(12) United States Patent
Oliphant et al.

(10) Patent No.: US 10,609,063 B1
(45) Date of Patent: *Mar. 31, 2020

(54) COMPUTER PROGRAM PRODUCT AND APPARATUS FOR MULTI-PATH REMEDIATION

(71) Applicant: SecurityProfiling, LLC, Garland, TX (US)

(72) Inventors: Brett M. Oliphant, Plano, TX (US); John P. Blignaut, West Lafayette, IN (US)

(73) Assignee: SecurityProfiling, LLC, Garland, TX (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.
This patent is subject to a terminal disclaimer.

(21) Appl. No.: 15/608,978

(22) Filed: May 30, 2017

Related U.S. Application Data

(63) Continuation of application No. 14/816,931, filed on Aug. 3, 2015, now Pat. No. 10,050,988, which is a (Continued)

(51) Int. Cl.
H04L 29/06 (2006.01)
G06F 21/57 (2013.01)
(Continued)

(52) U.S. Cl.
CPC .......... H04L 63/1433 (2013.01); G06F 21/50 (2013.01); G06F 21/55 (2013.01); (Continued)

(58) Field of Classification Search
None
See application file for complete search history.
`
Primary Examiner - Madhuri R Herzog
(74) Attorney, Agent, or Firm - Patrick E. Caldwell, Esq.; The Caldwell Firm, LLC

(57) ABSTRACT

A system, method, and computer program product are provided for a database associating a plurality of device vulnerabilities to which computing devices can be subject with a plurality of remediation techniques that collectively remediate the plurality of device vulnerabilities. Each of the device vulnerabilities is associated with at least one remediation technique. Each remediation technique associated with a particular device vulnerability remediates that particular vulnerability. Further, each remediation technique has a remediation type selected from the type group consisting of patch, policy setting, and configuration option. Still yet, a first one of the device vulnerabilities is associated with at least two alternative remediation techniques.

70 Claims, 12 Drawing Sheets
`
Abstract figure: Anti-Vulnerability Platform block diagram with Core, Vulnerabilities Database, Realtime Updater, Anti-Vulnerability Service, Anti-Vulnerability Engine, SDK, and Logic Module (drawing not reproduced in this text).

Ex. 1001
CISCO SYSTEMS, INC. / Page 1 of 41
Related U.S. Application Data (continued)

continuation of application No. 14/499,230, filed on Sep. 28, 2014, now Pat. No. 9,100,431, which is a continuation-in-part of application No. 14/138,014, filed on Dec. 21, 2013, now Pat. No. 9,117,069, which is a continuation of application No. 10/882,852, filed on Jul. 1, 2004, now abandoned.
(60) Provisional application No. 60/484,085, filed on Jul. 1, 2003.

(51) Int. Cl. (continued)
G06F 21/55 (2013.01)
G06F 21/50 (2013.01)

(52) U.S. Cl. (continued)
CPC ............ G06F 21/554 (2013.01); G06F 21/57 (2013.01); G06F 21/577 (2013.01); H04L 63/02 (2013.01); H04L 63/0227 (2013.01); H04L 63/14 (2013.01); H04L 63/145 (2013.01); H04L 63/1408 (2013.01); H04L 63/1416 (2013.01); H04L 63/1441 (2013.01); H04L 63/20 (2013.01); H04L 63/0263 (2013.01)
Drawing sheets (the drawings are not reproduced in this text; only their legible labels are kept)

Sheet 1 of 12, FIG. 1: networked system with SECURITY SERVER, COMPUTER 137 and COMPUTER 139.

Sheet 2 of 12, FIG. 2: components of the devices: FIREWALL (processor, storage 174), ROUTER 133, SECURITY SERVER 135 (processor, storage), COMPUTER 137, COMPUTER 139 (processor, MEMORY 164, DATABASE 166).

Sheet 3 of 12, FIG. 3: SECURITY SERVER, COMPUTER 137, connection request 211. FIG. 4: SERVER 135, ROUTER 133, signals 231, 233 and 235, COMPUTER 137, COMPUTER 139.

Sheet 4 of 12, FIG. 5A: flow chart with steps PROXY RECEIVES CONNECTION REQUEST (203), ALLOW CONNECTION, and REDIRECT TO EXPLANATION.

Sheet 5 of 12, FIG. 5B: platform diagram (rotated; labels not legible in this text).

Sheet 6 of 12, FIG. 6: Anti-Vulnerability Platform with Core, Realtime Updater, Vulnerabilities Database, Anti-Vulnerability Service, Anti-Vulnerability Engine, SDK, and Logic Module.

Sheet 7 of 12, FIG. 7 (intelligent IDS): Off-Site Network Operations Center (NOC) Servers supplying Security Updates, Hotfixes, & Patches over AES Encryption to an OnSite Server (701); Console (703b); IDS Sensor; monitored hosts (704, 705, 706) running XP, 98, NT, Solaris, Mandrake, RedHat and Turbo.

Sheet 8 of 12, FIG. 8 (update system): Network Operations Center (NOC) Servers supplying Security Updates, Hotfixes, & Patches over AES Encryption to an OnSite Server (801); Management Console(s) (803); hosts (804, 805, 806) running XP, 98, 2k, NT, Solaris, RedHat and Turbo.

Sheet 9 of 12, FIG. 9 (configured network): On-Site Server (901) with LogBoss(TM); Console Viewer; laptops and workstations (902); Data Storage Server, File Server, E-Mail Server, Database Server and Web Server; numerals 903 and 904 also appear.

Sheet 10 of 12, FIG. 10 (policy compliance and enforcement): Network Operations Center (NOC) Servers (1002) providing Security Policy Templates, Rules, & Updates over AES Encryption (1005) to an On-Site Server (1001); Management Console(s) (1003); hosts (1004, 1006) running XP, NT, 2k, Solaris, RedHat and Turbo.

Sheet 11 of 12, FIG. 11 (intelligent IPS): Off-Site Network Operations Center (NOC) Servers (1102) supplying Security Rules, Updates & Patches over AES Encryption to an OnSite Server (1101); 1103a, 1103b; Perimeter Firewall; Console; IPS in line; Hub; hosts (1104, 1106) running 2k, 98, Solaris, Mandrake, RedHat and Turbo.

Sheet 12 of 12, FIG. 12 (SDK function call flow, Anti-Vulnerability Platform and Data Warehouse): Point Product uses SDK functionality query; SDK queries the Logic Module; Logic queries the Data Warehouse; Data warehouse queries its databases; returns data to Logic Module; and answers via the SDK to the Point Product.
COMPUTER PROGRAM PRODUCT AND APPARATUS FOR MULTI-PATH REMEDIATION

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of, and claims priority to, U.S. application Ser. No. 14/816,931, filed Aug. 3, 2015, which, in turn, is a continuation of U.S. application Ser. No. 14/499,230, now U.S. Pat. No. 9,100,431, filed Sep. 28, 2014 which, in turn, is a continuation-in-part of U.S. application Ser. No. 14/138,014 filed Dec. 21, 2013, now U.S. Pat. No. 9,117,069, which, in turn, is a continuation of U.S. application Ser. No. 10/882,852 filed Jul. 1, 2004 which, in turn, claims priority to U.S. App. No. 60/484,085 filed Jul. 1, 2003, which are all incorporated herein by reference in their entirety for all purposes.

FIELD OF THE INVENTION

The present invention relates to computer systems, and more particularly to management of security of computing and network devices that are connected to other such devices.

SUMMARY

A system, method, and computer program product are provided for a database associating a plurality of device vulnerabilities to which computing devices can be subject with a plurality of remediation techniques that collectively remediate the plurality of device vulnerabilities. Each of the device vulnerabilities is associated with at least one remediation technique. Each remediation technique associated with a particular device vulnerability remediates that particular vulnerability. Further, each remediation technique has a remediation type selected from the type group consisting of patch, policy setting, and configuration option. Still yet, a first one of the device vulnerabilities is associated with at least two alternative remediation techniques.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a networked system of computers in one embodiment of the present invention.
FIG. 2 is a block diagram showing components of several computing devices in the system of FIG. 1.
FIGS. 3 and 4 trace signals that travel through the system of FIGS. 1 and 2 and the present invention is applied to them.
FIG. 5A is a flow chart of a filtering proxy method according to one embodiment of the present invention.
FIGS. 5B and 6 illustrate a platform, in accordance with possible embodiments.
FIG. 7 illustrates an intelligent IDS, in accordance with one embodiment.
FIG. 8 illustrates an update system, in accordance with one embodiment.
FIG. 9 shows a configured network, in accordance with one embodiment.
FIG. 10 shows policy compliance and enforcement, in accordance with one embodiment.
FIG. 11 illustrates an intelligent IPS, in accordance with one embodiment.
FIG. 12 illustrates an SDK function call flow, in accordance with one embodiment.

DETAILED DESCRIPTION

Glossary

data warehouse = a component that contains vulnerabilities and updates for devices that operate on at least one network
NOC server = network operations center server that periodically synchronizes latest vulnerability and update data with other servers.
SDK = software development kit that allows programmers to develop security applications that access data collected in a database
CM application = change management application that controls documentation and logging of change.

For the purpose of promoting an understanding of the principles of the present invention, reference will now be made to the embodiment illustrated in the drawings and specific language will be used to describe the same. It will, nevertheless, be understood that no limitation of the scope of the invention is thereby intended; any alterations and further modifications of the described or illustrated embodiments, and any further applications of the principles of the invention as illustrated therein are contemplated as would normally occur to one skilled in the art to which the invention relates.

Generally, the present invention in one embodiment operates in the context of a network as shown in FIG. 1. System 100 includes a vulnerability and remediation database 110 connected by Internet 120 to subnet 130. In this exemplary embodiment, firewall 131 serves as the gateway between Internet 120 and the rest of subnet 130. Router 133 directs connections between computers 137 and each other and other devices on Internet 120. Server 135 collects certain information and provides certain data services that will be discussed in further detail herein.

In particular, security server 135 includes processor 142, and memory 144 encoded with programming instructions executable by processor 142 to perform several important security-related functions. For example, security server 135 collects data from devices 131, 133, 137, and 139, including the software installed on those devices, their configuration and policy settings, and patches that have been installed. Security server 135 also obtains from vulnerability and remediation database 110 a regularly updated list of security vulnerabilities in software for a wide variety of operating systems, and even in the operating systems themselves. Security server 135 also downloads a regularly updated list of remediation techniques that can be applied to protect a device from damage due to those vulnerabilities. In one embodiment, each vulnerability in remediation database 110 is identified by a vulnerability identifier, and the vulnerability identifier can be used to retrieve remediation information from database 110 (and from database 146, discussed below in relation to FIG. 2).

In one embodiment, computers 137 and 139 each comprise a processor 152, 162, memory 154, 164, and storage 156, 166. Computer 137 executes a client-side program (stored in storage 156, loaded into memory 154, and executed by processor 152) that maintains an up-to-date collection of information regarding the operating system, service pack (if applicable), software, and patches installed on computer 137, and the policies and configuration data (including configuration files, and elements that may be contained in files, such as *.ini and *.conf files and registry
information, for example), and communicates that information on a substantially real-time basis to security server 135. In an alternative embodiment, the collection of information is not retained on computer 137, but is only communicated once to security server 135, then is updated in real time as changes to that collection occur.

Computer 139 stores, loads, and executes a similar software program that communicates configuration information pertaining to computer 139 to security server 135, also substantially in real time. Changes to the configuration in computer 139 are monitored, and selected registry changes are communicated to security server 135 so that relevant information is always available. Security server 135 may connect directly to and request software installation status and configuration information from firewall 131 and router 133, for embodiments wherein firewall 131 and router 133 do not have a software program executing on them to communicate this information directly.

This collection of information is made available at security server 135, and combined with the vulnerability and remediation data from source 110. The advanced functionality of system 100 is thereby enabled as discussed further herein.

Turning to FIG. 2, one sees additional details and components of the devices in subnet 130. Computers 137 and 139 are traditional client or server machines, each having a processor 152, 162, memory 154, 164, and storage 156, 166. Firewall 131 and router 133 also have processors 172, 182 and storage 174, 184, respectively, as is known in the art. In this embodiment, devices 137 and 139 each execute a client-side program that continuously monitors the software installation and configuration status for that device. Changes to that status are communicated in substantially real time to security server 135, which continuously maintains the information in database 146. Security server 135 connects directly to firewall 131 and router 133 to obtain software installation and configuration status for those devices in the absence of a client-side program running thereon.

Processors 142, 152, 162 may each be comprised of one or more components configured as a single unit. Alternatively, when of a multi-component form, processor 142, 152, 162 may each have one or more components located remotely relative to the others. One or more components of processor 142, 152, 162 may be of the electronic variety defining digital circuitry, analog circuitry, or both. In one embodiment, processor 142, 152, 162 are of a conventional, integrated circuit microprocessor arrangement, such as one or more PENTIUM 4 or XEON processors from INTEL Corporation of 2200 Mission College Boulevard, Santa Clara, Calif., 95052, USA, or ATHLON XP processors from Advanced Micro Devices, One AMD Place, Sunnyvale, Calif., 94088, USA.

Memories 144, 154, 164 may include one or more types of solid-state electronic memory, magnetic memory, or optical memory, just to name a few. By way of non-limiting example, memory 40b may include solid-state electronic Random Access Memory (RAM), Sequentially Accessible Memory (SAM) (such as the First-In, First-Out (FIFO) variety or the Last-In First-Out (LIFO) variety), Programmable Read Only Memory (PROM), Electrically Programmable Read Only Memory (EPROM), or Electrically Erasable Programmable Read Only Memory (EEPROM); an optical disc memory (such as a DVD or CD ROM); a magnetically encoded hard drive, floppy disk, tape, or cartridge media; or a combination of any of these memory types. Also, memories 144, 154, 164 may be volatile, nonvolatile, or a hybrid combination of volatile and nonvolatile varieties.

In this exemplary embodiment, storage 146, 156, 166 comprises one or more of the memory types just given for memories 144, 154, 164, preferably selected from the nonvolatile types.

This collection of information is used by system 100 in a wide variety of ways. With reference to FIG. 3, assume for example that a connection request 211 arrives at firewall 131 requesting that data be transferred to computer 137. The payload of request 211 is, in this example, a probe request for a worm that takes advantage of a particular security vulnerability in a certain computer operating system. Based on characteristics of the connection request 211, firewall 131 sends a query 213 to security server 135. Query 213 includes information that security server 135 uses to determine (1) the intended destination of connection request 211, and (2) some characterization of the payload of connection request 211, such as a vulnerability identifier. Security server 135 uses this information to determine whether connection request 211 is attempting to take advantage of a particular known vulnerability of destination machine 137, and uses information from database 146 (see FIG. 2) to determine whether the destination computer 137 has the vulnerable software installed, and whether the vulnerability has been patched on computer 137, or whether computer 137 has been configured so as to be invulnerable to a particular attack.

Security server 135 sends result signal 217 back to firewall 131 with an indication of whether the connection request should be granted or rejected. If it is to be granted, firewall 131 passes the request to router 133 as request 219, and router 133 relays the request as request 221 to computer 137, as is understood in the art. If, on the other hand, signal 217 indicates that connection request 211 is to be rejected, firewall 133 drops or rejects the connection request 211 as is understood in the art.

Analogous operation can protect computers within subnet 130 from compromised devices within subnet 130 as well. For example, FIG. 4 illustrates subnet 130 with computer 137 compromised. Under the control of a virus or worm, for example, computer 137 sends connection attempt 231 to router 133 in an attempt to probe or take advantage of a potential vulnerability in computer 139. On receiving connection request 231, router 133 sends relevant information about request 231 in a query 233 to security server 135. Similarly to the operation discussed above in relation to FIG. 3, security server 135 determines whether connection request 231 poses any threat, and in particular any threat to software on computer 139. If so, security server 135 determines whether the vulnerability has been patched, and if not, it determines whether computer 139 has been otherwise configured to avoid damage due to that vulnerability. Security server 135 replies with signal 235 to query 233 with that answer. Router 133 uses response 235 to determine whether to allow the connection attempt.
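The decision the security server makes for queries 213 and 233, written out as an added Python illustration (not code from the patent): the gateway reports a destination and a vulnerability identifier, and the server answers allow or reject from its real-time device-status records while logging whether the target was vulnerable. The device records, the vulnerability record, the field names and the fail-closed handling of an unknown destination are this example's own assumptions.

```python
"""Security-server side of the firewall/router query of FIGS. 3 and 4.

Added illustration, not code from the patent. The gateway (firewall 131 or
router 133) reports the intended destination and a vulnerability identifier
characterising the payload; the server checks its real-time device-status
database for whether the destination runs the vulnerable software, whether a
fixing patch is installed, and whether the device is configured so as to be
invulnerable. All records below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class DeviceStatus:
    """What the client-side program reports to the security server."""
    name: str
    software: dict            # product -> installed version
    patches: set              # identifiers of patches applied
    config: dict              # selected configuration / policy values


@dataclass
class Vulnerability:
    """One entry of the vulnerability and remediation database."""
    vuln_id: str
    product: str
    affected_versions: set
    fixing_patches: set       # any one of these remediates the vulnerability
    safe_config: dict = field(default_factory=dict)  # config that neutralises it


def is_exposed(dev: DeviceStatus, vuln: Vulnerability) -> bool:
    """True only if the device runs an affected version, lacks every fixing
    patch, and is not in the vulnerability's safe configuration."""
    version = dev.software.get(vuln.product)
    if version not in vuln.affected_versions:
        return False                      # vulnerable software not installed
    if dev.patches & vuln.fixing_patches:
        return False                      # already patched
    if vuln.safe_config and all(
            dev.config.get(k) == v for k, v in vuln.safe_config.items()):
        return False                      # configured to be invulnerable
    return True


def decide(query: dict, devices: dict, vulns: dict, log: list) -> str:
    """Answer the gateway's query with 'allow' or 'reject' and record the
    event, including whether the target was vulnerable, for later review."""
    dest = devices.get(query["destination"])
    vuln = vulns.get(query["vuln_id"])
    if vuln is None:
        exposed = False                   # payload matches no known vulnerability
    elif dest is None:
        exposed = True                    # assumption: unknown device treated as exposed
    else:
        exposed = is_exposed(dest, vuln)
    verdict = "reject" if exposed else "allow"
    log.append({"query": query, "target_vulnerable": exposed, "verdict": verdict})
    return verdict


# Constructed sample data: three hosts in the subnet and one known vulnerability.
DEVICES = {
    "computer-137": DeviceStatus("computer-137", {"example-httpd": "2.0"},
                                 set(), {"example-httpd.remote_admin": "on"}),
    "computer-139": DeviceStatus("computer-139", {"example-httpd": "2.0"},
                                 {"EXAMPLE-PATCH-0001"}, {}),
    "computer-141": DeviceStatus("computer-141", {"example-httpd": "2.0"},
                                 set(), {"example-httpd.remote_admin": "off"}),
}
VULNS = {
    "EXAMPLE-VULN-0001": Vulnerability(
        "EXAMPLE-VULN-0001", "example-httpd", {"1.9", "2.0"},
        {"EXAMPLE-PATCH-0001"}, {"example-httpd.remote_admin": "off"}),
}


def run_demo():
    """The same worm probe aimed at three hosts: unpatched, patched, and
    configured safely. Returns the verdicts and the log."""
    log = []
    verdicts = {
        name: decide({"destination": name, "vuln_id": "EXAMPLE-VULN-0001"},
                     DEVICES, VULNS, log)
        for name in ("computer-137", "computer-139", "computer-141")
    }
    return verdicts, log


if __name__ == "__main__":
    print(run_demo())
```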
In some embodiments, upon a determination by security server 135 that a connection attempt or other attack has occurred against a computer that is vulnerable (based on its current software, patch, policy, and configuration status), security server 135 selects one or more remediation techniques from database 146 that remediate the particular vulnerability. Based on a prioritization previously selected by an administrator or the system designer, the remediation technique(s) are applied (1) to the machine that was attacked, (2) to all devices subject to the same vulnerability
(based on their real-time software, patch, policy, and configuration status), or (3) to all devices to which the selected remediation can be applied.

In various embodiments, remediation techniques include the closing of open ports on the device; installation of a patch that is known to correct the vulnerability; changing the device's configuration; stopping, disabling, or removing services; setting or modifying policies; and the like. Furthermore, in various embodiments, events and actions are logged (preferably in a non-volatile medium) for later analysis and review by system administrators. In these embodiments, the log also stores information describing whether the target device was vulnerable to the attack.

A real-time status database according to the present invention has many other applications as well. In some embodiments, the database 146 is made available to an administrative console running on security server 135 or other administrative terminal. When a vulnerability is newly discovered in software that exists in subnet 130, administrators can immediately see whether any devices in subnet 130 are vulnerable to it, and if so, which ones. If a means of remediation of the vulnerability is known, the remediation can be selectively applied to only those devices subject to the vulnerability.

In some embodiments, the database 146 is integrated into another device, such as firewall 131 or router 133, or an individual device on the network. While some of these embodiments might avoid some failures due to network instability, they substantially increase the complexity of the device itself. For this reason, as well as the complexity of maintaining security database functions when integrated with other functions, the network-attached device embodiment described above in relation to FIGS. 1-4 is one possible embodiment.

In one embodiment, a software development kit (SDK) allows programmers to develop security applications that access the data collected in database 146. The applications developed with the SDK access information using a defined application programming interface (API) to retrieve vulnerability, remediation, and device status information available to the system. The applications then make security-related determinations and are enabled to take certain actions based on the available data.

In these exemplary systems, "configuration information" for each device may take the form of initialization files (often named *.ini or *.conf), configuration registry (such as, the Windows Registry on Microsoft WINDOWS operating systems), or configuration data held in volatile or non-volatile memory. Such configuration information often determines what and how data is accepted from other devices, sent to other devices, processed, stored, or otherwise handled, and in many cases determines what routines and sub-routines are executed in a particular application or operating system.

In one embodiment, a security information management system is provided, wherein a database of potential vulnerabilities is maintained, along with data describing remediation techniques (patches, policy settings, and configuration options) available to protect against them. At least one vulnerability is associated in the database with multiple available remediation techniques. In one embodiment, the system presents a user with the list of remediation techniques available to protect against a known vulnerability, accepts the user's selection from the list, and executes the selected technique. In other embodiments, the system uses a predetermined prioritization schedule to automatically select among the available remediation techniques, then automatically executes the selected technique.

One embodiment of the present invention is a database of information about a plurality of devices, updated in real-time and used by an application to make a security-related decision. The database stores data indicating the installed operating system(s), installed software, patches that have been applied, system policies that are in place, and configuration information for each device. The database answers queries by one or more devices or applications attached by a network to facilitate security-related decision making. In one form of this embodiment, a firewall or router handles a connection request or maintenance of a connection based on the configuration information stored in the database that relates to one or both of the devices involved in the transmission.

In one embodiment, database 146 includes vulnerability and remediation information such that, for at least one vulnerability, multiple methods of remediating the vulnerability are specified. When the system has occasion to implement or offer remediation of a vulnerability, all known alternatives are presented that are relevant to the device or machine's particular configuration or setup. For example, when a vulnerability of a device is presented to an administrator, the administrator is given a choice among the plurality of remediation options to remediate the vulnerability. In some embodiments, the administrator can select a preferred type of remediation that will be applied if available and a fallback type. For example, an administrator may select application of a policy setting over installation of a software patch, so that the risk of disruption of critical business systems is minimized.

In other embodiments, an administrator or other user is presented with a set of user interface elements that identify multiple options for remediating and identifying the vulnerability. The administrator or user selects the method to be used, and that remediation is applied to the vulnerable device(s).
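The multi-path remediation described in the preceding paragraphs and the three application scopes listed earlier, as an added Python illustration (not code from the patent): a vulnerability linked to alternative techniques of type patch, policy setting and configuration option; the list of alternatives relevant to a device's setup; selection by the administrator's preferred type with fallbacks; and application to the attacked machine, to every device subject to the vulnerability, or to every device the technique fits. The records, the applicability rule, the scope numbering and the log format are this example's own constructed conventions.

```python
"""Multi-path remediation: one vulnerability, several remediation techniques,
chosen by preferred type with fallback and applied at a chosen scope.

Added illustration, not code from the patent. The database below, the
`requires` applicability rule and the scope numbers are constructed for
this example.
"""
from dataclasses import dataclass, field

PATCH, POLICY, CONFIG = "patch", "policy setting", "configuration option"


@dataclass
class Remediation:
    technique_id: str
    rtype: str                                    # PATCH, POLICY or CONFIG
    requires: dict = field(default_factory=dict)  # device facts it needs
    action: dict = field(default_factory=dict)    # what applying it changes


@dataclass
class Device:
    name: str
    facts: dict                                   # OS, product, settings ...
    open_vulns: set                               # vulnerability ids it is subject to


# Constructed database: a vulnerability with three alternative techniques
# (the patch only covers one OS) and one with a single patch.
REMEDIATIONS = {
    "EXAMPLE-VULN-0001": [
        Remediation("P-0001", PATCH, {"os": "example-os-5"}, {"installed": "P-0001"}),
        Remediation("POL-0001", POLICY, {}, {"policy.remote_admin": "deny"}),
        Remediation("CFG-0001", CONFIG, {"product": "example-httpd"},
                    {"example-httpd.remote_admin": "off"}),
    ],
    "EXAMPLE-VULN-0002": [Remediation("P-0002", PATCH, {}, {"installed": "P-0002"})],
}


def applicable(device, vuln_id):
    """Every known alternative relevant to this device's setup; this is the
    list an administrator would be offered for the device."""
    return [r for r in REMEDIATIONS.get(vuln_id, [])
            if all(device.facts.get(k) == v for k, v in r.requires.items())]


def choose(options, preference):
    """Automatic selection: walk the type order (preferred type first, then
    fallbacks) and take the first technique whose type is available."""
    by_type = {}
    for r in options:
        by_type.setdefault(r.rtype, r)
    for rtype in preference:
        if rtype in by_type:
            return by_type[rtype]
    return None


def targets(scope, attacked, devices, vuln_id, technique):
    """Scope 1: the attacked machine only. Scope 2: every device subject to
    the same vulnerability. Scope 3: every device the technique applies to."""
    if scope == 1:
        return [attacked]
    if scope == 2:
        return [d for d in devices if vuln_id in d.open_vulns]
    return [d for d in devices if technique in applicable(d, vuln_id)]


def apply_technique(technique, vuln_id, device, log):
    """Apply the technique, clear the vulnerability and keep a log entry."""
    device.facts.update(technique.action)
    device.open_vulns.discard(vuln_id)
    log.append((device.name, vuln_id, technique.technique_id))


def run_demo():
    devices = [
        Device("computer-137", {"os": "example-os-5", "product": "example-httpd"},
               {"EXAMPLE-VULN-0001", "EXAMPLE-VULN-0002"}),
        Device("computer-139", {"os": "example-os-4", "product": "example-httpd"},
               {"EXAMPLE-VULN-0001"}),
        Device("computer-141", {"os": "example-os-5", "product": "other"}, set()),
    ]
    attacked, vuln = devices[0], "EXAMPLE-VULN-0001"
    # Policy setting preferred over a patch so business systems are not disrupted.
    low_disruption = [POLICY, CONFIG, PATCH]
    chosen = choose(applicable(attacked, vuln), low_disruption)
    plan = {s: [d.name for d in targets(s, attacked, devices, vuln, chosen)]
            for s in (1, 2, 3)}
    # Patch-first preference on a host whose OS the patch does not cover:
    # selection falls back to the configuration option.
    fallback = choose(applicable(devices[1], vuln), [PATCH, CONFIG, POLICY])
    # A vulnerability with a single technique: the preference order is moot.
    only = choose(applicable(attacked, "EXAMPLE-VULN-0002"), low_disruption)
    log = []
    for d in targets(2, attacked, devices, vuln, chosen):
        apply_technique(chosen, vuln, d, log)
    return chosen.technique_id, plan, fallback.technique_id, only.technique_id, log


if __name__ == "__main__":
    print(run_demo())
```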
FIG. 5A is a flow chart of a filtering proxy method according to one embodiment of the