Applying security policy to an application session

US 10,305,859 B2
Filed: 05/22/2017
Issued: 05/28/2019
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. A system for applying a security policy to an application session, the system comprising:

a security gateway configured to;

inspect a data packet for the application session to determine a first user identity provided by a user when accessing the application session and store the first user identity in an application session record, the application session being accessed by the user during an access session, wherein the inspecting the data packet includes;

determining a first host identity and an application session time associated with the application session; and

storing the first host identity and the application session time in the application session record;

match the application session record against an access session record associated with the access session to determine a second user identity provided by the user when accessing the access session, wherein the matching the application session record against the access session record includes;

matching the first host identity stored in the application session record against a second host identity stored in the access session record, wherein the second host identity is associated with the second user identity, the second user identity being stored in the access session record; and

matching the application session time stored in the application session record against an access session time stored in the access session record;

obtain the security policy comprising network parameters mapped to the second user identity; and

apply the security policy to the application session; and

a database configured to store at least the security policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Applying a security policy to an application session, includes recognizing the application session between a network and an application via a security gateway, determining by the security gateway a user identity of the application session using information about the application session, obtaining by the security gateway the security policy comprising network parameters mapped to the user identity, and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.

258 Citations

15 Claims

1. A system for applying a security policy to an application session, the system comprising:
- a security gateway configured to;
  
  inspect a data packet for the application session to determine a first user identity provided by a user when accessing the application session and store the first user identity in an application session record, the application session being accessed by the user during an access session, wherein the inspecting the data packet includes;
  
  determining a first host identity and an application session time associated with the application session; and
  
  storing the first host identity and the application session time in the application session record;
  
  match the application session record against an access session record associated with the access session to determine a second user identity provided by the user when accessing the access session, wherein the matching the application session record against the access session record includes;
  
  matching the first host identity stored in the application session record against a second host identity stored in the access session record, wherein the second host identity is associated with the second user identity, the second user identity being stored in the access session record; and
  
  matching the application session time stored in the application session record against an access session time stored in the access session record;
  
  obtain the security policy comprising network parameters mapped to the second user identity; and
  
  apply the security policy to the application session; and
  
  a database configured to store at least the security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the first user identity is used to access an application associated with the application session and the second user identity is used to establish the access session.
  - 3. The system of claim 1, further comprising an identity server, wherein the security gateway is further configured to:
    - store the access session record of the access session to the identity server, andsend the first host identity and the application session time to the identity server when matching the application session record against the access session record.
  - 4. The system of claim 1, wherein the security gateway is configured to match the application session record against the access session record by determining that the application session time is a time period between a starting time of the access session and an ending time of the access session, the starting time and the ending time being stored in the access session record.
  - 5. The system of claim 1, wherein the security gateway is configured to determine the first user identity by matching the data packet against an application identifier to recognize the application session.
  - 6. The system of claim 5, wherein the application identifier includes one or more of the following:
    - transport layer information, at least one transport port number, and application layer information.
  - 7. The system of claim 1, wherein the security policy comprises one or more of a network traffic policy mapped to the second user identity and a document access policy mapped to the second user identity, wherein the security gateway applies the security policy by applying one or more of the network traffic policy and the document access policy to the application session.
  - 8. The system of claim 7, wherein the network traffic policy comprises one or more of the following:
    - a packet modification control for the application session;
      
      a traffic shaping control;
      
      an application session access control indicative of whether the second user identity is denied or allowed to continue the application session;
      
      a bandwidth control;
      
      a connection rate control;
      
      a server load balancer preference; and
      
      a quality of service.
  - 9. The system of claim 8, wherein the quality of service includes applying a change of a Differentiated Services Code Point (DSCP) marking in data packets of the application session.
  - 10. The system of claim 7, wherein the document access policy comprises a document identity and a document user identity, wherein the security gateway is configured to apply the document access policy by:
    - comparing the second user identity with the document user identity; and
      
      in response to determining that the second user identity matches the document user identity, allowing access to a document with the document identified by the second user identity.
  - 11. The system of claim 1, wherein the security gateway is further configured to generate a security report concerning applying of the security policy to the application session.

