System and method for facilitating data leakage and/or propagation tracking

    Publication number: US09794223B2

    Publication date: 2017-10-17

    Application number: US15179933

    Filing date: 2016-06-10

    Inventors: Ron Gula, Marcus Ranum

    Abstract: Systems and methods for facilitating data leakage and/or propagation tracking are provided. In some embodiments, a set of hashes associated with files of a user device and a reference set of hashes associated with files of a reference system may be obtained. An additional subset of hashes included in the set of hashes and not included in the reference set of hashes may be determined. The user device may be classified into a group based on the additional subset of hashes comprising a hash that is the same as a hash associated with a file of at least another user device classified into the group. A prediction that the file is exclusive for the group may be effectuated. Other user devices not classified into the group may be scanned. An alert indicating unauthorized activity may be generated responsive to the scan indicating that the other user devices contain the file.

    2. System and method for correlating log data to discover network vulnerabilities and assets
    Type: Granted patent
    Status: In force

    Publication number: US09467464B2

    Publication date: 2016-10-11

    Application number: US13858367

    Filing date: 2013-04-08

    IPC classification: H04L29/06

    CPC classification: H04L63/1433 H04L63/1408

    Abstract: The disclosure relates to a log correlation engine that may cross-reference or otherwise leverage existing vulnerability data in an extensible manner to support network vulnerability and asset discovery. In particular, the log correlation engine may receive various logs that contain events describing observed network activity and discover a network vulnerability in response to the logs containing at least one event that matches a regular expression in at least one correlation rule that indicates a vulnerability. The log correlation engine may then obtain information about the indicated vulnerability from at least one data source cross-referenced in the correlation rule and generate a report that the indicated vulnerability was discovered in the network, wherein the report may include the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the correlation rule.


    3. System and method for using file hashes to track data leakage and document propagation in a network
    Type: Granted patent
    Status: In force

    Publication number: US09367707B2

    Publication date: 2016-06-14

    Application number: US13403108

    Filing date: 2012-02-23

    Applicants: Ron Gula, Marcus Ranum

    Inventors: Ron Gula, Marcus Ranum

    Abstract: The system and method described herein may use file hashes to track data leakage and document propagation in a network. For example, file systems associated with known reference systems and various user devices may be compared to classify the user devices into various groups based on differences between the respective file systems, identify files unique to the various groups, and detect potential data leakage or document propagation if user devices classified in certain groups include any files that are unique to other groups. Additionally, various algorithms may track locations, movements, changes, and other events that relate to normal or typical activity in the network, which may be used to generate statistics that can be compared to subsequent activities that occur in the network to detect potentially anomalous activity that may represent potential data leakage or document propagation.


    4. SYSTEM AND METHOD FOR IDENTIFYING EXPLOITABLE WEAK POINTS IN A NETWORK
    Type: Patent application
    Status: In force

    Publication number: US20140007241A1

    Publication date: 2014-01-02

    Application number: US13653834

    Filing date: 2012-10-17

    IPC classification: G06F21/00

    Abstract: The system and method described herein may leverage passive and active vulnerability discovery to identify network addresses and open ports associated with connections that one or more passive scanners observed in a network and current connections that one or more active scanners enumerated in the network. The observed and enumerated current connections may be used to model trust relationships and identify exploitable weak points in the network, wherein the exploitable weak points may include hosts that have exploitable services, exploitable client software, and/or exploitable trust relationships. Furthermore, an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network may be simulated to enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network.


    5. System and method for scanning a network
    Type: Granted patent
    Status: In force

    Publication number: US07761918B2

    Publication date: 2010-07-20

    Application number: US11016761

    Filing date: 2004-12-21

    IPC classification: H04L9/00

    CPC classification: H04L63/1408 H04L63/1433

    Abstract: Systems and methods to passively scan a network are disclosed herein. The passive scanner sniffs a plurality of packets traveling across the network. The passive scanner analyzes information from the sniffed packets to build a topology of network devices and services that are active on the network. In addition, the passive scanner analyzes the information to detect vulnerabilities in network devices and services. Finally, the passive scanner prepares a report containing the detected vulnerabilities and the topology when it observes a minimum number of sessions. Because the passive scanner operates passively, it may operate continuously without burdening the network. Similarly, it also may obtain information regarding client-side and server-side vulnerabilities.


