(19) United States
(12) Patent Application Publication    (10) Pub. No.: US 2014/0245376 A1
Hibbert et al.                          (43) Pub. Date: Aug. 28, 2014

(54) SYSTEMS AND METHODS OF RISK BASED RULES FOR APPLICATION CONTROL

(71) Applicant: BeyondTrust Software, Inc., Phoenix, AZ (US)

(72) Inventors: Brad Hibbert, Carp (CA); Chris Silva, Laguna Beach, CA (US)

(73) Assignee: BeyondTrust Software, Inc., Phoenix, AZ (US)

(21) Appl. No.: 14/182,651

(22) Filed: Feb. 18, 2014

Related U.S. Application Data

(63) Continuation-in-part of application No. 14/156,375, filed on Jan. 15, 2014.

(60) Provisional application No. 61/768,809, filed on Feb. 25, 2013.

Publication Classification

(51) Int. Cl.
H04L 29/06 (2006.01)

(52) U.S. Cl.
CPC ............ H04L 63/1433 (2013.01); H04L 63/20 (2013.01)
USPC ............ 726/1

(57) ABSTRACT

In various embodiments, an agent on a digital device may comprise a monitor module, an application identification module, a vulnerability module, a rules database, and a rule module. The monitor module may be configured to monitor a device for an instruction to execute a legitimate application. The application identification module may be configured to identify one or more attributes of the legitimate application. The vulnerability module may be configured to retrieve risk information based on the one or more attributes of the legitimate application. The risk information may be determined from known vulnerabilities of the legitimate application. The rules database may be for storing a rule associated with the risk information. The rule module may be configured to retrieve the rule from the rule database based on the risk information and to control the legitimate application based on the rule.
[Front-page figure: the FIG. 3 flowchart. Agent Collects Application Event (302) → Event Sent to Centralized Server (304) → Process Immediately? → Insert Into Database (308) → Compare to Vulnerability Database (314) → Match Vulnerable Criteria? → Yes: Report Finding (318).]

WIZ, Inc. EXHIBIT - 1063
WIZ, Inc. v. Orca Security LTD.

Patent Application Publication    Aug. 28, 2014    Sheet 1 of 16    US 2014/0245376 A1

[FIG. 1 (Prior Art): network vulnerability scan flowchart (100). Select Scan Targets (102) → Determine Available Scan Targets (104) → Available? (No: End Scan) → Connect to Scan Target via Network (108) → Successful Connection? → Interrogate Target → Match Vulnerable State? (Yes: Report Finding) → Additional Checks? (No: End Scan).]

Patent Application Publication    Aug. 28, 2014    Sheet 2 of 16    US 2014/0245376 A1

[FIG. 2: environment (200). Security Assessment System (202) and Security System Administration are connected over a Communication Network (204) to client and server devices: Smartphone (206), Tablet Device (208), Laptop (210), PC / Network Device (212), Unix Server (216), Windows Server (218).]

Patent Application Publication    Aug. 28, 2014    Sheet 3 of 16    US 2014/0245376 A1

[FIG. 3: flowchart (300). Agent Collects Application Event (302) → Event Sent to Centralized Server (304) → Process Immediately? (Yes: go directly to the comparison; No: Insert Into Database (308), then wait on Time To Analyze? (310)) → Compare to Vulnerability Database (314) → Match Vulnerable Criteria? → Yes: Report Finding (318).]

Patent Application Publication    Aug. 28, 2014    Sheet 4 of 16    US 2014/0245376 A1

[FIG. 4: Agent (400) block diagram. Event Detection Module (402), Event Recordation Module (404), Scan Module (406), Record Collection Module (408), Communication Module (410), Authentication Communication Module (412), Application Database.]

Patent Application Publication    Aug. 28, 2014    Sheet 5 of 16    US 2014/0245376 A1

[FIG. 5: Security Assessment System (202) block diagram. Communication Module (502), Request Authentication Module (504), Assessment Scheduler (506), Record Management Module (508), Information Retrieval Module (510), Assessment Module, Report Module, Alert Module (516), Record Management Database (518), Configuration Database (520), Vulnerability Database (522), Risk Acceptance database.]

Patent Application Publication    Aug. 28, 2014    Sheet 6 of 16    US 2014/0245376 A1

[FIG. 6: agent-side flowchart (600).]
602 Scan digital device for third party event records
604 Identify third party event records
606 Detect events of digital device
608 Record detected events of digital device
610 Collect and optionally consolidate third party event records and recordation of detected events to create assessment request
612 Prepare record information for third party event records and recordation of detected events
614 Digitally sign assessment request and record information
616 Provide assessment request and record information to security assessment system
END

Patent Application Publication    Aug. 28, 2014    Sheet 7 of 16    US 2014/0245376 A1

[FIG. 7: security assessment system flowchart (700).]
702 Receive assessment request and record information from digital device
704 Authenticate assessment request and record information
706 Identify records of assessment request utilizing record information
708 Retrieve record management information based on identified records
710 Identify application and file attributes from assessment request based on record management information
712 Compare application and file attributes to vulnerability database
714 Determine risk value based on comparison
716 Compare determined risk value to risk acceptance threshold
718 Send alert based on comparison if determined risk value exceeds risk acceptance threshold
720 Generate report
END
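The two flowcharts above (FIG. 6 on the agent, FIG. 7 on the security assessment system) describe one exchange. The Python below is an added example written for this page, not code from the patent or from BeyondTrust: the agent signs an assessment request (step 614); the server authenticates it (704), reads only the attribute segments out of each record using per-type record information (706 to 710), scores the attributes against a whitelist, a blacklist and a greylist (712 to 714), and alerts only above a risk acceptance threshold (716 to 718). The record types and field positions, the three lists and their scores, the threshold and the sample log lines are all constructed for the example, and an HMAC under a shared key stands in for the digital signature so the example runs without key distribution.

```python
import hashlib
import hmac
import json

# Constructed shared key. The patent says the agent "digitally signs" the assessment
# request; an HMAC over the request body stands in for that signature here so the
# example runs without any key distribution (assumption of this example).
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Constructed "record information": for each record type, the delimiter of its log
# line and the positions of the segments that carry application attributes
# (application name, version, calling process).
RECORD_INFO = {
    "app_exec_log": {"delimiter": "|", "app": 1, "version": 2, "caller": 3},
    "file_open_log": {"delimiter": ",", "app": 0, "version": 1, "caller": 2},
}

# Constructed vulnerability database: whitelist, blacklist and a greylist whose
# entries carry a risk score. All names and scores are made up.
VULN_DB = {
    "whitelist": {("notepad.exe", "6.1")},
    "blacklist": {("dropper.exe", "1.0")},
    "greylist": {("reader.exe", "9.0"): 7, ("player.exe", "12.0"): 4},
}
RISK_ACCEPTANCE_THRESHOLD = 5   # step 716; an alert is sent only above this value
UNKNOWN_RISK = 1                # attribute in no list: low but non-zero (assumption)

# Constructed sample records, as an agent would collect them in FIG. 6.
SAMPLE_RECORDS = [
    {"type": "app_exec_log", "line": "2014-02-18T09:12:01|reader.exe|9.0|explorer.exe|pid=4120"},
    {"type": "app_exec_log", "line": "2014-02-18T09:13:44|notepad.exe|6.1|explorer.exe|pid=4188"},
    {"type": "file_open_log", "line": "dropper.exe,1.0,outlook.exe,C:/Users/x/tmp.dat"},
    {"type": "file_open_log", "line": "player.exe,12.0,firefox.exe,movie.mp4"},
    {"type": "syslog", "line": "kernel: usb 1-1: new device"},   # no record information: skipped
]


def build_assessment_request(records):
    """Agent side (FIG. 6, steps 610 to 614): consolidate records, then sign the body."""
    body = json.dumps({"records": records}, sort_keys=True).encode()
    mac = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def authenticate(request):
    """Step 704: verify the MAC in constant time before any record is parsed."""
    expected = hmac.new(SHARED_KEY, request["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, request["mac"])


def extract_attributes(record):
    """Steps 706 to 710: identify the record type and read only the attribute
    segments, never the whole record."""
    info = RECORD_INFO[record["type"]]
    fields = record["line"].split(info["delimiter"])
    return {key: fields[info[key]].strip() for key in ("app", "version", "caller")}


def risk_value(attrs):
    """Steps 712 to 714: blacklist is maximal, whitelist is zero, greylist is scored."""
    key = (attrs["app"], attrs["version"])
    if key in VULN_DB["blacklist"]:
        return 10
    if key in VULN_DB["whitelist"]:
        return 0
    return VULN_DB["greylist"].get(key, UNKNOWN_RISK)


def assess(request):
    """Server side (FIG. 7, steps 702 to 720): returns the report for one request."""
    if not authenticate(request):
        return {"authenticated": False, "findings": [], "alerts": [], "skipped": 0}
    report = {"authenticated": True, "findings": [], "alerts": [], "skipped": 0}
    for record in json.loads(request["body"])["records"]:
        if record["type"] not in RECORD_INFO:
            report["skipped"] += 1          # unknown type: no positions to read from
            continue
        attrs = extract_attributes(record)
        value = risk_value(attrs)
        report["findings"].append({**attrs, "risk": value})
        if value > RISK_ACCEPTANCE_THRESHOLD:   # step 718
            report["alerts"].append(
                f"{attrs['app']} {attrs['version']} (called by {attrs['caller']}) "
                f"risk {value} exceeds threshold {RISK_ACCEPTANCE_THRESHOLD}")
    return report


if __name__ == "__main__":
    print(json.dumps(assess(build_assessment_request(SAMPLE_RECORDS)), indent=2))
```

Authentication runs before any parsing, so a tampered body is rejected without the server ever touching attacker-controlled record contents; records of a type with no record information are counted and skipped rather than guessed at.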

Patent Application Publication    Aug. 28, 2014    Sheet 8 of 16    US 2014/0245376 A1

[FIG. 8: no text recoverable from the figure.]

Patent Application Publication    Aug. 28, 2014    Sheet 9 of 16    US 2014/0245376 A1

[FIG. 9: Digital Device (902) block diagram. Processor (904), Input Device, Storage (908), Com. Network Interface (912), Output Device (914).]

Patent Application Publication    Aug. 28, 2014    Sheet 10 of 16    US 2014/0245376 A1

[FIG. 10: User Device (1000) block diagram. Applications (1002), Agent (1004), Malware (1006), Anti-Malware (1008), Operating System (1010).]

Patent Application Publication    Aug. 28, 2014    Sheet 11 of 16    US 2014/0245376 A1

[FIG. 11: Agent (1100) block diagram. Monitor Module (1102), Identifier Module (1104), Vulnerability Checker Module (1106), Rules Module (1108), Control Module (1110), Update Module (1112), Vulnerability Database (1114), Rules Database (1116).]

Patent Application Publication    Aug. 28, 2014    Sheet 12 of 16    US 2014/0245376 A1

[FIG. 12: Security Server (1200) block diagram. Risk Assessment Module (1202), Risk API Module (1204), Rules Generation Module (1206), Record Module (1208), Vulnerability Update Module, Rules Update Module (1210).]

Patent Application Publication    Aug. 28, 2014    Sheet 13 of 16    US 2014/0245376 A1

[FIG. 13: agent-side application control flowchart.]
1302 Monitor device for instruction to execute legitimate application
1304 Identify attributes of legitimate application
1306 Retrieve risk information associated with attributes
1308 Identify risk of application based on risk information
1310 Retrieve rules associated with risk information
1312 Control execution of legitimate application based on retrieved rules
END

Patent Application Publication    Aug. 28, 2014    Sheet 14 of 16    US 2014/0245376 A1

[FIG. 14: risk information generation flowchart.]
1402 Identify vulnerabilities of one or more legitimate applications
1404 Generate risk information associated with the identified vulnerabilities
END

Patent Application Publication    Aug. 28, 2014    Sheet 15 of 16    US 2014/0245376 A1

[FIG. 15: no text recoverable from the figure.]

Patent Application Publication    Aug. 28, 2014    Sheet 16 of 16    US 2014/0245376 A1

[FIG. 16: no text recoverable from the figure.]

US 2014/0245376 A1    Aug. 28, 2014

SYSTEMS AND METHODS OF RISK BASED RULES FOR APPLICATION CONTROL

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] The present application claims the benefit of U.S. Provisional Patent Application Ser. No. 61/768,809, filed Feb. 25, 2013 and entitled "Systems and Methods of Risk Based Rules for Application Control," and is a continuation-in-part of U.S. Nonprovisional Patent Application Ser. No. 14/156,375, filed Jan. 15, 2014 and entitled "Systems and Methods for Identifying and Reporting Application and File Vulnerabilities," both of which are incorporated by reference herein.

COPYRIGHT NOTICE

[0002] A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

BACKGROUND

[0003] 1. Field of the Invention(s)

[0004] The present invention(s) relate generally to application control. More particularly, the invention(s) relate to systems and methods for controlling applications utilizing risk based rules.

[0005] 2. Description of Related Art

[0006] Recent computer attack trends target software vulnerabilities of home and corporate networks. These client-side attacks have proven fruitful for cyber criminals. Clients are an easier target than servers, as servers tend to be more highly secured than workstations, with less end user interaction. As such, these client-side attacks offer the low-hanging fruit that hackers are seeking. By targeting end-users, hackers gain easier access to a larger number of computers, thereby producing the greater yield with the least amount of effort. A single vulnerability in a workstation's client applications may afford access to more important information assets on the same network. A client-side exploit can therefore leverage a compromised workstation as a launching point for attacks against other workstations or servers otherwise protected by perimeter defenses and accessible only via the internal network.

[0007] Client-side exploits take advantage of vulnerabilities in client software, such as web browsers, email applications and media players (e.g., Internet Explorer, Firefox, Microsoft Outlook, Microsoft Media Player and RealNetworks' RealPlayer). Client-side exploits can also exploit vulnerabilities in system-wide libraries used by client applications. For example, a vulnerability in an image library that renders JPEG images might be exploitable via a web browser or an email application. Client-side exploits are not prevented by traditional perimeter defenses, such as firewalls and web proxies. Trends monitored by the SANS Institute (http://www.sans.org) and other industry organizations indicate that client-side vulnerabilities began to offset server-side vulnerabilities in 2005.

SUMMARY

[0008] In various embodiments, a method comprises receiving a plurality of records from a first digital device, each of the plurality of records generated during execution or termination of a different executable and containing information related to execution or termination of the different executable, retrieving at least one segment from at least one of the plurality of records, the at least one segment being less than all of the at least one of the plurality of records, the segment including an application or file attribute related to the different executable, comparing the application or file attribute to a vulnerability database, identifying a risk based on the comparison, and generating a report identifying the risk.

[0009] In various embodiments, the plurality of records comprises log files associated with different executables. The application or file attributes may comprise, for example, an application or file version, an execution time, or a calling process.

[0010] The method may further comprise identifying a type of the at least one of the plurality of records, retrieving record information from a record information database based on the identified type of the at least one of the plurality of records, and identifying a position of the at least one segment within the at least one of the plurality of records, wherein retrieving the at least one segment comprises retrieving the at least one segment from the identified position.

[0011] In some embodiments, the method further comprises scheduling when the comparison of the application or file attribute to the vulnerability database is to occur and waiting to compare the application or file attribute to the vulnerability database based on the schedule. In various embodiments, the method further comprises authenticating the plurality of records, wherein the application or file attribute is compared to the vulnerability database only after successful authentication.

[0012] Comparing the application or file attribute to a vulnerability database may comprise comparing the application or file attribute to a whitelist. In some embodiments, comparing the application or file attribute to a vulnerability database may comprise comparing the application or file attribute to a blacklist. In various embodiments, comparing the application or file attribute to a vulnerability database may comprise comparing the application or file attribute to a greylist, the greylist comprising application or file attributes associated with suspicious applications or files.

[0013] The method may further comprise determining a risk value based on the comparison of the application or file attribute to the greylist and providing an alert based on the risk value. Further, the method may also comprise comparing the risk value to a user threshold, wherein providing the alert based on the risk value comprises providing the alert based on the comparison.

[0014] An exemplary system comprises a communication module, an information retrieval module, an assessment module, and a report module. The communication module may be configured to receive a plurality of records from a first digital device, each of the plurality of records generated during execution or termination of a different executable and containing information related to execution or termination of the different executable. The information retrieval module may be configured to retrieve at least one segment from at least one of the plurality of records, the at least one segment being less than all of the at least one of the plurality of records, the segment including an application or file attribute related to the different executable. The assessment module may be configured to compare the application or file attribute to a vulnerability database and identify a risk based on the comparison. The report module may be configured to generate a report identifying the risk.

[0015] A computer readable medium may comprise executable instructions. The computer readable medium may be non-transitory. The instructions may be executable by a processor to perform a method. The method may comprise receiving a plurality of records from a first digital device, each of the plurality of records generated during execution or termination of a different executable and containing information related to execution or termination of the different executable, retrieving at least one segment from at least one of the plurality of records, the at least one segment being less than all of the at least one of the plurality of records, the segment including an application or file attribute related to the different executable, comparing the application or file attribute to a vulnerability database, identifying a risk based on the comparison, and generating a report identifying the risk.

[0016] In various embodiments, an agent on a digital device may comprise a monitor module, an application identification module, a vulnerability module, a rules database, and a rule module. The monitor module may be configured to monitor a device for an instruction to execute a legitimate application. The application identification module may be configured to identify one or more attributes of the legitimate application. The vulnerability module may be configured to retrieve risk information based on the one or more attributes of the legitimate application. The risk information may be determined from known vulnerabilities of the legitimate application. The rules database may be for storing a rule associated with the risk information. The rul

[0021] In various embodiments, the rule comprises an instruction to block all or part of the execution of the legitimate application if risk information indicates, at least in part, that a vulnerability associated with the legitimate application was identified before a predetermined period of time. The rule may be applicable to multiple different legitimate applications on the device. The rule module may be configured to retrieve a plurality of rules from the rule database, each of the plurality of rules associated with the risk information. The rule module's control of the legitimate application based on the rule may comprise controlling the legitimate application based on the strictest rule of the plurality of rules.

[0022] The risk information may comprise a risk value, and the rule may comprise instructions regarding control of the application based on the risk value.

[0023] An exemplary method may comprise monitoring a device for an instruction to execute a legitimate application, identifying one or more attributes of the legitimate application, retrieving risk information based on the one or more attributes of the legitimate application, the risk information determined from known vulnerabilities of the legitimate application, storing a rule associated with the risk information, retrieving the rule from the rule database based on the risk information, and controlling the legitimate application based on the rule.

[0024] An exemplary non-transitory computer readable medium may comprise instructions executable by a processor to perform a method. The exemplary method may comprise monitoring a device for an instruction to execute a legitimate application, identifying one or more attributes of the legitimate application, retrieving risk information based on the one or more attributes of the legitimate application, the risk information determined from known vulnerabilities of the legitimate application, storing a rule associated with the risk information, retrieving the rule from the rule database based on the
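Paragraphs [0016] and [0021] through [0023] (and FIG. 13) describe the agent-side control loop: identify the application, retrieve risk information derived from its known vulnerabilities, retrieve the rules associated with that risk information, and control execution by the strictest of them, including a rule that blocks when a vulnerability was identified before a predetermined period of time. The Python below is an added example written for this page, not the patent's or BeyondTrust's code. The vulnerability entries and their identifiers, the rule set, the 30-day grace period, the allow/log/restrict/block ordering and the default-allow when no rule matches are all assumptions of the example.

```python
from datetime import date, timedelta

# Constructed vulnerability database keyed by (application, version). The entries
# and their identifiers are made up for this example; in the patent the agent's
# vulnerability module retrieves risk information determined from known
# vulnerabilities of the legitimate application.
VULN_DB = {
    ("reader.exe", "9.0"): [
        {"id": "EXAMPLE-2013-0001", "severity": 9, "identified": date(2013, 11, 2)},
        {"id": "EXAMPLE-2014-0002", "severity": 5, "identified": date(2014, 2, 10)},
    ],
    ("player.exe", "12.0"): [
        {"id": "EXAMPLE-2014-0003", "severity": 4, "identified": date(2014, 2, 15)},
    ],
}

# Assumed ordering of control actions, least to most strict; when several rules
# apply, the strictest one controls the application ([0021]).
STRICTNESS = {"allow": 0, "log": 1, "restrict": 2, "block": 3}

# Assumed "predetermined period of time" of [0021]: a vulnerability known for longer
# than this without the application being updated triggers a block.
GRACE_PERIOD = timedelta(days=30)

# Constructed rules database. applies_to "*" makes a rule applicable to multiple
# different legitimate applications, as [0021] allows.
RULES = [
    {"name": "stale-vulnerability-block", "applies_to": "*", "action": "block",
     "when": lambda ri, today: ri["oldest_identified"] is not None
             and today - ri["oldest_identified"] > GRACE_PERIOD},
    {"name": "high-risk-restrict", "applies_to": "*", "action": "restrict",
     "when": lambda ri, today: ri["risk_value"] >= 7},
    {"name": "any-risk-log", "applies_to": "*", "action": "log",
     "when": lambda ri, today: ri["risk_value"] > 0},
    {"name": "reader-business-allow", "applies_to": {"reader.exe"}, "action": "allow",
     "when": lambda ri, today: True},
]


def risk_information(app, version):
    """Vulnerability module (FIG. 13, steps 1306 to 1308): summarise the known
    vulnerabilities of this application/version into a risk value plus the date
    the oldest one was identified."""
    vulns = VULN_DB.get((app, version), [])
    return {
        "risk_value": max((v["severity"] for v in vulns), default=0),
        "oldest_identified": min((v["identified"] for v in vulns), default=None),
        "vulnerabilities": [v["id"] for v in vulns],
    }


def matching_rules(app, risk_info, today):
    """Rules module (step 1310): every rule whose scope and condition match."""
    return [r for r in RULES
            if (r["applies_to"] == "*" or app in r["applies_to"])
            and r["when"](risk_info, today)]


def control_decision(app, version, today):
    """Steps 1302 to 1312 for one execute instruction. `today` may be a date or an
    ISO string. With no matching rule the application is allowed (an assumption;
    a stricter deployment would log or block instead)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    risk_info = risk_information(app, version)
    rules = matching_rules(app, risk_info, today)
    if not rules:
        return {"action": "allow", "rule": None, "risk": risk_info}
    strictest = max(rules, key=lambda r: STRICTNESS[r["action"]])
    return {"action": strictest["action"], "rule": strictest["name"], "risk": risk_info}


if __name__ == "__main__":
    for app, version in [("reader.exe", "9.0"), ("player.exe", "12.0"), ("notepad.exe", "6.1")]:
        print(app, version, control_decision(app, version, "2014-02-18"))
```

The same application can move from "log" to "block" purely with the passage of time, because the stale-vulnerability rule keys on how long a vulnerability has been known rather than on its severity; a per-application allow rule never wins against it, since the strictest matching rule is always the one applied.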
