WO2020159550A1 - Corrective actions based on comparisons of changes to computer systems - Google Patents

Corrective actions based on comparisons of changes to computer systems

Info

Publication number
WO2020159550A1
Authority
WO
WIPO (PCT)
Prior art keywords
computer system
remote computer
application
telemetry data
corrective action
Application number
PCT/US2019/016411
Other languages
French (fr)
Inventor
Alexandre Da Silva QUADRA
Rafael Dal ZOTTO
Original Assignee
Hewlett-Packard Development Company, L.P.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Definitions

  • Companies may provide computer systems to employees to use in performing work for the company.
  • The company may monitor the computer systems and their use by the employees.
  • FIG. 1 shows a computer system with identification instructions, comparison instructions, and corrective action instructions in accordance with various examples
  • FIG. 2 shows a first computer system and a second computer system coupled via a network in accordance with various examples
  • FIG. 3 shows a method of causing a corrective action to be performed based on comparisons of a change related to applications installed on a remote computer system in accordance with various examples
  • FIG. 4 shows a method of causing a corrective action to be performed based on a comparison of a device modification to a remote computer system in accordance with various examples
  • Fig. 5 shows a method of causing a corrective action to be performed based on a determination of an unauthorized change to a remote computer system in accordance with various examples.
  • Policies may be in place regarding modification of company computer systems by employees.
  • The policies may cover modification of applications installed on the computer system and electronic devices coupled to or installed on the computer system.
  • Written policies may be insufficient to ensure compliance by employees.
  • The company may monitor the computer system for changes, such as the applications installed on the computer system and electronic devices coupled to or installed on the computer system.
  • The changes may be compared against lists of applications or electronic devices that are mandatory, allowed, or disallowed. Corrective actions may be taken based on the comparisons of the changes with the lists. Such corrective actions may allow a fleet management system to ensure that computer systems include the mandatory applications and electronic devices to perform their function, while identifying and correcting the installation of applications and electronic devices which are unauthorized.
  • Fig. 1 shows a computer system 100 with identification instructions 123, comparison instructions 126, and corrective action instructions 129 in accordance with various examples.
  • Computer system 100 includes a processor 110 and storage 120.
  • Storage 120 stores the identification instructions 123, comparison instructions 126, and corrective action instructions 129.
  • The identification instructions 123, comparison instructions 126, and corrective action instructions 129 may be instructions associated with performing the methods disclosed herein, such as the methods discussed in connection with other figures herein.
  • The identification instructions 123, comparison instructions 126, and corrective action instructions 129 may be executed by the processor 110.
  • The processor 110 may be coupled to the storage 120, such as via a bus.
  • The processor 110 may comprise a microprocessor, a microcomputer, a microcontroller, a field programmable gate array (FPGA), or discrete logic.
  • The storage 120 may be a computer-readable medium and may include a hard drive, solid state drive (SSD), flash memory, electrically erasable programmable read only memory (EEPROM), or random access memory (RAM).
  • Fig. 2 shows a first computer system 200 and a second computer system 250 coupled via a network 240 in accordance with various examples.
  • The first computer system 200 includes a first processor 210, a first storage 220, and a first network interface connector 230.
  • The first processor 210, first storage 220, and first network interface connector 230 may be coupled together, such as via a bus.
  • The second computer system 250 includes a second processor 260, a second storage 270, a second network interface connector 280, and an electronic device 290.
  • The second processor 260, second storage 270, second network interface connector 280, and electronic device 290 may be coupled together, such as via a bus.
  • The first network interface connector 230 may couple the first computer system 200 to the second computer system 250 via the second network interface connector 280.
  • The connection may be via the network 240.
  • The network 240 may include a wired connection, such as an Ethernet cable or Universal Serial Bus (USB), or a wireless connection, such as WiFi.
  • The connection may be via the Internet.
  • The second storage 270 may include an application 275.
  • The application 275 may be installed on the second computer system 250.
  • The electronic device 290 may be an external device coupled to the second computer system 250, such as via USB.
  • The second computer system 250 may gather telemetry data regarding applications installed on the second computer system 250, such as the application 275.
  • The second computer system 250 may gather telemetry data regarding electronic devices installed on or coupled to the second computer system 250, such as the electronic device 290, second storage 270, second processor 260, second network interface connector 280, peripherals coupled to the second computer system 250, and so forth.
  • The telemetry data may be sent to the first computer system 200 via the network 240.
  • The identification instructions 223 may cause the first processor 210 to operate on the telemetry data to identify changes in the second computer system 250, such as the installation or uninstallation of the application 275, or the installation or removal of the electronic device 290.
  • The comparison instructions 226 may cause the first processor 210 to compare the identified changes with lists regarding the authorized configuration of the second computer system 250.
  • The lists may include a list of mandatory applications or mandatory electronic devices.
  • The lists may include a list of blacklisted applications or blacklisted electronic devices.
  • The lists may include a list of approved applications or approved electronic devices.
  • The lists may include a changelist of applications or electronic devices which are scheduled to be modified on the second computer system 250. For example, a changelist may indicate that the second storage 270 is to be replaced with a new storage.
  • The telemetry data may include data regarding applications or electronic devices installed temporarily on the second computer system 250. For example, if the telemetry data is sent once per day, an application or electronic device that is installed and then uninstalled within the same reporting time period may still be tracked and reported in the telemetry data. This may prevent users from circumventing the fleet management system.
  • The telemetry data may include a set of changes to applications and electronic devices of the second computer system 250 rather than a list of all applications and electronic devices of the second computer system 250.
  • The identification instructions 223 may include identifying the changes included in the telemetry data. Sending only the set of changes since the last set of telemetry data may reduce network congestion or data overload for processing by the fleet management system.
  • A list of mandatory applications or mandatory electronic devices may be called a mandatory list, a mandatory application list, or a mandatory electronic devices list.
  • The list may be specific to the second computer system 250, specific to a group of computer systems in a fleet of computer systems, or mandatory across the fleet of computer systems.
  • The mandatory application list may include a list of applications that are mandatory for the second computer system 250.
  • The mandatory application list may identify the application via an application identifier.
  • The application identifier may include a name of the application, a version of the application, or a unique numeric or alpha-numeric identification of the application.
  • The mandatory electronic device list may include a list of electronic devices that are mandatory for the second computer system 250.
  • The mandatory electronic device list may include an identifier of electronic devices.
  • The identifier may include a class of devices, such as a second network interface connector 280.
  • The identifier may include a particular manufacturer and model identification.
  • The identifier may include a device identifier to uniquely identify a specific electronic device.
  • The changes may be compared against a blacklist of applications or electronic devices.
  • The blacklist indicates applications or electronic devices that are not to be installed on the second computer system 250.
  • The blacklist may be specific to the second computer system 250, specific to a group of computer systems in a fleet of computer systems, or mandatory across the fleet of computer systems.
  • The blacklist may include applications that affect security, such as malware or a virus.
  • The blacklist may include applications that affect productivity of the employee or use of resources of the second computer system 250 or network 240, such as a game or file sharing program.
  • The blacklist may include applications that cause stability issues, such as a particular version of a word processing program that is incompatible with a document management system.
  • The blacklist may include electronic devices that affect security, such as a removable storage device that may be used to copy confidential data.
  • The blacklist may include electronic devices that affect productivity of the employee or performance of the second computer system 250 or network, such as a graphics processing unit (GPU) or headphones.
  • The blacklist may include applications or electronic devices for various other reasons.
  • An application blacklist includes a blacklist of applications.
  • Enforcement of the blacklist and mandatory list may be performed, with any other applications or electronic devices being allowed for installation.
  • An allowed list or approved list of applications or electronic devices may be used. Such applications or electronic devices may be allowed to be installed on the second computer system 250.
  • An approved list may be used in place of a blacklist. In such cases, any application or electronic device not on the mandatory list or the approved list may be treated as unauthorized, as if it appeared on a blacklist.
  • An approved list may be used in conjunction with a blacklist. Any application or electronic device that is not on the mandatory list, approved list, or blacklist may be flagged for attention by a systems administrator.
  • The systems administrator may investigate further and determine if the application or electronic device should be added to the blacklist or the approved list. This may allow users to install the applications and electronic devices, with the systems administrator verifying after-the-fact whether the application or electronic device may continue being used.
  • A changelist may be used.
  • A changelist may include changes that are to be performed to the second computer system 250, such as automated updates, installation, or uninstallation of applications.
  • The changelist may include changes to electronic devices that have been authorized, such as the replacement of the second storage 270.
  • The authorized change may be part of a corrective action request caused by the corrective action instructions 229.
  • The authorized change may be part of preventative or scheduled maintenance of the second computer system 250.
  • The corrective action may include uninstallation of the unauthorized application or unauthorized electronic device.
  • The corrective action may include execution of an anti-virus or anti-malware application.
  • The corrective action may include locking the second computer system 250 or locking a specific user or group of users out of the second computer system 250.
  • The corrective action may include scheduling an appointment for service by a technician.
  • The corrective action may include sending a warning, such as by a pop-up, an e-mail, or a text message via a mobile phone.
  • The warning may be sent to a user of the second computer system 250 indicating that the change is unauthorized, and instructing the user to revert the change.
  • The corrective action may include disabling execution of the application or disabling the electronic device.
  • The corrective action may include disabling execution of a different application or disabling another electronic device on the second computer system 250, such as disabling the second network interface connector 280 to prevent network communications by the second computer system 250.
  • Implementation of this disclosure by a fleet management system may assist in correcting unintentional issues or intentionally harmful actions by users.
  • A user may copy confidential data to the second storage 270 and remove the second storage 270 to take it home and make a copy.
  • The second computer system 250 may collect telemetry data indicating the second storage 270 was removed and report the data to the first computer system 200, even if the second storage 270 is replaced shortly thereafter.
  • The fleet management system may alert a systems administrator or security professionals to the potential data breach for further investigation.
  • The fleet management system may instruct a surveillance system to save video footage or other data for the building where the potential breach occurred, to prevent overwriting the video footage or other data.
  • The user of the second computer system 250 may be locked out of a corporate network or the second computer system 250 to prevent additional data breaches. Action may be taken if a removable storage device is detected as being used with the second computer system 250.
  • A user may install a gaming application on the second computer system 250 in violation of corporate policy.
  • A corrective action may include uninstalling the gaming application or sending a message to the user's manager.
  • A virus may be installed on the second computer system 250.
  • The virus may be on an application blacklist.
  • The corrective action may include disabling the second network interface connector 280 of the second computer system 250 to minimize spread of the virus.
  • The corrective action may include executing a virus scan and cleaning of the second computer system 250 or scheduling an appointment for a restore of the second storage 270 to a known good state.
  • A user may have access to multiple computer systems.
  • The user may swap electronic devices, such as RAM, between the computer systems.
  • The fleet management system may identify the changes.
  • The corrective action may include tracking the changes to keep track of where the memory components currently are.
  • The corrective action may include requisitioning more memory for the computer systems.
  • The corrective action may include messaging the user to return the memory components to the original computer systems.
  • Fig. 3 shows a method 300 of causing a corrective action to be performed based on comparisons of a change related to applications installed on a remote computer system in accordance with various examples.
  • The method 300 includes identifying a change related to applications installed on a remote computer system based on telemetry data from the remote computer system (310).
  • The method 300 includes comparing the change against an application blacklist and against a mandatory application list (320).
  • The method 300 includes causing the remote computer system to perform a corrective action based on the comparisons (330).
  • The remote computer system may include any computer system other than the computer system executing the method 300.
  • The remote computer system may be accessible across a network.
  • The remote computer system may be physically remote, such as in another city, or it may be physically located next to the computer executing method 300.
  • The remote computer system may be a server, a laptop or desktop computer, a tablet, a cell phone, an internet of things device, or other computer system.
  • The blacklist or mandatory application list may include specific versions of applications. For example, a version of an application may be on the blacklist, as it may be incompatible with other applications or systems or may cause a security issue. Other versions of the application may be allowed.
  • The mandatory application list may list a specific version to be installed.
  • The application blacklist and mandatory application list may include a checksum to use in the comparison.
  • The checksum may be used to detect an inconsistency with other application identifiers, such as may be caused by corruption of the application.
  • A checksum may be created by a checksum function.
  • The checksum function may perform a bitwise operation across the application to produce an identifier.
  • The checksum function may include a parity check, a cyclic redundancy check (CRC), or other checksum functions.
  • A checksum may be of various sizes, depending on the application and the checksum function used.
  • A developer may provide a checksum and checksum function to use with the developer's application.
  • The remote computer system may apply a particular checksum function to applications installed on the remote computer system.
  • The particular checksum function may be specified by the fleet management system.
  • The fleet management system may specify that particular checksum functions be used with particular applications or versions of applications.
  • The remote computer system may provide the checksum and an association with the corresponding application to the fleet management system.
  • The fleet management system may compare the checksum from the remote computer system with an expected checksum. Any difference may be flagged as a change of the corresponding application on the remote computer system.
  • The change may indicate the application has been corrupted, such as by a virus or a storage error.
  • A corrective action may include uninstalling and reinstalling the application.
  • A user login for the remote computer system may be deactivated. This may prevent a specific user from logging in, prevent a class of users from logging in, or prevent any user from logging in.
  • The remote computer system may still initialize and perform other functions, such as automated operations.
  • The remote computer system may be reimaged to use a known good image of a storage device.
  • The remote computer system may perform an uninstallation of unauthorized applications, virus or malware checks, or system checks while the user login is deactivated.
  • A systems administrator may remotely connect with the remote computer system and diagnose or correct any issues while the user login is deactivated.
  • The user login of the remote computer system may be reactivated once corrective actions are performed.
  • An issue may be detected with an application and with an electronic device of the remote computer system.
  • The telemetry data may identify a different unique identifier of a storage device than was present in the previous report, as well as a new device driver for the storage device. This may indicate that the storage device was replaced.
  • The replacement may have been part of scheduled maintenance, such as due to anticipated storage failure, or it may have been an unauthorized replacement.
  • The change in the unique identifier may be compared against a changelist corresponding to the remote computer system.
  • The changelist may include information that the storage was scheduled for replacement.
  • The changelist may include a device identifier of the old storage device and a device identifier of the new storage device.
  • Various corrective actions may take place. If the device identifier of the new storage device matches a device identifier in the changelist, no action may be taken. If no change in storage was scheduled, a warning of a potential data breach may be sent to security personnel and the second computer system may be locked out. If a change to the storage was indicated in the changelist, but no change to the applications, it may suggest that an incorrect storage device was installed. Installation of an incorrect storage device may also be detected by use of a device identifier corresponding to the storage device. A corrective action may include scheduling an appointment for a technician to inspect the remote computer system.
  • Fig. 4 shows a method 400 of causing a corrective action to be performed based on a comparison of a device modification to a remote computer system in accordance with various examples.
  • Method 400 includes identifying a device modification to a remote computer system based on telemetry data from the remote computer system (410).
  • Method 400 includes comparing the device modification against a list of authorized devices for the remote computer system (420).
  • Method 400 includes causing the remote computer system to perform a corrective action based on the comparison (430).
  • Fig. 5 shows a method 500 of causing a corrective action to be performed based on a determination of an unauthorized change to a remote computer system in accordance with various examples.
  • Method 500 includes analyzing telemetry data from a remote computer system to identify a change to the remote computer system (510).
  • Method 500 includes determining that the change is an unauthorized change to the remote computer system (520).
  • Method 500 includes causing the remote computer system to perform a corrective action in response to the determination (530).
  • The change may be determined to be an unauthorized change by comparing the changes against a blacklist, mandatory list, authorized list, or changelist.
  • A device identifier is an identifier used to identify the device.
  • The device identifier may uniquely identify that specific device.
  • The device identifier may identify the manufacturer and model number.
  • An application identifier may identify an application.
  • The application identifier may be a collection of metadata for the application and may include an indication of the name of the application, the version of the application, and a checksum of the application.
  • The telemetry data may include a list of application identifiers for applications installed on the remote computer system. If an application is present in an earlier set of telemetry data but absent from a later set of telemetry data, it may indicate the application has been uninstalled. If the application identifier is included in a mandatory application list, a corrective action may be performed that includes installation of the application on the remote computer system.
  • The telemetry data may include a device identifier in a later telemetry data that was not present in an earlier telemetry data. This may indicate that an electronic device was installed on the remote computer system. If the device identifier is not on a list of authorized devices for the remote computer system, the corrective action may include causing the removal of the corresponding device from the remote computer system.
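The storage-replacement scenario at the end of the Definitions section and the device-identifier checks of methods 400 and 500, as an added example that is not code from the patent or from HP. `evaluate_storage_replacement` applies the four outcomes listed there: an unchanged identifier needs nothing; a changed identifier with no scheduled replacement raises a breach alert, locks the host and asks for surveillance footage to be retained; a scheduled replacement whose new identifier matches the changelist needs no action; and a scheduled replacement with a different identifier (or with no accompanying application change, which the text reads as a sign of a wrong drive) gets a technician visit. `evaluate_device_event` covers the plainer install/remove case against an authorized-device list, a mandatory-device list and a blacklisted device class. Host names, identifiers, the changelist layout and the action strings are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceId:
    """Device identifier from telemetry (constructed shape): device class plus a unique id."""
    cls: str           # e.g. "storage", "nic", "usb-storage"
    unique: str        # serial number or manufacturer/model/serial string


# Constructed changelist: per host, the storage replacements that were authorized,
# each carrying the identifier of the old device and of the approved new device.
CHANGELIST = {
    "host-0017": [
        {"old": DeviceId("storage", "SSD-SN-1111"), "new": DeviceId("storage", "SSD-SN-2222")},
    ],
}

# Constructed per-host device lists.
AUTHORIZED_DEVICES = {
    "host-0017": {DeviceId("storage", "SSD-SN-1111"), DeviceId("nic", "vendor:1234 model:5678")},
}
MANDATORY_DEVICES = {
    "host-0017": {DeviceId("nic", "vendor:1234 model:5678")},
}
BLACKLISTED_CLASSES = {"usb-storage"}     # removable storage: data-exfiltration risk


def evaluate_storage_replacement(host, previous, reported, apps_changed):
    """Corrective actions when the storage identifier in the latest telemetry differs
    from the one in the previous report. apps_changed says whether the same telemetry
    also reported application changes (a real re-imaged drive normally does)."""
    if previous == reported:
        return []
    scheduled = [c for c in CHANGELIST.get(host, []) if c["old"] == previous]
    if not scheduled:
        # nobody scheduled this swap: treat as a potential data breach
        return [
            "alert security: potential data breach, unscheduled storage replacement",
            "lock host and user logins",
            "ask surveillance system to retain footage for the building",
        ]
    if any(c["new"] == reported for c in scheduled):
        return []                       # exactly the replacement that was scheduled
    reasons = ["new device identifier not in changelist"]
    if not apps_changed:
        reasons.append("no application change reported alongside the storage swap")
    return ["schedule technician inspection: " + "; ".join(reasons)]


def evaluate_device_event(host, event, device):
    """Install or removal of any electronic device, checked against the blacklisted
    classes, the authorized list and the mandatory list for that host."""
    if event == "installed":
        if device.cls in BLACKLISTED_CLASSES:
            return [f"alert security: {device.cls} {device.unique} attached",
                    f"disable device {device.unique}"]
        if device not in AUTHORIZED_DEVICES.get(host, set()):
            return [f"remove unauthorized device {device.cls} {device.unique}"]
        return []
    if event == "removed" and device in MANDATORY_DEVICES.get(host, set()):
        return [f"track {device.cls} {device.unique} and message user to restore it"]
    return []


if __name__ == "__main__":
    old, new, other = (DeviceId("storage", "SSD-SN-1111"),
                       DeviceId("storage", "SSD-SN-2222"),
                       DeviceId("storage", "SSD-SN-9999"))
    print(evaluate_storage_replacement("host-0017", old, new, True) or ["no action"])
    print(evaluate_storage_replacement("host-0017", old, other, False))
    print(evaluate_storage_replacement("host-0042", old, new, True))
    print(evaluate_device_event("host-0017", "installed", DeviceId("usb-storage", "serial:ABC123")))
```

Note that the identifier comparison only works if the endpoint reports a stable unique identifier (serial number) rather than the device class alone: two drives of the same model are indistinguishable by class, which is exactly the case the changelist check is meant to catch.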

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

A computer-readable medium is provided to store machine-readable instructions. When executed, the instructions may cause a processor to identify a change related to applications installed on a remote computer system. The changes may be compared against application lists. Corrective actions may be performed based on the comparisons.

Description

CORRECTIVE ACTIONS BASED ON
COMPARISONS OF CHANGES TO COMPUTER SYSTEMS
BACKGROUND
[0001] Companies may provide computer systems to employees to use in performing work for the company. The company may monitor the computer systems and their use by the employees.
BRIEF DESCRIPTION OF THE DRAWINGS
[0002] Various examples will be described below referring to the following figures:
[0003] Fig. 1 shows a computer system with identification instructions, comparison instructions, and corrective action instructions in accordance with various examples;
[0004] Fig. 2 shows a first computer system and a second computer system coupled via a network in accordance with various examples;
[0005] Fig. 3 shows a method of causing a corrective action to be performed based on comparisons of a change related to applications installed on a remote computer system in accordance with various examples;
[0006] Fig. 4 shows a method of causing a corrective action to be performed based on a comparison of a device modification to a remote computer system in accordance with various examples; and
[0007] Fig. 5 shows a method of causing a corrective action to be performed based on a determination of an unauthorized change to a remote computer system in accordance with various examples.
DETAILED DESCRIPTION
[0008] Companies may have policies in place regarding modification of company computer systems by employees. The policies may cover modification of applications installed on the computer system and electronic devices coupled to or installed on the computer system. Written policies may be insufficient to ensure compliance by employees.
[0009] The company may monitor the computer system for changes, such as the applications installed on the computer system and electronic devices coupled to or installed on the computer system. The changes may be compared against lists of applications or electronic devices that are mandatory, allowed, or disallowed. Corrective actions may be taken based on the comparisons of the changes with the lists. Such corrective actions may allow a fleet management system to ensure that computer systems include the mandatory applications and electronic devices to perform their function, while identifying and correcting the installation of applications and electronic devices which are unauthorized.
[0010] Fig. 1 shows a computer system 100 with identification instructions 123, comparison instructions 126, and corrective action instructions 129 in accordance with various examples. Computer system 100 includes a processor 110 and storage 120. Storage 120 stores the identification instructions 123, comparison instructions 126, and corrective action instructions 129. The identification instructions 123, comparison instructions 126, and corrective action instructions 129 may be instructions associated with performing the methods disclosed herein, such as the methods discussed in connection with other figures herein. The identification instructions 123, comparison instructions 126, and corrective action instructions 129 may be executed by the processor 110.
[0011] The processor 110 may be coupled to the storage 120, such as via a bus. The processor 110 may comprise a microprocessor, a microcomputer, a microcontroller, a field programmable gate array (FPGA), or discrete logic. The storage 120 may be a computer-readable medium and may include a hard drive, solid state drive (SSD), flash memory, electrically erasable programmable read only memory (EEPROM), or random access memory (RAM).
[0012] Fig. 2 shows a first computer system 200 and a second computer system 250 coupled via a network 240 in accordance with various examples. The first computer system 200 includes a first processor 210, a first storage 220, and a first network interface connector 230. The first processor 210, first storage 220, and first network interface connector 230 may be coupled together, such as via a bus. The second computer system 250 includes a second processor 260, a second storage 270, a second network interface connector 280, and an electronic device 290. The second processor 260, second storage 270, second network interface connector 280, and electronic device 290 may be coupled together, such as via a bus.
[0013] The first network interface connector 230 may couple the first computer system 200 to the second computer system 250 via the second network interface connector 280. The connection may be via the network 240. The network 240 may include a wired connection, such as an Ethernet cable or Universal Serial Bus (USB), or a wireless connection, such as WiFi. The connection may be via the Internet.
[0014] The second storage 270 may include an application 275. The application 275 may be installed on the second computer system 250. The electronic device 290 may be an external device coupled to the second computer system 250, such as via USB.
[0015] In various examples, the second computer system 250 may gather telemetry data regarding applications installed on the second computer system 250, such as the application 275. The second computer system 250 may gather telemetry data regarding electronic devices installed on or coupled to the second computer system 250, such as the electronic device 290, second storage 270, second processor 260, second network interface connector 280, peripherals coupled to the second computer system 250, and so forth. The telemetry data may be sent to the first computer system 200 via the network 240. The identification instructions 223 may cause the first processor 210 to operate on the telemetry data to identify changes in the second computer system 250, such as the installation or uninstallation of the application 275, or the installation or removal of the electronic device 290. The comparison instructions 226 may cause the first processor 210 to compare the identified changes with lists regarding the authorized configuration of the second computer system 250. The lists may include a list of mandatory applications or mandatory electronic devices. The lists may include a list of blacklisted applications or blacklisted electronic devices. The lists may include a list of approved applications or approved electronic devices. The lists may include a changelist of applications or electronic devices which are scheduled to be modified on the second computer system 250. For example, a changelist may indicate that the second storage 270 is to be replaced with a new storage. The telemetry data may include data regarding applications or electronic devices installed temporarily on the second computer system 250. For example, if the telemetry data is sent once per day, an application or electronic device that is installed and then uninstalled within the same reporting time period may still be tracked and reported in the telemetry data. This may prevent users from circumventing the fleet management system.
[0016] In various examples, the telemetry data may include only the set of changes to applications and electronic devices of the second computer system 250 since the previous report, rather than a full list of all applications and electronic devices of the second computer system 250. The identification instructions 223 may then include identifying the changes included in the telemetry data. Sending only the changes since the last set of telemetry data may reduce network congestion and the volume of data the fleet management system has to process. Because each such report is relative to the previous one, the fleet management system has to retain the last known state of each computer system and notice when a report is missing; otherwise a lost or suppressed report silently desynchronizes its view of that system.
[0017] In various examples, a list of mandatory applications or mandatory electronic devices may be called a mandatory list, a mandatory application list, or a mandatory electronic devices list. The list may be specific to the second computer system 250, specific to a group of computer systems in a fleet of computer systems, or mandatory across the fleet of computer systems. The mandatory application list may include a list of applications that are mandatory for the second computer system 250. The mandatory application list may identify each application via an application identifier. The application identifier may include a name of the application, a version of the application, or a unique numeric or alphanumeric identification of the application. The mandatory electronic device list may include a list of electronic devices that are mandatory for the second computer system 250. The mandatory electronic device list may include an identifier of each electronic device. The identifier may name a class of devices, such as network interface connectors (of which the second network interface connector 280 is one). The identifier may include a particular manufacturer and model identification. The identifier may include a device identifier that uniquely identifies a specific electronic device.
[0018] In various examples, the changes may be compared against a blacklist of applications or electronic devices. The blacklist indicates applications or electronic devices that are not to be installed on the second computer system 250. The blacklist may be specific to the second computer system 250, specific to a group of computer systems in a fleet of computer systems, or applied across the fleet of computer systems. The blacklist may include applications that affect security, such as malware or a virus. The blacklist may include applications that affect productivity of the employee or use of resources of the second computer system 250 or network 240, such as a game or file sharing program. The blacklist may include applications that cause stability issues, such as a particular version of a word processing program that is incompatible with a document management system. The blacklist may include electronic devices that affect security, such as a removable storage device that may be used to copy confidential data. The blacklist may include electronic devices that affect productivity of the employee or performance of the second computer system 250 or network 240, such as a graphics processing unit (GPU) or headphones. The blacklist may include applications or electronic devices for various other reasons. The portion of the blacklist that lists applications is referred to as an application blacklist.
[0019] In some examples only the blacklist and the mandatory list are enforced, and any other application or electronic device is allowed to be installed. In other examples an allowed list or approved list of applications or electronic devices may be used; applications or electronic devices on that list are allowed to be installed on the second computer system 250. An approved list may be used in place of a blacklist. In such cases, any application or electronic device not on the mandatory list or the approved list may be treated as unauthorized, as if it appeared on a blacklist. An approved list may also be used in conjunction with a blacklist. Any application or electronic device that is on none of the mandatory list, the approved list, or the blacklist may then be flagged for attention by a systems administrator, who may investigate further and determine whether the application or electronic device should be added to the blacklist or the approved list. This allows users to install applications and electronic devices first, with the systems administrator verifying after the fact whether the application or electronic device may continue being used.
[0020] In various examples, a changelist may be used. A changelist may include changes that are to be performed to the second computer system 250, such as automated updates, installation, or uninstallation of applications. The changelist may include changes to electronic devices that have been authorized, such as the replacement of the second storage 270. The authorized change may be part of a corrective action request caused by the corrective action instructions 229. The authorized change may be part of preventative or scheduled maintenance of the second computer system 250.
[0021] In various examples, the corrective action may include uninstallation of the unauthorized application or removal of the unauthorized electronic device. The corrective action may include execution of an anti-virus or anti-malware application. The corrective action may include locking the second computer system 250 or locking a specific user or group of users out of the second computer system 250. The corrective action may include scheduling an appointment for service by a technician. The corrective action may include sending a warning, such as by a pop-up, an e-mail, or a text message to a mobile phone. For example, the warning may be sent to a user of the second computer system 250 indicating that the change is unauthorized and instructing the user to revert the change. The corrective action may include disabling execution of the application or disabling the electronic device. The corrective action may include disabling execution of a different application or disabling another electronic device on the second computer system 250, such as disabling the second network interface connector 280 to prevent network communications by the second computer system 250.
[0022] In various examples, implementation of this disclosure by a fleet management system may assist in correcting unintentional issues or intentionally harmful actions by users. For example, a user may copy confidential data to the second storage 270 and remove the second storage 270 to take it home and make a copy. The second computer system 250 may collect telemetry data indicating the second storage 270 was removed and report the data to the first computer system 200, even if the second storage 270 is replaced shortly thereafter. The fleet management system may alert a systems administrator or security professionals to the potential data breach for further investigation. The fleet management system may instruct a surveillance system to save video footage or other data for the building where the potential breach occurred, to prevent overwriting of the video footage or other data. The user of the second computer system 250 may be locked out of a corporate network or the second computer system 250 to prevent additional data breaches. Action may likewise be taken if a removable storage device is detected as being used with the second computer system 250.
[0023] In various examples, a user may install a gaming application on the second computer system 250 in violation of corporate policy. A corrective action may include uninstalling the gaming application or sending a message to the user’s manager.
[0024] In various examples, a virus may be installed on the second computer system 250. The virus may be on an application blacklist. The corrective action may include disabling the second network interface connector 280 of the second computer system 250 to minimize spread of the virus. The corrective action may include executing a virus scan and cleaning of the second computer system 250 or scheduling an appointment for a restore of the second storage 270 to a known good state.
[0025] In various examples, a user may have access to multiple computer systems. The user may swap electronic devices, such as RAM, between the computer systems. The fleet management system may identify the changes. The corrective action may include tracking the changes to keep a record of where the memory components currently are. The corrective action may include requisitioning more memory for the computer systems. The corrective action may include messaging the user to return the memory components to their original computer systems.
[0026] Fig. 3 shows a method 300 of causing a corrective action to be performed based on comparisons of a change related to applications installed on a remote computer system in accordance with various examples. The method 300 includes identifying a change related to applications installed on a remote computer system based on telemetry data from the remote computer system (310). The method 300 includes comparing the change against an application blacklist and against a mandatory application list (320). The method 300 includes causing the remote computer system to perform a corrective action based on the comparisons (330).
[0027] The remote computer system may be any computer system other than the computer system executing the method 300. The remote computer system may be accessible across a network. The remote computer system may be physically remote, such as in another city, or it may be physically located next to the computer executing the method 300. The remote computer system may be a server, a laptop or desktop computer, a tablet, a cell phone, an Internet of Things (IoT) device, or another computer system.
[0028] The blacklist or mandatory application list may include specific versions of applications. For example, a version of an application may be on the blacklist, as it may be incompatible with other applications or systems or may cause a security issue. Other versions of the application may be allowed. The mandatory application list may list a specific version to be installed.
[0029] In various examples, the application blacklist and mandatory application list may include a checksum to use in the comparison. The checksum may be used to detect an inconsistency with the other application identifiers, such as may be caused by corruption of the application. A checksum is created by a checksum function, which performs a bitwise operation across the application to produce an identifier. The checksum function may be a parity check, a cyclic redundancy check (CRC), or another checksum function. A checksum may be of various sizes, depending on the application and the checksum function used. A developer may provide a checksum and checksum function to use with the developer's application. The remote computer system may apply a particular checksum function to applications installed on the remote computer system. The particular checksum function may be specified by the fleet management system, which may specify particular checksum functions for particular applications or versions of applications. The remote computer system may provide the checksum, together with an association with the corresponding application, to the fleet management system. The fleet management system may compare the checksum from the remote computer system with an expected checksum. Any difference may be flagged as a change of the corresponding application on the remote computer system. The change may indicate the application has been corrupted, such as by a virus or a storage error. A corrective action may include uninstalling and reinstalling the application. Note that a parity check or CRC is designed to catch accidental corruption such as a storage error; it does not protect against deliberate modification, since whoever can alter the application can also adjust it so that the CRC is unchanged. Where the concern is tampering by malware or by a user, the specified checksum function should be a cryptographic hash such as SHA-256. Also, because the checksum is computed and reported by the remote computer system itself, a compromised system can report whatever it likes; the comparison is a detection aid, not proof of integrity.
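The checksum comparison of [0029], as an added Python example that is not part of the patent: the remote side computes a checksum with whichever function the fleet management system names, the fleet side compares it against an expected value, and the same check is run for CRC-32 (one of the functions the text names) next to SHA-256 (an assumption here, not named in the text). The application bytes, the expected values and the function names are constructed; the forge_crc32_suffix helper is the standard four-byte "reverse CRC" construction and is included only to show why a CRC is a corruption check and not a tamper check: a deliberately modified image can be made to keep its original CRC-32, while its SHA-256 still changes.

```python
"""Added example (not the patent's code): checksum reporting and comparison for
[0029]. The application bytes, expected values and function names are
constructed for illustration."""
import hashlib
import hmac
import zlib

def _crc32_table() -> list:
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

CRC_TABLE = _crc32_table()
# For CRC-32 the top byte of each table entry is distinct, which is what makes
# the register reversible one byte at a time.
INV_TOP = {t >> 24: i for i, t in enumerate(CRC_TABLE)}
assert len(INV_TOP) == 256

def forge_crc32_suffix(data: bytes, target: int) -> bytes:
    """Four bytes s with zlib.crc32(data + s) == target: the standard
    'reverse CRC' construction, shown to demonstrate why a CRC is not a
    tamper check."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF     # CRC register after `data`
    x = target ^ 0xFFFFFFFF                  # register we need after four more bytes
    idx = []
    for k in range(4):                        # peel off table contributions, last byte first
        i = INV_TOP[(x >> (24 - 8 * k)) & 0xFF]
        x ^= CRC_TABLE[i] >> (8 * k)
        idx.append(i)
    out = bytearray()
    for i in reversed(idx):                   # replay forward to recover the bytes
        out.append((reg & 0xFF) ^ i)
        reg = CRC_TABLE[i] ^ (reg >> 8)
    return bytes(out)

# Checksum functions the fleet management system may specify per application.
CHECKSUM_FUNCTIONS = {
    "crc32": lambda b: f"{zlib.crc32(b):08x}",
    "sha256": lambda b: hashlib.sha256(b).hexdigest(),
}

def report_checksum(app_bytes: bytes, function: str) -> str:
    """Remote side: the value sent with the application identifier in the telemetry."""
    return CHECKSUM_FUNCTIONS[function](app_bytes)

def checksum_matches(reported: str, expected: str) -> bool:
    """Fleet side: any difference is flagged as a change to the application."""
    return hmac.compare_digest(reported, expected)

# Constructed stand-in for the bytes of an installed application.
GOOD_APP = b"fleet-example-app 1.0\x00" + bytes(range(256))

def storage_error(app: bytes) -> bytes:
    """Accidental corruption: a single flipped bit."""
    damaged = bytearray(app)
    damaged[40] ^= 0x01
    return bytes(damaged)

def tampered(app: bytes) -> bytes:
    """Deliberate modification: the image is edited, then four bytes are
    appended so the CRC-32 lands back on the original value."""
    body = app.replace(b"fleet-example-app 1.0", b"fleet-example-app 1.0 +backdoor")
    return body + forge_crc32_suffix(body, zlib.crc32(app))

def evaluate() -> dict:
    """Whether each checksum function still matches the expected value, per variant."""
    expected = {fn: report_checksum(GOOD_APP, fn) for fn in CHECKSUM_FUNCTIONS}
    variants = {"storage_error": storage_error(GOOD_APP), "tampered": tampered(GOOD_APP)}
    return {
        label: {fn: checksum_matches(report_checksum(image, fn), expected[fn])
                for fn in CHECKSUM_FUNCTIONS}
        for label, image in variants.items()
    }

if __name__ == "__main__":
    print(evaluate())
```

Running the module shows the flipped bit caught by both functions, and the tampered image caught only by SHA-256: its CRC-32 is identical to the original's, so a fleet that compares CRCs would see no change at all.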
[0030] In various examples, a user login for the remote computer system may be deactivated. This may prevent a specific user from logging in, prevent a class of users from logging in, or prevent any user from logging in. The remote computer system may still initialize and perform other functions, such as automated operations. The remote computer system may be reimaged to use a known good image of a storage device. The remote computer system may perform an uninstallation of unauthorized applications, virus or malware checks, or system checks while the user login is deactivated. A systems administrator may remotely connect with the remote computer system and diagnose or correct any issues while the user login is deactivated. The user login of the remote computer system may be reactivated once corrective actions are performed.
[0031] In various examples, an issue may be detected with both an application and an electronic device of the remote computer system. For example, the telemetry data may identify a different unique identifier of a storage device than was present in the previous report, as well as a new device driver for the storage device. This may indicate that the storage device was replaced. The replacement may have been part of scheduled maintenance, such as due to anticipated storage failure, or it may have been an unauthorized replacement. The change in the unique identifier may be compared against a changelist corresponding to the remote computer system. The changelist may include information that the storage was scheduled for replacement, including a device identifier of the old storage device and a device identifier of the new storage device. Depending on the comparison of the change with the changelist, various corrective actions may take place. If the device identifier of the new storage device matches a device identifier in the changelist, no action may be taken. If no change in storage was scheduled, a warning of a potential data breach may be sent to security personnel and the remote computer system may be locked. If a change to the storage was indicated in the changelist but no corresponding change to the applications is seen, it may suggest that an incorrect storage device was installed; installation of an incorrect storage device may also be detected directly, by comparing the device identifier of the installed storage device with the one in the changelist. A corrective action may include scheduling an appointment for a technician to inspect the remote computer system.
[0032] Fig. 4 shows a method 400 of causing a corrective action to be performed based on a comparison of a device modification to a remote computer system in accordance with various examples. Method 400 includes identifying a device modification to a remote computer system based on telemetry data from the remote computer system (410). Method 400 includes comparing the device modification against a list of authorized devices for the remote computer system (420). Method 400 includes causing the remote computer system to perform a corrective action based on the comparison (430).
[0033] Fig. 5 shows a method 500 of causing a corrective action to be performed based on a determination of an unauthorized change to a remote computer system in accordance with various examples. Method 500 includes analyzing telemetry data from a remote computer system to identify a change to the remote computer system (510). Method 500 includes determining that the change is an unauthorized change to the remote computer system (520). Method 500 includes causing the remote computer system to perform a corrective action in response to the determination (530).
[0034] In various examples, the change may be determined to be an unauthorized change by comparing the change against a blacklist, mandatory list, authorized list, or changelist.
[0035] A device identifier is an identifier used to identify the device. The device identifier may uniquely identify that specific device. The device identifier may identify the manufacturer and model number. An application identifier may identify an application. The application identifier may be a collection of metadata for the application and may include an indication of the name of the application, the version of the application, and a checksum of the application.
[0036] In various examples, the telemetry data may include a list of application identifiers for applications installed on the remote computer system. If an application is present in an earlier set of telemetry data but absent from a later set of telemetry data, it may indicate the application has been uninstalled. If the application identifier is included in a mandatory application list, a corrective action may be performed that includes installation of the application on the remote computer system.
[0037] In various examples, the telemetry data may include a device identifier in a later telemetry data that was not present in an earlier telemetry data. This may indicate that an electronic device was installed on the remote computer system. If the device identifier is not on a list of authorized devices for the remote computer system, the corrective action may include causing the removal of the corresponding device from the remote computer system.
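The identification and comparison steps of [0015] to [0021], [0031] and [0036] to [0037], as one added Python example that is not the patent's code: two consecutive telemetry reports are differenced into installed and uninstalled applications and added, removed and transient devices; each change is compared against a mandatory list, an approved list, a version-aware blacklist and a changelist; and the result is a list of corrective actions for the remote computer system. The identifier types, list contents, action names and both snapshots are constructed. The blacklist's "reason" field and the rule of cutting the network before cleaning a malware hit are assumptions drawn from [0024], not something the claims require.

```python
"""Added example (not the patent's code): fleet-side change identification and
list comparison for the methods of Figs. 3-5. Identifier types, list contents,
action names and both telemetry snapshots are constructed for illustration."""
from dataclasses import dataclass
from typing import NamedTuple

class AppId(NamedTuple):
    name: str
    version: str

class DeviceId(NamedTuple):
    device_class: str   # "storage", "nic", "memory", "removable_storage", ...
    serial: str         # uniquely identifies the specific device

class Snapshot(NamedTuple):   # one telemetry report from the remote computer system
    apps: frozenset           # AppId values installed at report time
    devices: frozenset        # DeviceId values present at report time
    transient: frozenset      # DeviceId values attached and removed within the period

@dataclass
class Policy:
    mandatory_apps: set       # AppId values that must be present
    approved_apps: set        # application names allowed in any version
    blacklist: dict           # name -> {"version": str | None, "reason": str}
    authorized_classes: set   # device classes that may be added
    changelist: set           # DeviceId values scheduled to be added or removed

def identify_changes(prev: Snapshot, cur: Snapshot) -> dict:
    """Steps 310/410/510: derive the change set from two consecutive reports."""
    return {
        "installed": cur.apps - prev.apps,
        "uninstalled": prev.apps - cur.apps,
        "added": cur.devices - prev.devices,
        "removed": prev.devices - cur.devices,
        "transient": cur.transient,   # gone again before this report, still reported
    }

def blacklist_reason(app: AppId, policy: Policy):
    """Blacklist reason if the app, or this specific version of it, is listed."""
    entry = policy.blacklist.get(app.name)
    if entry and entry["version"] in (None, app.version):
        return entry["reason"]
    return None

def decide_actions(changes: dict, policy: Policy) -> list:
    """Steps 320/420/520 and 330/430/530: compare each change against the lists
    and return (action, target) pairs to send to the remote computer system."""
    actions = []
    for app in sorted(changes["installed"]):
        reason = blacklist_reason(app, policy)
        if reason == "malware":
            # contain before cleaning: cut the network, then remove and scan [0024]
            actions += [("disable_nic", None), ("uninstall", app), ("run_av_scan", None)]
        elif reason:
            actions += [("uninstall", app), ("warn_user", app)]
        elif app not in policy.mandatory_apps and app.name not in policy.approved_apps:
            # approved list used together with a blacklist: unknown apps go to an admin [0019]
            actions.append(("flag_for_admin", app))
    for app in sorted(changes["uninstalled"]):
        if app in policy.mandatory_apps:
            actions.append(("install", app))   # [0036]
    for dev in sorted(changes["added"]):
        if dev not in policy.changelist and dev.device_class not in policy.authorized_classes:
            actions.append(("disable_device", dev))   # [0037]; scheduled devices pass
    for dev in sorted(changes["removed"]):
        if dev not in policy.changelist and dev.device_class == "storage":
            # unscheduled drive removal: treat as a potential data breach [0022], [0031]
            actions += [("alert_security", dev), ("deactivate_login", None)]
    for dev in sorted(changes["transient"]):
        if dev.device_class not in policy.authorized_classes:
            actions.append(("alert_security", dev))   # [0015]: brief use is still caught
    return actions

# Constructed policy and two consecutive reports for one remote computer system.
POLICY = Policy(
    mandatory_apps={AppId("endpoint-agent", "4.2")},
    approved_apps={"office-suite", "pdf-reader"},
    blacklist={
        "game-launcher": {"version": None, "reason": "policy"},
        "dropper": {"version": None, "reason": "malware"},
        "office-suite": {"version": "2.0", "reason": "stability"},   # one version only [0028]
    },
    authorized_classes={"storage", "nic", "memory"},
    changelist={DeviceId("storage", "SN-OLD-1"), DeviceId("storage", "SN-NEW-2")},
)
PREV = Snapshot(
    apps=frozenset({AppId("endpoint-agent", "4.2"), AppId("office-suite", "1.9")}),
    devices=frozenset({DeviceId("storage", "SN-OLD-1"), DeviceId("nic", "MAC-1")}),
    transient=frozenset(),
)
CUR = Snapshot(
    apps=frozenset({AppId("office-suite", "1.9"), AppId("game-launcher", "7"),
                    AppId("notes-app", "1.0")}),
    devices=frozenset({DeviceId("storage", "SN-NEW-2"), DeviceId("nic", "MAC-1")}),
    transient=frozenset({DeviceId("removable_storage", "USB-9")}),
)

def run_example() -> list:
    """Changes between PREV and CUR, mapped to corrective actions under POLICY."""
    return decide_actions(identify_changes(PREV, CUR), POLICY)

if __name__ == "__main__":
    for action, target in run_example():
        print(action, target)
```

Running the module prints the actions for the constructed scenario: the game launcher is uninstalled with a warning to the user, the unknown notes application is flagged for an administrator, the missing endpoint agent is reinstalled, the scheduled storage swap produces no action, and the removable drive that was attached and removed between reports still raises a security alert. The version-specific blacklist entry shows the point of [0028]: office-suite 2.0 would be removed, while the installed 1.9 stays because its name is on the approved list.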
[0038] The above discussion is meant to be illustrative of the principles and various examples of the present disclosure. Numerous variations and modifications will become apparent to those skilled in the art once the above disclosure is fully appreciated. It is intended that the following claims be interpreted to embrace all such variations and modifications.

Claims

What is claimed is:
1. A non-transitory computer-readable medium to store machine-readable instructions that, when executed by a processor, cause the processor to:
identify a change related to applications installed on a remote computer system based on telemetry data from the remote computer system;
compare the change against an application blacklist and against a mandatory application list; and
cause the remote computer system to perform a corrective action based on the comparisons.
2. The computer-readable medium of claim 1, wherein the change includes an addition of an added application to the remote computer system, the added application being present in the application blacklist, and wherein the corrective action includes uninstallation of the added application from the remote computer system.
3. The computer-readable medium of claim 1, wherein the corrective action includes deactivating a user login for the remote computer system.
4. The computer-readable medium of claim 1, wherein the machine-readable instructions, when executed by the processor, cause the processor to:
identify a device change related to electronic devices in the remote computer system based on telemetry data gathered from the remote computer system;
compare the device change against a changelist corresponding to the remote computer system; and
cause the remote computer system to perform a second corrective action based on the comparison of the device change against the changelist.
5. The computer-readable medium of claim 1, wherein the changelist includes a device identifier of an electronic device to be installed on the remote computer system.
6. A non-transitory computer-readable medium to store machine-readable instructions that, when executed by a processor, cause the processor to:
identify a device modification to a remote computer system based on telemetry data from the remote computer system;
compare the device modification against a list of authorized devices for the remote computer system; and
cause the remote computer system to perform a corrective action based on the comparison.
7. The computer-readable medium of claim 6, wherein the device modification includes a removal of an electronic device from the remote computer system.
8. The computer-readable medium of claim 7, wherein the corrective action includes a display of a warning on the remote computer system.
9. The computer-readable medium of claim 6, wherein the machine-readable instructions, when executed by the processor, cause the processor to:
identify an added application installed on the remote computer system based on the telemetry data;
compare the added application against an application blacklist; and
perform an application corrective action based on the comparison of the added application against the application blacklist.
10. The computer-readable medium of claim 9, wherein the application corrective action includes a disablement of a network interface connection of the remote computer system.
11. A method comprising:
analyzing telemetry data from a remote computer system to identify a change to the remote computer system;
determining that the change is an unauthorized change to the remote computer system; and
causing the remote computer system to perform a corrective action in response to the determination.
12. The method of claim 11, wherein the analyzing telemetry data includes comparing a first set of device identifiers from a first set of telemetry data against a second set of device identifiers from a second set of telemetry data, the first set of telemetry data from a first point in time and the second telemetry data from a second point in time.
13. The method of claim 12, wherein the analyzing telemetry data includes comparing a first set of application identifiers from the first set of telemetry data against a second set of application identifiers from the second set of telemetry data.
14. The method of claim 13, wherein the first set of telemetry data includes an application identifier not present in the second set of telemetry data and the change includes the uninstallation of an application from the remote computer system, the application corresponding to the application identifier, wherein the determining includes comparing the application identifier against a list of mandatory application identifiers, and wherein the corrective action includes installing the application on the remote computer system.
15. The method of claim 12, wherein the first set of telemetry data includes a device identifier not present in the second set of telemetry data and the change includes the removal of a device from the remote computer system, the device corresponding to the device identifier.
Application and publication data

Application number: PCT/US2019/016411, filed 2019-02-01, priority date 2019-02-01
Title: Corrective actions based on comparisons of changes to computer systems
Publication: WO2020159550A1 (en), published 2020-08-06
Family ID: 71840973
Country status: WO, WO2020159550A1 (en)
Patent Citations (3)

US20090150970A1 (priority 2007-12-05, published 2009-06-11), Sybase, Inc., "Data Fading to Secure Data on Mobile Client Devices" (cited by examiner)
US20140007222A1 (priority 2011-10-11, published 2014-01-02), Zenprise, Inc., "Secure execution of enterprise applications on mobile devices" (cited by examiner)
US20150026827A1 (priority 2013-07-17, published 2015-01-22), Industrial Technology Research Institute, "Method for application management, corresponding system, and user device" (cited by examiner)

Legal Events

121 (EP): the EPO has been informed by WIPO that EP was designated in this application. Ref document number: 19913434; country of ref document: EP; kind code: A1.
NENP: non-entry into the national phase. Ref country code: DE.
122 (EP): PCT application non-entry in European phase. Ref document number: 19913434; country of ref document: EP; kind code: A1.