12. A method for applying a security policy to an application session, the method comprising:
- inspecting, by a security gateway, a data packet for the application session to determine a first user identity provided by a user when accessing the application session and store the first user identity in an application session record, the application session being accessed by the user during an access session, wherein the inspecting the data packet includes;
  
  determining a first host identity and an application session time associated with the application session; and
  
  storing the first host identity and the application session time in the application session record;
  
  matching, by the security gateway, the application session record against an access session record associated with the access session to determine a second user identity provided by the user when accessing the access session, wherein the matching the application session record against the access session record includes;
  
  matching the first host identity stored in the application session record against a second host identity stored in the access session record, wherein the second host identity is associated with the second user identity, the second user identity being stored in the access session record; and
  
  matching the application session time stored in the application session record against an access session time stored in the access session record;
  
  obtaining, by the security gateway, the security policy comprising network parameters mapped to the second user identity; and
  
  applying, by the security gateway, the security policy to the application session.
- View Dependent Claims (13, 14)
- - 13. The method of claim 12, wherein the matching the application session record against the access session record includes determining that the application session time is a time period between a starting time of the access session and an ending time of the access session, the starting time and the ending time being stored in the access session record.
  - 14. The method of claim 12, further comprising querying, by the security gateway, a further server by sending the second user identity to the further server to obtain additional user information.

15. A non-transitory computer readable storage medium having embodied thereon a computer readable program code being executable by at least one processor to perform a method for applying a security policy to an application session, the method comprising:
- inspecting, by a security gateway, a data packet for the application session to determine a first user identity provided by a user when accessing the application session and store the first user identity in an application session record, the application session being accessed by the user during an access session, wherein the inspecting the data packet includes;
  
  determining a first host identity and an application session time associated with the application session; and
  
  storing the first host identity and the application session time in the application session record;
  
  matching, by the security gateway, the application session record against an access session record associated with the access session to determine a second user identity provided by the user when accessing the access session, wherein the matching the application session record against the access session record includes;
  
  matching the first host identity stored in the application session record against a second host identity stored in the access session record, wherein the second host identity is associated with the second user identity, the second user identity being stored in the access session record; and
  
  matching the application session time stored in the application session record against an access session time stored in the access session record;
  
  obtaining, by the security gateway, the security policy comprising network parameters mapped to the second user identity; and
  
  applying, by the security gateway, the security policy to the application session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Chen, Lee, Oshiba, Dennis, Chiong, John
Primary Examiner(s)
Colin, Carl G
Assistant Examiner(s)
Lavelle, Gary E

Application Number

US15/601,954
Publication Number

US 20170289106A1
Time in Patent Office

736 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/44   Program or device authentic...

H04L 12/66   Arrangements for connecting...

H04L 51/04   Real-time or near real-time...

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0263   Rule management

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0407   wherein the identity of one...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/164   at the network layer

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 63/30   for supporting lawful inter...

H04L 65/1026 : at the edge

H04L 67/01 : Protocols

H04L 67/10 : in which an application is ...

H04L 67/1004 : Server selection for load b...

H04L 67/104 : Peer-to-peer [P2P] networks

H04L 67/141 : Setup of application sessio...

H04L 67/306 : User profiles

H04L 67/535 : Tracking the activity of th...

H04L 69/28 : Timers or timing mechanisms...

H04L 69/329 : in the application layer [O...

H04M 1/7243 : with interactive means for ...

H04W 12/084 : using delegated authorisati...

H04W 12/37 : Managing security policies ...

H04W 12/61 : Time-dependent

View All

Applying security policy to an application session

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

258 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Applying security policy to an application session

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

258 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links