US009749349B1

(12) United States Patent
     Czarny et al.

(10) Patent No.: US 9,749,349 B1
(45) Date of Patent: Aug. 29, 2017

(54) COMPUTER SECURITY VULNERABILITY ASSESSMENT

(71) Applicant: OPSWAT, Inc., San Francisco, CA (US)

(72) Inventors: Benjamin Czarny, San Francisco, CA (US); Jianpeng Mo, Burlingame, CA (US); Ali Rezafard, Millbrae, CA (US); David Matthew Patt, Kansas City, MO (US)

(73) Assignee: OPSWAT, Inc., San Francisco, CA (US)

( * ) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 15/275,123

(22) Filed: Sep. 23, 2016

(51) Int. Cl.
     H04L 29/06 (2006.01)
     G06F 17/30 (2006.01)
     G06F 21/57 (2013.01)

(52) U.S. Cl.
     CPC .... H04L 63/1433 (2013.01); G06F 17/30289 (2013.01); G06F 21/577 (2013.01); H04L 63/1425 (2013.01)

(58) Field of Classification Search
     CPC .... H04L 63/1433; H04L 63/1425; H04L 29/06904; G06F 21/577; G06F 17/30289
     USPC .... 726/25
     See application file for complete search history.

Primary Examiner — Hadi Armouche
Assistant Examiner — Shahriar Zarrineh
(74) Attorney, Agent, or Firm — The Mueller Law Office, P.C.

(57) ABSTRACT

Computer security vulnerability assessment is performed with product binary data and product vulnerability data that correspond with product identification data. A correspondence between the product binary data and the product vulnerability data is determined, and a binaries-to-vulnerabilities database is generated. The binaries-to-vulnerabilities database is used to scan binary data from a target device to find matches with the product binary data. A known security vulnerability of the target device is determined based on the scanning and the correspondence between the product binary data and the vulnerability data. In some embodiments, the target device is powered off and used as an external storage device to receive the binary data therefrom.
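
The mapping and scan described in the abstract, as an added Python example that is not taken from the patent or from OPSWAT. The sample tables are constructed in the shape of Figs. 2 to 4, the file names and contents are made up, and attributing to a binary only the vulnerabilities common to every product version that ships it is an assumption, since this page does not state the attribution rule.

```python
import hashlib
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for product binaries; only their SHA-256 digests are indexed.
CONTENT = {name: b"constructed sample binary: " + name.encode()
           for name in ("Exe1", "Exe2", "Exe4", "Dll3", "Dll5", "Dll9")}
H = {name: sha256_hex(data) for name, data in CONTENT.items()}

ESET = "ESET Endpoint Security"

# Binaries-to-products table, shaped like Fig. 2: (product, version) -> binary hashes.
BINARIES_TO_PRODUCTS = {
    (ESET, "5.0.2214.4"): {H["Exe1"], H["Exe2"], H["Dll3"]},
    (ESET, "5.0.1055.2"): {H["Exe1"], H["Exe4"], H["Dll5"]},
    (ESET, "4.2.3330.1"): {H["Exe1"], H["Exe2"], H["Dll5"]},
    (ESET, "4.0.1211.2"): {H["Dll3"], H["Dll5"], H["Exe1"]},
    ("JAVA", "7.11"): {H["Dll9"]},  # binaries known, no vulnerability record
}

# Products-to-vulnerabilities table, shaped like Fig. 3 (values as joined in Fig. 4).
PRODUCTS_TO_VULNS = {
    (ESET, "5.0.2214.4"): {"Vulner_1", "Vulner_2", "Vulner_3", "Vulner_4"},
    (ESET, "5.0.1055.2"): {"Vulner_1", "Vulner_2", "Vulner_5", "Vulner_6"},
    (ESET, "4.2.3330.1"): {"Vulner_1", "Vulner_2", "Vulner_4", "Vulner_6"},
    (ESET, "4.0.1211.2"): {"Vulner_1", "Vulner_2", "Vulner_3", "Vulner_6"},
    ("Adobe Flash", "3.0.5"): {"Vulner_2", "Vulner_9", "Vulner_10"},  # no binaries known
}


def build_binaries_to_vulns(b2p, p2v):
    """Join both tables on (product, version) and index the result by binary hash.

    Assumption: a vulnerability is attributed to a binary only if it is listed
    for every matched product version that contains that exact binary.
    """
    mapping = {}
    for key, hashes in b2p.items():
        vulns = p2v.get(key)
        if vulns is None:
            continue  # product/version has no vulnerability data: nothing to join
        for digest in hashes:
            mapping[digest] = mapping[digest] & vulns if digest in mapping else set(vulns)
    return mapping


def hash_file(path, chunk=65536):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_storage(root, b2v):
    """Hash every regular file under root (the target mounted as storage) and
    return report rows shaped like Fig. 6: (name, hash, file path, vulnerabilities)."""
    report = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip links and special files on the mounted volume
            digest = hash_file(path)
            vulns = b2v.get(digest)
            if vulns:
                report.append((name, digest, path, sorted(vulns)))
    return report


def grant_access(report):
    """Grant access to the secure environment only when nothing was reported."""
    return not report


def demo():
    b2v = build_binaries_to_vulns(BINARIES_TO_PRODUCTS, PRODUCTS_TO_VULNS)
    with tempfile.TemporaryDirectory() as root:
        # Hypothetical file names; contents are the constructed samples above.
        files = {"sample_a.exe": CONTENT["Exe2"],
                 "sample_b.dll": CONTENT["Dll9"],
                 "notes.txt": b"unrelated file"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        report = scan_storage(root, b2v)
    return report, grant_access(report)


if __name__ == "__main__":
    rows, granted = demo()
    for row in rows:
        print(row)
    print("access granted:", granted)
```

Only the file whose hash has a joined vulnerability record is reported; the JAVA binary is recognised in the binaries-to-products table but produces no row because no vulnerability data shares its product and version key.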

10 Claims, 8 Drawing Sheets

WIZ, Inc. EXHIBIT - 1084
WIZ, Inc. v. Orca Security LTD.

Fig. 1 (Sheet 1 of 8): block diagram. Labels recoverable from the drawing: Community Client Devices; Vulnerability Database System; Binaries-to-Products Mapping Database (106); Products-to-Vulnerabilities Mapping Database (107); Binaries-to-Vulnerabilities Mapping Database (105); Products and Vulnerabilities Information; Offline Vulnerability Database (110); Validation Server; Target Binary Data (111); Target Device; Binary Data; File Paths; Software Components; Hardware Components; Software/Hardware Configuration; Access Control; Target Device Vulnerability Report (117); System Administrator; Secure Environment.

Fig. 2 (Sheet 2 of 8): Binaries-to-Products Mapping Database (106)

Product                | Version    | Binary Files
ESET Endpoint Security | 5.0.2214.4 | Exe1_sha256, Exe2_sha256, Dll3_sha256, ...
ESET Endpoint Security | 5.0.1055.2 | Exe1_sha256, Exe4_sha256, Dll5_sha256, ...
ESET Endpoint Security | 4.2.3330.1 | Exe1_sha256, Exe2_sha256, Dll5_sha256, ...
ESET Endpoint Security | 4.0.1211.2 | Dll3_sha256, Dll5_sha256, Exe1_sha256, ...
JAVA                   | 7.11       | Dll9_sha256, Dll12_sha256, Dll13_sha256, ...
...                    | ...        | ...

Fig. 3 (Sheet 2 of 8): Products-to-Vulnerabilities Mapping Database (107)

Product                | Version    | Known Vulnerabilities
ESET Endpoint Security | 5.0.2214.4 | Vulner_1, Vulner_2, Vulner_3, Vulner_4, ...
ESET Endpoint Security | 5.0.1055.2 | Vulner_1, Vulner_2, Vulner_5, Vulner_6, ...
ESET Endpoint Security | 4.2.4230.1 | Vulner_1, Vulner_2, Vulner_7, Vulner_8, ...
ESET Endpoint Security | 4.0.1211.2 | Vulner_1, Vulner_2, Vulner_3, Vulner_6, ...
Adobe Flash            | 3.0.5      | Vulner_2, Vulner_9, Vulner_10, ...
...                    | ...        | ...

Fig. 4 (Sheet 2 of 8): combined table (400)

Product                | Version    | Binary Files                                  | Known Vulnerabilities
ESET Endpoint Security | 5.0.2214.4 | Exe1_sha256, Exe2_sha256, Dll3_sha256, ...    | Vulner_1, Vulner_2, Vulner_3, Vulner_4, ...
ESET Endpoint Security | 5.0.1055.2 | Exe1_sha256, Exe4_sha256, Dll5_sha256, ...    | Vulner_1, Vulner_2, Vulner_5, Vulner_6, ...
ESET Endpoint Security | 4.2.3330.1 | Exe1_sha256, Exe2_sha256, Dll5_sha256, ...    | Vulner_1, Vulner_2, Vulner_4, Vulner_6, ...
ESET Endpoint Security | 4.0.1211.2 | Dll3_sha256, Dll5_sha256, Exe1_sha256, ...    | Vulner_1, Vulner_2, Vulner_3, Vulner_6, ...
JAVA                   | 7.11       | Dll9_sha256, Dll12_sha256, Dll13_sha256, ...  |
Adobe Flash            | 3.0.5      |                                               | Vulner_2, Vulner_9, Vulner_10, ...
...                    | ...        | ...                                           | ...

Fig. 5 (Sheet 3 of 8): Binaries-to-Vulnerabilities Mapping Database (105)

Binary File | Known Vulnerabilities
Exe1_sha256 | Vulner_1, Vulner_2, ...
Exe2_sha256 | Vulner_4, ...
Exe4_sha256 | Vulner_5, ...
Dll3_sha256 | Vulner_3, ...
Dll5_sha256 | Vulner_6, ...
...         | ...

Fig. 6 (Sheet 3 of 8): Target Device Vulnerability Report (117)

1. Binary_1, Hash_1, Filepath_1, [Vulner_1, Vulner_2, ...]
2. Binary_2, Hash_2, Filepath_2, [Vulner_2, Vulner_4, ...]
3. Binary_3, Hash_3, Filepath_3, [Vulner_3, Vulner_5, ...]
...
N. Binary_N, Hash_N, Filepath_N, [Vulner_*, Vulner_**, ...]

Fig. 7 (Sheet 4 of 8): flowchart

701 Start
702 Detect installed applications.
703 Collect relevant binary information.
704 Map binary data to product/version combination.
705 Submit binary-to-product/version information.

Fig. 8 (Sheet 5 of 8): flowchart (800)

801 Start
802 Receive binary-to-product/version information.
803 Store binary data with index of product/version combination. (Binaries-to-Products Mapping Database 106)
804 Periodically download and process public vulnerability data.
805 Store vulnerability data with index of product/version combination. (Products-to-Vulnerabilities Mapping Database 107)
806 Process data from the two databases to generate binaries-to-vulnerabilities relationships. (Binaries-to-Vulnerabilities Mapping Database 105)

Fig. 9 (Sheet 5 of 8): flowchart

901 Start
902 Connect to validation server as file storage device.

Fig. 10 (Sheet 6 of 8): flowchart (1000)

1001 Start
1002 Download binaries-to-vulnerabilities database as offline update package.
1003 Load target device as file storage device.
1004 Scan binary file in the target device against the offline binaries-to-vulnerabilities database.
1005 Binary file contains known vulnerability?
1006 Log the binary file name, file path, and vulnerability info.
1007 Last binary file?
1008 Next binary file.
1009 Consolidate the scan result into target device vulnerability report.

Fig. 11 (Sheet 7 of 8): block diagram of Computing System(s) (1100). Labels recoverable from the drawing: Processor; Electronic Memory; Data Storage, with Binaries-to-Products Mapping Database (106), Products-to-Vulnerabilities Mapping Database (107), Binaries-to-Vulnerabilities Mapping Database (105), Parsing (1108), Searching (1109), Comparing (1110), Reading (1111), Storing (1112), Network Communication (1113) and Database Management (1114); User I/O; Network I/O.

Fig. 12 (Sheet 8 of 8): block diagram of Computing System(s) (1200). Labels recoverable from the drawing: Processor; Electronic Memory; Data Storage, with Target Binary Data (111), Offline Vulnerability Database (110), Target Device Vulnerability Report (117), Access Control, Parsing (1209), Searching (1210), Comparing (1211), Reading (1212), Storing (1213), Network Communication (1214) and Vulnerability Assessment (1215); User I/O; Network I/O; Peripheral I/O.

COMPUTER SECURITY VULNERABILITY ASSESSMENT

BACKGROUND OF THE INVENTION

Vulnerability assessment and malware detection are two fields or industries that deal with issues of computer security. A positive malware detection generally requires an immediate response to eliminate a threat to the computer device of a potentially imminent malicious event. Typically, the response is to quarantine, remove, or replace the software file of the malware. With a positive vulnerability assessment, on the other hand, the computer device can usually continue to operate without concern for a threat to the computer device, since a malicious event is not necessarily imminent. However, if the computer device is going to be used in an environment that has a particular security standard, then there is considerable concern over whether the computer device meets that security standard or would present a security problem for the environment. For example, if the computer device is to be used in a medical facility with a secure network through which the computer device will have access to confidential patient records, then it is very important to determine whether the computer device is hosting or executing any binary files that are known to be easy targets for hackers to gain access to the computer device and from there to any other computer or data storage device accessible through the secure network. Therefore, before the computer device can be granted access to the secure network, the vulnerability to malicious events of the

erized system determines a known security vulnerability of the target device based on 1) results of the scanning and 2) the correspondence between the binary data and the vulnerability data.

In some embodiments, a more thorough, more robust, more flexible and more secure computer security vulnerability assessment is achieved with a method in which a computerized system receives product binary data and first product identification data that correspond to each other. The computerized system receives product vulnerability data and second product identification data that correspond to each other. The computerized system determines a correspondence between the product binary data and the product vulnerability data based on matching the first product identification data with the second product identification data. The computerized system establishes a communication connection to a target device. The computerized system receives target binary files from the target device. The computerized system uses the product binary data to scan the target binary files to find matches between the target binary files and the product binary data. The computerized system determines a known security vulnerability of the target device based on 1) results of the scanning and 2) the correspondence between the product binary data and the product vulnerability data.

In some embodiments, the computerized system 1) grants access by the target device to a secure environment based on determining that the target device has no known security vulnerability; and 2) denies access by the target device to the secure environment based on determining that the target device has the known security vulnerability. In some embodiments, the product vulnerability data describes a vulnerability to a malicious event of a computer device that
