US-20260127293-A1 - TECHNIQUES FOR CHRONOLOGICAL VULNERABILITY EVENT RECOGNITION

Abstract

Techniques for identifying vulnerabilities in a computing environment, including: using at least one computer hardware processor to perform: obtaining first vulnerability data for a first event from external data source(s); associating the first event with a particular vulnerability in a vulnerability dictionary using at least some of the first vulnerability data, the particular vulnerability being associated with one or more historical events; enriching the first vulnerability data with first metadata comprising one or more time-based feature values to obtain first enriched vulnerability data; generating a first set of feature values for the first event using both: the first enriched vulnerability data; and enriched vulnerability data for at least some of the one or more historical events; determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event; and triggering performance of the vulnerability mitigation action for the first event.

Inventors

  • Stephen Fewer

Assignees

  • RAPID7, INC.

Dates

Publication Date
20260507
Application Date
20241107

Claims (20)

  1. A method for identifying vulnerabilities in a computing environment, the method comprising: using at least one computer hardware processor to perform: obtaining first vulnerability data for a first event from one or more external data sources; associating the first event with a particular vulnerability in a vulnerability dictionary using at least some of the first vulnerability data, the particular vulnerability being associated with one or more historical events; enriching the first vulnerability data with first metadata comprising one or more time-based feature values to obtain first enriched vulnerability data; generating a first set of feature values for the first event using both: (i) the first enriched vulnerability data; and (ii) enriched vulnerability data for at least some of the one or more historical events; determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event; and triggering performance of the vulnerability mitigation action for the first event.
  2. The method of claim 1, wherein the one or more external data sources comprises one or more of the following: (i) data obtained from one or more vulnerability databases; (ii) data obtained from one or more cybersecurity tools via one or more application programming interfaces (APIs); (iii) RSS feeds obtained from one or more websites; (iv) content shared on one or more social media platforms; and (v) third party content identified as being referenced in any of (i)-(iv).
  3. The method of claim 1, further comprising: obtaining second vulnerability data for each of multiple events from the one or more external data sources; and for each of the multiple events: associating the event with a particular vulnerability in the vulnerability dictionary using at least some of the corresponding second vulnerability data; enriching the second vulnerability data with second metadata comprising one or more time-based feature values to obtain second enriched vulnerability data; and storing the second enriched vulnerability data in a database.
  4. The method of claim 1, wherein the one or more time-based feature values comprises: (i) a timestamp indicating when the first vulnerability data was obtained; and/or (ii) a timestamp indicating when the first vulnerability data was first published.
  5. The method of claim 1, wherein the first metadata comprises: (i) a timestamp indicating when the first vulnerability data was obtained; (ii) a timestamp indicating when the first vulnerability data was first published; (iii) one or more metrics indicative of characteristics of the first vulnerability data; (iv) origin information regarding the first vulnerability data; and (v) one or more tag values identifying one or more properties that the first vulnerability data has in common with other portions of data obtained from the one or more external data sources.
  6. The method of claim 1, wherein associating the first event with a particular vulnerability in a vulnerability dictionary using at least some of the first vulnerability data comprises: identifying a Common Vulnerabilities and Exposures (CVE) identifier corresponding to a vulnerability referenced in the first vulnerability data; and associating the first event with the particular vulnerability in the vulnerability dictionary based on the CVE identifier.
  7. The method of claim 1, wherein the first set of feature values for the first event comprises one or more of the following: (i) a feature value indicating a distance in time between the first event and a previous event; (ii) a feature value indicating a distance in time between the first event and an epoch event; (iii) a feature value corresponding to a tag associated with the first event; (iv) a feature value corresponding to a tag associated with the previous event; (v) a feature value indicating an origin associated with the first event; (vi) a feature value indicating an origin associated with the previous event; and (vii) a bitmap of binary values indicating an occurrence of: a prior event, a prior condition, and/or a prior feature.
  8. The method of claim 1, wherein generating a first set of feature values for the first event comprises: generating the first set of feature values for the first event using (i) the first enriched vulnerability data associated with the first event, the first event being a current event; and (ii) enriched vulnerability data associated with a previous event.
  9. The method of claim 1, wherein generating a first set of feature values for the first event comprises: generating the first set of feature values for the first event using (i) the first enriched vulnerability data associated with the first event, the first event being a current event; and (ii) enriched vulnerability data for multiple preceding events.
  10. The method of claim 1, wherein determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event comprises: processing the first set of feature values using one or more rules defining criteria for identifying events for which a vulnerability mitigation action is to be triggered.
  11. The method of claim 1, wherein determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event comprises: comparing, using a locality hashing technique, the first set of feature values to a second set of feature values associated with the at least some of the one or more historical events.
  12. The method of claim 1, wherein determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event comprises: analyzing, using one or more machine learning models, the first set of feature values and a second set of feature values associated with the at least some of the one or more historical events.
  13. The method of claim 1, wherein the vulnerability mitigation action for the first event comprises at least one of: generating an alert, updating software, changing a network configuration of a resource, changing a configuration of one or more software applications executing on the resource, changing a configuration of an operating system executing on the resource, changing one or more permissions for the resource, deleting malware, removing corrupted files or data, taking a physical offline, killing an instance of a virtual resource, and blocking communications to and/or from the resource.
  14. A system for identifying vulnerabilities in a computing environment, the system comprising: at least one computer hardware processor; and at least one non-transitory computer-readable storage medium storing processor-executable instructions that, when executed by the at least one computer hardware processor, causes the at least one computer hardware processor to perform a method comprising: obtaining first vulnerability data for a first event from one or more external data sources; associating the first event with a particular vulnerability in a vulnerability dictionary using at least some of the first vulnerability data, the particular vulnerability being associated with one or more historical events; enriching the first vulnerability data with first metadata comprising one or more time-based feature values to obtain first enriched vulnerability data; generating a first set of feature values for the first event using both: (i) the first enriched vulnerability data; and (ii) enriched vulnerability data for at least some of the one or more historical events; determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event; and triggering performance of the vulnerability mitigation action for the first event.
  15. The system of claim 14, wherein the method further comprises: obtaining second vulnerability data for each of multiple events from the one or more external data sources; and for each of the multiple events: associating the event with a particular vulnerability in the vulnerability dictionary using at least some of the corresponding second vulnerability data; enriching the second vulnerability data with second metadata comprising one or more time-based feature values to obtain second enriched vulnerability data; and storing the second enriched vulnerability data in a database.
  16. The system of claim 14, wherein associating the first event with a particular vulnerability in a vulnerability dictionary using at least some of the first vulnerability data comprises: identifying a Common Vulnerabilities and Exposures (CVE) identifier corresponding to a vulnerability referenced in the first vulnerability data; and associating the first event with the particular vulnerability in the vulnerability dictionary based on the CVE identifier.
  17. The system of claim 14, wherein determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event comprises: processing the first set of feature values using one or more rules defining criteria for identifying events for which a vulnerability mitigation action is to be triggered.
  18. The system of claim 14, wherein determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event comprises: comparing, using a locality hashing technique, the first set of feature values to a second set of feature values associated with the at least some of the one or more historical events.
  19. The system of claim 14, wherein determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event comprises: analyzing, using one or more machine learning models, the first set of feature values and a second set of feature values associated with the at least some of the one or more historical events.
  20. At least one non-transitory computer-readable storage medium storing processor executable instructions that, when executed by at least one computer hardware processor, causes the at least one computer hardware processor to perform a method for identifying vulnerabilities in a computing environment, the method comprising: obtaining first vulnerability data for a first event from one or more external data sources; associating the first event with a particular vulnerability in a vulnerability dictionary using at least some of the first vulnerability data, the particular vulnerability being associated with one or more historical events; enriching the first vulnerability data with first metadata comprising one or more time-based feature values to obtain first enriched vulnerability data; generating a first set of feature values for the first event using both: (i) the first enriched vulnerability data; and (ii) enriched vulnerability data for at least some of the one or more historical events; determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event; and triggering performance of the vulnerability mitigation action for the first event.
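The following is an added worked example, not code from the patent or from Rapid7, showing the pipeline of claims 1, 6, 7 and 10 end to end: a raw event is associated with a CVE in a vulnerability dictionary, enriched with time-based metadata (published and obtained timestamps, origin, tags, a simple size metric), turned into a feature set computed against the CVE's history (time since the previous event, time since the epoch event, current and previous tags and origins, a bitmap of prior event kinds), and then checked against a small rule set that decides whether a mitigation action fires. The CVE identifiers (CVE-2099-0001, CVE-2099-0002), the tag vocabulary, the origins, the sample events and the rule thresholds are all constructed for the example; the action names are placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")

# Assumed tag vocabulary; each tag owns one bit of the "prior event" bitmap (claim 7(vii)).
TAG_BITS = {"advisory": 0, "patch": 1, "poc": 2, "exploited": 3}


@dataclass(frozen=True)
class RawEvent:
    origin: str          # where the item came from (database, API, RSS, social post)
    published: datetime  # when the source first published it
    text: str            # raw item body; the CVE id is extracted from here
    tags: frozenset      # properties the item shares with other items


@dataclass(frozen=True)
class EnrichedEvent:
    cve: str
    origin: str
    published: datetime
    obtained: datetime   # time-based metadata: when this pipeline ingested the item
    tags: frozenset
    text_len: int        # a simple metric characterising the vulnerability data


def associate(event):
    """Claim 6: the CVE id referenced in the event, or None if there is none."""
    match = CVE_RE.search(event.text)
    return match.group(0) if match else None


def enrich(event, cve, obtained):
    return EnrichedEvent(cve, event.origin, event.published, obtained,
                         event.tags, len(event.text))


def hours_between(later, earlier):
    return (later - earlier).total_seconds() / 3600.0


def feature_values(current, history):
    """Claim 7 features from the current event and the CVE's earlier events (oldest first)."""
    epoch = history[0] if history else current   # first event ever seen for this CVE
    prev = history[-1] if history else None
    bitmap = 0
    for past in history:
        for tag in past.tags:
            if tag in TAG_BITS:
                bitmap |= 1 << TAG_BITS[tag]
    return {
        "hours_since_previous": hours_between(current.published, prev.published) if prev else 0.0,
        "hours_since_epoch": hours_between(current.published, epoch.published),
        "tags_current": sorted(current.tags),
        "tags_previous": sorted(prev.tags) if prev else [],
        "origin_current": current.origin,
        "origin_previous": prev.origin if prev else None,
        "prior_bitmap": bitmap,
        "ingest_lag_hours": hours_between(current.obtained, current.published),
    }


def has_prior(bitmap, tag):
    return bool(bitmap & (1 << TAG_BITS[tag]))


def decide(features):
    """Claim 10 style rules; returns a placeholder action name or None."""
    tags = set(features["tags_current"])
    if "exploited" in tags:
        # Exploitation reported with no patch event in the history is the urgent case.
        if not has_prior(features["prior_bitmap"], "patch"):
            return "alert:exploited-unpatched"
        return "alert:exploited"
    if "poc" in tags and features["hours_since_epoch"] <= 72:
        return "alert:fast-poc"   # public PoC within 72h of first sighting (assumed threshold)
    return None


class VulnerabilityTracker:
    """Vulnerability dictionary: CVE id -> enriched events in publication order."""

    def __init__(self):
        self.dictionary = defaultdict(list)

    def ingest(self, event, obtained):
        cve = associate(event)
        if cve is None:
            return None, None, None
        history = self.dictionary[cve]
        enriched = enrich(event, cve, obtained)
        features = feature_values(enriched, history)
        action = decide(features)
        history.append(enriched)
        return cve, action, features


def ts(text):
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def run_demo():
    """Feed constructed events through the tracker; returns (cve, action, features) per event."""
    tracker = VulnerabilityTracker()
    events = [  # constructed sample data, not real feed content
        (RawEvent("nvd", ts("2024-01-01T09:00"), "CVE-2099-0001 advisory for FooApp", frozenset({"advisory"})), ts("2024-01-01T10:00")),
        (RawEvent("social", ts("2024-01-02T12:00"), "PoC for CVE-2099-0001 posted", frozenset({"poc"})), ts("2024-01-02T12:30")),
        (RawEvent("vendor_rss", ts("2024-01-03T08:00"), "FooApp 2.1 fixes CVE-2099-0001", frozenset({"patch"})), ts("2024-01-03T09:00")),
        (RawEvent("blog", ts("2024-01-04T08:00"), "Unrelated post with no identifier", frozenset()), ts("2024-01-04T08:05")),
        (RawEvent("isac", ts("2024-01-06T08:00"), "CVE-2099-0001 exploited in the wild", frozenset({"exploited"})), ts("2024-01-06T08:10")),
        (RawEvent("isac", ts("2024-01-06T09:00"), "CVE-2099-0002 exploited, no fix yet", frozenset({"exploited"})), ts("2024-01-06T09:05")),
    ]
    return [tracker.ingest(event, obtained) for event, obtained in events]


if __name__ == "__main__":
    for cve, action, features in run_demo():
        print(cve, action, features and features["prior_bitmap"])
```

The history kept per CVE is what distinguishes this from a stateless feed filter: the same "exploited" text yields a different action depending on whether a patch event preceded it, and the epoch distance is what lets the PoC rule tell a fast-moving vulnerability from an old one resurfacing.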

Description

BACKGROUND

Modern computing environments are exposed to many cybersecurity vulnerabilities. These vulnerabilities can be identified and analyzed to determine the risk posed to computing environments and any corrective actions to be taken. Cybersecurity vulnerabilities vary in their potential impact on computing systems, may be exploited in cyber-attacks to varying degrees, and are constantly evolving and being exploited in new cyber-attacks. Cybersecurity vulnerability identification and analysis is important in a variety of computing environments including, but not limited to, private computing environments (e.g., computer infrastructure operated for one organization), public computing environments (e.g., computer infrastructure made available for use by others, for example, over the Internet or any other network, e.g., via subscription, to multiple organizations), a hybrid computing environment (a combination of publicly-accessible and private infrastructure) and/or any other type of computing environment. Non-limiting examples of cloud computing environments include GOOGLE Cloud Platform (GCP), ORACLE Cloud Infrastructure (OCI), AMAZON Web Services (AWS), IBM Cloud, and MICROSOFT Azure.

SUMMARY

Some embodiments provide for a method of identifying vulnerabilities in a computing environment, the method including: using at least one computer hardware processor to perform: obtaining first vulnerability data for a first event from one or more external data sources; associating the first event with a particular vulnerability in a vulnerability dictionary using at least some of the first vulnerability data, the particular vulnerability being associated with one or more historical events; enriching the first vulnerability data with first metadata comprising one or more time-based feature values to obtain first enriched vulnerability data; generating a first set of feature values for the first event using both: (i) the first enriched vulnerability data; and (ii) enriched vulnerability data for at least some of the one or more historical events; determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event; and triggering performance of the vulnerability mitigation action for the first event.
Some embodiments provide for a system for identifying vulnerabilities in a computing environment, the system including: at least one computer hardware processor; and at least one non-transitory computer-readable storage medium storing processor-executable instructions that, when executed by the at least one computer hardware processor, causes the at least one computer hardware processor to perform a method comprising: obtaining first vulnerability data for a first event from one or more external data sources; associating the first event with a particular vulnerability in a vulnerability dictionary using at least some of the first vulnerability data, the particular vulnerability being associated with one or more historical events; enriching the first vulnerability data with first metadata comprising one or more time-based feature values to obtain first enriched vulnerability data; generating a first set of feature values for the first event using both: (i) the first enriched vulnerability data; and (ii) enriched vulnerability data for at least some of the one or more historical events; determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event; and triggering performance of the vulnerability mitigation action for the first event. 
Some embodiments provide for at least one non-transitory computer-readable storage medium storing processor executable instructions that, when executed by at least one computer hardware processor, causes the at least one computer hardware processor to perform a method for identifying vulnerabilities in a computing environment, the method including: obtaining first vulnerability data for a first event from one or more external data sources; associating the first event with a particular vulnerability in a vulnerability dictionary using at least some of the first vulnerability data, the particular vulnerability being associated with one or more historical events; enriching the first vulnerability data with first metadata comprising one or more time-based feature values to obtain first enriched vulnerability data; generating a first set of feature values for the first event using both: (i) the first enriched vulnerability data; and (ii) enriched vulnerability data for at least some of the one or more historical events; determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event; and triggering performance of the vulnerability mitigation action for the first event.

BRIEF DESCRIPTION OF DRAWINGS

Various aspects and embodiments will be described with reference to the following figures. It should be appreciated that the figures are