System and method for identifying exploitable weak points in a network
    1.
    Granted invention patent
    System and method for identifying exploitable weak points in a network (status: in force)

    Publication (announcement) number: US09043920B2

    Publication (announcement) date: 2015-05-26

    Application number: US13653834

    Application date: 2012-10-17

    CPC classification number: H04L63/1433 H04L41/12 H04L67/10

    Abstract: The system and method described herein may leverage passive and active vulnerability discovery to identify network addresses and open ports associated with connections that one or more passive scanners observed in a network and current connections that one or more active scanners enumerated in the network. The observed and enumerated current connections may be used to model trust relationships and identify exploitable weak points in the network, wherein the exploitable weak points may include hosts that have exploitable services, exploitable client software, and/or exploitable trust relationships. Furthermore, an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network may be simulated to enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network.

    SYSTEM AND METHOD FOR ENABLING REMOTE REGISTRY SERVICE SECURITY AUDITS
    2.
    Invention application
    SYSTEM AND METHOD FOR ENABLING REMOTE REGISTRY SERVICE SECURITY AUDITS (status: in force)

    Publication (announcement) number: US20140013436A1

    Publication (announcement) date: 2014-01-09

    Application number: US13665077

    Application date: 2012-10-31

    Inventor: Renaud Deraison

    CPC classification number: G06F21/577 H04L63/1433

    Abstract: The system and method for enabling remote registry service security audits described herein may include scanning a network to construct a model or topology of the network. In particular, the model or topology of the network may include characteristics describing various devices in the network, which may be analyzed to determine whether a remote registry service has been enabled on the devices. For example, the security audits may include performing one or more credentialed policy scans to enable the remote registry service for certain devices that have disabled the remote registry service, auditing the devices in response to enabling the remote registry service, and then disabling the remote registry service on the devices. Thus, the system and method described herein may enable remotely scanning information contained in device registries during a security audit without exposing the device registries to malicious activity.

    SYSTEM AND METHOD FOR FACILITATING DATA LEAKAGE AND/OR PROPAGATION TRACKING

    Publication (announcement) number: US20180019971A1

    Publication (announcement) date: 2018-01-18

    Application number: US15718370

    Application date: 2017-09-28

    Abstract: In some embodiments, a set of hashes that are associated with files of a user system, and a reference set of hashes that are associated with files of a reference system, may be obtained. An additional subset of hashes (included in the set of hashes and not included in the reference set of hashes) may be obtained based on a comparison between the set of hashes and the reference set of hashes. A file may be predicted to be exclusive for certain users or user systems, where the file is associated with a hash included in the additional subset of hashes. Other user systems may be scanned to determine what files are on the other user systems, where each of the other user systems is assigned to another user or is not one of the user systems. An alert indicating unauthorized activity may be generated based on the scan.

    SYSTEM AND METHOD FOR FACILITATING DATA LEAKAGE AND/OR PROPAGATION TRACKING
    4.
    Invention application
    SYSTEM AND METHOD FOR FACILITATING DATA LEAKAGE AND/OR PROPAGATION TRACKING (status: in force)

    Publication (announcement) number: US20160285827A1

    Publication (announcement) date: 2016-09-29

    Application number: US15179933

    Application date: 2016-06-10

    Abstract: Systems and methods for facilitating data leakage and/or propagation tracking are provided. In some embodiments, a set of hashes associated with files of a user device and a reference set of hashes associated with files of a reference system may be obtained. An additional subset of hashes included in the set of hashes and not included in the reference set of hashes may be determined. The user device may be classified into a group based on the additional subset of hashes comprising a hash that is the same as a hash associated with a file of at least another user device classified into the group. A prediction that the file is exclusive for the group may be effectuated. Other user devices not classified into the group may be scanned. An alert indicating unauthorized activity may be generated responsive to the scan indicating that the other user devices contain the file.

    SYSTEM AND METHOD FOR IDENTIFYING EXPLOITABLE WEAK POINTS IN A NETWORK
    5.
    Invention application
    SYSTEM AND METHOD FOR IDENTIFYING EXPLOITABLE WEAK POINTS IN A NETWORK (status: in force)

    Publication (announcement) number: US20140007241A1

    Publication (announcement) date: 2014-01-02

    Application number: US13653834

    Application date: 2012-10-17

    CPC classification number: H04L63/1433 H04L41/12 H04L67/10

    Abstract: The system and method described herein may leverage passive and active vulnerability discovery to identify network addresses and open ports associated with connections that one or more passive scanners observed in a network and current connections that one or more active scanners enumerated in the network. The observed and enumerated current connections may be used to model trust relationships and identify exploitable weak points in the network, wherein the exploitable weak points may include hosts that have exploitable services, exploitable client software, and/or exploitable trust relationships. Furthermore, an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network may be simulated to enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network.

    System and method for strategic anti-malware monitoring

    Publication (announcement) number: US10171490B2

    Publication (announcement) date: 2019-01-01

    Application number: US14738216

    Application date: 2015-06-12

    Abstract: The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may be communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have cataloged to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network.

    System and method for identifying exploitable weak points in a network

    Publication (announcement) number: US09860265B2

    Publication (announcement) date: 2018-01-02

    Application number: US14689762

    Application date: 2015-04-17

    CPC classification number: H04L63/1433 H04L41/12 H04L67/10

    Abstract: The system and method described herein may leverage passive and active vulnerability discovery to identify network addresses and open ports associated with connections that one or more passive scanners observed in a network and current connections that one or more active scanners enumerated in the network. The observed and enumerated current connections may be used to model trust relationships and identify exploitable weak points in the network, wherein the exploitable weak points may include hosts that have exploitable services, exploitable client software, and/or exploitable trust relationships. Furthermore, an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network may be simulated to enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network.

    SYSTEM AND METHOD FOR STRATEGIC ANTI-MALWARE MONITORING
    8.
    Invention application
    SYSTEM AND METHOD FOR STRATEGIC ANTI-MALWARE MONITORING (status: under examination, published)

    Publication (announcement) number: US20150281259A1

    Publication (announcement) date: 2015-10-01

    Application number: US14738216

    Application date: 2015-06-12

    Abstract: The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may be communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network.

    SYSTEM AND METHOD FOR IDENTIFYING EXPLOITABLE WEAK POINTS IN A NETWORK
    9.
    Invention application
    SYSTEM AND METHOD FOR IDENTIFYING EXPLOITABLE WEAK POINTS IN A NETWORK (status: in force)

    Publication (announcement) number: US20150222655A1

    Publication (announcement) date: 2015-08-06

    Application number: US14689762

    Application date: 2015-04-17

    CPC classification number: H04L63/1433 H04L41/12 H04L67/10

    Abstract: The system and method described herein may leverage passive and active vulnerability discovery to identify network addresses and open ports associated with connections that one or more passive scanners observed in a network and current connections that one or more active scanners enumerated in the network. The observed and enumerated current connections may be used to model trust relationships and identify exploitable weak points in the network, wherein the exploitable weak points may include hosts that have exploitable services, exploitable client software, and/or exploitable trust relationships. Furthermore, an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network may be simulated to enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network.

    System and method for strategic anti-malware monitoring
    10.
    Granted invention patent
    System and method for strategic anti-malware monitoring (status: in force)

    Publication (announcement) number: US09088606B2

    Publication (announcement) date: 2015-07-21

    Application number: US13692200

    Application date: 2012-12-03

    Abstract: The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may be communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network.
