Automated security enclave generation

US 10,135,859 B2
Filed: 05/03/2016
Issued: 11/20/2018
Est. Priority Date: 05/03/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining one or more risk parameters that define risk profiles of one or more applications and one or more services operating in a network;

determining an optimal number of clusters for grouping the one or more applications and the one or more services based on the risk profiles;

grouping the one or more applications and the one or more services into the optimal number of clusters based on the risk profiles; and

applying one or more security enclaves to each of the clusters.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Creating security enclaves includes determining one or more parameters of one or more applications and one or more services operating in the network. An optimal number of clusters for grouping the one or more applications and the one or more services is determined based on the one or more parameters. Then, the one or more applications and the one or more services are grouped into the clusters and one or more security enclaves are applied to each of the clusters so as to maximize operational security of the network.

17 Citations

View as Search Results

20 Claims

1. A method comprising:
- determining one or more risk parameters that define risk profiles of one or more applications and one or more services operating in a network;
  
  determining an optimal number of clusters for grouping the one or more applications and the one or more services based on the risk profiles;
  
  grouping the one or more applications and the one or more services into the optimal number of clusters based on the risk profiles; and
  
  applying one or more security enclaves to each of the clusters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the clusters are self-organizing clusters configured to group the one or more applications and one or more services.
  - 3. The method of claim 1, wherein the one or more applications and the one or more services are grouped into the clusters by a self-organizing map.
  - 4. The method of claim 3, wherein determining further comprises:
    - creating a vector representative of each of the one or more applications and each of the one or more services based on the risk profiles; and
      
      generating the self organizing map based on one or more similarities in the vectors.
  - 5. The method of claim 1, further comprising:
    - assigning weights to each of the one or more risk parameters based on an impact on operational security of the network.
  - 6. The method of claim 1, wherein the optimal number of clusters is determined based on deviations in intra-cluster variation.
  - 7. The method of claim 1, wherein applying the one or more security enclaves further comprises:
    - segmenting the network or inserting at least a portion of the cluster into a preexisting segment of the network.
  - 8. The method of claim 1, wherein the one or more risk parameters are determined based on data collected from at least one of security devices, applications, network devices, and Internet of Things sensors.

9. A system comprising:
- a network in which one or more applications and one or more services are operating;
  
  a server having connectivity to the network, the server configured to;
  
  determine one or more risk parameters that define risk profiles of the one or more applications and the one or more services operating in the network;
  
  determine an optimal number of clusters for grouping the one or more applications and the one or more services based on the risk profiles;
  
  group the one or more applications and the one or more services into the optimal number of clusters based on the risk profiles; and
  
  apply one or more security enclaves to each of the clusters.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, wherein the one or more applications and one or more services are grouped into the clusters by a self-organizing map.
  - 11. The system of claim 10, wherein, in determining the optimal number of clusters, the server is further configured to:
    - create a vector representative of each of the one or more applications and each of the one or more services based on the risk profiles; and
      
      generate the self organizing map based on one or more similarities in the vectors.
  - 12. The system of claim 9, wherein the server is further configured to:
    - assign weights to each of the one or more risk parameters based on an impact on operational security.
  - 13. The system of claim 9, wherein the optimal number of clusters is determined based on deviations in intra-cluster variation.
  - 14. The system of claim 9, wherein in applying the one or more security enclaves, the server is further configured to:
    - segment the network or insert at least a portion of the cluster into a preexisting segment of the network.

15. A non-transitory computer-readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- determine one or more risk parameters that define risk profiles of one or more applications and one or more services operating in a network;
  
  determine an optimal number of clusters for grouping the one or more applications and the one or more services based on the risk profiles;
  
  group the one or more applications and the one or more services into the optimal number of clusters based on the risk profiles; and
  
  apply one or more security enclaves to each of the clusters.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage media of claim 15, wherein the one or more applications and the one or more services are grouped into the clusters by a self-organizing map.
  - 17. The non-transitory computer-readable storage media of claim 16, wherein the instructions operable to determine the optimal number of clusters are further operable to:
    - create a vector representative of each of the one or more applications and each of the one or more services based on the risk profiles; and
      
      generate the self organizing map based on one or more similarities in the vectors.
  - 18. The non-transitory computer-readable storage media of claim 15, wherein the instructions are further operable to:
    - assign weights to each of the one or more risk parameters based on an impact on operational security.
  - 19. The non-transitory computer-readable storage media of claim 15, wherein the optimal number of clusters is determined based on deviations in intra-cluster variation.
  - 20. The non-transitory computer-readable storage media of claim 15, wherein the instructions operable to apply the one or more security enclaves are further operable to:
    - segment the network or insert at least a portion of the cluster into a preexisting segment of the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
McLaughlin, Mark-David, Reddy, Rajidi P., Santos, Omar
Primary Examiner(s)
Avery, Jeremiah L

Application Number

US15/145,408
Publication Number

US 20170324765A1
Time in Patent Office

931 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/1441 Countermeasures against mal...

H04L 63/20 for managing network securi...

Automated security enclave generation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automated security enclave generation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links