02/28/08 | #20080052703 | USPTO Class 717

Universal patching machine

USPTO Application #: 20080052703
Title: Universal patching machine
Abstract: A universal patching machine is used to provide security for a computer system. A conversion function is generated for the patching machine that modifies input data to the computer system so that the computer system has an output and state that match the output and state that would be produced by a vendor-patched version of the computer system. The universal patching machine detects security vulnerabilities in intercepted data traffic. If a vulnerability violation is detected, the universal patching machine modifies the data traffic to remove the violation. Fixing the data traffic in this way ensures that the vulnerability cannot be exploited in an attack against the data network. The universal patching machine is formed from patch processors and a packet controller. The patch processors are formed from network patches. In operation, the patch processors detect vulnerabilities and issue modification commands that direct the packet controller to fix the data traffic.
Agent: G. Victor Treyz - San Francisco, CA, US
Inventor: Dileep Kumar Panjwani
USPTO Application #: 20080052703 - Class: 717171000 (USPTO)
Related Patent Categories: Data Processing: Software Development, Installation, And Management, Software Upgrading Or Updating, Network
The Patent Description & Claims data below is from USPTO Patent Application 20080052703.

[0001] This application is a division of patent application Ser. No. 11/029,098, filed Jan. 3, 2005, which is hereby incorporated by reference herein in its entirety.

BACKGROUND OF THE INVENTION

[0002] This invention relates to computer security, and more particularly, to applying patches to fix security vulnerabilities.

[0003] Security vulnerabilities in deployed software are discovered with regularity. Both operating systems and application software are affected. As vulnerabilities are identified by the computer security community, they are often included in a list of common vulnerabilities and exposures (CVE). The CVE list attempts to standardize the names of known vulnerabilities.

[0004] Computers in which vulnerabilities are not addressed become exposed to security risks. Often these risks are intolerable, so it becomes necessary to install security patches. Patches (also sometimes called "updates" or "bug fixes") are used to fix the portion of the software that gave rise to the security vulnerability. When appropriate patches are in place, the security risk associated with the vulnerability is reduced or eliminated.

[0005] In modern computer system environments, patch management can be exceedingly complex. In a typical business enterprise, there are often hundreds or thousands of networked computers, each with a potentially different software configuration. As a result, it is practically impossible to test new patches exhaustively. System administrators are reluctant to install patches without testing, particularly on critical machines, so in practice many patches are not installed or are not installed in a timely fashion. This leaves many computer systems at risk of attack.

[0006] It is therefore an object of the present invention to provide improved techniques for applying security patches to computer systems.

SUMMARY OF THE INVENTION

[0007] A universal patching machine is provided that protects data networks from security vulnerabilities. The universal patching machine may be implemented on a network appliance located at the edge of a data network. In this location, the universal patching machine and network appliance can intercept data traffic flowing between a communications network such as the internet and the data network. The universal patching machine modifies the intercepted data traffic so that the vulnerabilities cannot be exploited by an attacker.

[0008] The universal patching machine is formed from patch processors and a packet controller. The patch processors work at higher network layers such as network layers 6 and 7, whereas the packet controllers operate at lower network layers such as network layers 3-5.

[0009] The patch processors and packet controller work together to efficiently detect vulnerability violations and modify data traffic where needed. Efficient processing is ensured by bypassing the higher-network-layer processing of the patch processors when the vulnerability violation detection and fixing operations of the patch processors are not needed. These bypassing operations may be performed using the packet controller.

[0010] The patch processors are formed from network patches that address various different security vulnerabilities. As new vulnerabilities are discovered, the functionality of the universal patching machine is updated. The update process involves identifying the vulnerabilities that require attention and determining which network patches are needed to detect and fix these vulnerabilities. The universal patching machine is updated using these network patches.

[0011] Each network patch includes state machine logic and one or more associated vulnerability violation detection and fixing functions. To ensure efficiency, duplication is avoided when combining the state machine logic of the network patches. The universal patching machine may have machine code libraries of helper functions. These helper functions may be used to merge the state machines of network patches into a unified state machine. During the formation of the unified state machine for the patch processors, the overall size of the state machine logic is reduced.

[0012] As the capabilities of the universal patching machine are updated by adding or removing network patches for the unified state machine in real time, the flow of data traffic through the universal patching machine is not disrupted. With one arrangement, disruption to the data flow is avoided by handling old data traffic sessions with an old version of the universal patching machine processes and new data traffic sessions with a new version of the universal patching machine processes. With another arrangement, data traffic disruption is avoided by selecting a point in time at which to switch over to the new network patches that does not affect the handling of the data traffic by the universal patching machine.
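As an added illustration (not code from the application), the following toy Python model ties together the abstract's conversion function, under which the unpatched system fed fixed input behaves like the vendor-patched system, and the summary's patch processors, packet controller bypass and per-session version pinning from paragraphs [0008] through [0012]. The protected service, its field limit and the port numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable
MAX_FIELD = 8  # hypothetical fixed-size field limit in the protected service
def unpatched_service(data: str) -> str:  # no length check: overrun modelled as a crash
    return "CRASH" if len(data) > MAX_FIELD else f"ok:{data}"
def patched_service(data: str) -> str:  # vendor patch truncates instead of overrunning
    return f"ok:{data[:MAX_FIELD]}"
@dataclass
class NetworkPatch:
    """One network patch: a violation detector plus a fix that rewrites the traffic."""
    name: str
    port: int  # the packet controller matches flows on this (its layer 3-5 view)
    detect: Callable[[dict, str], bool]  # (per-session state, payload) -> violation?
    fix: Callable[[dict, str], str]  # the conversion function: remove the violation

class PatchProcessor:
    """Layer 6/7 processing for one version of the machine's set of network patches."""
    def __init__(self, version: int, patches: list):
        self.version, self.patches = version, patches
        self.ports = {p.port for p in patches}

    def process(self, state: dict, payload: str, log: list) -> str:
        state["msgs"] = state.get("msgs", 0) + 1  # per-session state machine logic
        for p in self.patches:
            if p.detect(state, payload):
                log.append((p.name, self.version))
                payload = p.fix(state, payload)
        return payload

class PacketController:
    """Bypasses the patch processor for flows no patch covers, and keeps each session
    on the processor version that was live when it began, so updates do not disrupt it."""
    def __init__(self, processor: PatchProcessor):
        self.current, self.sessions, self.log = processor, {}, []

    def update(self, processor: PatchProcessor) -> None:
        self.current = processor  # applies to new sessions only

    def handle(self, sid: str, port: int, payload: str) -> str:
        proc, state = self.sessions.setdefault(sid, (self.current, {}))
        if port not in proc.ports:
            return payload  # bypass: no higher-layer work needed for this flow
        return proc.process(state, payload, self.log)

OVERFLOW = NetworkPatch("overlong-field", 80, lambda s, d: len(d) > MAX_FIELD,
                        lambda s, d: d[:MAX_FIELD])

def equivalent(data: str) -> bool:  # unpatched(fix(x)) == patched(x), as in FIG. 1A/1B
    return unpatched_service(OVERFLOW.fix({}, data)) == patched_service(data)
```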

[0013] Further features of the invention, its nature and various advantages will be more apparent from the accompanying drawings and the following detailed description of the preferred embodiments.

BRIEF DESCRIPTION OF THE DRAWINGS

[0014] FIG. 1A is a diagram showing the behavior of a patched computer system to an illustrative input.

[0015] FIG. 1B is a diagram showing how a universal patching machine alters the input applied in FIG. 1A in accordance with the present invention.

[0016] FIG. 2 is a flow chart of illustrative steps involved in using a universal patching machine to provide security for an unpatched computer system in accordance with the present invention.

[0017] FIG. 3 is a diagram of an illustrative system in which a network appliance is used to implement a universal patching machine for protecting a computer network in accordance with the present invention.

[0018] FIG. 4 is a diagram of an illustrative network appliance showing components that may be used to apply security patches in accordance with the present invention.

[0019] FIG. 5 is a diagram showing how a universal patching machine may handle an illustrative vulnerability related to authentication evasion in accordance with the present invention.

[0020] FIG. 6 is a diagram showing how a universal patching machine may handle an illustrative buffer overflow vulnerability in accordance with the present invention.

[0021] FIG. 7 is a diagram showing how a universal patching machine may have a number of associated patch processors in accordance with the present invention.