    6. System and method for identifying exploitable weak points in a network
    Type: Granted patent
    Status: In force

    Publication number: US09043920B2

    Publication date: 2015-05-26

    Application number: US13653834

    Filing date: 2012-10-17

    IPC classification: G06F21/00 H04L29/06

    Abstract: The system and method described herein may leverage passive and active vulnerability discovery to identify network addresses and open ports associated with connections that one or more passive scanners observed in a network and current connections that one or more active scanners enumerated in the network. The observed and enumerated current connections may be used to model trust relationships and identify exploitable weak points in the network, wherein the exploitable weak points may include hosts that have exploitable services, exploitable client software, and/or exploitable trust relationships. Furthermore, an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network may be simulated to enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network.


    7. SYSTEM AND METHOD FOR ENABLING REMOTE REGISTRY SERVICE SECURITY AUDITS
    Type: Patent application
    Status: In force

    Publication number: US20140013436A1

    Publication date: 2014-01-09

    Application number: US13665077

    Filing date: 2012-10-31

    Inventor: Renaud Deraison

    IPC classification: G06F21/57

    CPC classification: G06F21/577 H04L63/1433

    Abstract: The system and method for enabling remote registry service security audits described herein may include scanning a network to construct a model or topology of the network. In particular, the model or topology of the network may include characteristics describing various devices in the network, which may be analyzed to determine whether a remote registry service has been enabled on the devices. For example, the security audits may include performing one or more credentialed policy scans to enable the remote registry service for certain devices that have disabled the remote registry service, auditing the devices in response to enabling the remote registry service, and then disabling the remote registry service on the devices. Thus, the system and method described herein may enable remotely scanning information contained in device registries during a security audit without exposing the device registries to malicious activity.


    8. System and method for enabling remote registry service security audits
    Type: Granted patent
    Status: In force

    Publication number: US08302198B2

    Publication date: 2012-10-30

    Application number: US12695659

    Filing date: 2010-01-28

    Applicant: Renaud Deraison

    Inventor: Renaud Deraison

    IPC classification: H04L29/06

    CPC classification: G06F21/577 H04L63/1433

    Abstract: The system and method for enabling remote registry service security audits described herein may include scanning a network to construct a model or topology of the network. In particular, the model or topology of the network may include characteristics describing various devices in the network, which may be analyzed to determine whether a remote registry service has been enabled on the devices. For example, the security audits may include performing one or more credentialed policy scans to enable the remote registry service for certain devices that have disabled the remote registry service, auditing the devices in response to enabling the remote registry service, and then disabling the remote registry service on the devices. Thus, the system and method described herein may enable remotely scanning information contained in device registries during a security audit without exposing the device registries to malicious activity.


    System and method for identifying exploitable weak points in a network

    Publication number: US09860265B2

    Publication date: 2018-01-02

    Application number: US14689762

    Filing date: 2015-04-17

    IPC classification: H04L29/06 H04L29/08 H04L12/24

    Abstract: The system and method described herein may leverage passive and active vulnerability discovery to identify network addresses and open ports associated with connections that one or more passive scanners observed in a network and current connections that one or more active scanners enumerated in the network. The observed and enumerated current connections may be used to model trust relationships and identify exploitable weak points in the network, wherein the exploitable weak points may include hosts that have exploitable services, exploitable client software, and/or exploitable trust relationships. Furthermore, an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network may be simulated to enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network.

    10. System and method for strategic anti-malware monitoring
    Type: Granted patent
    Status: In force

    Publication number: US09088606B2

    Publication date: 2015-07-21

    Application number: US13692200

    Filing date: 2012-12-03

    IPC classification: H04L29/06

    Abstract: The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may be communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued, to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and to audit anti-virus strategies deployed in the network.
