The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
As used herein, a vulnerability is a weakness or flaw in computational logic found in software and some hardware components, such as firmware. When exploited, a vulnerability facilitates unauthorized access to a computing device, enables an attack to remain undetected, allows unauthorized modification of data, causes a reduction in the availability of data, and/or the like. For example, an attacker may exploit a vulnerability in a smartphone's operating system by sending, to the smartphone, a text message that includes a link for installing virtually undetectable spyware.
A vulnerability is typically detected based on scanning for particular programs that are stored on a computing device. Whether scanning is performed locally on a computing device or remotely via a network connection, scanning involves eliciting a response from software and/or hardware components of the computing device. The response is subsequently analyzed to determine whether it matches one or more pre-defined signature patterns of a known vulnerability.
However, scanning has the drawback of tying up computational and/or network resources. Not only does scanning involve a large amount of data processing, it also takes a long period of time to complete. For example, scanning may cause a computing device to execute multiple iterations of code that is varied ever so slightly for each iteration. Accordingly, scanning does not scale well to the enterprise level. For example, if scanning a single computing device takes several hours to complete, then scanning all computing devices of a large company may take days, weeks, or months to complete. And while a computing device is being scanned, it may exhibit diminished processing capabilities.
Furthermore, scanning leaves computing devices vulnerable to recently discovered attacks. As mentioned above, scanning involves eliciting a response that is subsequently matched to one or more pre-defined signature patterns of a known vulnerability. In other words, before scanning can be used to detect a known vulnerability, an analyst must write the one or more signature patterns for the known vulnerability. Thus, an attacker may exploit the delay between the time when a vulnerability becomes generally known to the public and the time when one or more signature patterns for the vulnerability are written.
While each of the drawing figures depicts a particular embodiment for purposes of depicting a clear example, other embodiments may omit, add to, reorder, and/or modify any of the elements shown in the drawing figures. For purposes of depicting clear examples, one or more figures may be described with reference to one or more other figures, but using the particular arrangement depicted in the one or more other figures is not required in other embodiments.