is a block diagram of an embodiment of a system for detecting vulnerability state deltas in accordance with the disclosed principles;

FIG. 2 is a data flow diagram of an embodiment of a system for detecting vulnerability state deltas; and

FIG. 3 is a flow diagram of an embodiment of a method for detecting vulnerability state deltas.

Although similar reference numbers may be used to refer to similar elements for convenience, it can be appreciated that each of the various example embodiments may be considered distinct variations.

DETAILED DESCRIPTION

In an embodiment, a vulnerability state of a machine may be determined. A vulnerability may be any type of weakness in a machine or network. For example, vulnerabilities may be found if certain ports are left open on an internet facing device; certain versions of operating systems may also be considered vulnerabilities; and any other potential weakness that may be exploited may be considered a vulnerability. Data regarding the machine's vulnerability state may be received from various sources. The various sources may include port scanners, network vulnerability scanners, database security scanners, host based vulnerability scanners, or other vulnerability testing devices. The data received from the various sources may be combined to determine a vulnerability state of the machine that has been scanned. In some cases the data received may be a vulnerability. In some other cases, rather than identifying the vulnerabilities during a scan of the machine, the machine's current state may be received and the state data may be evaluated for vulnerabilities.

The data used in determining vulnerabilities may come directly from the scanned machine, or may be retrieved from an echo of the machine stored in cloud storage. An echo is a snapshot of the machine's state that may be stored in cloud based storage or some other remotely accessible storage. The machine state may be characteristics and attributes of the machine or other information relevant for use in determining vulnerabilities of the machine. Scanning the echo for vulnerabilities rather than scanning the actual machine may free up resources at the machine and may allow scanning even if the machine is currently offline, e.g. not connected to a network.

The data may be gathered by devices outside the network the machine resides in, e.g., from outside a corporate network firewall, or from inside the network the machine resides in, e.g., from inside a corporate network firewall. Data gathered from outside of the network that the machine resides in, for example by scanning, may provide insight into how outsiders and potential hackers see the customer's network. Data gathered from inside of the network that the machine resides in, for example from an agent or other scanner deployed in the network, may help with detecting vulnerabilities that may only be found from within the network. For example, vulnerabilities may be caused by newly installed machines in the network, as well as other hard to scan areas inside the network. Data may also be gathered by a collector. A collector may receive data from devices that manage an environment, e.g., the customer's network. Thus, a device that manages a network where the scanned machine resides may be able to provide data for use in determining vulnerabilities of the machine. As an example, when using virtualization software such as VMware, there may be a machine inside a VMware server. There may also be VMware software that manages the VMware environment. The collector may talk to the VMware software to gather information about what the VMware software knows about the machine. Thus, the data gathered is about the machine, but not gathered directly by the collector from the machine.

In some embodiments, the data that may be analyzed for vulnerabilities may be gathered in a pseudo-continuous fashion. The vulnerability state may also be updated in a pseudo-continuous fashion. Continuous scanning of a system may cause problems with the availability of the system for its intended purpose. Continuous scanning may result in the network being unavailable for its intended users, similar
to a denial of service (DoS) network attack. Thus, pseudo-continuous scanning, in other words, as much scanning as possible without adversely affecting availability of the machine or network may be used. Pseudo-continuous scanning may be different than the scanning employed by many network scanning systems, which may use a weekly scan that returns one large data set. Weekly scans present a problem of one very large result set. Large result sets require more time and processing power to analyze and may result in vulnerabilities being missed. Further, periodic scanning may result in vulnerabilities that exist for several hours or days before detection. Some embodiments may use continuous scanning if the scanned machine and network are capable of handling the increased traffic and processing that results from a continuous scan.

In some embodiments, to reduce the impact of scanning on a network or device, the network or device may be scanned in a piecemeal fashion. For example, a customer may decide to scan a first portion of a machine or network at time A and then the remaining portion at time B. Scanning only a part of the device or network may result in a lower impact to network resources. In this case, scan A and scan B would need to be combined in order to have a complete status of the network.

Sometimes, the data related to a scanned network or machine received from a first source may overlap with data related to the scanned network or machine received from a second source. For example, a first scan may indicate that a port is closed, while a second scan may indicate that the same port is open. When conflicting data is received, a determination may be made as to which source is more reliable, and the data from the more reliable source may be used for determining the vulnerability state. Continuing the

configure the system such that only specific deltas are alerted on. Thus, only a subset of deltas may be sent to the end user as alerts.

As used herein, processors may control actions of a device or machine. Any actions described as being taken by a processor might be taken by the processor alone or by the processor in conjunction with one or more additional components. Additionally, while only one processor may be shown in certain devices, multiple processors may be present. Thus, while instructions may be discussed as being executed by a processor, the instructions may be executed simultaneously, serially, or otherwise by one or multiple processors. A processor may be implemented as one or more CPU chips and may be a hardware device capable of executing computer instructions. The processor may execute instructions, codes, computer programs, or scripts. The instructions, codes, computer programs, or scripts may be received from an I/O module or from memory.

As used herein, an I/O module may include modems, modem banks, Ethernet devices, universal serial bus (USB) interface devices, serial interfaces, token ring devices, fiber distributed data interface (FDDI) devices, wireless local area network (WLAN) devices, radio transceiver devices such as code division multiple access (CDMA) devices, global system for mobile communications (GSM) radio transceiver devices, universal mobile telecommunications system (UMTS) radio transceiver devices, long term evolution (LTE) radio transceiver devices, worldwide interoperability for microwave access (WiMAX) devices, and/or other well-known devices for connecting to networks. I/O modules may also include liquid crystal displays (LCDs), touch screen displays, keyboards, keypads, switches, dials, mice, track balls, voice recognizers, card readers, paper tape readers, printers, video monitors, or other well-known input/
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ ChargeStill Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.

This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.

One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site