pat description2


Upload: sat258

Post on 30-Sep-2015

DESCRIPTION

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to U.S. Provisional Application No. 61/392,324 filed Oct. 12, 2010, and entitled “Dynamic hierarchical tagging system and method,” which is hereby incorporated by reference for all purposes.

TECHNICAL FIELD

In a corporate enterprise network, the presently described embodiments relate to organizing and tagging of computer, software, and network assets by a security management system that interfaces with the enterprise network through the internet. The security management system is therefore a cloud-based system that interfaces with managed asset scanners within and/or exterior to the enterprise network. The presently described embodiments provide a dynamic hierarchical tagging system and method that provides advantages over previously known solutions.

BACKGROUND OF THE INVENTION

In a corporate enterprise network, any device connected to a network, such as desktop workstations, tablets, phones, etc., may have attributes that change on a regular basis. These attributes may include IP addresses, patch levels, vulnerabilities, installed software, running services, etc. Network administrators and users may want to organize the network assets into groups based at least in part on these rapidly-changing attributes. The present disclosure provides for a way to create groups that change with the changing attributes.

SUMMARY OF THE INVENTION

In an embodiment, a dynamical hierarchical tagging system connected to a user site through a remote communications network is disclosed. The system may comprise a master controller, a job management server connected to the master controller, one or more scanners in communication with the job management server, wherein the one or more scanners are configured to scan for one or more user assets located at the user site, resulting in scan results, a scan logic processor connected to the master controller, wherein the scan logic processor is configured to store the scan results in a user database, a tagging logic engine connected to the master controller, wherein the tagging logic engine is configured to tag the scan results stored in the user database, and an indexing logic processor connected to the master controller, wherein the indexing logic processor is configured to search and index the tagged scan results stored in the user database. In this system, the scan logic processor may be configured to normalize the scan results stored in the user database to determine which of the normalized scan results need to be updated in a subsequent processing of a scan based on discovered values of the one or more assets previously scanned and the normalized scan results may be related back to the tagged and indexed scan results stored in the user database and are used to track the one or more user assets.

In a further embodiment, a method for tagging one or more user assets located at a user site with a dynamical hierarchical tagging system connected through a remote communications network is disclosed. The method may comprise providing a master controller, connecting a job management server to the master controller, providing one or more scanners in communication with the job management server, wherein the one or more scanners are configured to scan for the one or more user assets located at the user site, resulting in scan results, connecting a scan logic processor to the master controller, wherein the scan logic processor is configured to store the scan results in a user database, connecting a tagging logic engine to the master controller, wherein the tagging logic engine is configured to tag the scan results stored in the user database, and connecting an indexing logic processor to the master controller, wherein the indexing logic processor is configured to search and index the tagged scan results stored in the user database. The method may further comprise that the scan logic processor and the indexing logic processor may be configured to normalize the tagged and indexed scan results stored in the user database to determine which of the scan results need to be updated in a subsequent scan based on discovered values of the one or more assets previously scanned, and further wherein the normalized scan results may be related back to the tagged and indexed scan results stored in the user database and are used to track the one or more user assets.

DESCRIPTION OF THE DRAWINGS

FIG. 1 is a system level diagram of a security management system connected to a customer system through a remote communications network, in accordance with one embodiment of the present disclosure;

FIG. 2 is a flowchart depicting normalizing asset scan data, in accordance with one embodiment of the present disclosure;

FIG. 3 is a flowchart depicting tagging assets, in accordance with one embodiment of the present disclosure;

FIG. 4 is a flowchart depicting indexing assets, in accordance with one embodiment of the present disclosure;

FIG. 5 is a tag-to-asset relationship structure, in accordance with one embodiment of the present disclosure;

FIG. 6 is a tag-to-asset relationship, in accordance with one embodiment of the present disclosure;

FIG. 7 is a tag tree organization, in accordance with one embodiment of the present disclosure;

FIG. 8 is a screen shot of a tag's history, in accordance with one embodiment of the present disclosure;

FIG. 9 is a screen shot of scan-to-tag results, in accordance with one embodiment of the present disclosure;

FIG. 10 is a screen shot of tag-to-asset and scan-by-tag, in accordance with one embodiment of the present disclosure;

FIG. 11 is a screen shot of rule engine auditing and rule setup, in accordance with one embodiment of the present disclosure;

FIG. 12 is a screen shot of asset details and attributes, in accordance with one embodiment of the present disclosure; and

FIG. 13 is a flowchart for the process of asset discovery, in accordance with one embodiment of the present disclosure.

DETAILED DESCRIPTION

Disclosed herein are various embodiments of a dynamical hierarchical tagging system connected to a user site through a remote communications network. The system may comprise a master controller, a job management server connected to the master controller, one or more scanners in communication with the job management server, wherein the one or more scanners are configured to scan for one or more user assets located at the user site, resulting in scan results, a scan logic processor connected to the master controller, wherein the scan logic processor is configured to store the scan results in a user database, a tagging logic engine connected to the master controller, wherein the tagging logic engine is configured to tag the scan results stored in the user database, and an indexing logic processor connected to the master controller, wherein the indexing logic processor is configured to search and index the tagged scan results stored in the user database.

According to FIG. 1, a security management system 100 may be connected to a user site 115 through a remote communications network or cloud 110. The security management system 100 may comprise one or more scanners 116 and may be located at the user site 115 or exterior to the user site, also connected to the customer site and/or other security management system element through the internet. The scanners 116 may be connected through the remote communications network 110 to a job management server 120 located off-site from the user site 115. The job management server 120 may be configured to coordinate communications with the scanners 116.

The scanners 116 themselves may initiate connections with the job management server 120 to conduct scans of one or more user assets 118, such as desktop computers, laptops, workstations, tablets, phones, etc. The connections may also be initiated at the instruction of the job management server 120. The scans may be stored in a raw format in a job management database 130 connected to the job management server 120. The scans may then be used to create a summary of all of the assets 118 that exist at the user site 115. The security management system 100 may also use the scans to create a computer-generated report as further described in FIGS. 8-12.

Server logic, stored on a computer readable medium or memory 122 of the job management server 120, may when read cause the job management server 120 to execute instructions that may be responsible for coordinating the communication of information between various components in the security management system 100. A scan logic processor 140 may be connected to the job management server 120, and re-tags the scan results individually by accessing the results of the scanning and may receive communications from the job management server 120. The job management server 120 may be configured to realize when it has received updated scan results. The scan logic processor 140 further normalizes the scan results in accordance with instructions stored on computer-readable medium, and the scan logic processor 140 may store those scan results in a user database 150.

During execution of the above-described Normalize Scan Results process in the scan logic processor 140, as discussed in more detail in FIG. 2, the information about which parameters were previously used in executing the scan job through the job management server 120 may be used by the scan logic processor 140. That information may be used to determine which aspects of the data in the user database 150 should be updated based on the discovered value(s) on the user assets 118 that were scanned by one or more of the scanners 116.

For example, on scans initiated with authentication properly enabled, the scans may be able to discover information about assets 118 that previously run, non-authenticated scans would not discover. Because of this, certain values in the user database 150 may be overwritten when normalizing the results of this scan, due to the more authoritative nature of the authenticated scan results. By the same token, if a non-authenticated scan is run on the same assets 118 after an authenticated scan, some information about the host in the user database 150 would not be updated, as the newer scan's information would be deemed less authoritative due to the prior authenticated scan.

The logic in the scan logic processor 140 determines whether to update the data on an element-by-element basis, as some elements may be better detected with authenticated scans, while others may not. In addition, many other types of scan parameters may be used to influence normalization strategy. Such other parameters include vulnerability signatures such as QIDs, TCP/UDP port limitations, etc. Logic for determining such normalization strategies may all be contained in the scan logic processor 140, and that logic may be executed after a scan is completed at the user site 115 and is transmitted through the remote communications network 110.
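The element-by-element decision described above, sketched as an added example (not code from the patent or from any product). The split of elements into authentication-sensitive ones, the record layout and the sample scans are assumptions made for illustration; the port handling shows one way a TCP port limitation can shape the normalization strategy.

```python
from dataclasses import dataclass, field

# Assumption: elements an authenticated scan detects more reliably. The text
# only says the decision is made element by element; this split is illustrative.
AUTH_SENSITIVE = {"os", "patch_level", "installed_software"}


@dataclass
class StoredValue:
    value: object
    authenticated: bool  # was the scan that wrote this value authenticated?
    scan_id: int


@dataclass
class AssetRecord:
    asset_id: str
    elements: dict = field(default_factory=dict)  # element name -> StoredValue


def normalize(record, scan_id, authenticated, findings, ports_scanned=None):
    """Merge one scan's findings into the stored record, element by element.

    ports_scanned is the scan's TCP port limitation (None = no limitation).
    Returns the names of the elements whose stored value changed.
    """
    changed = []
    for name, value in findings.items():
        current = record.elements.get(name)
        if name in AUTH_SENSITIVE:
            # A non-authenticated result never replaces an authenticated one.
            if current and current.authenticated and not authenticated:
                continue
        elif name == "open_ports":
            old = set(current.value) if current else set()
            if ports_scanned is not None:
                # A port-limited scan can only confirm or clear ports it probed.
                probed = set(ports_scanned)
                value = (old - probed) | (set(value) & probed)
            else:
                value = set(value)
        if current is None or current.value != value:
            changed.append(name)
        record.elements[name] = StoredValue(value, authenticated, scan_id)
    return changed


def demo():
    """Three constructed scans of the same asset, in the order they were run."""
    rec = AssetRecord("Asset 17")
    normalize(rec, 1, False, {"os": "Windows", "open_ports": [80, 445]})
    normalize(rec, 2, True, {"os": "Windows 2000 Service Pack 3",
                             "installed_software": ["IIS 5.0"],
                             "open_ports": [80, 445, 3389]})
    # Later non-authenticated scan, limited to ports 80 and 443.
    changed = normalize(rec, 3, False, {"os": "Windows", "open_ports": [443]},
                        ports_scanned=[80, 443])
    return rec, changed


if __name__ == "__main__":
    rec, changed = demo()
    for name, stored in rec.elements.items():
        print(name, stored)
    print("changed by scan 3:", changed)
```

Keeping the writing scan's id and authentication state next to each value is what lets a later, weaker scan be rejected per element rather than per scan.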

The user database 150 may be accessible by the user through a web application user interface (web app UI) 160, which the user may access through a user terminal 119 at the user site 115. By controlling the user terminal 119 and the user database 150, the user can configure the types of tagging used, can tag assets, can see results of the tagging, and/or run various reports. The reporting activity is indicated on FIG. 1 by the connection between the web app UI 160 and a reporting service 170. The reporting service is able to access the user database 150 in order to access data with which to generate the various computer-generated reports mentioned.

A master controller 180 is used to centrally control the various elements within the system, including the scan logic processor 140, the user database 150, the web app UI 160, a tagging logic engine 190, and an indexing logic processor 198. The master controller 180 interfaces with the job management server 120 through the scan logic processor 140, normalizing job data received from an application programming interface (API).

The formatted scan results and scanned assets in the user database 150 may be available to the tagging logic engine 190. The tagging logic engine 190 may include a number of plug-ins 195. A plug-in may be defined as a customizable set of logic by which to evaluate a tag's applicability to a specific asset 118. The plug-ins 195 may contain various rules (depicted as Rule1 to Rulen) that may be used to apply tags to the asset records 118 stored in the user database 150. The asset records 118 may have multiple tags and the tags themselves may have associated rules so that a tag definition itself may be used to decide whether the tag should be applied to an asset 118. Different tags may use the same kind of rule, and the logic associated with rules may be defined and loaded in the plug-ins 195.

Tags for operating systems of the various assets may use the same operating system string matches pattern rule so they may all use the same plug-in 195. There may be several operating system tags that use one rule with a variable applied in a certain way to apply the tags to the various assets 118. The plug-ins 195 provide an open system that can accept new rule definitions as the security management system 100 evolves. For example, in an embodiment, if a user wants to tag an asset 118 based on its IP address, a new IP address plug-in 195 could be added, which could then be used to tag assets based on their IP address and physical location.

The tagging logic engine 190 and the indexing logic processor 198 in connection with a computer-readable medium or memory 182 of the master controller 180 use dynamic tagging to allow the security management system 100 to scan and tag quickly and efficiently. The master controller 180 may be a pipeline for different events, so as a scan is being normalized, the scan logic processor 140 may begin triggering events for the tagging logic engine 190 to re-evaluate tagging, and in turn, signal events for indexing. In addition, as a result of what is going on in the user database 150 via other processes, tags may be added to the assets 118 that affect what is visible and what is not visible in the web app UI 160. The tagging logic engine 190 can be used to determine the scope for reporting scans from the scan logic processor 140 and used to determine the scope for future scans by the scanners 116 via the job management server 120.

The set of assets 118 to be scanned in a subsequent scan may be determined by the user based on a user-defined tag. For example, the user may want to scan all assets that were previously tagged with the Windows tag. The Windows tag may then be used to look up which assets 118 in the user database 150 have a matching tag of Windows and send those Windows-tagged assets 118 to the job management server 120 to be the targets for the scanners 116 for subsequent scans.

Hierarchically organizing the tags enables an approach by which if a user would like to report against all Windows servers, the tag Windows may be expanded down to all the tags that may be underneath it. For example, if there are many child tags of the Windows tag, the user may get all assets with the tag Windows or its children by performing a query against the user database 150, which may return a large set of assets 118 that can be hierarchically grouped. These assets 118 may be grouped because the user may choose the single tag Windows, which may then be expanded to each of the child tags and then expanded to all the assets 118 that have any of those child tags. These tagged assets 118 may then be used as the scope for the report or the scope for the scan job.

FIG. 2 is a flowchart 200 depicting a process for normalizing asset scan data. As shown in the figure, at action 202 scan results are received from the scanner 116 via the job management server 120. After the scan results are received, at action 204, a series of normalizer engines are invoked to process the raw data sent from the one or more scanners 116. After the normalizer engines are invoked, at action 206 the normalized scan results are stored in the user database 150. This data is sent to the user database 150 via the master controller 180 and once stored there can be later used by the tagging logic engine 190 or the indexing logic processor 198. At action 208, the data may be linked to the asset 118 or a new asset 118 may be created, if needed, by the master controller 180, and the master controller 180 may send the data linked to the asset(s) 118 to the tagging logic engine 190, as described in more detail in FIG. 3.

Referring now to FIG. 3, a flowchart 300 depicting a process of tagging assets is shown, in accordance with one embodiment of the present disclosure. The tagging process was described in some detail in FIG. 1 in connection with the tagging logic engine 190. The tagging logic engine 190 may receive data linked to the asset(s) 118, as described in FIG. 2 and shown by the label A.

Still referring to FIG. 3, at action 302, after data is linked to the asset 118 and received at label A, an asset modified message may be sent by the master controller 180 and received by the tagging logic engine 190. At action 304, once the data has been successfully stored in the user database 150, the asset modified message is received and processed. At action 306 a signal event may be sent to the tagging logic engine 190. The tagging logic engine 190 then locates the new information and invokes plug-in rules 195 upon that information from the user database 150. At action 308 the tagging logic engine 190 may communicate directly with the user database 150 and the resulting set of tags on the assets 118 may be stored in the user database 150. The stored tags may then be sent to the indexing logic processor 198, as described in more detail in FIG. 4.

Referring now to FIG. 4, a flowchart 400 depicting a process of indexing assets is shown, in accordance with one embodiment of the present disclosure. The indexing process was described in some detail in FIG. 1 in connection with the indexing logic processor 198. In this embodiment, the indexing logic processor 198 receives data from the user database 150 via the master controller 180, as shown in FIG. 3 and depicted by the labeled inputs B and C.

Still referring to FIG. 4, at action 402, the indexing logic processor 198 may receive the asset modified message from FIG. 3 from the master controller 180, as depicted by the labeled inputs B and C. At action 404, the indexing logic processor 198 may receive the asset tags data from FIG. 3 from the master controller 180. At action 406, the indexing logic processor 198 stores the asset modified message and the asset tags with references, which may later be searched by the indexing logic processor 198. When the embedded data store of the indexing logic processor 198 is later searched, it is operable to return results according to specified criteria. The indexing logic processor 198 may be invoked twice because the same asset modification message may be generated again when the tags are stored or changed.

Referring now to FIG. 5, an exemplary tag-to-asset relationship structure 500 is shown. In the illustrated tag-to-asset relationship structure 500, a tag table 502 may comprise ID, parent, and name fields. The illustrated asset table 506 comprises ID and name fields, and as indicated, it contains other types of information. As shown at 504, the asset ID may link to ASSETID and the tag ID may link to TAGID. The parent field may link to the ID field for tag 502, creating a self-referencing tag table. Assets may have multiple tags and tags may have multiple assets, so this relationship may create a self-referencing tree out of the assets, as shown in a tree 508.

In the illustrated tree 508, every tag has an ID. For example, referring to the tree 508, there can be tags for Windows (ID1), Windows 2000 (ID2), Windows 2008 (ID3), service pack 7 (ID4), service pack 5 (ID5), service pack 1 (ID6), and service pack 4 (ID7). In this instance, ID1 Windows is the root of the tree. ID2 Windows 2000's parent is ID1 Windows, ID3 Windows 2008's parent is ID1 Windows, ID4 service pack 7's parents are ID3 Windows 2008 and ID1 Windows, as shown in a flat two-dimensional table of the tree 508, which is well known in computer science.

The tree 508 can also be shown in a table 510, with columns representing the ID, Parent, and Name fields, for example. Looking at ID4, in this example the figure shows that its parent is ID3 and its name is service pack 7. Further in this example, ID3's parent is ID1 and its name is Windows 2008 and ID1 does not have a parent and its name is Windows. An asset can have many tags, so it can be a many-to-many asset, as shown in the illustrated tree 508. If a node in the tree 508 is chosen, it can be expanded out to all of its children to create a list 510 of the asset IDs, parents, and names. Then, if a second node in the tree 508 is chosen, it can also be expanded out to all of its children to create a second list 510, and the two lists 510 may be compared to search for intersections. Intersections between assets may allow a user to advantageously use the tree 508 over and over to narrow down the set of assets to be compared, resulting in computational efficiencies within the security management system 100.
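The self-referencing tag table, the expansion of a chosen node to its children and the intersection of two expansions, as an added example in Python with SQLite (not code from the patent). Tags ID1 to ID4 and their parents are the rows read out of table 510 above; the table and column names, the location tags, the assets and the asset-to-tag links are constructed for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE tag (id INTEGER PRIMARY KEY,
                  parent INTEGER REFERENCES tag(id),  -- self-reference
                  name TEXT);
CREATE TABLE asset (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE asset_tag (assetid INTEGER REFERENCES asset(id),
                        tagid INTEGER REFERENCES tag(id),
                        PRIMARY KEY (assetid, tagid));  -- many-to-many link
"""

# IDs 1-4 and their parents are the rows the text reads out of table 510.
# The location tags, the assets and the links are constructed sample data.
TAGS = [(1, None, "Windows"), (2, 1, "Windows 2000"), (3, 1, "Windows 2008"),
        (4, 3, "service pack 7"),
        (10, None, "Locations"), (11, 10, "Redwood City")]
ASSETS = [(1, "Server1"), (2, "Server2"), (3, "Server3"), (4, "Server4")]
LINKS = [(1, 2), (1, 11), (2, 4), (3, 4), (3, 11), (4, 11)]

# Recursive walk from the chosen tag down to every descendant. UNION (not
# UNION ALL) drops duplicates, so a corrupted parent loop cannot recurse forever.
EXPAND = """
WITH RECURSIVE subtree(id) AS (
    SELECT id FROM tag WHERE name = ?
    UNION
    SELECT tag.id FROM tag JOIN subtree ON tag.parent = subtree.id
)
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tag VALUES (?, ?, ?)", TAGS)
    conn.executemany("INSERT INTO asset VALUES (?, ?)", ASSETS)
    conn.executemany("INSERT INTO asset_tag VALUES (?, ?)", LINKS)
    return conn


def expand_tag(conn, tag_name):
    """IDs of the chosen tag and all tags underneath it."""
    rows = conn.execute(EXPAND + "SELECT id FROM subtree", (tag_name,))
    return {row[0] for row in rows}


def assets_for_tag(conn, tag_name):
    """Names of the assets carrying the tag or any of its children."""
    rows = conn.execute(EXPAND + """
        SELECT DISTINCT asset.name FROM asset
        JOIN asset_tag ON asset_tag.assetid = asset.id
        WHERE asset_tag.tagid IN (SELECT id FROM subtree)""", (tag_name,))
    return {row[0] for row in rows}


def scope(conn, *tag_names):
    """Intersect the expansions of several chosen nodes into one scan/report scope."""
    result = None
    for name in tag_names:
        assets = assets_for_tag(conn, name)
        result = assets if result is None else result & assets
    return sorted(result or [])


if __name__ == "__main__":
    conn = build_db()
    print(scope(conn, "Windows"))
    print(scope(conn, "Windows", "Redwood City"))
```

Because the scope is computed by query each time, a tag added to an asset by a later scan changes the result of the same `scope` call without any group being edited by hand.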

Referring now to FIG. 6, a tag-to-asset relationship 600 is shown in accordance with an embodiment of the present disclosure. In the tag-to-asset relationship 600, tags 602, 604, and 606 are shown, along with assets 612, 614, and 616. In a user interface corresponding to this structure, the tag-to-asset relationship may be shown by a dotted tag 608, where tag 604 may be moved to asset 612 either by a drag-and-drop method, a check-a-box-with-a-button method, or any other user interface (UI) implementation. Likewise, in the present embodiment, the asset-to-tag relationship is shown by a dotted asset 610, where asset 614 is moved to tag 606 either by a drag-and-drop method, a check-a-box-with-a-button method, or any other UI implementation.

Referring now to FIG. 7, a tag tree organization 700 is shown in accordance with an embodiment of the present disclosure. In the illustrated tag tree organization 700, tag 702 is a parent tag with child tags 704, 706. Tag 704 may have child tags 708, 710. Tag 706 may have a child tag 712, and tag 706 and its child 712 may be moved to be a child and grand-child of tag 708 by dragging-and-dropping tag 706 onto tag 708, as shown by dotted tag 714. The hierarchical nature by which a user can organize the tags creates a one-parent, many-child relationship. The tag history may be made available so that a specific tag may be assigned to certain assets or may be altered by a user. In addition, more details about the tag, such as its name, type, the logic rule used to assign it, the parameters for that logic rule, among others, may be available through many different UI interactive models, such as a context-menu, a dialog, or a hover.

Referring now to FIG. 8, a screen shot 800 of a tag's history is shown, in accordance with an embodiment of the present disclosure. In the illustrated screen shot 800, one or more tags are shown in a left-hand column, and when a particular tag is selected its tag history may be detailed in a right-hand column. The tag history may be made available so that when a tag is assigned to a specific asset or tag, there may be a global audit log of that tag's specific history. In the screen shot 800 shown, when Tag 4 is selected, the right-hand column shows that Sean added the tag on date xx/xx and then the system assigned the tag by a rule on date xx/xx.

Referring now to FIG. 9, a screen shot 900 of scan-to-tag results is shown in accordance with an embodiment of the present disclosure. The illustrated screen shot 900 shows one or more scans in a left-hand column, and when a particular scan is selected the user can learn what actions occurred as a result of the information gathered from that particular scan in a right-hand column. A scan may then be traced to determine if it was run against a series of devices so that the results of the scan can be tracked to the tags' asset organization. In the screen shot shown, when Scan 511 is selected, the right-hand column shows that tag XYZ was added to the asset Server4.

Referring now to FIG. 10, a screen shot 1000 of tag-to-asset and scan-by-tag is shown in accordance with an embodiment of the present disclosure. The illustrated screen shot 1000 shows one or more specific search filters in a left-hand column that may be used to target scans or report bulk actions resulting in a list of assets in a right-hand column. By organizing assets, a user may be able to create reports on the assets, see intersections between tags, or target scans by tags. The results of a scan may populate data by asset, and that data may then be used to assign tags based on certain rules. In the illustrated screen shot shown, specific filters such as a text search box field, a Last Scanned with a date range field, or a Tags search box may be used to return specific assets, each with a name and type of asset (NAME1 and TYPE1, etc.), among many other features, listed. This result may then be used as targeting for a subsequent scan, report, or any kind of bulk action. Filters may be used to find multiple assets and to report on them and scan them on certain days. The results may change as tagging is dynamic, and as a result, the list of assets returned by the query may change on that certain day each week.

Advantageously, this may limit the starting point of each subsequent scan on that certain day of the week so that the entire set of assets may not have to be scanned each week. For example, many companies require employees to manage the lists of assets scanned each Monday. The tags may dynamically keep track of all of the information about the assets, and then the tags may be used as search criteria so that the scan target may only have to scan each asset with a certain tag, even if the IP address of the tag may later change.

Referring now to FIG. 11, a screen shot 1100 of rule engine auditing and rule setup is shown in accordance with an embodiment of the present disclosure. In the security management system 100, a user may apply tags to assets or the system may apply tags to assets. When the user applies a tag to an asset, the tagging logic engine 190 will not remove it. However, when the user removes a tag from an asset that the tagging logic engine 190 applied, a ban may optionally be created, preventing the tagging logic engine 190 from adding that tag back to the assets 118 in the future. The tagging logic engine 190 may log the time each time the user bans a tag that the tagging logic engine 190 wants to apply. These logs may be stored in the user database 150 and are available through the web app UI 160. A user may care about two functionalities: first, given a rule, what is the rule doing; and second, if a new rule is composed and enacted, where does the rule apply. The interface is shown in the screen shot 1100.

In the illustrated screen shot 1100, a left-hand column lists tags while a right-hand column lists rules and a history of actions. For example, when Tag 3 is selected, the rule may state “Apply to assets when the OS contains Windows.” The history of the actions may show that this rule was applied to asset 1, asset 2 and so on, but was skipped on asset n because it was banned by the user. The user may have the option of editing the rule for Tag 3 when it is selected. The tag asset rule may be edited by double-clicking on the asset, and the audit tag history may be viewed by a single left click or right click on the asset.
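The rule, ban and audit behaviour described for FIG. 11, as an added example (not code from the patent). The class and function names and the sample assets are assumptions; withdrawing a rule-applied tag once its rule stops matching is also an assumption, drawn from the dynamic re-evaluation described earlier.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


def os_contains(pattern):
    """Plug-in rule: one piece of logic shared by every OS tag, with the
    pattern as its variable."""
    return lambda attrs: pattern.lower() in attrs.get("os", "").lower()


@dataclass
class Asset:
    name: str
    attrs: dict
    tags: dict = field(default_factory=dict)  # tag name -> "user" or "rule"


class TaggingEngine:
    def __init__(self):
        self.rules = {}    # tag name -> predicate over asset attributes
        self.bans = set()  # (asset name, tag name) pairs the engine must skip
        self.audit = []    # (time, actor, action, tag name, asset name)

    def _log(self, actor, action, tag, asset):
        self.audit.append((datetime.now(timezone.utc), actor, action, tag, asset.name))

    def user_add(self, asset, tag):
        asset.tags[tag] = "user"
        self._log("user", "added", tag, asset)

    def user_remove(self, asset, tag, ban=True):
        source = asset.tags.pop(tag, None)
        if source is None:
            return
        self._log("user", "removed", tag, asset)
        if source == "rule" and ban:  # the ban is optional in the text
            self.bans.add((asset.name, tag))
            self._log("user", "banned", tag, asset)

    def evaluate(self, asset):
        """Re-run every rule against one asset, e.g. on an asset modified message."""
        for tag, rule in self.rules.items():
            if rule(asset.attrs):
                if (asset.name, tag) in self.bans:
                    self._log("system", "skipped (banned)", tag, asset)
                elif tag not in asset.tags:
                    asset.tags[tag] = "rule"
                    self._log("system", "applied", tag, asset)
            elif asset.tags.get(tag) == "rule":
                # Assumption: a rule-applied tag is withdrawn when the rule
                # stops matching. A user-applied tag is never removed here.
                del asset.tags[tag]
                self._log("system", "withdrawn", tag, asset)

    def history(self, tag):
        """Audit view for one tag: (actor, action, asset name), oldest first."""
        return [(actor, action, name)
                for _, actor, action, t, name in self.audit if t == tag]


def demo():
    engine = TaggingEngine()
    engine.rules["Windows"] = os_contains("Windows")
    # Constructed sample assets.
    assets = [Asset("asset 1", {"os": "Windows 2008"}),
              Asset("asset 2", {"os": "Windows 2000 Service Pack 3"}),
              Asset("asset n", {"os": "Windows 2000"}),
              Asset("asset 3", {"os": "Linux"})]
    for a in assets:
        engine.evaluate(a)
    engine.user_remove(assets[2], "Windows")  # user rejects the engine's tag
    engine.user_add(assets[3], "Windows")     # user tag the rule would not give
    for a in assets:
        engine.evaluate(a)                    # next scan triggers re-evaluation
    return engine, assets


if __name__ == "__main__":
    engine, _ = demo()
    for entry in engine.history("Windows"):
        print(entry)
```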

Each rule may have a dedicated interface to edit it with. Simple rules may include whether an asset is running the Windows OS. Other rules may be more complex and may include yes/no settings, drop down settings, or text fields. Each tag rule may have a different screen in the web app UI 160, and how the user chooses to configure the settings in that screen may determine how the tag functions in their particular environment. A user may create a tag rule that is based on the vulnerability tag engine. The same tag rule may be used by two different users with slightly different configurations, and therefore, may appear as different assets in each case.

Referring now to FIG. 12, a screen shot 1200 of asset details and attributes is shown in accordance with an embodiment of the present disclosure. When an asset is opened, the illustrated screen shot 1200 shows at a high level a name value pair list that may include the asset's name, OS, last scan, tags, software, among other attributes, allowing the user to access all information for a specific asset in the user database 150. In the example in screen shot 1200, the asset is Asset 17 and the user may select the Name, OS, Last Scan, Tags, Software, etc. for Asset 17. When OS is selected for Asset 17, it shows that the OS is Windows 2000 Service Pack 3. If the user selects tags, the user will then see all of the tags associated with Asset 17.

Referring now to FIG. 13, a flowchart for the process of asset discovery 1300 is shown in accordance with an embodiment of the present disclosure. Often, a user will know that they have a particular device in a certain location, but will not realize which assets they might have at the current time. Because tags are the basis for organization, some tags may be associated with a range of network addresses. The illustrated process 1300 may allow the scanner 116 to go into a discovery mode where it can scan for tag windows that relate to the network range. In response, the user may want to instruct the scanner 116 to find all of the devices that it can, but in order to do this, the management security system 100 may need to create an instruction that can be passed down hierarchically that gives the scanner 116 certain instructions.

In the illustrated process 1300, at action 1302 the management security system 100 tells the scanner 116 the known range of IP addresses at a particular location and instructs the scanner 116 to find those addresses. In the example shown, the scanner 116 may search for IP network ranges comprising *.qualys.com 10.10.3.0/16 ipv6-disco. This action may occur at the web app UI 160. At action 1304, instructions are sent to the scanner 116. This action may occur at the management security system 100 level. At action 1306, the scanner 116 may return the discovered assets 118 and basic information to be normalized by the scan logic processor 140.

For example, if a user does not realize which assets they may have, but knows they have a scanner 116 in a particular office in Redwood City, Calif., the user may instruct the scanner 116 to find every asset 118 that it can. The security management system 100 may then create an instruction in the job management server 120 via the web app UI 160 to tell the scanner 116 the known range of IP addresses in the Redwood City office and to find assets 118 within that IP range.

Discovery scans may be conducted on a regular basis to discover which assets 118 are located in the network based on IP ranges. The scanners 116 may be configured to scan all of the networks within a certain IP range on a given day each week, for example every Monday. These discovery scans may collect enough information to put the asset 118 in the user database 150 and assign it a few simple tags. The discovery scans may run in the background, scanning the user's IP space. The scans that conduct vulnerability testing, and other more complex, time-consuming scans, may be targeted at specific tags. The scanner 116 may then be instructed to look at a specific list of assets 118 that have been queried in the user database 150 for a particular tag, creating a more targeted, specific scan, which results in a more efficient scan.

Referring now back to FIG. 1, one of the advantages of the security management system 100 is that, given the very hard network boundary between the user site 115 and the security management system 100, the scanner infrastructure 116 may be able to collect the data that is required for the scanning and tagging processes. Because the information that needs to be evaluated to decide which tag should be applied rests inside the asset 118 on the user site 115, it may only be accessible by the scanner 116. Accordingly, the first step in the described embodiments is to get that information from the scanners 116 to the security management system 100 so that it can be processed by the job management server 120. Once the data is scanned, it may be tagged and organized so that it can become searchable. The scan logic processor 140 normalizes the results from job management server 120 so that the tagging logic engine 190 may interpret the data.

The interpretation phase may take this data, which may consist of many named value pairs, lists of values, and lists of numbers, and interpret that data using plug-in rules 195 to determine which tags should be applied to the assets for organizational purposes. Once the interpretation phase is complete, the next step may involve indexing by the indexing logic processor 198. The indexing logic processor 198 may provide a fast and efficient method for searching tags. The indexing logic processor 198 can quickly identify all of the assets that have a particular tag, have more than one particular tag, or have a particular tag plus additional information that was not interpreted into a tag. For example, if the user wants to search for the Windows tag, a Human Resources tag, and a name which must contain the string "S", then there are three different evaluations, all of which may be combined by the indexing logic processor 198 to return a set of asset IDs which may then be used to either generate a report or start an additional scan.

While all of the information may be scanned, it is possible that some of the data collected by the scanners 116 from the assets 118 and stored by job management server 120 in the job management database 130 may be unimportant to the tagging logic engine 190 because it is information that the user does not care to use in a particular instance. For example, the data may contain a certain set of registry keys that are irrelevant to the minimum password length required for a user to log into the asset 118 on the user site 115 and there may not be any tag rules that concern this particular value. And so, while the data may be stored both in the job management database 130 in its un-normalized form and in the user database 150 in its normalized form, in a particular embodiment this information may not be interpreted by the tagging engine 190 because no rules would be developed for those particular data points. However, the user could always create a new rule if s/he wanted, and that rule could be evaluated after the initial scan time without additional scans. Any data that is stored may be readily available to the tagging logic engine 190 without requiring additional scans, improving the efficiency of the security management system 100.

In a second embodiment, a method is provided for tagging and assignment of access levels whereby system resources, users, and applications all have tags and those tags all have the same structure. Because a given user may have any number of associated assets in a system, and because of how the user interacts at their user terminal 119 with the web app UI 160 and the remote communications network 110, access controls may be built into the system 100. The primary scope of the control may relate to access to the assets 118 themselves. More simply, one user may be responsible for a certain set of assets at the user site 115, while another user may be responsible for a different set of assets at the same user site 115. Identifying the direct user-to-asset relationship may be extremely time consuming if the user had to be related directly to all of their associated scanned assets. A level of aggregation may be required, and that aggregation ideally would be dynamic because this set of assets 118 may actually be a very dynamic environment. For example, as servers are provisioned, decommissioned, turned on or off, or perhaps re-commissioned in other roles in an organization, the asset 118 may need to be accessible and managed by several users in the application.

In order to make management somewhat automatic, the security management system 100 can use the tags assigned by the tagging logic engine 190 to provide a level of aggregation. The job of the tagging logic engine 190 may be to look in and evaluate visible rules in order to apply and/or remove tags on assets 118 as they are scanned. The tagging logic engine 190 may stay busy on a regular basis keeping these tags up-to-date.

For example, an Administrator User may use the security management system 100 to make User 1 responsible for all Windows servers by creating a relationship between User 1 and the tag Windows, and the tagging logic engine 190 may keep the tag Windows on the correct assets 118 on a regular basis. As new Windows servers appear and old servers disappear, the tagging logic engine 190 may keep the tag Windows on the correct assets 118. The security management system 100 may not need to understand anything about what it means to have access to the Windows tag; the security management system 100 may know that anything tagged with Windows may be accessible by User 1. This can be accomplished with the same intersecting powers as the reports and job targeting so that, for example, User 1 may only have access to assets tagged with Windows and Human Resources, which may reduce the scope of the assets that User 1 can modify and disconnects the requirement for the Windows tag and Human Resources tag to be managed together on a regular basis.

For example, the Windows tag may be easily applied to servers based on the operating system discovered on the server by the scanner 116. On a regular basis, and without user or administrator involvement, the Human Resources tag in this example could be applied to assets based on their IP addresses, which may be discovered by the scanner 116 and passed through the security management system 100 and finally normalized by the scan logic processor 140 and stored in the user database 150. The data may then be interpreted by tagging logic engine 190 and the user may then specify that all assets in a certain sub-net must be tagged with the Human Resources tag. When tags are automatically applied to the assets 118 via the tagging logic engine 190, it may be more predictable, reliable and less susceptible to human error because instead of allowing an administrator or a user to assign these tags, tags may be applied based on the stored rules.

The hierarchy of the tags may make it such that the scope of a user's permissions is hierarchical as well, because giving the user the scope of the Windows tag may give the user access to all Windows servers. Should the Windows tag have child tags, it would give the user access to any asset tagged with those child tags. The hierarchy, which is not necessarily always evaluated but simply exists as a data structure, can be quickly queried to determine what assets 118 may be in the scope of the Windows tag's sub-tree. By creating hierarchy, it may become easier to administrate tags that map to a business and its organization. As a result, there may be hundreds of tags that are all siblings for the various versions and types of computer operating systems (i.e., Windows 95, Windows 98, Windows 2000, etc.) and these separate tags may all be combined under one tag called Windows. The user may be granted access to all of these Windows version tags by creating only one relationship. Throughout this process, scanners 116 may be discovering and searching assets 118 for pieces of information and applying the specific Windows version tags to the assets.

Assets themselves are not the only things that can be tagged in the presently described embodiment. As the security management system 100 can be very large, there may be lots of pieces of information within it. Some examples include: vulnerability ID search lists, option profiles, credential lists, etc., which may all require a human to tag them. Using the tag relationships, the security management system 100 may operate under some specific rules wherein the user is granted access to a tag and the tag is related to the secured object. The relationship of a user to a set of tags implies that all data objects in the security management system 100 that have tags which are either in the user's set of tags, or are children of a tag in the user's set of tags, are thus within the user's scope of accessible objects.

The users coming in through user terminal 119, whether at the user site 115 or elsewhere, may use the web app UI 160 to affect the tags stored in the user database 150. This happens asynchronously from the evaluation of the tag logic to apply or remove tags to objects as scans or other system data is being modified. The web app UI 160 may also allow the user to control the rules that the tagging logic engine 190 is following so that the appropriately permissioned user can come in through the user terminal 119 using web app UI 160 and modify the rules stored in user database 150 that the tagging logic engine 190 is reading and using to apply the tags.

The logic framework for the rules of the plug-ins 195 may be written in code by programmers. The variables that the plug-in 195 reads, for example, the operating system regular expression, may specify that the operating system must match the given expression and that expression may be given by the user as a variable to the rule. That variable may be stored in the user database 150 related to that particular user so that when the user creates a particular plug-in rule 195, the user may fill in details controlling the evaluation of the rule. The user may be allowed to fill in one or more key values that complete a rule. In simpler terms, the logic may be written by programmers, while the user fills in a few words to create the functional plug-in rule 195.

In a third embodiment, a method is disclosed herein for auditing and then assigning, monitoring, reporting on, or fixing specific machine vulnerabilities based on operating system tags. Part of the data in the user database 150 that was fetched by the scanner 116 and transferred to job management server 120 may be the state of the vulnerabilities of the assets 118 in the user site 115. This may allow the security management system 100 to know if there is a particular vulnerability on each and every asset 118 that can then be used to tag and create a score that may be reported against. For example, the user may request that the system locate all of the assets that are tagged with Windows that also contain a particular vulnerability detection. A detected vulnerability, for example, may be a buffer overflow attack which we identify uniquely with a QID. The first thing that the security management system 100 may do is to take the tag and query for the assets 118 that are tagged with that particular tag ID and compare that list against the user database 150 to find all of the assets that also contain that particular vulnerability. Then, the tag and the vulnerability may create an intersection that can be returned to the user as a list of found assets.

All of the vulnerabilities that can be detected may have an ID. A particular vulnerability detection on a specific host may consist of many different pieces of information about the asset 118. Once the security management system 100 processes and stores these particular pieces of information, it can determine whether the asset is vulnerable (or potentially vulnerable) to an attack. If so, that vulnerability may be assigned an ID. A library of these possible vulnerabilities may be maintained, which may contain entries such as "Buffer overflow attack against windows file sharing service." The scanner 116 may be able to detect these IDs to determine the vulnerability state for particular assets 118. Among the many data points and elements that the scanner 116 sends back as a result of a scan, it may send a list of vulnerabilities detected. In certain instances, a user may choose to tag assets based on whether the asset 118 has, or does not have, a detected vulnerability with a specific ID.

This embodiment may create an intersection between the ID information that is already gathered and stored and the tagging information, which is new information that is gathered by the tagging logic engine 190. Instead of using the tags as an additional filtering parameter, they may be used as a grouping parameter, providing a quick count of assets in particular groups and also exhibiting certain attributes or vulnerabilities.

For example, assume that a user has a very keen interest in attaching an ID on all of their credit card processing machines or any machine involved in credit card processing. This user has created a series of plug-in rules 195 in the tagging logic engine 190 that may uniquely identify all of the assets 118 at the user site 115 that are involved in credit card processing. So the plug-in rule 195 being evaluated by the tagging logic engine 190 may visibly attach a tag called "credit card processing" on several assets 118. The user may also want to know which, if any, of all their credit card processing assets includes routers and servers and different operating systems that may have a particular set of IDs. This set of information was not previously available until the tagging logic engine 190 was introduced because predecessors could not easily and uniquely identify the credit card processing assets 118 from any of the other assets 118.

In a fourth embodiment, a method is disclosed herein for applying the tagging logic engine 190 to automatically assign tags. The tagging logic engine 190 may contain a series of plug-in rules 195 that are designed to be an ever increasing set containing two aspects: one is the basic logic that they follow, and two is the variables that are set by the user. This series of plug-in rules 195 may be written by programmers and contain a particular sentence or logic structure. For example, the user can say, "name contains [x]," or it could be something very complex like, "past vulnerabilities contain vulnerabilities of [variable 1, 2, 3, 4, 5] and assets scanned within [date range]." The sentence structure and available variables may be set by the programmer creating the plug-in 195, while the values of the variables may be modifiable by the end-user.

Once the programmers have written several rules that they think will be useful to end users, the user may then be free to take those rules and fill in the variables and use them to apply tags automatically. Several of these rules may have been pre-populated for the users. For example, operating system rules may come pre-populated. But in other cases, the tagging logic engine 190 and plug-in rules 195 may be available for the user to use. For example, the user may say, "I would like to make a new tag based on an IP address rule, and I want to assign the tag HR asset to anything in the 10.10.10/255 network." The programmers may have written a rule that lets the user do the network check against an IP address so that the user only has to fill in the IP address of 10.10.10/255. The tagging logic engine 190 may be evaluating IP addresses and applying the HR asset tag to the assets automatically all the time in the background.
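The split between programmer-written rule logic and user-supplied variables can be sketched as follows. This is an added example, not code from the patent or from any product: the template names, the rule tuples and the sample asset are hypothetical, and the network is written as the constructed CIDR 10.10.10.0/24 because the shorthand in the text is not parseable as a network. Because the variables are user input, each one is validated once when the rule is built rather than at every evaluation.

```python
import ipaddress
import re


# Programmer-written rule logic. Each factory takes the one variable the
# end user fills in and returns a predicate over a single asset record.
def os_regex_rule(pattern):
    compiled = re.compile(pattern, re.IGNORECASE)  # re.error on a bad pattern
    return lambda asset: bool(compiled.search(asset.get("os", "")))


def ip_network_rule(cidr):
    network = ipaddress.ip_network(cidr, strict=True)  # ValueError on bad input

    def matches(asset):
        try:
            return ipaddress.ip_address(asset.get("ip", "")) in network
        except ValueError:  # asset has no usable address (e.g. a department)
            return False

    return matches


def name_contains_rule(text):
    return lambda asset: text.lower() in asset.get("name", "").lower()


# Hypothetical template names; the user picks one and supplies the variable.
RULE_TEMPLATES = {
    "os_regex": os_regex_rule,
    "ip_network": ip_network_rule,
    "name_contains": name_contains_rule,
}


def build_rules(user_rules):
    """Validate user-supplied variables; return (usable rules, rejected rules)."""
    built, rejected = [], []
    for tag, template, variable in user_rules:
        factory = RULE_TEMPLATES.get(template)
        if factory is None:
            rejected.append((tag, "unknown rule template"))
            continue
        try:
            built.append((tag, factory(variable)))
        except (re.error, ValueError) as exc:
            rejected.append((tag, str(exc)))
    return built, rejected


def evaluate_asset(asset, rules, manual_tags=()):
    """Tags for one asset, computed only from that asset's stored attributes.

    Recomputing the whole set on every pass both applies and removes
    rule-based tags; manually assigned tags are carried through unchanged.
    """
    automatic = {tag for tag, predicate in rules if predicate(asset)}
    return automatic | set(manual_tags)


# Constructed sample data for illustration.
USER_RULES = [
    ("Windows", "os_regex", r"^Windows"),
    ("HR asset", "ip_network", "10.10.10.0/24"),
    ("HR asset (as typed)", "ip_network", "10.10.10/255"),  # rejected
    ("Bad OS rule", "os_regex", "Windows ("),               # rejected
]
ASSET_17 = {"name": "Asset 17", "os": "Windows 2000 Service Pack 3",
            "ip": "10.10.10.42"}

if __name__ == "__main__":
    rules, rejected = build_rules(USER_RULES)
    print(sorted(evaluate_asset(ASSET_17, rules)))
    print(sorted(evaluate_asset(dict(ASSET_17, ip="10.10.20.5"), rules)))
    print([tag for tag, _ in rejected])
```

Since `evaluate_asset` reads only the stored attributes of one asset, a rule added after a scan can be evaluated without rescanning, and assets can be processed independently of each other.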

For things that cannot be easily determined programmatically by the computers, a user may assign tags to assets manually. For example, a particular asset 118 that recently had a hard drive replacement or recent hardware change is something that a human would tag because it may be difficult to write a tagging rule 195 to determine those events. There may be several use cases for the idea that IT administrators should tag assets that they are working on so those assets can be more closely scrutinized over the next couple of months to assure that the changes made to those assets did not incur additional vulnerabilities. This may be a case where an IT administrator would use their user terminal 119 and web app UI 160 to manually apply the tag "recently modified" to the assets that they worked on that week. The scans that may already be run on a regular weekly basis can be targeted at all assets tagged "recently modified" so that those assets can be more closely scrutinized at a later time.

In a fifth embodiment, a method is disclosed herein for the meshing and merging of tag hierarchies applied to report generation. As discussed earlier, the data structure behind the tags may be hierarchical such that one tag has a parent and a parent tag can have multiple children. This is a single-parent hierarchy, creating basically a tree.

Because of this tree hierarchy and the idea that users are allowed to map intersections, there also needs to be a tree hierarchical intersection. For example, if the user would like to run a report on all assets tagged with both Windows and HR, this would require a tree intersection because when evaluating several child tags and an entire hierarchy below them, there could be a lot of different tags underneath the HR tag. By being hierarchical, the security management system 100 may give the user the ability to create the situation where the security management system 100 may map an intersection between the two tags in order to accurately determine what assets would be in scope if the user chose to run a report against the Windows tag plus the HR tag. This may be done by saying, first expand all the Windows children, then expand all the HR children. Given these two sets of tags, with the user wanting to find all assets that contain at least one tag from set A and at least one tag from set B, an intersection can be computed. Once the system evaluates and locates the assets tagged with these tags, it may enable reports to be made against small subsets of the enterprise's assets 118.

Some pre-computed intersections may be stored for the purpose of applying security in a timely fashion. For example, in the case of the security aspect, if one user comes into user terminal 119 to use the web app UI 160, the web app UI 160 may need to be very responsive. As a result, in cases where assets have to be listed out or shown, the query may need to respond in a very short amount of time. Evaluating this tree intersection is something that may be computationally intensive, so the security management system 100 may pre-compute these intersections so they may be quickly accessed at a later time. One of the pre-computed intersections may be related to security, if, for example, an administrator had previously configured a particular user to be allowed access to all assets tagged with both Windows and HR tags. That intersection may be pre-computed so that the security subsystem may compute and store this set of values on a regular basis. When the user accesses the web app UI 160, a pre-computed intersection of all of the asset IDs that the user could have access to already exists in the user database 150 and may be easily accessible. This may create yet another set of tables that may be updated by triggers within the user database 150 that may be watching for changes to the tag relationships in order to modify the pre-computed intersections as quickly as possible.
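The tree intersection of the fifth embodiment and the pre-computed access scope described above can be worked through in a few dozen lines. This is an added example, not code from the patent: the class and function names, the user names, the "HR Denver" child tag and the sample assets are all hypothetical. It assumes a user with no tag relationship gets an empty scope, so the access check denies by default.

```python
from collections import defaultdict


class TagTree:
    """Single-parent tag hierarchy: each tag has at most one parent."""

    def __init__(self):
        self.parent = {}
        self.children = defaultdict(set)

    def add(self, tag, parent=None):
        if tag in self.parent:
            raise ValueError(f"tag {tag!r} already exists (single parent only)")
        if parent is not None and parent not in self.parent:
            raise KeyError(f"unknown parent tag {parent!r}")
        # A parent must exist before its child, so no cycle can be formed.
        self.parent[tag] = parent
        if parent is not None:
            self.children[parent].add(tag)

    def expand(self, tag):
        """Return the tag plus every tag in its sub-tree."""
        if tag not in self.parent:
            return set()
        seen, stack = set(), [tag]
        while stack:
            current = stack.pop()
            if current not in seen:
                seen.add(current)
                stack.extend(self.children.get(current, ()))
        return seen


def assets_in_scope(tree, asset_tags, required_tags):
    """Assets holding at least one tag from EVERY expanded sub-tree."""
    if not required_tags:
        return set()  # no relationship configured: nothing is in scope
    expanded = [tree.expand(tag) for tag in required_tags]
    return {asset for asset, tags in asset_tags.items()
            if all(tags & subtree for subtree in expanded)}


def precompute_scopes(tree, asset_tags, grants):
    """Store each user's asset-ID set so the UI check is a set lookup.

    Must be re-run whenever the tree, the asset tags or the grants change,
    the job the text assigns to database triggers.
    """
    return {user: frozenset(assets_in_scope(tree, asset_tags, tags))
            for user, tags in grants.items()}


def can_access(scopes, user, asset_id):
    return asset_id in scopes.get(user, frozenset())


def build_sample():
    """Constructed sample data for illustration."""
    tree = TagTree()
    tree.add("Windows")
    for version in ("Windows 95", "Windows 98", "Windows 2000"):
        tree.add(version, parent="Windows")
    tree.add("HR")
    tree.add("HR Denver", parent="HR")
    tree.add("Linux")
    asset_tags = {
        "asset-1": {"Windows 2000", "HR Denver"},
        "asset-2": {"Windows 98"},
        "asset-3": {"Linux", "HR"},
        "asset-4": {"Windows", "HR"},
    }
    grants = {"user1": ["Windows", "HR"], "user2": ["Windows"], "user3": []}
    return tree, asset_tags, grants


if __name__ == "__main__":
    tree, asset_tags, grants = build_sample()
    scopes = precompute_scopes(tree, asset_tags, grants)
    for user in sorted(scopes):
        print(user, sorted(scopes[user]))
```

A stale pre-computed scope keeps granting access after a tag has been removed, so the refresh path matters as much as the lookup.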

This may be basically the same premise as in the third embodiment discussed above, where a user may use all of the tag aggregations to target a scan for particular vulnerabilities. For example, in the recently scanned machines example that was discussed above, the user may want to use all the output of the tagging logic engine 190 that is stored in the user database 150 to create a list of targets to send to the job management server 120 to scan, because when the scanners 116 are scanning the assets 118 in the user site 115, they may be given a list of targets to scan. The scanners 116 may not have to target every asset 118 that they encounter, which may allow the security management system 100 to create a target list based on the scan output from a previous scan that was interpreted by the tagging logic engine 190. On the other hand, if the targets were not previously interpreted by the tagging logic engine 190, there may not be an option to limit the scan targets by tags, and the scanners 116 may have to target every asset 118. Once a scan is completed and some information is discovered about the assets 118, that information may be used to then determine what to scan in the future, and this process may keep repeating itself.

In a sixth embodiment, a method is disclosed herein for coalescing technical and nontechnical assets 118 into a single hierarchy. In this embodiment, users and departments may be manually configured in the user database 150 so that intersections can be run between those, allowing for reports based on particular users and departments. Particular users may have security access based on the idea that all of the tags may have the same hierarchical structure for both technical and nontechnical assets 118 that are stored in the table along with all the other technical assets 118. So in the user database 150 there may be one table that is called Assets and this table may contain both technical and nontechnical assets 118 so that a department may be a row just like a server may be a row. This means that the nontechnical assets may get all of the same tagging powers and abilities as the technical assets. While it is probably not relevant to say that a department has an IP address, it is relevant to say a department has an attribute like what city it is in. Because of this, a user may create a tag rule that says if the attribute city contains the string Denver, then tag this asset with Colorado, for example. The same dynamic tagging powers can be used against nontechnical assets 118 by reading different attributes. These attributes may be set almost entirely through the user terminal 119 and the web app UI 160, as opposed to the technical assets, which get most of their attributes through data scans, through the scanners 116, and through the job management server 120 structure.

There are some attributes of an asset 118 that could be set manually on the nontechnical assets 118, whereas that same attribute could be set automatically from the information that the scanners bring back from technical assets 118. For example, if the tagging logic engine 190 is trying to tag things that are in Colorado, it can do that by IP address for the technical assets 118, but it can do it simply by the city name for the nontechnical assets 118.

An aspect of each of the embodiments discussed above is the scalability that comes from processing in parallel as opposed to processing in a serial way. The basic theory is to break up the functions so that they can be processed in mass and in parallel; asynchronicity is a part of the concept, as is the scalability that comes from dividing up the workload amongst different operating elements, perhaps operating on different servers. The tag evaluation engine may need to be able to work on each asset, be it a technical asset like a machine, or a non-technical asset like a department, without knowledge of the other assets in the system, or with limited knowledge of a small subset of the other assets, in order to be horizontally scalable.

While various embodiments in accordance with the disclosed principles have been described above, it should be understood that they have been presented by way of example only, and are not limiting. Thus, the breadth and scope of the invention(s) should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the claims and their equivalents issuing from this disclosure. Furthermore, the above advantages and features are provided in described embodiments, but shall not limit the application of such issued claims to processes and structures accomplishing any or all of the above advantages.

For example, as referred to herein, a machine may be a virtual machine, computer, node, instance, host, or machine in a networked computing environment. Also as referred to herein, a networked computing environment is a collection of machines connected by communication channels that facilitate communications between machines and allow for machines to share resources. Also as referred to herein, a server is a machine deployed to execute a program operating as a socket listener and may include software instances.

Resources may encompass any types of resources for running instances including hardware (such as servers, clients, mainframe computers, networks, network storage, data sources, memory, central processing unit time, scientific instruments, and other computing devices), as well as software, software licenses, available network services, and other non-hardware resources, or a combination thereof.

A networked computing environment may include, but is not limited to, computing grid systems, distributed computing environments, cloud computing environment, etc. Such networked computing environments include hardware and software infrastructures configured to form a virtual organization comprised of multiple resources which may be in geographically disperse locations.

While HTTP communication protocols may be described herein, the coverage of the present application and any patents issuing therefrom may extend to other local-area network, wide-area network, or other network operating using other communications protocols.

Services and applications are described in this application using those alternative terms. Services can be Java services or other instances of operating code. A service/application is a program running on a machine or a cluster of machines in a networked computing environment. Services may be transportable and may be run on multiple machines and/or migrated from one machine to another.

Various terms used herein have special meanings within the present technical field. Whether a particular term should be construed as such a term of art depends on the context in which that term is used. "Connected to," "in communication with," or other similar terms should generally be construed broadly to include situations both where communications and connections are direct between referenced elements or through one or more intermediaries between the referenced elements, including through the Internet or some other communicating network. "Network," "system," "environment," and other similar terms generally refer to networked computing systems that embody one or more aspects of the present disclosure. These and other terms are to be construed in light of the context in which they are used in the present disclosure and as those terms would be understood by one of ordinary skill in the art in the disclosed context. The above definitions are not exclusive of other meanings that might be imparted to those terms based on the disclosed context.

Words of comparison, measurement, and timing such as "at the time," "equivalent," "during," "complete," and the like should be understood to mean "substantially at the time," "substantially equivalent," "substantially during," "substantially complete," etc., where "substantially" means that such comparisons, measurements, and timings are practicable to accomplish the implicitly or expressly stated desired result.

Additionally, the section headings herein are provided for consistency with the suggestions under 37 C.F.R. 1.77 or otherwise to provide organizational cues. These headings shall not limit or characterize the invention(s) set out in any claims that may issue from this disclosure. Specifically and by way of example, although the headings refer to a "Technical Field," such claims should not be limited by the language chosen under this heading to describe the so-called technical field. Further, a description of a technology in the "Background" is not to be construed as an admission that technology is prior art to any invention(s) in this disclosure. Neither is the "Summary" to be considered as a characterization of the invention(s) set forth in issued claims. Furthermore, any reference in this disclosure to "invention" in the singular should not be used to argue that there is only a single point of novelty in this disclosure. Multiple inventions may be set forth according to the limitations of the multiple claims issuing from this disclosure, and such claims accordingly define the invention(s), and their equivalents, that are protected thereby. In all instances, the scope of such claims shall be considered on their own merits in light of this disclosure, but should not be constrained by the headings herein.