System and method for identifying exploitable weak points in a network
    1.
    Granted patent (in force)

    Publication number: US09043920B2

    Publication date: 2015-05-26

    Application number: US13653834

    Filing date: 2012-10-17

    CPC classification number: H04L63/1433 H04L41/12 H04L67/10

    Abstract: The system and method described herein may leverage passive and active vulnerability discovery to identify network addresses and open ports associated with connections that one or more passive scanners observed in a network and current connections that one or more active scanners enumerated in the network. The observed and enumerated current connections may be used to model trust relationships and identify exploitable weak points in the network, wherein the exploitable weak points may include hosts that have exploitable services, exploitable client software, and/or exploitable trust relationships. Furthermore, an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network may be simulated to enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network.


    SYSTEM AND METHOD FOR IDENTIFYING EXPLOITABLE WEAK POINTS IN A NETWORK
    2.
    Patent application (in force)

    Publication number: US20140007241A1

    Publication date: 2014-01-02

    Application number: US13653834

    Filing date: 2012-10-17

    CPC classification number: H04L63/1433 H04L41/12 H04L67/10

    Abstract: The system and method described herein may leverage passive and active vulnerability discovery to identify network addresses and open ports associated with connections that one or more passive scanners observed in a network and current connections that one or more active scanners enumerated in the network. The observed and enumerated current connections may be used to model trust relationships and identify exploitable weak points in the network, wherein the exploitable weak points may include hosts that have exploitable services, exploitable client software, and/or exploitable trust relationships. Furthermore, an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network may be simulated to enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network.


    System and method for facilitating data leakage and/or propagation tracking

    Publication number: US09794223B2

    Publication date: 2017-10-17

    Application number: US15179933

    Filing date: 2016-06-10

    Abstract: Systems and methods for facilitating data leakage and/or propagation tracking are provided. In some embodiments, a set of hashes associated with files of a user device and a reference set of hashes associated with files of a reference system may be obtained. An additional subset of hashes included in the set of hashes and not included in the reference set of hashes may be determined. The user device may be classified into a group based on the additional subset of hashes comprising a hash that is the same as a hash associated with a file of at least another user device classified into the group. A prediction that the file is exclusive for the group may be effectuated. Other user devices not classified into the group may be scanned. An alert indicating unauthorized activity may be generated responsive to the scan indicating that the other user devices contain the file.

    System and method for correlating log data to discover network vulnerabilities and assets
    4.
    Granted patent (in force)

    Publication number: US09467464B2

    Publication date: 2016-10-11

    Application number: US13858367

    Filing date: 2013-04-08

    CPC classification number: H04L63/1433 H04L63/1408

    Abstract: The disclosure relates to a log correlation engine that may cross-reference or otherwise leverage existing vulnerability data in an extensible manner to support network vulnerability and asset discovery. In particular, the log correlation engine may receive various logs that contain events describing observed network activity and discover a network vulnerability in response to the logs containing at least one event that matches a regular expression in at least one correlation rule that indicates a vulnerability. The log correlation engine may then obtain information about the indicated vulnerability from at least one data source cross-referenced in the correlation rule and generate a report that the indicated vulnerability was discovered in the network, wherein the report may include the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the correlation rule.


    System and method for correlating network identities and addresses
    5.
    Granted patent (in force)

    Publication number: US08972571B2

    Publication date: 2015-03-03

    Application number: US13887822

    Filing date: 2013-05-06

    CPC classification number: H04L63/08 H04L63/1433

    Abstract: The system and method for correlating network identities and addresses described herein may include a log correlation engine distributed on a network that identifies relationships between certain network identities and Internet Protocol (IP) and Ethernet addresses in the network. In particular, the log correlation engine may analyze various event logs that describe activity in a network to learn relationships between network identities and network addresses and generate alerts in response to discovering changes in the learned relationships. For example, the log correlation engine may identify authentication events described in the logs to map network identities to IP addresses, and may further analyze the logs to map the IP addresses to Ethernet addresses. Thus, the log correlation engine may discover new and changed relationships between the network identities, the IP addresses, and the Ethernet addresses.


    System and method for strategic anti-malware monitoring

    Publication number: US10171490B2

    Publication date: 2019-01-01

    Application number: US14738216

    Filing date: 2015-06-12

    Abstract: The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may be communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have cataloged to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network.

    System and method for identifying exploitable weak points in a network

    Publication number: US09860265B2

    Publication date: 2018-01-02

    Application number: US14689762

    Filing date: 2015-04-17

    CPC classification number: H04L63/1433 H04L41/12 H04L67/10

    Abstract: The system and method described herein may leverage passive and active vulnerability discovery to identify network addresses and open ports associated with connections that one or more passive scanners observed in a network and current connections that one or more active scanners enumerated in the network. The observed and enumerated current connections may be used to model trust relationships and identify exploitable weak points in the network, wherein the exploitable weak points may include hosts that have exploitable services, exploitable client software, and/or exploitable trust relationships. Furthermore, an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network may be simulated to enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network.

    SYSTEM AND METHOD FOR STRATEGIC ANTI-MALWARE MONITORING
    8.
    Patent application (pending, published)

    Publication number: US20150281259A1

    Publication date: 2015-10-01

    Application number: US14738216

    Filing date: 2015-06-12

    Abstract: The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may be communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network.


    System and method for strategic anti-malware monitoring
    9.
    Granted patent (in force)

    Publication number: US09088606B2

    Publication date: 2015-07-21

    Application number: US13692200

    Filing date: 2012-12-03

    Abstract: The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may be communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network.


    SYSTEM AND METHOD FOR STRATEGIC ANTI-MALWARE MONITORING
    10.
    Patent application (in force)

    Publication number: US20140013434A1

    Publication date: 2014-01-09

    Application number: US13692200

    Filing date: 2012-12-03

    Abstract: The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may be communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network.

