US009749349B1

(12) United States Patent
Czarny et al.

(10) Patent No.: US 9,749,349 B1
(45) Date of Patent: Aug. 29, 2017

(54) COMPUTER SECURITY VULNERABILITY ASSESSMENT

(71) Applicant: OPSWAT, Inc., San Francisco, CA (US)

(72) Inventors: Benjamin Czarny, San Francisco, CA (US); Jianpeng Mo, Burlingame, CA (US); Ali Rezafard, Millbrae, CA (US); David Matthew Patt, Kansas City, MO (US)

(73) Assignee: OPSWAT, Inc., San Francisco, CA (US)

( * ) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 15/275,123

(22) Filed: Sep. 23, 2016

(51) Int. Cl.
H04L 29/06 (2006.01)
G06F 17/30 (2006.01)
G06F 21/57 (2013.01)

(52) U.S. Cl.
CPC .... H04L 63/1433 (2013.01); G06F 17/30289 (2013.01); G06F 21/577 (2013.01); H04L 63/1425 (2013.01)

(58) Field of Classification Search
CPC .... H04L 63/1433; H04L 63/1425; H04L 29/06904; G06F 21/577; G06F 17/30289
USPC .... 726/25
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

8,127,354 B1 *  2/2012  Bettini .......... G06F 21/577, 726/22
8,474,004 B2 *  6/2013  Leone ........... G06F 21/51, 380/59
8,654,340 B2 *  2/2014  Girard .......... G01Q 20/02, 356/484
8,813,222 B1    8/2014  Codreanu et al.
8,850,583 B1 *  9/2014  Nelson .......... H04L 63/1416, 380/44
8,863,288 B1 * 10/2014  Savage .......... G06F 21/56, 713/188
9,304,980 B1 *  4/2016  Hartsook ........ G06F 21/577
2004/0006704 A1 *  1/2004  Dahlstrom ..... G06F 21/577, 726/25
(Continued)

OTHER PUBLICATIONS

Mellor, FlashMate hybrid hard drive works without Windows, InfoWorld, Oct. 11, 2007, pp. 1-2.
(Continued)

Primary Examiner — Hadi Armouche
Assistant Examiner — Shahriar Zarrineh
(74) Attorney, Agent, or Firm — The Mueller Law Office, P.C.

(57) ABSTRACT

Computer security vulnerability assessment is performed with product binary data and product vulnerability data that correspond with product identification data. A correspondence between the product binary data and the product vulnerability data is determined, and a binaries-to-vulnerabilities database is generated. The binaries-to-vulnerabilities database is used to scan binary data from a target device to find matches with the product binary data. A known security vulnerability of the target device is determined based on the scanning and the correspondence between the product binary data and the vulnerability data. In some embodiments, the target device is powered off and used as an external storage device to receive the binary data therefrom.

10 Claims, 8 Drawing Sheets
`
`
`WIZ, Inc. EXHIBIT - 1084
`WIZ, Inc. v. Orca Security LTD.
`
`
`
(56) References Cited (continued)

U.S. PATENT DOCUMENTS

2005/0022021 A1 *  1/2005  Bardsley
2005/0132206 A1 *  6/2005  Palliyil
2007/0067846 A1 *  3/2007  McFarlane
2007/0271360 A1 * 11/2007  Sahita
2010/0083346 A1 *  4/2010  Forman
2011/0179477 A1 *  7/2011  Starnes
2013/0191919 A1 *  7/2013  Basavapatna
2014/0173737 A1 *  6/2014  Toback
2015/0127607 A1 *  5/2015  Savage
2015/0207811 A1 *  7/2015  Feher
2015/0213272 A1 *  7/2015  Shezaf
2015/0363294 A1 * 12/2015  Carback, III
2016/0112444 A1    4/2016  Palumbo et al.
2016/0188882 A1 *  6/2016  Mahrous
2016/0232358 A1 *  8/2016  Grieco
2016/0300063 A1 * 10/2016  Daymont

OTHER PUBLICATIONS

Mitchell, Web Security Pop-Up Trojan Making Rounds Again, This Time Attacking Both Windows and Macs, The Internet Patrol, May 9, 2011, pp. 1-4, Accessed on May 30, 2016, https://www.theinternetpatrol.com/websecuritypopuptrojanmakingroundsagainthistimeattackingbothwindowsandmacs/.
OS X El Capitan [OT], NeoGAF, May 27, 2016, p. 34, 3 pages, Accessed on May 30, 2016, http://www.neogaf.com/forum/showthread.php?p=204835278.

* cited by examiner
`
`
`
U.S. Patent  Aug. 29, 2017  Sheet 1 of 8  US 9,749,349 B1

Fig. 1

[Fig. 1: schematic of the computer security vulnerability assessment system 100. Community client devices supply products and vulnerabilities information to the vulnerability database system 101, which holds the binaries-to-products mapping database 106, the products-to-vulnerabilities mapping database 107 and the binaries-to-vulnerabilities mapping database 105, and produces the offline vulnerability database 110. The validation server 102 holds target binary data (binary data, file paths, software/hardware configuration), the offline vulnerability database 110, access control 118 and the target device vulnerability report 117; it reads the target device 103 (software components, hardware components), gates access to the secure environment 104 through its access control, and reports to the system administrator.]
`
`
`
Sheet 2 of 8

Fig. 2 (binaries-to-products mapping database 106)

Product                | Version    | Binary Files
ESET Endpoint Security | 5.0.2214.4 | Exe1_sha256, Exe2_sha256, Dll3_sha256, ...
ESET Endpoint Security | 5.0.1055.2 | Exe1_sha256, Exe4_sha256, Dll5_sha256, ...
ESET Endpoint Security | 4.2.3330.1 | Exe1_sha256, Exe2_sha256, Dll5_sha256, ...
ESET Endpoint Security | 4.0.1211.2 | Dll3_sha256, Dll5_sha256, Exe1_sha256, ...
JAVA                   | 7.11       | Dll9_sha256, Dll12_sha256, Dll13_sha256, ...
...                    | ...        | ...

Fig. 3 (products-to-vulnerabilities mapping database 107)

Product                | Version    | Known Vulnerabilities
ESET Endpoint Security | 5.0.2214.4 | Vulner_1, Vulner_2, Vulner_3, Vulner_4, ...
ESET Endpoint Security | 5.0.1055.2 | Vulner_1, Vulner_2, Vulner_5, Vulner_6, ...
ESET Endpoint Security | 4.2.4230.1 | Vulner_1, Vulner_2, Vulner_7, Vulner_8, ...
ESET Endpoint Security | 4.0.1211.2 | Vulner_1, Vulner_2, Vulner_3, Vulner_6, ...
Adobe Flash            | 3.0.5      | Vulner_2, Vulner_9, Vulner_10, ...
...                    | ...        | ...

Fig. 4 (combined product/version table 400)

Product                | Version    | Binary Files                                 | Known Vulnerabilities
ESET Endpoint Security | 5.0.2214.4 | Exe1_sha256, Exe2_sha256, Dll3_sha256, ...   | Vulner_1, Vulner_2, Vulner_3, Vulner_4, ...
ESET Endpoint Security | 5.0.1055.2 | Exe1_sha256, Exe4_sha256, Dll5_sha256, ...   | Vulner_1, Vulner_2, Vulner_5, Vulner_6, ...
ESET Endpoint Security | 4.2.3330.1 | Exe1_sha256, Exe2_sha256, Dll5_sha256, ...   | Vulner_1, Vulner_2, Vulner_4, Vulner_6, ...
ESET Endpoint Security | 4.0.1211.2 | Dll3_sha256, Dll5_sha256, Exe1_sha256, ...   | Vulner_1, Vulner_2, Vulner_3, Vulner_6, ...
JAVA                   | 7.11       | Dll9_sha256, Dll12_sha256, Dll13_sha256, ... |
Adobe Flash            | 3.0.5      | ...                                          | Vulner_2, Vulner_9, Vulner_10, ...
...                    | ...        | ...                                          | ...
`
`
`
Sheet 3 of 8

Fig. 5 (binaries-to-vulnerabilities mapping database 105)

Binary File  | Known Vulnerabilities
Exe1_sha256  | Vulner_1, Vulner_2, ...
Exe2_sha256  | Vulner_4, ...
Exe4_sha256  | Vulner_5, ...
Dll3_sha256  | Vulner_3, ...
Dll5_sha256  | Vulner_6, ...
...          | ...

Fig. 6 (target device vulnerability report 117)

Target Device Vulnerability Report
1. Binary_1, Hash_1, Filepath_1, [Vulner_1, Vulner_2, ...]
2. Binary_2, Hash_2, Filepath_2, [Vulner_2, Vulner_4, ...]
3. Binary_3, Hash_3, Filepath_3, [Vulner_3, Vulner_5, ...]
...
N. Binary_N, Hash_N, Filepath_N, [Vulner_*, Vulner_**, ...]
`
`
`
Sheet 4 of 8

Fig. 7 (client device process 700)

701  Start
702  Detect installed applications.
703  Collect relevant binary information.
704  Map binary data to product/version combination.
705  Submit binary-to-product/version information.
`
`
`
Sheet 5 of 8

Fig. 8 (vulnerability database system process 800)

801  Start
802  Receive binary-to-product/version information.
803  Store binary data with index of product/version combination. -> Binaries-to-Products Mapping Database 106
804  Periodically download and process public vulnerability data.
     Store vulnerability data with index of product/version combination. -> Products-to-Vulnerabilities Mapping Database 107
806  Process data from the two databases to generate binaries-to-vulnerabilities relationships. -> Binaries-to-Vulnerabilities Mapping Database 105

Fig. 9

901  Start
902  Connect to validation server as file storage device.
`
`
`
Sheet 6 of 8

Fig. 10 (validation server process 1000)

1001  Start
1002  Download binaries-to-vulnerabilities database as offline update package.
1003  Load target device as file storage device.
1004  Scan binary file in the target device against the offline binaries-to-vulnerabilities database.
1005  Binary file contains known vulnerability? (yes: 1006; no: 1007)
1006  Log the binary file name, file path, and vulnerability info.
1007  Last binary file? (no: 1008, then back to 1004; yes: 1009)
1008  Next binary file.
1009  Consolidate the scan result into target device vulnerability report.
`
`
`
Sheet 7 of 8

Fig. 11

[Fig. 11: vulnerability database system 1100 as computing system(s): processor, electronic memory, and data storage holding the binaries-to-products mapping database 106, the products-to-vulnerabilities mapping database 107 and the binaries-to-vulnerabilities mapping database 105; function blocks parsing 1108, searching 1109, comparing 1110, reading 1111, storing 1112, network communication 1113 and database management 1114; user I/O and network I/O. Other reference numerals on the sheet: 1101, 1102, 1104, 1105, 1106.]
`
`
`
Sheet 8 of 8

Fig. 12

[Fig. 12: validation server as computing system(s): processor, electronic memory, and data storage holding target binary data 111, offline vulnerability database 110, target device vulnerability report 117 and access control 118; function blocks parsing 1209, searching 1210, comparing 1211, reading 1212, storing 1213, network communication 1214 and vulnerability assessment 1215; user I/O, network I/O and peripheral I/O. Other reference numerals on the sheet: 1201, 1202, 1203, 1204, 1205, 1206, 1207.]
`
`
`
COMPUTER SECURITY VULNERABILITY ASSESSMENT
`BACKGROUND OF THE INVENTION
`
Vulnerability assessment and malware detection are two fields or industries that deal with issues of computer security. A positive malware detection generally requires an immediate response to eliminate a threat to the computer device of a potentially imminent malicious event. Typically, the response is to quarantine, remove, or replace the software file of the malware. With a positive vulnerability assessment, on the other hand, the computer device can usually continue to operate without concern for a threat to the computer device, since a malicious event is not necessarily imminent. However, if the computer device is going to be used in an environment that has a particular security standard, then there is considerable concern over whether the computer device meets that security standard or would present a security problem for the environment. For example, if the computer device is to be used in a medical facility with a secure network through which the computer device will have access to confidential patient records, then it is very important to determine whether the computer device is hosting or executing any binary files that are known to be easy targets for hackers to gain access to the computer device and from there to any other computer or data storage device accessible through the secure network. Therefore, before the computer device can be granted access to the secure network, the vulnerability to malicious events of the computer device must be assessed, and any known vulnerabilities must be remedied or eliminated. The assessment must be thorough, robust, secure, quick and efficient, in order to prevent security problems, while allowing business operations to proceed with minimal interruption.
`
`SUMMARY OF THE INVENTION
`
In some embodiments, a more thorough, more robust, more flexible and more secure computer security vulnerability assessment is achieved with a method in which a computerized system receives product binary data and first product identification data that correspond to each other. The computerized system receives product vulnerability data and second product identification data that correspond to each other. The computerized system determines a correspondence between the product binary data and the product vulnerability data based on matching the first product identification data with the second product identification data. The computerized system generates a binaries-to-vulnerabilities database based on the determined correspondence between the product binary data and the product vulnerability data. Additionally, the binaries-to-vulnerabilities database can be used with a scan of target binary data from a target device to determine a known security vulnerability of the target device.

In some embodiments, a more thorough, more robust, more flexible and more secure computer security vulnerability assessment is achieved with a method in which a computerized system receives a binaries-to-vulnerabilities database that provides a correspondence between binary data and vulnerability data. The computerized system establishes a communication connection to a target device. The computerized system receives binary files from the target device. The computerized system uses the binaries-to-vulnerabilities database to scan the binary files to find matches between the binary files and the binary data. The computerized system determines a known security vulnerability of the target device based on 1) results of the scanning and 2) the correspondence between the binary data and the vulnerability data.

In some embodiments, a more thorough, more robust, more flexible and more secure computer security vulnerability assessment is achieved with a method in which a computerized system receives product binary data and first product identification data that correspond to each other. The computerized system receives product vulnerability data and second product identification data that correspond to each other. The computerized system determines a correspondence between the product binary data and the product vulnerability data based on matching the first product identification data with the second product identification data. The computerized system establishes a communication connection to a target device. The computerized system receives target binary files from the target device. The computerized system uses the product binary data to scan the target binary files to find matches between the target binary files and the product binary data. The computerized system determines a known security vulnerability of the target device based on 1) results of the scanning and 2) the correspondence between the product binary data and the product vulnerability data.

In some embodiments, the computerized system 1) grants access by the target device to a secure environment based on determining that the target device has no known security vulnerability; and 2) denies access by the target device to the secure environment based on determining that the target device has the known security vulnerability. In some embodiments, the product vulnerability data describes a vulnerability to a malicious event of a computer device that contains a software product corresponding to the product binary data, regardless of whether the software product is infected with malicious code. In some embodiments, the product binary data contains strings of bits, bytes, words or characters extracted from files of software products. In some embodiments, the product binary data contains hashes of strings of bits, bytes, words or characters extracted from files of software products. In some embodiments, the computerized system collects the product binary data and the first product identification data from a plurality of client devices; and each client device collects the product binary data and the first product identification data related to software products that are on that client device and maps the product binary data to the corresponding first product identification data for each of the software products. In some embodiments, the target device is a computer that has been turned off; and the computerized system loads the target device as an external storage device. In some embodiments, the computerized system generates a report containing at least a listing of 1) designations of the binary data that was found to match the binary files, and 2) designations of the vulnerability data that correspond to the binary data that was found to match the binary files. In some embodiments, the computerized system receives an indication of one of a first, second or third level of vulnerability assessment to be performed on the target device; wherein: in the first level of vulnerability assessment, the target binary files are executable binary files; in the second level of vulnerability assessment, the target binary files are the executable binary files and library files used by the executable binary files; and in the third level of vulnerability assessment, the target binary files are all binary files stored on the target device.
`
BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified schematic diagram of an example computer security vulnerability assessment system, in accordance with some embodiments.
`
FIGS. 2-5 are simplified database structures for use by, or generated by, the example computer security vulnerability assessment system shown in FIG. 1, in accordance with some embodiments.
FIG. 6 is a simplified report generated by the example computer security vulnerability assessment system shown in FIG. 1, in accordance with some embodiments.
FIGS. 7-10 are simplified flowcharts of processes performed by components of the example computer security vulnerability assessment system shown in FIG. 1, in accordance with some embodiments.
FIG. 11 is a simplified schematic diagram of a vulnerability database system for use in the example computer security vulnerability assessment system shown in FIG. 1, in accordance with some embodiments.
FIG. 12 is a simplified schematic diagram of a validation server for use in the example computer security vulnerability assessment system shown in FIG. 1, in accordance with some embodiments.
`
DETAILED DESCRIPTION OF THE INVENTION
`
Reference now will be made in detail to embodiments of the disclosed invention, one or more examples of which are illustrated in the accompanying drawings. Each example is provided by way of explanation of the present technology, not as a limitation of the present technology. In fact, it will be apparent to those skilled in the art that modifications and variations can be made in the present technology without departing from the spirit and scope thereof. For instance, features illustrated or described as part of one embodiment may be used with another embodiment to yield a still further embodiment. Thus, it is intended that the present subject matter covers all such modifications and variations within the scope of the appended claims and their equivalents.
FIG. 1 shows an example computer security vulnerability assessment system 100 that provides a more thorough, robust, flexible and secure computer security vulnerability assessment, in accordance with some embodiments. The illustrated embodiment with the components shown is provided for explanatory purposes only, and other embodiments could use other specific components or combinations of components. In the illustrated embodiment, the computer security vulnerability assessment system 100 generally includes a vulnerability database system 101 and a validation server 102. The validation server 102 generally uses data generated by the vulnerability database system 101 to assess a security vulnerability of a target device 103, e.g., as a means for network or domain access control for determining whether to grant access by the target device 103 to a secure environment 104, for determining whether to transfer the target device 103 from a lower security domain or environment to a higher security domain, for a security compliance check procedure, for performing a data security transfer, or for determining a computer device's "health." To do so, the vulnerability database system 101 generally associates binary data (related to software products, or specific versions of the software products, i.e. "product binary data") with known security vulnerabilities (of the same software products, or specific versions thereof, i.e. "product vulnerability data"). The validation server 102 then scans (i.e., reads and searches through) binary data from the target device 103 (i.e. "target binary data") to determine whether any of the target binary data matches the product binary data, thereby establishing a link to the product vulnerability data. Known security vulnerabilities of the target device 103 are thus determined by this scan of binary data. Based on this security vulnerability determination, the computer security vulnerability assessment system 100, or an administrator thereof, can further determine whether to grant access by the target device 103 to the secure environment 104.
The binary data (for the product binary data or the target binary data) generally contains 1) binary hashes of binary level files of the software products, 2) binary hashes of strings of bits, bytes, words or characters extracted from the files of the software products, 3) the unprocessed strings of bits, bytes, words or characters that were extracted, 4) the complete binary level files of the software products, or 5) any other appropriate binary-level representation of the software products. In various embodiments, therefore, the scanning of the target binary data and the matching with the product binary data is done at the individual bit, byte, word, character, string, etc. level, e.g., as can be performed with the "find" or "findstr" command available in the Windows™ command prompt or other string, binary, or file matching or comparing type of function. The scanning and matching searches for a match between two files or two strings within two files at the low level of binary data, rather than matching a file name or other higher level meta data of two files.
The binary data is distinguished from data that simply identifies the software products or applications, e.g., the name and version of the software products or the file names or meta data of application files associated with, or mapped to, the software products. Conventional security vulnerability assessment systems use such file identification data (to determine which software products are on the target device 103 and then to assess the security vulnerability of the target device 103 in accordance therewith). However, this conventional technique is less thorough, robust or flexible than the present system, because it could potentially miss some known vulnerabilities, since the actual binary level data in the files of the software product could be different from the official version of the software product. For example, some of the files could be corrupted or infected with malware, which would not be detected by a conventional vulnerability assessment system that simply looks at file identification data. The computer security vulnerability assessment system 100, thus, can be used in place of a conventional security vulnerability assessment system, or in combination therewith, to enable a more thorough, robust and flexible level of functionality that is not available in conventional security vulnerability assessment systems.
Additionally, a vulnerability scan or assessment is distinguished from a malware scan or detection procedure. Vulnerability assessment attempts to determine whether a computer device is vulnerable to a malicious event, such as malware infection, hacking, intrusion, data corruption, data theft, spoofing, phishing, etc., regardless of whether the computer device is actually compromised by any type of malicious code or software. In a sense, vulnerability is similar to a security defect in the software that an external third party could take advantage of to take control of or damage the computer device. Thus, a vulnerability may render the computer device susceptible to malware. However, a vulnerability is not necessarily a problem, since no malicious event may have occurred, and the computer device and the software products can continue to perform in an acceptable manner. Malware detection, on the other hand, generally attempts to determine whether a computer device or software product has been infected with any known type of malicious code or software, such as a virus, a trojan, etc., and usually results in a recommendation of whether the software product or malicious code should be removed from, or not be allowed to run on, the computer device. Thus, although a malware scan may look at binary data, the result is a determination of whether a file or computer device is actually infected, rather than being simply vulnerable to infection, such that there is a clear and present danger that renders the computer device or the software products incapable of performing in an acceptable manner. Additionally, in some situations, it is possible to find malware on a computer without necessarily finding a security vulnerability. The computer security vulnerability assessment system 100, thus, performs a different function than, and takes a distinctly different view of security issues from, a malware detection system.
The vulnerability database system 101 is generally a computerized system (e.g., one or more computer devices or a central server implemented in a cloud-based computing environment) for generating and maintaining a large binaries-to-vulnerabilities mapping database 105. The binaries-to-vulnerabilities mapping database 105 associates binary data with known security vulnerabilities by establishing links between the binary data (related to software products, or specific versions of the software products) and the known security vulnerabilities (of the same software products, or specific versions thereof). Thus, formation of the binaries-to-vulnerabilities mapping database 105 is based on a determined correspondence between the product binary data and the product vulnerability data.
In some embodiments, the vulnerability database system 101 collects or gathers information to generate the binaries-to-vulnerabilities mapping database 105. The collected information is generally in the form of a binaries-to-products mapping database 106 and a products-to-vulnerabilities mapping database 107. The binaries-to-products mapping database 106 contains links between the product binary data and corresponding product version identification data (e.g., the binary data may be linked to the product version identification data according to each binary file's absolute file path, file property information, digital signature, copyright, etc.). The products-to-vulnerabilities mapping database 107 contains links between product vulnerability data (e.g., known security vulnerabilities) and the corresponding product version identification data.
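The join of databases 106 and 107 into database 105, the three assessment levels from the summary, and the tables of Figs. 4 to 6, as an added example that is not the patent's own code. The attribution rule used (a vulnerability is attached to the binaries that ship in exactly the set of versions carrying it) is an assumption inferred from Figs. 4 and 5; the level-to-suffix mapping, all file contents, hashes and target paths are constructed.

```python
"""Build the binaries-to-vulnerabilities map (105) from databases 106 and
107, then scan a powered-off target's files against it (Fig. 10) and emit
a Fig. 6-style report. Added example; all data below is constructed."""
import hashlib
from collections import defaultdict
from pathlib import PurePosixPath


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the product files named in Figs. 2 and 4.
PRODUCT_FILES = {"Exe1": b"exe1", "Exe2": b"exe2", "Exe4": b"exe4",
                 "Dll3": b"dll3", "Dll5": b"dll5"}
H = {name: sha256(body) for name, body in PRODUCT_FILES.items()}
ESET = "ESET Endpoint Security"

# Database 106 (binaries-to-products): (product, version) -> file hashes, per Fig. 4.
BINARIES_TO_PRODUCTS = {
    (ESET, "5.0.2214.4"): {H["Exe1"], H["Exe2"], H["Dll3"]},
    (ESET, "5.0.1055.2"): {H["Exe1"], H["Exe4"], H["Dll5"]},
    (ESET, "4.2.3330.1"): {H["Exe1"], H["Exe2"], H["Dll5"]},
    (ESET, "4.0.1211.2"): {H["Dll3"], H["Dll5"], H["Exe1"]},
    ("JAVA", "7.11"): {sha256(b"dll9"), sha256(b"dll12")},
}
# Database 107 (products-to-vulnerabilities): same key -> vulnerability ids, per Fig. 4.
PRODUCTS_TO_VULNERABILITIES = {
    (ESET, "5.0.2214.4"): {"Vulner_1", "Vulner_2", "Vulner_3", "Vulner_4"},
    (ESET, "5.0.1055.2"): {"Vulner_1", "Vulner_2", "Vulner_5", "Vulner_6"},
    (ESET, "4.2.3330.1"): {"Vulner_1", "Vulner_2", "Vulner_4", "Vulner_6"},
    (ESET, "4.0.1211.2"): {"Vulner_1", "Vulner_2", "Vulner_3", "Vulner_6"},
    ("Adobe Flash", "3.0.5"): {"Vulner_2", "Vulner_9", "Vulner_10"},
}


def build_binaries_to_vulnerabilities(b2p, p2v):
    """Step 806: join 106 and 107 on the (product, version) identification key.

    Attribution rule, an assumption inferred from Figs. 4 and 5 rather than a
    rule the patent states: a vulnerability is attributed to a binary when the
    set of versions shipping that binary equals the set of versions carrying
    that vulnerability. The looser alternative is to give every binary of a
    version all of that version's vulnerabilities."""
    versions_of_hash = defaultdict(frozenset)
    versions_of_vuln = defaultdict(frozenset)
    for key in b2p.keys() & p2v.keys():  # keys present in both databases only
        for h in b2p[key]:
            versions_of_hash[h] |= {key}
        for v in p2v[key]:
            versions_of_vuln[v] |= {key}
    b2v = defaultdict(set)
    for h, h_versions in versions_of_hash.items():
        for v, v_versions in versions_of_vuln.items():
            if h_versions == v_versions:
                b2v[h].add(v)
    return {h: sorted(v) for h, v in b2v.items()}


# Assessment levels from the summary: 1 = executables, 2 = executables plus
# the libraries they use, 3 = every file. Recognising the file classes by
# suffix is an assumption; the patent does not say how they are recognised.
LEVEL_SUFFIXES = {1: {".exe"}, 2: {".exe", ".dll"}, 3: None}


def scan_target(target_files, b2v, level=3):
    """Steps 1003-1009: hash each file of the mounted target, look the hash up
    in 105 and log name, hash, path and vulnerabilities for every match.
    Matching is on content only, so a renamed copy is still found at level 3."""
    allowed = LEVEL_SUFFIXES[level]
    report = []
    for path, body in sorted(target_files.items()):
        p = PurePosixPath(path)
        if allowed is not None and p.suffix.lower() not in allowed:
            continue
        digest = sha256(body)
        vulns = b2v.get(digest)
        if vulns:
            report.append((p.name, digest, path, vulns))
    return report


def grant_access(report):
    """Access control 118: admit the target only when nothing was found."""
    return len(report) == 0


# Constructed file system of a powered-off target loaded as external storage.
TARGET = {
    "/mnt/target/Program Files/ESET/Exe1.exe": b"exe1",     # bytes of Exe1
    "/mnt/target/Program Files/ESET/Dll5.dll": b"dll5",     # bytes of Dll5
    "/mnt/target/Users/Public/copy_of_Dll5.txt": b"dll5",   # same bytes, renamed
    "/mnt/target/Windows/System32/kernel32.dll": b"unrelated",
}
B2V = build_binaries_to_vulnerabilities(BINARIES_TO_PRODUCTS, PRODUCTS_TO_VULNERABILITIES)

if __name__ == "__main__":
    for level in (1, 2, 3):
        rep = scan_target(TARGET, B2V, level)
        print(f"level {level}: {len(rep)} finding(s), access granted: {grant_access(rep)}")
        for i, (name, digest, path, vulns) in enumerate(rep, 1):
            print(f"  {i}. {name}, {digest[:16]}..., {path}, {vulns}")
```

With the Fig. 4 data the join reproduces Fig. 5 exactly, and the JAVA binaries drop out because no row of 107 carries their product/version key.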
A conventional vulnerability assessment system, for example, typically uses data similar to that in the products-to-vulnerabilities mapping database 107. The vulnerability database system 100, however, goes further by matching the product version identification data in the two databases 106 and 107 to determine links or correspondences between the product binary data and the product vulnerability data and to generate the binaries-to-vulnerabilities mapping dat