DESCRIPTION

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to U.S. Provisional Application No. 61/392,324 filed
Oct. 12, 2010, and entitled "Dynamic hierarchical tagging system and method,"
which is hereby incorporated by reference for all purposes.

TECHNICAL FIELD

In a corporate enterprise network, the presently described embodiments relate to
organizing and tagging of computer, software, and network assets by a security
management system that interfaces with the enterprise network through the
internet. The security management system is therefore a cloud-based system that
interfaces with managed asset scanners within and/or exterior to the enterprise
network. The presently described embodiments provide a dynamic hierarchical
tagging system and method that provides advantages over previously known
solutions.

BACKGROUND OF THE INVENTION

In a corporate enterprise network, any device connected to a network, such as
desktop workstations, tablets, phones, etc., may have attributes that change on a
regular basis. These attributes may include IP addresses, patch levels,
vulnerabilities, installed software, running services, etc. Network administrators and
users may want to organize the network assets into groups based at least in part on
these rapidly-changing attributes. The present disclosure provides for a way to
create groups that change with the changing attributes.

SUMMARY OF THE INVENTION

In an embodiment, a dynamical hierarchical tagging system connected to a user
site through a remote communications network is disclosed. The system may
comprise a master controller, a job management server connected to the master
controller, one or more scanners in communication with the job management
server, wherein the one or more scanners are configured to scan for one or more
user assets located at the user site, resulting in scan results, a scan logic processor
connected to the master controller, wherein the scan logic processor is configured
to store the scan results in a user database, a tagging logic engine connected to the
master controller, wherein the tagging logic engine is configured to tag the scan
results stored in the user database, and an indexing logic processor connected to
the master controller, wherein the indexing logic processor is configured to search
and index the tagged scan results stored in the user database. In this system, the
scan logic processor may be configured to normalize the scan results stored in the
user database to determine which of the normalized scan results need to be
updated in a subsequent processing of a scan based on discovered values of the
one or more assets previously scanned and the normalized scan results may be
related back to the tagged and indexed scan results stored in the user database and
are used to track the one or more user assets.

In a further embodiment, a method for tagging one or more user assets located at a
user site with a dynamical hierarchical tagging system connected through a remote
communications network is disclosed. The method may comprise providing a
master controller, connecting a job management server to the master controller,
providing one or more scanners in communication with the job management server,
wherein the one or more scanners are configured to scan for the one or more user
assets located at the user site, resulting in scan results, connecting a scan logic
processor to the master controller, wherein the scan logic processor is configured to
store the scan results in a user database, connecting a tagging logic engine to the
master controller, wherein the tagging logic engine is configured to tag the scan
results stored in the user database, and connecting an indexing logic processor to
the master controller, wherein the indexing logic processor is configured to search
and index the tagged scan results stored in the user database. The method may
further comprise that the scan logic processor and the indexing logic processor may
be configured to normalize the tagged and indexed scan results stored in the user
database to determine which of the scan results need to be updated in a
subsequent scan based on discovered values of the one or more assets previously
scanned, and further wherein the normalized scan results may be related back to
the tagged and indexed scan results stored in the user database and are used to
track the one or more user assets.

DESCRIPTION OF THE DRAWINGS

FIG. 1 is a system level diagram of a security management system connected to a
customer system through a remote communications network, in accordance with
one embodiment of the present disclosure;

FIG. 2 is a flowchart depicting normalizing asset scan data, in accordance with one
embodiment of the present disclosure;

FIG. 3 is a flowchart depicting tagging assets, in accordance with one embodiment
of the present disclosure;

FIG. 4 is a flowchart depicting indexing assets, in accordance with one embodiment
of the present disclosure;

FIG. 5 is a tag-to-asset relationship structure, in accordance with one embodiment
of the present disclosure;

FIG. 6 is a tag-to-asset relationship, in accordance with one embodiment of the
present disclosure;

FIG. 7 is a tag tree organization, in accordance with one embodiment of the present
disclosure;

FIG. 8 is a screen shot of a tag's history, in accordance with one embodiment of the
present disclosure;

FIG. 9 is a screen shot of scan-to-tag results, in accordance with one embodiment of
the present disclosure;

FIG. 10 is a screen shot of tag-to-asset and scan-by-tag, in accordance with one
embodiment of the present disclosure;

FIG. 11 is a screen shot of rule engine auditing and rule setup, in accordance with
one embodiment of the present disclosure;

FIG. 12 is a screen shot of asset details and attributes, in accordance with one
embodiment of the present disclosure; and

FIG. 13 is a flowchart for the process of asset discovery, in accordance with one
embodiment of the present disclosure.

DETAILED DESCRIPTION

Disclosed herein are various embodiments of a dynamical hierarchical tagging
system connected to a user site through a remote communications network. The
system may comprise a master controller, a job management server connected to
the master controller, one or more scanners in communication with the job
management server, wherein the one or more scanners are configured to scan for
one or more user assets located at the user site, resulting in scan results, a scan
logic processor connected to the master controller, wherein the scan logic processor
is configured to store the scan results in a user database, a tagging logic engine
connected to the master controller, wherein the tagging logic engine is configured
to tag the scan results stored in the user database, and an indexing logic processor
connected to the master controller, wherein the indexing logic processor is
configured to search and index the tagged scan results stored in the user database.

According to FIG. 1, a security management system 100 may be connected to a
user site 115 through a remote communications network or "cloud" 110. The
security management system 100 may comprise one or more scanners 116 and
may be located at the user site 115 or exterior to the user site, also connected to
the customer site and/or other security management system element through the
internet. The scanners 116 may be connected through the remote communications
network 110 to a job management server 120 located off-site from the user site
115. The job management server 120 may be configured to coordinate
communications with the scanners 116.

The scanners 116 themselves may initiate connections with the job management
server 120 to conduct scans of one or more user assets 118, such as desktop
computers, laptops, workstations, tablets, phones, etc. The connections may also be
initiated at the instruction of the job management server 120. The scans may be
stored in a raw format in a job management database 130 connected to the job
management server 120. The scans may then be used to create a summary of all of
the assets 118 that exist at the user site 115. The security management system
100 may also use the scans to create a computer-generated report as further
described in FIGS. 8-12.

Server logic, which is stored on a computer readable medium or memory 122 of the
job management server 120 that when read may cause the job management server
120, may execute instructions that may be responsible for coordinating the
communication of information between various components in the security
management system 100. A scan logic processor 140 may be connected to the job
management server 120, and re-tags the scan results individually by accessing the
results of the scanning and may receive communications from the job management
server 120. The job management server 120 may be configured to realize when it
has received updated scan results. The scan logic processor 140 further normalizes
the scan results in accordance with instructions stored on computer-readable
medium, and the scan logic processor 140 may store those scan results in a user
database 150.

During execution of the above-described "Normalize Scan Results" process in the
scan logic processor 140, as discussed in more detail in FIG. 2, the information
about which parameters were previously used in executing the scan job through the
job management server 120 may be used by the scan logic processor 140. That
information may be used to determine which aspects of the data in the user
database 150 should be updated based on the discovered value(s) on the user
assets 118 that were scanned by one or more of the scanners 116.

For example, on scans initiated with authentication properly enabled, the scans may
be able to discover information about assets 118 that previously run,
non-authenticated scans would not discover. Because of this, certain values in the user
database 150 may be overwritten when normalizing the results of this scan, due to
the more "authoritative" nature of the authenticated scan results. By the same
token, if a non-authenticated scan is run on the same assets 118 after an
authenticated scan, some information about the host in the user database 150
would not be updated, as the newer scan's information would be deemed less
authoritative due to the prior authenticated scan.

The logic in the scan logic processor 140 determines whether to update the data on
an element-by-element basis, as some elements may be better detected with
authenticated scans, while others may not. In addition, many other types of scan
parameters may be used to influence normalization strategy. Such other parameters
include vulnerability signatures such as QIDs, TCP/UDP port limitations, etc. Logic for
determining such normalization strategies may all be contained in the scan logic
processor 140, and that logic may be executed after a scan is completed at the user
site 115 and is transmitted through the remote communications network 110.
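
The element-by-element decision described above, sketched as an added Python example (not code from the patent). The set of authentication-sensitive elements, the field names, the handling of a port-limited scan and the sample scan jobs are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy for this sketch: elements that an authenticated scan detects
# more reliably. The text leaves the per-element choice to the scan logic.
AUTH_SENSITIVE = {"os", "installed_software"}


@dataclass
class ScanJob:
    scan_id: int
    authenticated: bool
    port_range: range        # TCP ports this job was allowed to probe
    findings: dict           # element name -> discovered value


@dataclass
class Element:
    value: object
    authenticated: bool      # provenance of the stored value
    scan_id: int


@dataclass
class AssetRecord:
    elements: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # (scan_id, element, decision)


def normalize(record: AssetRecord, job: ScanJob) -> None:
    """Merge one scan job into the stored record, element by element."""
    for name, value in job.findings.items():
        current = record.elements.get(name)
        if (current is not None and name in AUTH_SENSITIVE
                and current.authenticated and not job.authenticated):
            # The stored value came from a more authoritative scan: keep it.
            record.audit.append((job.scan_id, name, "kept"))
            continue
        if name == "open_ports":
            # A port-limited scan says nothing about ports it never probed,
            # so only the probed slice of the stored list is replaced.
            stored = current.value if current else []
            unprobed = {p for p in stored if p not in job.port_range}
            value = sorted(unprobed | set(value))
        record.elements[name] = Element(value, job.authenticated, job.scan_id)
        record.audit.append(
            (job.scan_id, name, "created" if current is None else "updated"))


def demo() -> AssetRecord:
    """Three constructed scans of one asset, applied in order."""
    record = AssetRecord()
    jobs = [
        # Unauthenticated full-range scan: coarse OS guess.
        ScanJob(1, False, range(1, 65536),
                {"os": "Windows", "ip": "10.10.3.7",
                 "open_ports": [135, 445, 3389]}),
        # Authenticated scan: precise OS and software inventory.
        ScanJob(2, True, range(1, 65536),
                {"os": "Windows 2000 Service Pack 3",
                 "installed_software": ["IIS 5.0"],
                 "open_ports": [135, 445, 3389]}),
        # Later unauthenticated scan limited to ports 1-1024, new IP address.
        ScanJob(3, False, range(1, 1025),
                {"os": "Windows", "ip": "10.10.3.9", "open_ports": [445]}),
    ]
    for job in jobs:
        normalize(record, job)
    return record


if __name__ == "__main__":
    for name, element in demo().elements.items():
        print(name, element)
```

After the third scan the OS string from the authenticated scan survives, while the IP address and the probed part of the port list follow the newest scan.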

The user database 150 may be accessible by the user through a web application
user interface (web app UI) 160, which the user may access through a user
terminal 119 at the user site 115. By controlling the user terminal 119 and the user
database 150, the user can configure the types of tagging used, can tag assets, can
see results of the tagging, and/or run various reports. The reporting activity is
indicated on FIG. 1 by the connection between the web app UI 160 and a reporting
service 170. The reporting service is able to access the user database 150 in order
to access data with which to generate the various computer-generated reports
mentioned.

A master controller 180 is used to centrally control the various elements within the
system, including the scan logic processor 140, the user database 150, the web app
UI 160, a tagging logic engine 190, and an indexing logic processor 198. The master
controller 180 interfaces with the job management server 120 through the scan
logic processor 140, normalizing job data received from an application programming
interface (API).

The formatted scan results and scanned assets in the user database 150 may be
available to the tagging logic engine 190. The tagging logic engine 190 may include
a number of plug-ins 195. A plug-in may be defined as a customizable set of logic by
which to evaluate a tag's applicability to a specific asset 118. The plug-ins 195 may
contain various rules (depicted as Rule 1 to Rule n) that may be used to apply tags to
the asset records 118 stored in the user database 150. The asset records 118 may
have multiple tags and the tags themselves may have associated rules so that a tag
definition itself may be used to decide whether the tag should be applied to an
asset 118. Different tags may use the same kind of rule, and the logic associated
with rules may be defined and loaded in the plug-ins 195.

Tags for operating systems of the various assets may use the same "operating
system string matches pattern" rule so they may all use the same plug-in 195.
There may be several operating system tags that use one rule with a variable
applied in a certain way to apply the tags to the various assets 118. The plug-ins
195 provide an open system that can accept new rule definitions as the security
management system 100 evolves. For example, in an embodiment, if a user wants
to tag an asset 118 based on its IP address, a new IP address plug-in 195 could be
added, which could then be used to tag assets based on their IP address and physical
location.

The tagging logic engine 190 and the indexing logic processor 198 in connection
with a computer-readable medium or memory 182 of the master controller 180 use
dynamic tagging to allow the security management system 100 to scan and tag
quickly and efficiently. The master controller 180 may be a pipeline for different
events, so as a scan is being normalized, the scan logic processor 140 may begin
triggering events for the tagging logic engine 190 to re-evaluate tagging, and in
turn, signal events for indexing. In addition, as a result of what is going on in the
user database 150 via other processes, tags may be added to the assets 118 that
affect what is visible and what is not visible in the web app UI 160. The tagging logic
engine 190 can be used to determine the scope for reporting scans from the scan
logic processor 140 and used to determine the scope for future scans by the
scanners 116 via the job management server 120.

The set of assets 118 to be scanned in a subsequent scan may be determined by the
user based on a user-defined tag. For example, the user may want to scan all assets
that were previously tagged with the "Windows" tag. The "Windows" tag may then
be used to look up which assets 118 in the user database 150 have a matching tag
of "Windows" and send those Windows-tagged assets 118 to the job management
server 120 to be the targets for the scanners 116 for subsequent scans.

Hierarchically organizing the tags enables an approach by which if a user
would like to report against all Windows servers, the tag "Windows" may be
expanded down to all the tags that may be underneath it. For example, if there are
many child tags of the "Windows" tag, the user may get all assets with the tag
"Windows" or its children by performing a query against the user database 150,
which may return a large set of assets 118 that can be hierarchically grouped.
These assets 118 may be grouped because the user may choose the single tag
"Windows," which may then be expanded to each of the child tags and then
expanded to all the assets 118 that have any of those child tags. These tagged
assets 118 may then be used as the scope for the report or the scope for the scan
job.

FIG. 2 is a flowchart 200 depicting a process for normalizing asset scan data. As
shown in the figure, at action 202 scan results are received from the scanner 116
via the job management server 120. After the scan results are received, at action
204, a series of normalizer engines are invoked to process the raw data sent from
the one or more scanners 116. After the normalizer engines are invoked, at action
206 the normalized scan results are stored in the user database 150. This data is
sent to the user database 150 via the master controller 180 and once stored there
can be later used by the tagging logic engine 190 or the indexing logic processor
198. At action 208, the data may be linked to the asset 118 or a new asset 118 may
be created, if needed, by the master controller 180, and the master controller 180
may send the data linked to the asset(s) 118 to the tagging logic engine 190, as
described in more detail in FIG. 3.

Referring now to FIG. 3, a flowchart 300 depicting a process of tagging assets is
shown, in accordance with one embodiment of the present disclosure. The tagging
process was described in some detail in FIG. 1 in connection with the tagging logic
engine 190. The tagging logic engine 190 may receive data linked to the asset(s)
118, as described in FIG. 2 and shown by the label "A."

Still referring to FIG. 3, at action 302, after data is linked to the asset 118 and
received at label "A," an asset modified message may be sent by the master
controller 180 and received by the tagging logic engine 190. At action 304, once the
data has been successfully stored in the user database 150, the asset modified
message is received and processed. At action 306 a signal event may be sent to the
tagging logic engine 190. The tagging logic engine 190 then locates the new
information and invokes plug-in rules 195 upon that information from the user
database 150. At action 308 the tagging logic engine 190 may communicate
directly with the user database 150 and the resulting set of tags on the assets 118
may be stored in the user database 150. The stored tags may then be sent to the
indexing logic processor 198, as described in more detail in FIG. 4.

Referring now to FIG. 4, a flowchart 400 depicting a process of indexing assets is
shown, in accordance with one embodiment of the present disclosure. The indexing
process was described in some detail in FIG. 1 in connection with the indexing logic
processor 198. In this embodiment, the indexing logic processor 198 receives data
from the user database 150 via the master controller 180, as shown in FIG. 3 and
depicted by the labeled inputs "B" and "C."

Still referring to FIG. 4, at action 402, the indexing logic processor 198 may receive
the asset modified message from FIG. 3 from the master controller 180, as depicted
by the labeled inputs "B" and "C." At action 404, the indexing logic processor 198
may receive the asset tags data from FIG. 3 from the master controller 180. At
action 406, the indexing logic processor 198 stores the asset modified message and
the asset tags with references, which may later be searched by the indexing
logic processor 198. When the embedded data store of the indexing logic processor
198 is later searched, it is operable to return according to specified criteria. The
indexing logic processor 198 may be invoked twice because the same asset
modification message may be generated again when the tags are stored or
changed.

Referring now to FIG. 5, an exemplary tag-to-asset relationship structure 500 is
shown. In the illustrated tag-to-asset relationship structure 500, a tag table 502 may
comprise ID, parent, and name fields. The illustrated asset table 506 comprises ID
and name fields, and as indicated, it contains other types of information. As shown at
504, the asset ID may link to ASSETID and the tag ID may link to TAGID. The parent
field may link to the ID field for tag 502, creating a self-referencing tag table. Assets
may have multiple tags and tags may have multiple assets, so this relationship may
create a self-referencing tree out of the assets, as shown in a tree 508.

In the illustrated tree 508, every tag has an ID. For example, referring to the tree
508, there can be tags for "Windows" (ID1), "Windows 2000" (ID2), "Windows 2008"
(ID3), "service pack 7" (ID4), "service pack 5" (ID5), "service pack 1" (ID6), and
"service pack 4" (ID7). In this instance, ID1 Windows is the root of the tree. ID2
Windows 2000's parent is ID1 Windows, ID3 Windows 2008's parent is ID1 Windows,
ID4 service pack 7's parents are ID3 Windows 2008 and ID1 Windows, as shown in a
flat two-dimensional table of the tree 508, which is well known in computer science.

The tree 508 can also be shown in a table 510, with columns representing the ID,
Parent, and Name fields, for example. Looking at ID4, in this example the figure
shows that its parent is ID3 and its name is "service pack 7." Further in this
example, ID3's parent is ID1 and its name is "Windows 2008" and ID1 does not have
a parent and its name is "Windows." An asset can have many tags, so it can be a
many-to-many asset, as shown in the illustrated tree 508. If a node in the tree 508
is chosen, it can be expanded out to all of its children to create a list 510 of the
asset IDs, parents, and names. Then, if a second node in the tree 508 is chosen, it
can also be expanded out to all of its children to create a second list 510, and the
two lists 510 may be compared to search for intersections. Intersections between
assets may allow a user to advantageously use the tree 508 over and over to
narrow down the set of assets to be compared, resulting in computational
efficiencies within the security management system 100.
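
The self-referencing tag table, the expansion of a chosen tag to its children and the intersection of two expanded lists, as an added example using Python's sqlite3 module (not code from the patent). The asset_tag link table name, the parents of tags ID5 to ID7, the "Human Resources" subtree and all asset rows are constructed for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE tag (id INTEGER PRIMARY KEY,
                  parent INTEGER REFERENCES tag(id),
                  name TEXT NOT NULL);
CREATE TABLE asset (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE asset_tag (assetid INTEGER REFERENCES asset(id),
                        tagid INTEGER REFERENCES tag(id),
                        PRIMARY KEY (assetid, tagid));
"""

# (id, parent, name). Rows 1-4 follow the text; the rest are assumed.
TAGS = [
    (1, None, "Windows"),
    (2, 1, "Windows 2000"),
    (3, 1, "Windows 2008"),
    (4, 3, "service pack 7"),
    (5, 3, "service pack 5"),      # parent assumed
    (6, 2, "service pack 1"),      # parent assumed
    (7, 2, "service pack 4"),      # parent assumed
    (8, None, "Human Resources"),  # second root, assumed
    (9, 8, "Payroll"),             # assumed child tag
]
ASSETS = [(1, "Server1"), (2, "Server2"), (3, "Server3"),
          (4, "Server4"), (5, "Laptop5")]
# Many-to-many links: an asset may carry tags from several subtrees.
ASSET_TAGS = [(1, 4), (2, 6), (2, 9), (3, 3), (4, 7), (4, 8), (5, 9)]

# Walk from the chosen tag down through every descendant, then collect the
# assets carrying any tag in that subtree. UNION (rather than UNION ALL)
# discards repeated rows, so the walk also terminates if a bad edit ever
# makes the parent column contain a cycle.
EXPAND = """
WITH RECURSIVE subtree(id) AS (
    SELECT id FROM tag WHERE name = ?
    UNION
    SELECT t.id FROM tag t JOIN subtree s ON t.parent = s.id
)
SELECT DISTINCT a.name
FROM asset a JOIN asset_tag l ON l.assetid = a.id
WHERE l.tagid IN (SELECT id FROM subtree)
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tag VALUES (?, ?, ?)", TAGS)
    conn.executemany("INSERT INTO asset VALUES (?, ?)", ASSETS)
    conn.executemany("INSERT INTO asset_tag VALUES (?, ?)", ASSET_TAGS)
    return conn


def assets_under(conn: sqlite3.Connection, tag_name: str) -> set:
    """Assets tagged with tag_name or any tag beneath it in the tree."""
    return {row[0] for row in conn.execute(EXPAND, (tag_name,))}


def assets_matching_all(conn: sqlite3.Connection, *tag_names: str) -> set:
    """Intersection of the expanded lists, usable as a scan or report scope."""
    expanded = [assets_under(conn, name) for name in tag_names]
    return set.intersection(*expanded) if expanded else set()


if __name__ == "__main__":
    db = build_db()
    print(sorted(assets_under(db, "Windows")))
    print(sorted(assets_matching_all(db, "Windows", "Human Resources")))
```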

Referring now to FIG. 6, a tag-to-asset relationship 600 is shown in accordance with
an embodiment of the present disclosure. In the tag-to-asset relationship 600, tags
602, 604, and 606 are shown, along with assets 612, 614, and 616. In a user
interface corresponding to this structure, the tag-to-asset relationship may be
shown by a dotted tag 608, where tag 604 may be moved to asset 612 either by a
drag-and-drop method, a check-a-box-with-a-button method, or any other user
interface (UI) implementation. Likewise, in the present embodiment, the
asset-to-tag relationship is shown by a dotted asset 610, where asset 614 is moved to tag
606 either by a drag-and-drop method, a check-a-box-with-a-button method, or any
other UI implementation.

Referring now to FIG. 7, a tag tree organization 700 is shown in accordance with an
embodiment of the present disclosure. In the illustrated tag tree organization 700,
tag 702 is a parent tag with child tags 704, 706. Tag 704 may have child tags 708,
710. Tag 706 may have a child tag 712, and tag 706 and its child 712 may be
moved to be a child and grand-child of tag 708 by dragging-and-dropping tag 706
onto tag 708, as shown by dotted tag 714. The hierarchical nature by which a user
can organize the tags creates a one-parent, many-child relationship. The tag history
may be made available so that a specific tag may be assigned to certain assets or
may be altered by a user. In addition, more details about the tag, such as its name,
type, the logic rule used to assign it, the parameters for that logic rule, among
others, may be available through many different UI interactive models, such as a
context-menu, a dialog, or a hover.

Referring now to FIG. 8, a screen shot 800 of a tag's history is shown, in accordance
with an embodiment of the present disclosure. In the illustrated screen shot 800,
one or more tags are shown in a left-hand column, and when a particular tag is
selected its tag history may be detailed in a right-hand column. The tag history may
be made available so that when a tag is assigned to a specific asset or tag, there
may be a global audit log of that tag's specific history. In the screen shot 800
shown, when "Tag 4" is selected, the right-hand column shows that "Sean" added
the tag on date xx/xx and then the system assigned the tag by a rule on date
xx/xx.

Referring now to FIG. 9, a screen shot 900 of scan-to-tag results is shown in
accordance with an embodiment of the present disclosure. The illustrated screen
shot 900 shows one or more scans in a left-hand column, and when a particular
scan is selected the user can learn what actions occurred as a result of the
information gathered from that particular scan in a right-hand column. A scan may
then be traced to determine if it was run against a series of devices so that the
results of the scan can be tracked to the tags' asset organization. In the screen shot
shown, when "Scan 511" is selected, the right-hand column shows that tag "XYZ"
was added to the asset "Server4."

Referring now to FIG. 10, a screen shot 1000 of tag-to-asset and scan-by-tag is
shown in accordance with an embodiment of the present disclosure. The illustrated
screen shot 1000 shows one or more specific search filters in a left-hand column
that may be used to target scans or report bulk actions resulting in a list of assets in
a right-hand column. By organizing assets, a user may be able to create reports on
the assets, see intersections between tags, or target scans by tags. The results of a
scan may populate data by asset, and that data may then be used to assign tags
based on certain rules. In the illustrated screen shot shown, specific filters such as a
text search box field, a "Last Scanned" with a date range field, or a "Tags" search
box may be used to return specific assets, each with a name and type of asset
("NAME1" and "TYPE1," etc.), among many other features, listed. This result may then
be used as targeting for a subsequent scan, report, or any kind of bulk action. Filters
may be used to find multiple assets and to report on them and scan them on certain
days. The results may change as tagging is dynamic, and as a result, the list of
assets returned by the query may change on that certain day each week.

Advantageously, this may limit the starting point of each subsequent scan on that
certain day of the week so that the entire set of assets may not have to be scanned
each week. For example, many companies require employees to manage the lists of
assets scanned each Monday. The tags may dynamically keep track of all of the
information about the assets, and then the tags may be used as search criteria so
that the scan target may only have to scan each asset with a certain tag, even if the
IP address of the tag may later change.

Referring now to FIG. 11, a screen shot 1100 of rule engine auditing and rule setup
is shown in accordance with an embodiment of the present disclosure. In the
security management system 100, a user may apply tags to assets or the system
may apply tags to assets. When the user applies a tag to an asset, the tagging logic
engine 190 will not remove it. However, when the user removes a tag from an asset
that the tagging logic engine 190 applied, a "ban" may optionally be created,
preventing the tagging logic engine 190 from adding that tag back to the assets
118 in the future. The tagging logic engine 190 may log the time each time the user
bans a tag that the tagging logic engine 190 wants to apply. These logs may be
stored in the user database 150 and are available through the web app UI 160. A
user may care about two functionalities: first, given a rule, what is the rule doing;
and second, if a new rule is composed and enacted, where does the rule apply. The
interface is shown in the screen shot 1100.

In the illustrated screen shot 1100, a left-hand column lists tags while a right-hand
column lists rules and a history of actions. For example, when "Tag 3" is selected,
the rule may state "Apply to assets when the OS contains Windows." The history of
the actions may show that this rule was applied to asset 1, asset 2 and so on, but
was "skipped on asset n because it was banned by the user." The user may have
the option of editing the rule for Tag 3 when it is selected. The tag asset rule may
be edited by double-clicking on the asset, and the audit tag history may be viewed
by a single left click or right click on the asset.
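
The rule, ban and audit-history behaviour described for FIG. 11, as an added Python sketch (not code from the patent). The class and method names, the removal of a rule-applied tag once its rule stops matching, and the sample assets are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Asset:
    name: str
    attrs: dict
    user_tags: set = field(default_factory=set)   # applied by a person
    rule_tags: set = field(default_factory=set)   # applied by the engine
    banned: set = field(default_factory=set)      # engine may not re-add these

    def tags(self) -> set:
        return self.user_tags | self.rule_tags


def os_contains(pattern: str):
    """One rule kind shared by many tags, parameterised by a pattern."""
    return lambda asset: pattern.lower() in asset.attrs.get("os", "").lower()


class TaggingEngine:
    def __init__(self):
        self.rules = {}      # tag name -> predicate over an Asset
        self.history = []    # audit log: (utc time, tag, asset name, action)

    def _log(self, tag: str, asset: Asset, action: str) -> None:
        stamp = datetime.now(timezone.utc)
        self.history.append((stamp, tag, asset.name, action))

    def evaluate(self, asset: Asset) -> None:
        """Re-run every rule against one asset; user_tags are never touched."""
        for tag, rule in self.rules.items():
            matches = rule(asset)
            if matches and tag in asset.banned:
                self._log(tag, asset, "skipped: banned by user")
            elif matches and tag not in asset.rule_tags:
                asset.rule_tags.add(tag)
                self._log(tag, asset, "applied by rule")
            elif not matches and tag in asset.rule_tags:
                # Assumed behaviour: a rule-applied tag follows the attribute.
                asset.rule_tags.discard(tag)
                self._log(tag, asset, "removed by rule")

    def user_add(self, asset: Asset, tag: str) -> None:
        asset.user_tags.add(tag)
        self._log(tag, asset, "added by user")

    def user_remove(self, asset: Asset, tag: str, ban: bool = True) -> None:
        asset.user_tags.discard(tag)
        action = "removed by user"
        if tag in asset.rule_tags:
            asset.rule_tags.discard(tag)
            if ban:
                # Optional ban: the engine will log and skip from now on.
                asset.banned.add(tag)
                action = "removed and banned by user"
        self._log(tag, asset, action)


def demo():
    """Constructed walk-through using the 'Tag 3' rule quoted in the text."""
    engine = TaggingEngine()
    engine.rules["Tag 3"] = os_contains("Windows")
    a1 = Asset("asset 1", {"os": "Windows 2008"})
    a2 = Asset("asset 2", {"os": "Windows 2000 Service Pack 3"})
    a3 = Asset("asset 3", {"os": "Linux"})
    assets = [a1, a2, a3]
    for asset in assets:
        engine.evaluate(asset)
    engine.user_remove(a2, "Tag 3", ban=True)   # user overrides the engine
    engine.user_add(a3, "Tag 3")                # user tag the rule would not give
    a1.attrs["os"] = "Linux"                    # attribute changes on rescan
    for asset in assets:
        engine.evaluate(asset)
    return engine, assets


if __name__ == "__main__":
    eng, _ = demo()
    for stamp, tag, asset_name, action in eng.history:
        print(stamp.isoformat(), tag, asset_name, action)
```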

Each rule may have a dedicated interface to edit it with. Simple rules may include
whether an asset is running the Windows OS. Other rules may be more complex and
may include yes/no settings, drop down settings, or text fields. Each tag rule may
have a different screen in the web app UI 160, and how the user chooses to
configure the settings in that screen may determine how the tag functions in their
particular environment. A user may create a tag rule that is based on the
vulnerability tag engine. The same tag rule may be used by two different users with
slightly different configurations, and therefore, may appear as different assets in
each case.

Referring now to FIG. 12, a screen shot 1200 of asset details and attributes is shown
in accordance with an embodiment of the present disclosure. When an asset is
opened, the illustrated screen shot 1200 shows at a high level a name value pair list
that may include the asset's name, OS, last scan, tags, software, among other
attributes, allowing the user to access all information for a specific asset in the user
database 150. In the example in screen shot 1200, the asset is "Asset 17" and the
user may select the Name, OS, Last Scan, Tags, Software, etc. for Asset 17. When
"OS" is selected for Asset 17, it shows that the OS is "Windows 2000 Service Pack
3." If the user selects tags, the user will then see all of the tags associated with asset
17.

Referring now to FIG. 13, a flowchart for the process of asset discovery 1300 is
shown in accordance with an embodiment of the present disclosure. Often, a user
will know that they have a particular device in a certain location, but will not realize
which assets they might have at the current time. Because tags are the basis for
organization, some tags may be associated with a range of network addresses. The
illustrated process 1300 may allow the scanner 116 to go into a discovery mode
where it can scan for tag windows that relate to the network range. In response, the
user may want to instruct the scanner 116 to find all of the devices that it can, but
in order to do this, the management security system 100 may need to create an
instruction that can be passed down hierarchically that gives the scanner 116 certain
instructions.

In the illustrated process 1300, at action 1302 the management security system
100 tells the scanner 116 the known range of IP addresses at a particular location
and instructs the scanner 116 to find those addresses. In the example shown, the
scanner 116 may search for IP network ranges comprising "*.qualys.com
10.10.3.0/16 ipv6-disco." This action may occur at the web app UI 160. At action
1304, instructions are sent to the scanner 116. This action may occur at the
management security system 100 level. At action 1306, the scanner 116 may return
the discovered assets 118 and basic information to be normalized by the scan logic
processor 140.

For example, if a user does not realize which assets they may have, but knows they
have a scanner 116 in a particular office in Redwood City, Calif., the user may
instruct the scanner 116 to find every asset 118 that it can. The security
management system 100 may then create an instruction in the job management
server 120 via the web app UI 160 to tell the scanner 116 the known range of IP
addresses in the Redwood City office and to find assets 118 within that IP range.

Discovery scans may be conducted on a regular basis to discover which assets 118
are located in the network based on IP ranges. The scanners 116 may be configured
to scan all of the networks within a certain IP range on a given day each week, for
example every Monday. These discovery scans may collect enough information to
put the asset 118 in the user database 150 and assign it a few simple tags. The
discovery scans may be running in the background scanning the user's IP space.
The scans that may be conducting vulnerability testing and other more complex,
time-consuming scans may be targeted at specific tags. The scanner 116 may then
be instructed to look at a specific list of assets 118 that have been queried in the
user database 150 for a particular tag, creating a more targeted, specific scan,
which results in a more efficient scan.

Referring now back to FIG. 1, one of the advantages of the security management
system 100 is that given the very hard network boundary between the user site 115
and the security management system 100, the scanner infrastructure 116 may be
able to collect the data that is required for the scanning and tagging processes.
Because the information that needs to be evaluated for which tag should be applied
rests inside the asset 118 on the user site 115, it may only be accessible by the
scanner 116. Accordingly, the first step in the described embodiments is to get that
information from the scanners 116 to the security management system 100 so that
it can be processed by the job management server 120. Once the data is scanned,
it may be tagged and organized so that it can become searchable. The scan logic
processor 140 normalizes the results from job management server 120 so that the
tagging logic engine 190 may interpret the data.

The interpretation phase may take this data, which may consist of many named value
pairs, lists of values, and lists of numbers, and interpret that data using plug-in rules 195
to determine which tags should be applied to the assets for organizational purposes.
Once the interpretation phase is complete, the next step may involve indexing by
the indexing logic processor 198. The indexing logic processor 198 may provide a
fast and efficient method for searching tags. The indexing logic processor 198 can
quickly identify all of the assets that have a particular tag, have more than one
particular tag, or have a particular tag plus additional information that was not
interpreted into a tag. For example, if the user wants to search for the "Windows"
tag, a "Human Resources" tag, and a name which must contain the string "S", then
there are three different evaluations, all of which may be combined by the indexing
logic processor 198 to return a set of asset IDs which may then be used to either
generate a report or start an additional scan.

While all of the information may be scanned, it is possible that some of the data
collected by the scanners 116 from the assets 118 and stored by job management
server 120 in the job management database 130 may be unimportant to the
tagging logic engine 190 because it is information that the user does not care to use
in a particular instance. For example, the data may contain a certain set of
registry keys that are irrelevant to the minimum password length required for a user
to log into the asset 118 on the user site 115 and there may not be any tag rules
that concern this particular value. And so while the data may be stored both in the
job management database 130 in its un-normalized form and in the user database
150 in its normalized form, in a particular embodiment this information may not be
interpreted by the tagging engine 190 because no rules would be developed for
those particular data points. However, the user could always create a new rule if
s/he wanted, and that rule could be evaluated after the initial scan time without
additional scans. Any data that is stored may be readily available to the tagging
logic engine 190 without requiring additional scans, improving the efficiency of the
security management system 100.

In a second embodiment, a method is provided for tagging and assignment of
access levels whereby system resources, users, and applications all have tags and
those tags all have the same structure. Because a given user may have any number
of associated assets in a system, and because of how the user interacts at their
user terminal 119 with the web app UI 160 and the remote communications network
110, access controls may be built into the system 100. The primary scope of the
control may relate to access to the assets 118 themselves. More simply, one user
may be responsible for a certain set of assets at the user site 115, while another
user may be responsible for a different set of assets at the same user site 115.
Identifying the direct user-to-asset relationship may be extremely time consuming if
you were to have to relate the user directly to all of their associated scanned assets.
A level of aggregation may be required and that aggregation ideally would be
dynamic because this set of assets 118 may actually be a very dynamic
environment. For example, as servers are provisioned, decommissioned, turned on
or off, or perhaps re-commissioned in other roles in an organization, the asset 118
may need to be accessible and managed by several users in the application.

In order to make management somewhat automatic, the security management
system 100 can use the tags assigned by the tagging logic engine 190 to provide a
level of aggregation. The tagging logic engine's 190 job may be to look in and
evaluate visible rules in order to apply and/or remove tags on assets 118 as they
are scanned. The tagging logic engine 190 may stay busy on a regular basis
keeping these tags up-to-date.

For example, an Administrator User may use the security management system 100
to make User 1 responsible for all Windows servers by creating a relationship
between User 1 and the tag "Windows", and the tagging logic engine 190 may keep
the tag "Windows" on the correct assets 118 on a regular basis. As new Windows
servers appear and old servers disappear, the tagging logic engine 190 may keep
the tag "Windows" on the correct assets 118. The security management system 100
may not need to understand anything about what it means to have access to the
"Windows" tag; the security management system 100 may know that anything
tagged with "Windows" may be accessible by User 1. This can be accomplished with
the same intersecting powers as the reports and job targeting so that, for example,
User 1 may only have access to assets tagged with "Windows" and "Human
Resources", which may reduce the scope of the assets that User 1 can modify and
disconnects the requirement for the "Windows" tag and "Human Resources" tag to
be managed together on a regular basis.

For example, the "Windows" tag may be easily applied to servers based on the
operating system discovered on the server by the scanner 116. On a regular basis,
and without user or administrator involvement, the "Human Resources" tag in this
example could be applied to assets based on their IP addresses, which may be
discovered by the scanner 116 and passed through the security management
system 100 and finally normalized by the scan logic processor 140 and stored in the
user database 150. The data may then be interpreted by tagging logic engine 190
and the user may then specify that all assets in a certain sub-net must be tagged
with the "Human Resources" tag. When tags are automatically applied to the
assets 118 via the tagging logic engine 190, it may be more predictable, reliable
and less susceptible to human error because instead of allowing an administrator or
a user to assign these tags, tags may be applied based on the stored rules.

The hierarchy of the tags may make it such that the scope of a user's permissions
is hierarchical as well, because giving the user the scope of the "Windows" tag
may give the user access to all Windows servers. Should the "Windows" tag have
child tags, it would give the user access to any asset tagged with those child tags.
The hierarchy, which is not necessarily always evaluated but simply exists as a data
structure, can be quickly queried to determine what assets 118 may be in the scope
of the "Windows" tag's sub-tree. By creating hierarchy, it may become easier to
administrate tags that map to a business and its organization. As a result, there
may be hundreds of tags that are all siblings for the various versions and types of
computer operating systems (e.g., Windows 95, Windows 98, Windows 2000, etc.)
and these separate tags may all be combined under one tag called "Windows". The
user may be granted access to all of these Windows version tags by creating
only one relationship. Throughout this process, scanners 116 may be discovering
and searching assets 118 for pieces of information and applying the specific
Windows version tags to the Assets.

Assets themselves are not the only things that can be tagged in the presently
described embodiment. As the security management system 100 can be very large,
there may be lots of pieces of information within it. Some examples include:
vulnerability ID search lists, option profiles, credential lists, etc., which may all
require a human to tag them. Using the tag relationships, the security management
system 100 may operate under some specific rules wherein the user is granted
access to a tag and the tag is related to the secured object. The relationship of a user
to a set of tags implies that all data objects in the security management system 100
that have tags which are either in the user's set of tags, or are children of a tag in
the user's set of tags, are thusly within the user's scope of accessible objects.

The users coming in through user terminal 119, whether at the user site 115 or
elsewhere, may use the web app UI 160 to affect the tags stored in the user
database 150. This happens asynchronously from the evaluation of the tag logic to
apply or remove tags to objects as scans or other system data is being modified.
The web app UI 160 may also allow the user to control the rules that the tagging
logic engine 190 is following so that the appropriately permissioned user can come
in through the user terminal 119 using web app UI 160 and modify the rules stored
in user database 150 that the tagging logic engine 190 is reading and using to apply
the tags.

The logic framework for the rules of the plug-ins 195 may be written in code by
programmers. The variables that the plug-in 195 reads, for example, the operating
system regular expression, may specify that the operating system must match the
given expression and that expression may be given by the user as a variable to the
rule. That variable may be stored in the user database 150 related to that particular
user so that when the user creates a particular plug-in rule 195, the user may fill in
details controlling the evaluation of the rule. The user may be allowed to fill in one
or more key values that complete a rule. In simpler terms, the logic may be written
by programmers, while the user fills in a few words to create the functional plug-in
rule 195.

In a third embodiment, a method is disclosed herein for auditing and then assigning,
monitoring, reporting on, or fixing specific machine vulnerabilities based on
operating system tags. Part of the data in the user database 150 that was fetched
by the scanner 116 and transferred to job management server 120 may be the
state of the vulnerabilities of the assets 118 in the user site 115. This may allow the
security management system 100 to know if there is a particular vulnerability on
each and every asset 118 that can then be used to tag and create a score that may
be reported against. For example, the user may request that the system locate all
of the assets that are tagged with "Windows" that also contain a particular
vulnerability detection. A detected vulnerability, for example, may be a buffer
overflow attack which we identify uniquely with a QID. The first thing that the
security management system 100 may do is to take the tag and query for the
assets 118 that are tagged with that particular tag ID and compare that list against
the user database 150 to find all of the assets that also contain that particular
vulnerability. Then, the tag and the vulnerability may create an intersection that can
be returned to the user as a list of found assets.

All of the vulnerabilities that can be detected may have an ID. A particular
vulnerability detection on a specific host may consist of many different pieces of
information about the asset 118. Once the security management system 100
processes and stores these particular pieces of information, it can determine
whether the asset is vulnerable (or potentially vulnerable) to an attack. If so, that
vulnerability may be assigned an ID. A library of these possible vulnerabilities may
be maintained, which may contain entries such as "Buffer overflow attack against
Windows file sharing service". The scanner 116 may be able to detect these IDs to
determine the vulnerability state for particular assets 118. Among the many data
points and elements that the scanner 116 sends back as a result of a scan, it may
send a list of vulnerabilities detected. In certain instances, a user may choose to tag
assets based on whether the asset 118 has, or does not have, a detected
vulnerability with a specific ID.

This embodiment may create an intersection between the ID information that is
already gathered and stored and the tagging information, which is new information
that is gathered by the tagging logic engine 190. Instead of using the tags as an
additional filtering parameter, they may be used as a grouping parameter, providing
a quick count of assets in particular groups and also exhibiting certain attributes or
vulnerabilities.

For example, assume that a user has a very keen interest in attaching an ID on all of
their credit card processing machines or any machine involved in credit card
processing. This user has created a series of plug-in rules 195 in the tagging logic
engine 190 that may uniquely identify all of the assets 118 at the user site 115 that
are involved in credit card processing. So the plug-in rule 195 being evaluated by
the tagging logic engine 190 may visibly attach a tag called "credit card processing"
on several assets 118. The user may also want to know which, if any, of all their
credit card processing assets includes routers and servers and different operating
systems that may have a particular set of IDs. This set of information was not
previously available until the tagging logic engine 190 was introduced because
predecessors could not easily and uniquely identify the credit card processing
assets 118 from any of the other assets 118.

In a fourth embodiment, a method is disclosed herein for applying the tagging logic
engine 190 to automatically assign tags. The tagging logic engine 190 may contain
a series of plug-in rules 195 that are designed to be an ever increasing set
containing two aspects: one is the basic logic that they follow, and two is the
variables that are set by the user. This series of plug-in rules 195 may be written by
programmers and contain a particular sentence or logic structure. For example, the
user can say, "name contains [x]" or it could be a very complex something like,
"past vulnerabilities contain vulnerabilities of [variable 1, 2, 3, 4, 5] and assets
scanned within [date range]". The sentence structure and available variables may
be set by the programmer creating the plug-in 195, while the values of the variables
may be modifiable by the end-user.

Once the programmers have written several rules that they think will be useful to
end users, the user may then be free to take those rules and fill in the variables and
use them to apply tags automatically. Several of these rules may have been
pre-populated for the users. For example, operating system rules may come
pre-populated. But in other cases, the tagging logic engine 190 and plug-in rules 195
may be available for the user to use. For example, the user may say, "I would like to
make a new tag based on an IP address rule, and I want to assign the tag 'HR asset'
to anything in the 10.10.10/255 network." The programmers may have written a
rule that lets the user do the network check against an IP address so that the user
only has to fill in the IP address of 10.10.10/255. The tagging logic engine 190
may be evaluating IP addresses and applying the "HR asset" tag to the assets
automatically all the time in the background.
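The split described above, with programmers writing the rule logic and the end user supplying one variable, can be sketched as follows. This is an added example, not code from the disclosure: the plug-in names, the `TagRule` and `make_rule` helpers, the sample assets, and the CIDR network `10.10.10.0/24` (an assumed well-formed stand-in for the network the user names) are all hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass

# Rule logic written once by programmers. Each plug-in receives one asset's
# normalized attributes and the single variable the end user filled in.
def name_contains(asset, value):
    return value.lower() in asset.get("name", "").lower()

def os_matches(asset, value):
    return re.search(value, asset.get("os", ""), re.IGNORECASE) is not None

def ip_in_network(asset, value):
    net = ipaddress.ip_network(value)
    for raw in asset.get("ips", []):
        try:
            if ipaddress.ip_address(raw) in net:
                return True
        except ValueError:
            continue  # ignore malformed addresses in scan data
    return False

# plug-in name -> (evaluation function, validator for the user's variable)
PLUGINS = {
    "name_contains": (name_contains, str),
    "os_matches": (os_matches, re.compile),
    "ip_in_network": (ip_in_network, ipaddress.ip_network),
}

@dataclass(frozen=True)
class TagRule:
    tag: str
    plugin: str
    value: str

def make_rule(tag, plugin, value):
    """Validate the user-supplied variable before the rule is stored."""
    if plugin not in PLUGINS:
        raise ValueError(f"unknown plug-in: {plugin}")
    try:
        PLUGINS[plugin][1](value)
    except (re.error, ValueError) as exc:
        raise ValueError(f"bad value for {plugin}: {value!r}") from exc
    return TagRule(tag, plugin, value)

def evaluate(asset, rules, current_tags):
    """Return the asset's new tag set.

    Tags owned by a rule are applied or removed to match the latest scan;
    tags not owned by any rule (manual tags) are left alone. Only this one
    asset is inspected, so assets can be evaluated in parallel.
    """
    rule_tags = {r.tag for r in rules}
    matched = {r.tag for r in rules if PLUGINS[r.plugin][0](asset, r.value)}
    return (set(current_tags) - rule_tags) | matched

# Constructed sample rules (not from the page).
RULES = [
    make_rule("Windows", "os_matches", r"^Windows\b"),
    make_rule("HR asset", "ip_in_network", "10.10.10.0/24"),
    make_rule("Database", "name_contains", "db"),
]

def demo():
    """Two constructed scans of one asset: it changes subnet between scans."""
    scan1 = {"name": "hr-db-01", "os": "Windows Server 2008",
             "ips": ["10.10.10.7", "not-an-ip"]}
    first = evaluate(scan1, RULES, {"recently modified"})
    scan2 = dict(scan1, ips=["10.10.20.7"])
    second = evaluate(scan2, RULES, first)
    return first, second

if __name__ == "__main__":
    for tags in demo():
        print(sorted(tags))
```

After the second scan the rule-owned "HR asset" tag is removed while the manually applied "recently modified" tag survives, which is the apply-and-remove behaviour the tagging logic engine is described as maintaining in the background.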

For things that cannot be easily determined programmatically by the computers, a
user may assign tags to assets manually. For example, a particular asset 118 that
recently had a hard drive replacement or recent hardware change is something that
a human would tag because it may be difficult to write a tagging rule 195 to
determine those events. There may be several use cases for the idea that IT
administrators should tag assets that they are working on so those assets can be
more closely scrutinized over the next couple of months to assure that the changes
made to those assets did not incur additional vulnerabilities. This may be a case
where an IT administrator would use their user terminal 119 and web app UI 160 to
manually apply the tag "recently modified" to the assets that they worked on that week. The
scans that may already be run on a regular weekly basis can be targeted at all
assets tagged "recently modified" so that those assets can be more closely scrutinized at a
later time.

In a fifth embodiment, a method is disclosed herein for the meshing and merging of
tag hierarchies applied to report generation. As discussed earlier, the data structure
behind the tags may be hierarchical such that one tag has a parent and a parent
tag can have multiple children. This is a single-parent hierarchy, creating basically a
tree.

Because of this tree hierarchy and the idea that users are allowed to map
intersections, there also needs to be a tree hierarchical intersection. For example, if
the user would like to run a report on all assets tagged with both "Windows" and
"HR", this would require a tree intersection because when evaluating several child
tags and an entire hierarchy below them, there could be a lot of different tags
underneath the "HR" tag. By being hierarchical, the security management system
100 may give the user the ability to create the situation where the security
management system 100 may map an intersection between the two tags in order to
accurately determine what assets would be in scope if you chose to run a report
against the "Windows" tag plus the "HR" tag. This may be done by saying, first
expand all the "Windows" children, then expand all the "HR" children. Given these
two sets of tags, with the user wanting to find all assets that contain at least one
tag from set A and at least one tag from set B, an intersection can be computed.
Once the system evaluates and locates the assets tagged with these tags, it may
enable reports to be made against small subsets of the enterprise's assets 118.
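The tree intersection described above, and the tag-based access scope from the second embodiment, can be worked through in a short added example (not code from the disclosure). The `TagTree` class, the tag-to-asset index, the grant format (each grant is a tuple of tags that must all match; a user's scope is the union of grants) and the sample data are assumptions made for illustration.

```python
class TagTree:
    """Single-parent tag hierarchy: every tag has at most one parent."""

    def __init__(self):
        self.parent = {}
        self.children = {}

    def add(self, tag, parent=None):
        if tag in self.parent:
            raise ValueError(f"tag already exists: {tag}")
        if parent is not None and parent not in self.parent:
            raise ValueError(f"unknown parent tag: {parent}")
        self.parent[tag] = parent
        self.children[tag] = set()
        if parent is not None:
            self.children[parent].add(tag)

    def expand(self, tag):
        """Return the tag together with every descendant (its sub-tree)."""
        if tag not in self.parent:
            raise KeyError(tag)
        seen, stack = set(), [tag]
        while stack:
            current = stack.pop()
            if current not in seen:
                seen.add(current)
                stack.extend(self.children[current])
        return seen

def tree_intersection(tree, index, roots):
    """Assets carrying at least one tag from EACH root's expanded sub-tree.

    `index` maps a tag to the set of asset IDs that carry it directly.
    """
    result = None
    for root in roots:
        hits = set()
        for tag in tree.expand(root):
            hits |= index.get(tag, set())
        result = hits if result is None else result & hits
    return result if result is not None else set()

def user_scope(tree, index, grants):
    """Union of the intersections an administrator granted to one user.

    A grant that names a tag no longer in the tree contributes nothing,
    so a deleted tag can never widen access (fail closed).
    """
    scope = set()
    for grant in grants:
        try:
            scope |= tree_intersection(tree, index, grant)
        except KeyError:
            continue
    return scope

def build_sample():
    """Constructed hierarchy and tag index, for illustration only."""
    tree = TagTree()
    for tag, parent in [("Windows", None), ("Windows 2000", "Windows"),
                        ("Windows Server 2008", "Windows"), ("HR", None),
                        ("HR Payroll", "HR"), ("HR Recruiting", "HR"),
                        ("Linux", None)]:
        tree.add(tag, parent)
    index = {
        "Windows": {6}, "Windows 2000": {1, 2}, "Windows Server 2008": {3},
        "HR Payroll": {2, 3}, "HR Recruiting": {4}, "Linux": {4, 5},
    }
    return tree, index

if __name__ == "__main__":
    tree, index = build_sample()
    print(sorted(tree_intersection(tree, index, ["Windows", "HR"])))
    print(sorted(user_scope(tree, index, [("Windows", "HR"), ("Linux",)])))
```

Storing the result of `user_scope` per user and refreshing it when tag relationships change corresponds to the pre-computed intersections the disclosure describes for keeping the UI responsive.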

Some pre-computed intersections may be stored for the purpose of applying
security in a timely fashion. For example, in the case of the security aspect, if one
user comes into user terminal 119 to use the web app UI 160, the web app UI 160
may need to be very responsive. As a result, in cases where assets have to be listed
out or shown, the query may need to respond in a very short amount of time.
Evaluating this tree intersection is something that may be computationally
intensive, so the security management system 100 may pre-compute these
intersections so they may be quickly accessed at a later time. One of the
pre-computed intersections may be related to security, if, for example, an administrator
had previously configured a particular user to be allowed access to all assets tagged
with both "Windows" and "HR" tags. That intersection may be pre-computed so that
the security subsystem may compute and store this set of values on a regular basis.
When the user accesses the web app UI 160, a pre-computed intersection of all of
the asset IDs that the user could have access to already exists in the user
database 150 and may be easily accessible. This may create yet another set of
tables that may be updated by triggers within the user database 150 that may be
watching for changes to the tag relationships in order to modify the pre-computed
intersections as quickly as possible.

This may be basically the same premise as in the third embodiment
discussed above, where a user may use all of the tag aggregations to target a scan
for particular vulnerabilities. For example, in the recently scanned machines
example that was discussed above, the user may want to use all the output of the
tagging logic engine 190 that is stored in the user database 150 to create a list of
targets to send to the job management server 120 to scan, because when the
scanners 116 are scanning the assets 118 in the user site 115, they may be given a
list of targets to scan. The scanners 116 may not have to target every asset 118
that they encounter, which may allow the security management system 100 to
create a target list based on the scan output from a previous scan that was
interpreted by the tagging logic engine 190. On the other hand, if the targets were
not previously interpreted by the tagging logic engine 190, there may not be an
option to limit the scan targets by tags, and the scanners 116 may have to target
every asset 118. Once a scan is completed and some information is discovered
about the assets 118, that information may be used to then determine what to scan
in the future, and this process may keep repeating itself.

In a sixth embodiment, a method is disclosed herein for coalescing technical and
nontechnical assets 118 into a single hierarchy. In this embodiment, users and
departments may be manually configured in the user database 150 so that
intersections can be run between those, allowing for reports based on particular
users and departments. Particular users may have security access based on the
idea that all of the tags may have the same hierarchical structure for both technical
and nontechnical assets 118 that are stored in the table along with all the other
technical assets 118. So in the user database 150 there may be one table that is
called "Assets" and this table may contain both technical and nontechnical assets
118 so that a department may be a row just like a server may be a row. This means
that the nontechnical assets may get all of the same tagging powers and abilities as
the technical assets. While it is probably not relevant to say that a department has
an IP address, it is relevant to say a department has an attribute like what city it is
in. Because of this, a user may create a tag rule that says if the attribute "city"
contains the string "Denver", then tag this asset with "Colorado", for example.
The same dynamic tagging powers can be used against nontechnical assets 118 by
reading different attributes. These attributes may be set almost entirely through the
user terminal 119 and the web app UI 160, as opposed to the technical assets,
which get most of their attributes through data scans, through the scanners 116,
and through the job management server 120 structure.

There are some attributes of an asset 118 that could be set manually on the
nontechnical assets 118, whereas that same attribute could be set automatically
from the information that the scanners bring back from technical assets 118. For
example, if the tagging logic engine 190 is trying to tag things that are in Colorado,
it can do that by IP address for the technical assets 118, but it can do it simply by
the city name for the nontechnical assets 118.

An aspect of each of the embodiments discussed above is the scalability that comes
from processing in parallel as opposed to processing in a serial way. The basic
theory is being able to break up the functions in order to process in mass and in
parallel, so that the asynchronicity is a part of the concept, as well as the scalability
to divide up the workload amongst different operating elements,
perhaps operating on different servers. The tag evaluation engine may need to be
able to work on each Asset, be it a technical asset like a machine, or a non-technical
asset like a department, without knowledge of the other Assets in the system, or a
limited knowledge of a small subset of the other Assets, in order to be horizontally
scalable.

While various embodiments in accordance with the disclosed principles have been
described above, it should be understood that they have been presented by way of
example only, and are not limiting. Thus, the breadth and scope of the invention(s)
should not be limited by any of the above-described exemplary embodiments, but
should be defined only in accordance with the claims and their equivalents issuing
from this disclosure. Furthermore, the above advantages and features are provided
in described embodiments, but shall not limit the application of such issued claims
to processes and structures accomplishing any or all of the above advantages.

For example, as referred to herein, a machine may be a virtual machine, computer,
node, instance, host, or machine in a networked computing environment. Also as
referred to herein, a networked computing environment is a collection of machines
connected by communication channels that facilitate communications between
machines and allow for machines to share resources. Also as referred to herein, a
server is a machine deployed to execute a program operating as a socket listener
and may include software instances.

Resources may encompass any types of resources for running instances including
hardware (such as servers, clients, mainframe computers, networks, network
storage, data sources, memory, central processing unit time, scientific instruments,
and other computing devices), as well as software, software licenses, available
network services, and other non-hardware resources, or a combination thereof.

A networked computing environment may include, but is not limited to, computing
grid systems, distributed computing environments, cloud computing environment,
etc. Such networked computing environments include hardware and software
infrastructures configured to form a virtual organization comprised of multiple
resources which may be in geographically disperse locations.

While HTTP communication protocols may be described herein, the coverage of the
present application and any patents issuing there from may extend to other
local-area network, wide-area network, or other network operating using other
communications protocols.

Services and applications are described in this application using those alternative
terms. Services can be Java services or other instances of operating code. A
service/application is a program running on a machine or a cluster of machines in a
networked computing environment. Services may be transportable and may be run
on multiple machines and/or migrated from one machine to another.

Various terms used herein have special meanings within the present technical field.
Whether a particular term should be construed as such a "term of art" depends on
the context in which that term is used. "Connected to", "in communication with", or
other similar terms should generally be construed broadly to include situations both
where communications and connections are direct between referenced elements or
through one or more intermediaries between the referenced elements, including
through the Internet or some other communicating network. "Network", "system",
"environment", and other similar terms generally refer to networked computing
systems that embody one or more aspects of the present disclosure. These and
other terms are to be construed in light of the context in which they are used in the
present disclosure and as one of ordinary skill
in the art would understand those terms in the disclosed context. The above
definitions are not exclusive of other meanings that might be imparted to those
terms based on the disclosed context.

Words of comparison, measurement, and timing such as "at the time", "equivalent",
"during", "complete", and the like should be understood to mean "substantially at
the time", "substantially equivalent", "substantially during", "substantially
complete", etc., where "substantially" means that such comparisons,
measurements, and timings are practicable to accomplish the implicitly or expressly
stated desired result.

Additionally, the section headings herein are provided for consistency with the
suggestions under 37 C.F.R. 1.77 or otherwise to provide organizational cues. These
headings shall not limit or characterize the invention(s) set out in any claims that
may issue from this disclosure. Specifically and by way of example, although the
headings refer to a "Technical Field", such claims should not be limited by the
language chosen under this heading to describe the so-called technical field.
Further, a description of a technology in the "Background" is not to be construed as
an admission that technology is prior art to any invention(s) in this disclosure.
Neither is the "Summary" to be considered as a characterization of the invention(s)
set forth in issued claims. Furthermore, any reference in this disclosure to
"invention" in the singular should not be used to argue that there is only a single
point of novelty in this disclosure. Multiple inventions may be set forth according to
the limitations of the multiple claims issuing from this disclosure, and such claims
accordingly define the invention(s), and their equivalents, that are protected
thereby. In all instances, the scope of such claims shall be considered on their own
merits in light of this disclosure, but should not be constrained by the headings
herein.
