System and method for threat-driven security policy controls

US 10,009,381 B2
Filed: 01/27/2016
Issued: 06/26/2018
Est. Priority Date: 03/30/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a source machine;

a destination machine;

a policy compiler; and

an enforcement point communicatively coupled via a network to the source machine, the destination machine, and the policy compiler, the enforcement point including a processor and a memory communicatively coupled to the processor, the memory storing instructions executable by the processor to perform a method comprising;

acquiring a firewall security policy from the policy compiler;

receiving network traffic originating from the source machine and directed to the destination machine;

analyzing the network traffic using the firewall security policy;

forwarding or dropping the network traffic according to the firewall security policy;

redirecting one or more network packets of the network traffic according to the firewall security policy;

accumulating the network traffic and metadata associated with the network traffic; and

initiating an update to the firewall security policy by the policy compiler using at least one of the network traffic and the metadata, the initiating comprising;

receiving information associated with the source machine and the destination machine from an external system of record;

weighting one or more of a redirected network packet, further network traffic, the metadata, and the received information;

statistically analyzing the weighted one or more of the redirected network packet, the further network traffic, the metadata, and the received information to calculate an updated risk score; and

providing the updated risk score to the policy compiler, such that the policy compiler produces an updated firewall security policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and media for a security system are provided herein. Exemplary methods may include: acquiring a firewall security policy from a policy compiler; receiving network traffic originating from a source machine and directed to a destination machine; analyzing the network traffic using the firewall security policy; forwarding or dropping each of the network traffic according to the security policy; and redirecting one or more network packets of the network traffic according to the security policy.

Citations

17 Claims

1. A system comprising:
- a source machine;
  
  a destination machine;
  
  a policy compiler; and
  
  an enforcement point communicatively coupled via a network to the source machine, the destination machine, and the policy compiler, the enforcement point including a processor and a memory communicatively coupled to the processor, the memory storing instructions executable by the processor to perform a method comprising;
  
  acquiring a firewall security policy from the policy compiler;
  
  receiving network traffic originating from the source machine and directed to the destination machine;
  
  analyzing the network traffic using the firewall security policy;
  
  forwarding or dropping the network traffic according to the firewall security policy;
  
  redirecting one or more network packets of the network traffic according to the firewall security policy;
  
  accumulating the network traffic and metadata associated with the network traffic; and
  
  initiating an update to the firewall security policy by the policy compiler using at least one of the network traffic and the metadata, the initiating comprising;
  
  receiving information associated with the source machine and the destination machine from an external system of record;
  
  weighting one or more of a redirected network packet, further network traffic, the metadata, and the received information;
  
  statistically analyzing the weighted one or more of the redirected network packet, the further network traffic, the metadata, and the received information to calculate an updated risk score; and
  
  providing the updated risk score to the policy compiler, such that the policy compiler produces an updated firewall security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1 wherein the method further comprises:
    - applying the updated firewall security policy to another network packet.
  - 3. The system of claim 1 wherein the policy compiler produces the updated firewall security policy using at least a conditional declarative policy, the metadata, and the updated risk score.
  - 4. The system of claim 1 further comprising:
    - a surveillance node communicatively coupled to the source machine via the network, wherein the redirecting is to the surveillance node.
  - 5. The system of claim 4 wherein the source machine communicates with the surveillance node as if the surveillance node were the destination machine.
  - 6. The system of claim 5 wherein the surveillance node is a honeypot.
  - 7. The system of claim 1 wherein the forwarding or dropping the network traffic according to the firewall security policy uses at least one of an address associated with the source machine, a port associated with the source machine, an address associated with the destination machine, a port associated with the destination machine, and a protocol associated with the network packet.
  - 8. The system of claim 1 wherein the source machine is at least one of a first physical host and a first virtual machine and wherein the destination machine is at least one of a second physical host and a second virtual machine.

9. A method for operating an enforcement point comprising:
- acquiring a firewall security policy from a policy compiler;
  
  receiving network traffic originating from a source machine and directed to a destination machine;
  
  analyzing the network traffic using the firewall security policy;
  
  forwarding or dropping each of the network traffic according to the firewall security policy;
  
  redirecting one or more network packets of the network traffic according to the firewall security policy;
  
  accumulating the network traffic and metadata associated with the network traffic; and
  
  initiating an update to the firewall security policy by the policy compiler using at least one of the network traffic and the metadata, the initiating comprising;
  
  receiving information associated with the source machine and the destination machine from an external system of record;
  
  weighting one or more of a redirected network packet, further network traffic, the metadata, and the received information;
  
  statistically analyzing the weighted one or more of the redirected network packet, the further network traffic, the metadata, and the received information to calculate an updated risk score; and
  
  providing the updated risk score to the policy compiler, such that the policy compiler produces an updated firewall security policy.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9 further comprising:
    - applying the updated firewall security policy to another network packet.
  - 11. The method of claim 9 wherein the policy compiler produces the updated firewall security policy using at least a conditional declarative policy, the metadata, and the updated risk score.
  - 12. The method of claim 9 wherein the redirecting is to a surveillance node, the surveillance node being communicatively coupled to the source machine via a network.
  - 13. The method of claim 12 wherein the source machine communicates with the surveillance node as if the surveillance node were the destination machine.
  - 14. The method of claim 13 wherein the surveillance node is a honeypot.
  - 15. The method of claim 9 wherein the forwarding or dropping each of the network traffic according to the firewall security policy uses at least one of an address associated with the source machine, a port associated with the source machine, an address associated with the destination machine, a port associated with the destination machine, and a protocol associated with the network packet.
  - 16. The method of claim 9 wherein the source machine is at least one of a first physical host and a first virtual machine and wherein the destination machine is at least one of a second physical host and a second virtual machine.

17. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method, the method comprising:
- acquiring a firewall security policy from a policy compiler;
  
  receiving network traffic originating from a source machine and directed to a destination machine;
  
  analyzing the network traffic using the firewall security policy;
  
  forwarding or dropping the network traffic according to the firewall security policy;
  
  accumulating the network traffic and metadata associated with the network traffic; and
  
  initiating an update to the firewall security policy by the policy compiler using at least one of the network traffic and the metadata, the initiating comprising;
  
  receiving information associated with the source machine and the destination machine from an external system of record;
  
  weighting one or more of a redirected network packet, further network traffic, the metadata, and the received information;
  
  statistically analyzing the weighted one or more of the redirected network packet, the further network traffic, the metadata, and the received information to calculate an updated risk score; and
  
  providing the updated risk score to the policy compiler, such that the policy compiler produces an updated firewall security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
vArmour Networks Inc
Original Assignee
vArmour Networks Inc
Inventors
Lian, Jia-Jyi, Paterra, Anthony, Woolward, Marc
Primary Examiner(s)
Hoffman, Brandon S

Application Number

US15/008,298
Publication Number

US 20160294875A1
Time in Patent Office

881 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45591   Monitoring or debugging sup...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/20   for managing network securi...

System and method for threat-driven security policy controls

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for threat-driven security policy controls

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links