(12) Patent Application Publication        (10) Pub. No.: US 2014/0245376 A1
Hibbert et al.                             (43) Pub. Date: Aug. 28, 2014

US 20140245376A1

(54) SYSTEMS AND METHODS OF RISK BASED RULES FOR APPLICATION CONTROL

(71) Applicant: BeyondTrust Software, Inc., Phoenix, AZ (US)

(72) Inventors: Brad Hibbert, Carp (CA); Chris Silva, Laguna Beach, CA (US)

(73) Assignee: BeyondTrust Software, Inc., Phoenix, AZ (US)

(21) Appl. No.: 14/182,651

(22) Filed: Feb. 18, 2014

Related U.S. Application Data
(63) Continuation-in-part of application No. 14/156,375, filed on Jan. 15, 2014.
(60) Provisional application No. 61/768,809, filed on Feb. 25, 2013.

Publication Classification
(51) Int. Cl. H04L 29/06 (2006.01)
(52) U.S. Cl. CPC ............ H04L 63/1433 (2013.01); H04L 63/20 (2013.01)
     USPC ............ 726/1

(57) ABSTRACT

In various embodiments, an agent on a digital device may comprise a monitor module, an application identification module, a vulnerability module, a rules database, and a rule module. The monitor module may be configured to monitor a device for an instruction to execute a legitimate application. The application identification module may be configured to identify one or more attributes of the legitimate application. The vulnerability module may be configured to retrieve risk information based on the one or more attributes of the legitimate application. The risk information may be determined from known vulnerabilities of the legitimate application. The rules database may be for storing a rule associated with the risk information. The rule module may be configured to retrieve the rule from the rule database based on the risk information and to control the legitimate application based on the rule.
`3-3
`
`Agent Collects
`Appication Evert
`32
`
`:
`
`Eye Sent ta.
`Centralized Server :
`304
`
`
`
`- Process .
`< immediately? :
`
`Yes
`w
`
`insert int. Databas
`38
`
`
`
`
`
`s
`
`- S.
`
`Compare to
`Winerability
`Database
`33.
`
`watch ,
`- vulnerable
`
`ax A. x-Y.
`-
`Criteria?
`:
`: Yes-
`36 .
`
`Report Finding
`33.8
`
`
`
`
`
`WIZ, Inc. EXHIBIT - 1063
`WIZ, Inc. v. Orca Security LTD.
`
`
`
Patent Application Publication
Aug. 28, 2014 Sheet 1 of 16
US 2014/0245376 A1

FIG. 1 (Prior Art), network vulnerability scan flow 100: Select Scan Targets (102) -> Determine Available Scan Targets (104) -> Targets Available? -> Connect to Scan Target via Network (108) -> Successful Connection? -> Match Vulnerable State? -> Report Finding -> Additional Checks? (Yes: loop back; No: End Scan).
`
Sheet 2 of 16, FIG. 2, environment 200: Security Assessment System (202) and System Administration connected over Network Communication (204) to a Smartphone (206), Tablet Device (208), Laptop (210), PC / Network Device (212), Unix Server (216) and Windows Server (218).
`
`
Sheet 3 of 16, FIG. 3, flow 300: Agent Collects Application Event (302) -> Event Sent to Centralized Server (304) -> Process Immediately? (No: Insert Into Database (308) -> Time To Analyze?) -> Compare to Vulnerability Database (314) -> Match Vulnerable Criteria? (316) -> Yes: Report Finding (318).
`
Sheet 4 of 16, FIG. 4, Agent 400: Event Detection Module (402), Event Recordation Module (404), Scan Module (406), Record Collection Module (408), Communication Module (410), Authentication Communication Module (412), Application Database (414).
`
Sheet 5 of 16, FIG. 5, Security Assessment System 202: Communication Module (502), Request Authentication Module (504), Assessment Scheduler (506), Record Management Module (508), Information Retrieval Module (510), Assessment Module (512), Report Module (514), Alert Module (516), Record Management Database (518), Configuration Database (520), Vulnerability Database (522), Risk Acceptance Database.
`
Sheet 6 of 16, FIG. 6, agent-side flow: Scan digital device for third party event records (602) -> Identify third party event records (604) -> Detect events of digital device (606) -> Record detected events of digital device (608) -> Collect and optionally consolidate third party event records and recordation of detected events to create assessment request (610) -> Prepare record information for third party event records and recordation of detected events (612) -> Digitally sign assessment request and record information (614) -> Provide assessment request and record information to security assessment system -> END.
`
Sheet 7 of 16, FIG. 7, server-side flow: Receive assessment request and record information from digital device (702) -> Authenticate assessment request and record information (704) -> Identify records of assessment request utilizing record information (706) -> Retrieve record management information based on identified records (708) -> Identify application and file attributes from assessment request based on record management information (710) -> Compare application and file attributes to vulnerability database (712) -> Determine risk value based on comparison (714) -> Compare determined risk value to risk acceptance threshold (716) -> Send alert based on comparison if determined risk value exceeds risk acceptance threshold (718) -> Generate report (720) -> END.
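The sign-then-authenticate exchange between the agent (FIG. 6, step 614) and the security assessment system (FIG. 7, step 704), which per [0011] compares attributes to the vulnerability database only after successful authentication. This is an added example, not code from the patent or from BeyondTrust's product: it uses an HMAC-SHA256 tag under a shared key as a stand-in for the digital signature the patent names (a deployment would use a per-agent asymmetric key), and the key and the record line are constructed.

```python
"""Agent signs the assessment request (FIG. 6, step 614); the security
assessment system authenticates it (FIG. 7, step 704) and releases the
records for comparison only on success ([0011]). Added example; the HMAC
scheme with a shared key stands in for a digital signature, and the key
and record line are constructed."""
import hashlib
import hmac
import json


def sign_request(records: list, key: bytes) -> dict:
    """Agent side: canonical JSON body plus an HMAC-SHA256 tag over it."""
    body = json.dumps({"records": records}, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def authenticate_request(request: dict, key: bytes):
    """Server side: recompute the tag and compare in constant time. Returns
    the records on success and None otherwise, so no caller can reach the
    vulnerability-database comparison with unauthenticated attributes."""
    expected = hmac.new(key, request["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, request.get("tag", "")):
        return None
    return json.loads(request["body"])["records"]


AGENT_KEY = b"constructed-shared-secret-for-this-example"  # assumed key
SAMPLE_RECORD = "2013-02-25T09:00:01|firefox.exe|18.0|explorer.exe"  # constructed


def demo_roundtrip():
    """Sign one record, then authenticate the genuine and a tampered copy."""
    good = sign_request([SAMPLE_RECORD], AGENT_KEY)
    tampered = dict(good, body=good["body"].replace("18.0", "19.0"))
    return authenticate_request(good, AGENT_KEY), authenticate_request(tampered, AGENT_KEY)
```

The tag covers the canonicalised body, so a record altered in transit (here, the version field) fails authentication and the server never derives attributes from it; `hmac.compare_digest` avoids leaking the tag through timing.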
`
Sheet 8 of 16, FIG. 8 (no text recovered from the drawing).
`
Sheet 9 of 16, FIG. 9, Digital Device 902: Processor, Storage (908), Input Device (910), Com. Network Interface (912), Output Device (914), connected by bus (918).
`
Sheet 10 of 16, FIG. 10, User Device 1000: Applications (1002), Agent (1004), Malware (1006), Anti-Malware (1008), Operating System (1010).
`
Sheet 11 of 16, FIG. 11, Agent 1100: Monitor Module (1102), Identifier Module (1104), Vulnerability Checker Module (1106), Rules Module (1108), Control Module (1110), Update Module (1112), Vulnerability Database (1114), Rules Database (1116).
`
Sheet 12 of 16, FIG. 12, Security Server 1200: Risk Assessment Module (1202), Risk API Module (1204), Rules Generation Module (1206), Record Module, Vulnerability Update Module, Rules Update Module (1210).
`
Sheet 13 of 16, FIG. 13, agent flow: Monitor device for instruction to execute legitimate application (1302) -> Identify attributes of legitimate application (1304) -> Retrieve risk information associated with attributes (1306) -> Identify risk of application based on risk information (1308) -> Retrieve rules associated with risk information (1310) -> Control execution of legitimate application based on retrieved rules (1312) -> END.
`
Sheet 14 of 16, FIG. 14, server flow: Identifying vulnerabilities of one or more legitimate applications (1402) -> Generate risk information associated with the identified vulnerabilities (1404) -> END.
`
Sheet 15 of 16, FIG. 15 (no text recovered from the drawing).

Sheet 16 of 16 (no text recovered from the drawing).
`
SYSTEMS AND METHODS OF RISK BASED RULES FOR APPLICATION CONTROL

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] The present application claims the benefit of U.S. Provisional Patent Application Ser. No. 61/768,809, filed Feb. 25, 2013 and entitled “Systems and Methods of Risk Based Rules for Application Control,” and is a continuation-in-part of U.S. Nonprovisional Patent Application Ser. No. 14/156,375, filed Jan. 15, 2014 and entitled “Systems and Methods for Identifying and Reporting Application and File Vulnerabilities,” both of which are incorporated by reference herein.

COPYRIGHT NOTICE

[0002] A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

BACKGROUND

[0003] 1. Field of the Invention(s)

[0004] The present invention(s) relate generally to application control. More particularly, the invention(s) relate to systems and methods for controlling applications utilizing risk based rules.

[0005] 2. Description of Related Art

[0006] Recent computer attack trends target software vulnerabilities of home and corporate networks. These client-side attacks have proven fruitful for cyber criminals. Clients are an easier target than servers, as servers tend to be more highly secured than workstations, with less end user interaction. As such, these client-side attacks offer the low-hanging fruit that hackers are seeking. By targeting end-users, hackers gain easier access to a larger number of computers, thereby producing the greater yield with the least amount of effort. A single vulnerability in a workstation's client applications may afford access to more important information assets on the same network. A client-side exploit can therefore leverage a compromised workstation as a launching point for attacks against other workstations or servers otherwise protected by perimeter defenses and accessible only via the internal network.

[0007] Client-side exploits take advantage of vulnerabilities in client software, such as web browsers, email applications and media players (e.g., Internet Explorer, Firefox, Microsoft Outlook, Microsoft Media Player and RealNetworks' RealPlayer). Client-side exploits can also exploit vulnerabilities in system-wide libraries used by client applications. For example, a vulnerability in an image library that renders JPEG images might be exploitable via a web browser or an email application. Client-side exploits are not prevented by traditional perimeter defenses, such as firewalls and web proxies. Trends monitored by the SANS Institute (http://www.sans.org) and other industry organizations indicate that client-side vulnerabilities began to offset server-side vulnerabilities in 2005.

SUMMARY

[0008] In various embodiments, a method comprises receiving a plurality of records from a first digital device, each of the plurality of records generated during execution or termination of a different executable and containing information related to execution or termination of the different executable, retrieving at least one segment from at least one of the plurality of records, the at least one segment being less than all of the at least one of the plurality of records, the segment including an application or file attribute related to the different executable, comparing the application or file attribute to a vulnerability database, identifying a risk based on the comparison, and generating a report identifying the risk.

[0009] In various embodiments, the plurality of records comprises log files associated with different executables. The application or file attributes may comprise, for example, an application or file version, an execution time, or a calling process.

[0010] The method may further comprise identifying a type of the at least one of the plurality of records, retrieving record information from a record information database based on the identified type of the at least one of the plurality of records, and identifying a position of the at least one segment within the at least one of the plurality of records, wherein retrieving the at least one segment comprises retrieving the at least one segment from the identified position.

[0011] In some embodiments, the method further comprises scheduling when the comparison of the application or file attribute to the vulnerability database is to occur and waiting to compare the application or file attribute to the vulnerability database based on the schedule. In various embodiments, the method further comprises authenticating the plurality of records, wherein the application or file attribute is compared to the vulnerability database only after successful authentication.

[0012] Comparing the application or file attribute to a vulnerability database may comprise comparing the application or file attribute to a whitelist. In some embodiments, comparing the application or file attribute to a vulnerability database may comprise comparing the application or file attribute to a blacklist. In various embodiments, comparing the application or file attribute to a vulnerability database may comprise comparing the application or file attribute to a greylist, the greylist comprising application or file attributes associated with suspicious applications or files.

[0013] The method may further comprise determining a risk value based on the comparison of the application or file attribute to the greylist and providing an alert based on the risk value. Further, the method may also comprise comparing the risk value to a user threshold, wherein providing the alert based on the risk value comprises providing the alert based on the comparison.

[0014] An exemplary system comprises a communication module, an information retrieval module, an assessment module, and a report module. The communication module may be configured to receive a plurality of records from a first digital device, each of the plurality of records generated during execution or termination of a different executable and containing information related to execution or termination of the different executable. The information retrieval module may be configured to retrieve at least one segment from at least one of the plurality of records, the at least one segment being less than all of the at least one of the plurality of records, the segment including an application or file attribute related to the different executable. The assessment module may be configured to compare the application or file attribute to a vulnerability database and identify a risk based on the comparison. The report module may be configured to generate a report identifying the risk.

[0015] A computer readable medium may comprise executable instructions. The computer readable medium may be non-transitory. The instructions are executable by a processor to perform a method. The method may comprise receiving a plurality of records from a first digital device, each of the plurality of records generated during execution or termination of a different executable and containing information related to execution or termination of the different executable, retrieving at least one segment from at least one of the plurality of records, the at least one segment being less than all of the at least one of the plurality of records, the segment including an application or file attribute related to the different executable, comparing the application or file attribute to a vulnerability database, identifying a risk based on the comparison, and generating a report identifying the risk.

[0016] In various embodiments, an agent on a digital device may comprise a monitor module, an application identification module, a vulnerability module, a rules database, and a rule module. The monitor module may be configured to monitor a device for an instruction to execute a legitimate application. The application identification module may be configured to identify one or more attributes of the legitimate application. The vulnerability module may be configured to retrieve risk information based on the one or more attributes of the legitimate application. The risk information may be determined from known vulnerabilities of the legitimate application. The rules database may be for storing a rule associated with the risk information. The rule module may be configured to retrieve the rule from the rule database based on the risk information and to control the legitimate application based on the rule.

[0021] In various embodiments, the rule comprises an instruction to block all or part of the execution of the legitimate application if risk information indicates, at least in part, that a vulnerability associated with the legitimate application was identified before a predetermined period of time. The rule may be applicable to multiple different legitimate applications on the device. The rule module may be configured to retrieve a plurality of rules from the rule database, each of the plurality of rules associated with the risk information. The rule module configured to control the legitimate application based on the rule may comprise controlling the legitimate application based on the strictest rule of the plurality of rules.

[0022] The risk information may comprise a risk value, and the rule comprises instructions regarding control of the application based on the risk value.

[0023] An exemplary method may comprise monitoring a device for an instruction to execute a legitimate application, identifying one or more attributes of the legitimate application, retrieving risk information based on the one or more attributes of the legitimate application, the risk information determined from known vulnerabilities of the legitimate application, storing a rule associated with the risk information, retrieving the rule from the rule database based on the risk information, and controlling the legitimate application based on the rule.

[0024] An exemplary non-transitory computer readable medium may comprise instructions executable by a processor to perform a method. The exemplary method may comprise monitoring a device for an instruction to execute a legitimate application, identifying one or more attributes of the legitimate application, retrieving risk information based on the one or more attributes of the legitimate application, the risk information determined from known vulnerabilities of the legitimate application, storing a rule associated with the risk information, retrieving the rule from the rule database based on the
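The record-assessment flow of [0008]-[0013] (FIG. 7) and the agent's risk-based rule selection of [0016] and [0021]-[0023] (FIG. 13), carried through as one Python example. It is added here and is not the patent's or BeyondTrust's code: the record formats and their field positions, the whitelist, blacklist and greylist contents, the risk values and bands, the 50-point acceptance threshold and the 30-day patch-age cutoff are all assumptions, and the reading of "identified before a predetermined period of time" as "unpatched for longer than the cutoff" is an interpretation.

```python
"""Risk-based application control end to end: server-side assessment of
execution records (FIG. 7) and agent-side rule selection (FIG. 13).
Added example, not code from the patent. Record formats, list contents,
risk values, thresholds and dates are all constructed for the example."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum

# Record information database ([0010]): per record type, the delimiter and
# the field positions holding the attributes, so only those segments are read.
RECORD_INFO = {
    "exec_log":  {"sep": "|", "app": 1, "version": 2, "caller": 3},
    "audit_csv": {"sep": ",", "app": 2, "version": 3, "caller": 5},
}

# Vulnerability database ([0012]-[0013]) as whitelist, blacklist and greylist
# keyed on (application, version); greylist entries carry an assumed risk
# value and the date the vulnerability was identified.
WHITELIST = {("notepad.exe", "10.0")}
BLACKLIST = {("realplayer.exe", "10.5")}
GREYLIST = {
    ("firefox.exe", "18.0"): {"risk": 70, "identified": date(2013, 1, 8)},
    ("outlook.exe", "14.0"): {"risk": 40, "identified": date(2013, 2, 20)},
}


@dataclass(frozen=True)
class Attributes:
    app: str
    version: str
    caller: str  # calling process ([0009])


def retrieve_attributes(record_type: str, record: str) -> Attributes:
    """Retrieve only the attribute segments, from the positions known for
    this record type (less than the whole record, [0008])."""
    info = RECORD_INFO[record_type]
    f = record.split(info["sep"])
    return Attributes(f[info["app"]].strip().lower(), f[info["version"]].strip(),
                      f[info["caller"]].strip().lower())


def risk_value(attrs: Attributes) -> int:
    """Compare (app, version) to the three lists; risk value in 0..100."""
    key = (attrs.app, attrs.version)
    if key in WHITELIST:
        return 0
    if key in BLACKLIST:
        return 100
    if key in GREYLIST:
        return GREYLIST[key]["risk"]
    return 20  # assumed policy: an unknown application is low but non-zero risk


def assess(records, threshold: int):
    """Server side: records -> attributes -> risk value -> alert flag when the
    value exceeds the risk acceptance threshold (FIG. 7, steps 712-718)."""
    out = []
    for record_type, line in records:
        attrs = retrieve_attributes(record_type, line)
        value = risk_value(attrs)
        out.append((attrs, value, value > threshold))
    return out


class Action(IntEnum):  # ordered so that max() yields the strictest rule ([0021])
    ALLOW = 0
    LOG = 1
    RESTRICT = 2        # block only part of the execution, e.g. elevation
    BLOCK = 3


def rules_for(attrs: Attributes, today: date, max_age: timedelta):
    """Agent side: every rule associated with the risk information
    (assumed risk-value bands plus the patch-age rule of [0021])."""
    value = risk_value(attrs)
    rules = [Action.ALLOW]
    if value >= 30:
        rules.append(Action.LOG)
    if value >= 60:
        rules.append(Action.RESTRICT)
    if value >= 90:
        rules.append(Action.BLOCK)
    entry = GREYLIST.get((attrs.app, attrs.version))
    # Interpretation of [0021]: block when the vulnerability was identified
    # longer ago than max_age, i.e. the application stayed unpatched too long.
    if entry and entry["identified"] < today - max_age:
        rules.append(Action.BLOCK)
    return rules


def control(attrs: Attributes, today: date, max_age=timedelta(days=30)) -> Action:
    """Control the application with the strictest of the retrieved rules."""
    return max(rules_for(attrs, today, max_age))


SAMPLE_RECORDS = [  # constructed records of two types
    ("exec_log",  "2013-02-25T09:00:01|firefox.exe|18.0|explorer.exe"),
    ("audit_csv", "1001,start,Notepad.exe,10.0,alice,explorer.exe"),
    ("audit_csv", "1002,start,outlook.exe,14.0,bob,explorer.exe"),
    ("exec_log",  "2013-02-25T09:02:10|realplayer.exe|10.5|outlook.exe"),
]
TODAY = date(2013, 2, 25)  # constructed "current" date


def demo():
    """Assess the sample records, then decide the agent action for each."""
    return {a.app: (v, alert, control(a, TODAY).name)
            for a, v, alert in assess(SAMPLE_RECORDS, threshold=50)}
```

Strictness is enforced by ordering the actions and taking `max()`, so any additional matching rule can only tighten control; firefox.exe ends up blocked through the patch-age rule even though its risk value alone (70) would only restrict it, while outlook.exe, whose vulnerability is only five days old, is merely logged.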