Systems and methods for supporting information security and sub-system operational protocol conformance

US 10,547,616 B2
Filed: 08/21/2017
Issued: 01/28/2020
Est. Priority Date: 04/01/2003
Status: Expired due to Term

First Claim

Patent Images

1. A system comprising:

one or more data processors; and

a non-transitory, computer-readable storage medium containing instructions which, when executed on the one or more data processors, cause the one or more data processors to perform actions including;

detecting a request from an agent device;

responsive to the request, identifying an access-right indicator configured to enable determination of which type of access for electronic resources are to be granted;

generating or retrieving one or more identifiers for the agent device, the one or more identifiers uniquely corresponding to the agent device amongst a set of agent devices and being configured to inhibit identity discovery;

generating a credential for the agent device that represents the access-right indicator and the one or more identifiers;

storing, in a data store, the credential in association with a token;

transmitting an instance of the token to the agent device;

receiving a request communication from the agent device, the request communication comprising the instance of the token;

querying the data store with the instance of the token;

in response to the query, receiving the credential from the data store; and

transmitting, to the agent device or a second device, the credential in response to the request communication.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described that support information security and sub-system operational conformance with protocols. In some embodiments, agent access to resources can be controlled via generation of credentials and/or tokens and/or conditioned external authentication. In some embodiments, workflows used to assess protocol conformance can be conditionally triggered at sub-systems.

136 Citations

20 Claims

1. A system comprising:
- one or more data processors; and
  
  a non-transitory, computer-readable storage medium containing instructions which, when executed on the one or more data processors, cause the one or more data processors to perform actions including;
  
  detecting a request from an agent device;
  
  responsive to the request, identifying an access-right indicator configured to enable determination of which type of access for electronic resources are to be granted;
  
  generating or retrieving one or more identifiers for the agent device, the one or more identifiers uniquely corresponding to the agent device amongst a set of agent devices and being configured to inhibit identity discovery;
  
  generating a credential for the agent device that represents the access-right indicator and the one or more identifiers;
  
  storing, in a data store, the credential in association with a token;
  
  transmitting an instance of the token to the agent device;
  
  receiving a request communication from the agent device, the request communication comprising the instance of the token;
  
  querying the data store with the instance of the token;
  
  in response to the query, receiving the credential from the data store; and
  
  transmitting, to the agent device or a second device, the credential in response to the request communication.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system as recited in claim 1, wherein the actions further signing the credential, wherein the stored credential includes the signed credential.
  - 3. The system as recited in claim 1, wherein the credential includes a statement that is includes data representing a type of access right to be authorized for the agent device, the type of access right determined based on the access-right indicator.
  - 4. The system as recited in claim 1, wherein the credential includes a dynamic component that is configured to be used to determine, at a time at which the credential is processed, a type of access right to be authorized for the agent device, the dynamic component determined based on the access-right indicator.
  - 5. The system as recited in claim 1, wherein the actions further detecting initiation of an access event initiated by the agent device;
    - determining, based on at least part of the credential, whether the accessevent is authorized for the agent device; and
      
      selectively enabling performance of the access event when it is determined, based on at least part of the credential, that the access event is authorized for the agent device.
  - 6. The system as recited in claim 1, wherein the actions further receiving a first communication, generated at the agent device, that corresponds for a request for data access or to initiate a resource action;
    - determining that an access condition is satisfied based on by determining the data access or resource action is associated with a predefined authentication requirement and that an authorization indication associated with the predefined authentication requirement has not yet been received;
      
      in response to the determination, transmitting a second communication that corresponds for a request to indicate whether the data access or resource action is authorized for the agent device;
      
      receiving a third communication in response to the second communication that indicates whether the data access or resource action is authorized for the agent device; and
      
      availing the data access or resource action when the third communication indicates that the data access or resource action is authorized for the agent device.
  - 7. The system as recited in claim 1, wherein the actions further identifying a protocol that includes one or more parameter constraints pertaining to operation of a system;
    - identifying a plurality of sub-systems within the system, each sub-system of the plurality of sub-systems being configured to perform different types of operations via access to and usage of different resources;
      
      for each sub-system of the plurality of sub-systems;
      
      generating an implementation of the protocol, the implementation of the protocol defining a workflow that is to occur in response to a detection at the sub-system of a defined event, the defined event corresponding to a device interaction or data change, wherein the implementation of the protocol transforms the protocol into an executable process that applies to each sub-system of the plurality of sub-systems;
      
      monitoring data changes at the sub-system for the defined event;
      
      in response to detecting the defined event;
      
      storing, in a data log, one or more data elements associated with the defined event;
      
      event; and
      
      determine whether an alert condition is satisfied for the defined in response to determining that the alert condition is satisfied,transmitting an alert representing an occurrence of the defined event.

