FIELD: information security.
SUBSTANCE: the invention relates to a system for intelligent risk and vulnerability management of infrastructure elements (IE). The system contains a processor, a storage device, and the following modules associated with said processor:

- a module for collecting data from sources, configured to obtain information from data sources containing information about vulnerabilities of IE, including functional and logical IE, where functional IE are infrastructure assets (IA), containing terminal physical or virtual equipment providing a service, and network IE, representing devices that provide network interaction between all functional IE; logical IE are a combination of functional IE and logical IE, including entities that interact with the network infrastructure and are selected from the group: automated systems or functional subsystems;
- a data management module, designed to normalize the data collected by the data collection module, forming a unified data type and an attribute composition that depends on the type of IE, and to form an IE profile containing the IE attribute composition;
- an IE profile enrichment module, designed to receive scan data from the data collection module and supplement the attribute composition of the generated IE profiles with information that includes:
  - information about the possibility of network interaction between IA, based on the data of security rules (ACL), as well as translation rules (NAT) and routing defined on network IE;
  - vulnerabilities found on IA;
  - data on the criticality of the operation of logical IE;
  - information about the identified risks, as well as measures to eliminate them;
- an analytics module, designed to:
  - account for, analyze, and monitor the external perimeter of the network infrastructure;
  - search by the attribute composition of IE profiles;
  - analyze raw data coming from data sources;
  - manage risks based on the vulnerabilities found;
  - search and analyze network routes between IA to determine possible ways of spreading the threat;
  - calculate, based on the data of the enriched IE profiles, the criticality of the vulnerable IA by determining the impact of vulnerabilities on the network infrastructure and its functioning;
  - generate a list of vulnerable IE and information about the elimination of identified vulnerabilities, with calculation of the rating and registration of the risk of identified vulnerabilities;
  - process the incoming data flow from the data management module and transfer the list of IE through the integration module to the security scanner, which scans and detects IE based on said list of IE;
- an integration module, designed to control the mode of eliminating identified vulnerabilities, in which data about IE is transmitted to an external update management system, based on the list of vulnerable IE generated by the analytics module, for performing updates of vulnerable IE.
EFFECT: invention is aimed at identifying and eliminating vulnerabilities in the infrastructure elements.
16 cl, 3 dwg
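
As an added illustration of the route search and criticality ranking that the abstract attributes to the analytics module (this is not code from the patent; the asset names, vulnerability labels, permit rules and the rating formula are all constructed assumptions):

```python
from collections import deque

# Constructed sample data: enriched IA profiles (names, labels and scores are assumptions).
PROFILES = {
    "edge-proxy": {"external": True,  "vulns": [],                   "service_criticality": 2},
    "web-01":     {"external": False, "vulns": ["VULN-A"],           "service_criticality": 3},
    "app-01":     {"external": False, "vulns": [],                   "service_criticality": 4},
    "db-01":      {"external": False, "vulns": ["VULN-B", "VULN-C"], "service_criticality": 5},
    "hr-01":      {"external": False, "vulns": ["VULN-D"],           "service_criticality": 4},
}

# Constructed permit rules (source, destination), standing in for ACL/NAT/routing data.
ALLOWED = [("edge-proxy", "web-01"), ("web-01", "app-01"),
           ("app-01", "db-01"), ("hr-01", "db-01")]

def shortest_routes(profiles, allowed):
    """BFS from every external-perimeter asset; returns {asset: route from the perimeter}."""
    graph = {}
    for src, dst in allowed:
        graph.setdefault(src, []).append(dst)
    routes = {name: [name] for name, p in profiles.items() if p["external"]}
    queue = deque(routes)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in routes:          # first visit is the shortest route
                routes[nxt] = routes[node] + [nxt]
                queue.append(nxt)
    return routes

def rank_vulnerable_assets(profiles, allowed):
    """List vulnerable assets with their perimeter route, highest rating first."""
    routes = shortest_routes(profiles, allowed)
    ranked = []
    for name, p in profiles.items():
        if not p["vulns"]:
            continue
        route = routes.get(name)           # None: no permitted path from the perimeter
        # Illustrative rating (assumption): service criticality x vulnerability count,
        # divided by hop count from the perimeter; unreachable assets are rated 0.
        hops = max(len(route) - 1, 1) if route else None
        rating = p["service_criticality"] * len(p["vulns"]) / hops if hops else 0.0
        ranked.append({"asset": name, "route": route, "rating": round(rating, 2)})
    return sorted(ranked, key=lambda r: r["rating"], reverse=True)

if __name__ == "__main__":
    for row in rank_vulnerable_assets(PROFILES, ALLOWED):
        print(row)
```
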
Title | Year | Author | Number |
---|---|---|---|
CONTROL SYSTEM FOR SECURITY POLICY OF ELEMENTS OF CORPORATE COMMUNICATION NETWORK | 2023 | | RU2813469C1 |
SYSTEM FOR AUTOMATIC UPDATING AND GENERATION OF TECHNIQUES FOR IMPLEMENTING COMPUTER ATTACKS FOR INFORMATION SECURITY SYSTEM | 2023 | | RU2809929C1 |
INTELLIGENT CONTROL SYSTEM FOR CYBERTHREATS | 2019 | | RU2702269C1 |
METHOD AND SYSTEM FOR PREVENTING UNAUTHORIZED ACCESS TO CORPORATE NETWORK OBJECTS | 2022 | | RU2799117C1 |
SEARCH FOR SECURITY PROBLEMS IN SOFTWARE AND OPERATING SYSTEMS IN PUBLIC CLOUDS | 2023 | | RU2825724C1 |
METHOD AND SYSTEM FOR PREVENTING COMPROMISE OF NETWORK INFRASTRUCTURE OBJECTS IN FREEIPA DIRECTORY SERVICE | 2023 | | RU2826430C1 |
SYSTEMS AND METHODS FOR CREATING AND MODIFYING ACCESS LISTS | 2015 | | RU2679179C1 |
METHOD AND SYSTEM FOR AUTOMATED DOCUMENTATION OF SECURITY THREATS AND VULNERABILITIES RELATED TO AN INFORMATION RESOURCE | 2022 | | RU2789990C1 |
METHOD AND SYSTEM FOR DETECTION OF ABNORMAL USER BEHAVIOR | 2021 | | RU2775861C1 |
SYSTEM AND METHOD OF CORRELATING EVENTS FOR DETECTING INFORMATION SECURITY INCIDENT | 2019 | | RU2739864C1 |
Authors
Dates
2021-05-05—Published
2020-08-04—Filed