
Perceptual Analysis: A Look at Bishop Fox’s New Technology Patent


We’ve achieved a significant milestone in transforming the offensive security space with the recent grant of a patent for our innovative technique known as perceptual analysis (US Patent No. 11,218,496), invented by Principal Researchers Rob Ragan and Oscar Salazar. Officially, the U.S. Patent and Trademark Office refers to this technique as the application of computer visual classification to security events, but in the spirit of brevity we’ll refer to it as “perceptual analysis.”

Astute observers may recognize this terminology; its inventors featured the technique in their AppSec California presentation in January 2019 titled, “Pose a Threat: How Perceptual Analysis Helps Bug Hunters.” While Rob and Oscar were excited to share this technique during their presentation, the “secret sauce” of the invention was withheld given our intent to formally apply for a patent and incorporate the technology into our award-winning Cosmos platform.

So, What is Perceptual Analysis?

Security teams have long leveraged open-source tools such as Amass and DirBuster to find security vulnerabilities. While those tools help improve accuracy by mapping attack surfaces and performing asset discovery, they do not scale as effectively as many organizations need. That impact is compounded by differences in how individual testers assess targets, which can easily create gaps in coverage. Imagine a large spreadsheet where multiple testers are updating attack targets: it is easy to see how confusion and mishaps occur.

Traditional scanners also have limits to their effectiveness, primarily because they require in-depth knowledge of each issue to write a signature and they don’t perform well in finding unknown issues. Changes in the target environment also add to the complexity, as modern security postures are not static. Dynamic load balancers and virtual hosting mean penetration testers cannot rely on IP addresses alone to assemble their target lists.

But what if there was a better way that not only solved all the problems described above, but also only required a target and a path to find potential (and unknown) exposures? The answer lies in screenshots. No, seriously.

Perceptual analysis makes it easy for humans to analyze screenshots through fuzzing and brute-force attacks. It visually reveals anomalies and outliers that could indicate a vulnerability. This technique creates a new method that can speed testing, find previously unknown critical exposures without exact signatures, improve accuracy, and create a continuously refreshed target list and asset inventory. When applied at scale, it can reduce millions of results to thousands of vulnerable candidates – and do it quickly. It is the rare technology that improves testing accuracy and coverage while also reducing false positives. Future enhancements include more automation, optical character recognition that can filter based on text in the screenshot, and machine learning to sort initial results into more granular categorizations.


“As cybersecurity challenges increase in complexity and intensity, we are seeing commensurate demand for the innovative solutions we are bringing to market through our Cosmos platform and continuous offensive security offerings. By assembling the best technical minds in the industry and drawing upon insights gleaned from thousands of customer environments, Bishop Fox is driving innovation and fueling the expansion of our offerings to stay ahead of attackers, which is incredibly rewarding.”

- Vinnie Liu, Co-founder & CEO, Bishop Fox


The Future of Offensive Security

Despite 700K professionals entering the cybersecurity field in the last year, there is still a shortage of talent, giving attackers a strategic advantage. Bishop Fox is committed to developing innovative technologies, like perceptual analysis, to provide continuous, scalable ways to improve the security of dynamic attack surfaces and to help overburdened security teams reclaim the upper hand.

We believe every company should be able to proactively protect its most vital assets – no matter its size, industry, or budget. We are committed to evolving our technology portfolio and hope these innovations help improve the security of the products, applications, and networks people use every day.


To get the technical details of our patent and learn more about perceptual analysis, please visit:




About the author, Joe Sechman

Bishop Fox Alumnus

Joe is a Bishop Fox alumnus and brought over 20 years of experience to his role as Associate Vice President of R&D. He was responsible for nurturing a culture of innovation across Bishop Fox. Over his career, Joe has amassed many security certifications, delivered several presentations, and co-authored multiple industry publications with groups such as ISC2, ISACA, ASIS, HP, and IEEE.

Additionally, Joe is a prolific inventor with nine granted patents in the fields of dynamic and runtime application security testing, attack surface enumeration, and coverage (U.S. Patents 10,699,017, 10,515,219, 10,516,692, 10,515,220, 10,423,793, 9,846,781, 10,650,148, 10,587,641, and 11,057,395). Prior to joining Bishop Fox, Joe held leadership positions with companies such as Cobalt Labs, HP Fortify, Royal Philips, and Sunera LLC (now Focal Point Data Risk). Earlier in his career, Joe served as the lead penetration tester within SPI Labs at SPI Dynamics where he cut his teeth alongside some of the best and brightest application security industry professionals. Joe received his Bachelor of Business Administration degree in Management Information Systems from the Terry College of Business - University of Georgia.