8. A computer-program product tangibly embodied in a non-transitory, machine-readable storage medium, including instructions configured to cause one or more data processors to perform actions including:
- detecting a request from an agent device;
  
  responsive to the request, identifying an access-right indicator configured to enable determination of which type of access for electronic resources are to be granted;
  
  generating or retrieving one or more identifiers for the agent device, the one or more identifiers uniquely corresponding to the agent device amongst a set of agent devices and being configured to inhibit identity discovery;
  
  generating a credential for the agent device that represents the access-right indicator and the one or more identifiers;
  
  storing, in a data store, the credential in association with a token;
  
  transmitting an instance of the token to the agent device;
  
  receiving a request communication from the agent device, the request communication comprising the instance of the token;
  
  querying the data store with the instance of the token;
  
  in response to the query, receiving the credential from the data store; and
  
  transmitting, to the agent device or a second device, the credential in response to the request communication.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-program product as recited in claim 8, wherein the actions further include:
    - signing the credential, wherein the stored credential includes the signed credential.
  - 10. The computer-program product as recited in claim 8, wherein the credential includes a statement that is includes data representing a type of access right to be authorized for the agent device, the type of access right determined based on the access-right indicator.
  - 11. The computer-program product as recited in claim 8, wherein the credential includes a dynamic component that is configured to be used to determine, at a time at which the credential is processed, a type of access right to be authorized for the agent device, the dynamic component determined based on the access-right indicator.
  - 12. The computer-program product as recited in claim 8, wherein the actions further include:
    - detecting initiation of an access event initiated by the agent device;
      
      determining, based on at least part of the credential, whether the access event is authorized for the agent device; and
      
      selectively enabling performance of the access event when it is determined, based on at least part of the credential, that the access event is authorized for the agent device.
  - 13. The computer-program product as recited in claim 8, wherein the actions further include:
    - receiving a first communication, generated at the agent device, that corresponds for a request for data access or to initiate a resource action;
      
      determining that an access condition is satisfied based on by determining the data access or resource action is associated with a predefined authentication requirement and that an authorization indication associated with the predefined authentication requirement has not yet been received;
      
      in response to the determination, transmitting a second communication that corresponds for a request to indicate whether the data access or resource action is authorized for the agent device;
      
      receiving a third communication in response to the second communication that indicates whether the data access or resource action is authorized for the agent device; and
      
      availing the data access or resource action when the third communication indicates that the data access or resource action is authorized for the agent device.
  - 14. The computer-program product as recited in claim 8, wherein the actions further include:
    - identifying a protocol that includes one or more parameter constraints pertaining to operation of a system;
      
      identifying a plurality of sub-systems within the system, each sub-system of the plurality of sub-systems being configured to perform different types of operations via access to and usage of different resources;
      
      for each sub-system of the plurality of sub-systems;
      
      generating an implementation of the protocol, the implementation of the protocol defining a workflow that is to occur in response to a detection at the sub-system of a defined event, the defined event corresponding to a device interaction or data change, wherein the implementation of the protocol transforms the protocol into an executable process that applies to each sub-system of the plurality of sub-systems;
      
      monitoring data changes at the sub-system for the defined event;
      
      in response to detecting the defined event;
      
      storing, in a data log, one or more data elements associated with the defined event;
      
      event; and
      
      determine whether an alert condition is satisfied for the defined in response to determining that the alert condition is satisfied, transmitting an alert representing an occurrence of the defined event.

15. A computer-implemented method for facilitating information security and sub-system operational conformance of protocols, the method comprising:
- detecting a request from an agent device;
  
  responsive to the request, identifying an access-right indicator configured to enable determination of which type of access for electronic resources are to be granted;
  
  generating or retrieving one or more identifiers for the agent device, the one or more identifiers uniquely corresponding to the agent device amongst a set of agent devices and being configured to inhibit identity discovery;
  
  generating a credential for the agent device that represents the access-right indicator and the one or more identifiers;
  
  storing, in a data store, the credential in association with a token;
  
  transmitting an instance of the token to the agent device;
  
  receiving a request communication from the agent device, the request communication comprising the instance of the token;
  
  querying the data store with the instance of the token;
  
  in response to the query, receiving the credential from the data store; and
  
  transmitting, to the agent device or a second device, the credential in response to the request communication.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method as recited in claim 15, further comprising:
    - signing the credential, wherein the stored credential includes the signed credential.
  - 17. The method as recited in claim 15, wherein the credential includes a statement that is includes data representing a type of access right to be authorized for the agent device, the type of access right determined based on the access-right indicator.
  - 18. The method as recited in claim 15, wherein the credential includes a dynamic component that is configured to be used to determine, at a time at which the credential is processed, a type of access right to be authorized for the agent device, the dynamic component determined based on the access-right indicator.
  - 19. The method as recited in claim 15, further comprising:
    - detecting initiation of an access event initiated by the agent device;
      
      determining, based on at least part of the credential, whether the access event is authorized for the agent device; and
      
      selectively enabling performance of the access event when it is determined, based on at least part of the credential, that the access event is authorized for the agent device.
  - 20. The method as recited in claim 15, further comprising:
    - receiving a first communication, generated at the agent device, that corresponds for a request for data access or to initiate a resource action;
      
      determining that an access condition is satisfied based on by determining the data access or resource action is associated with a predefined authentication requirement and that an authorization indication associated with the predefined authentication requirement has not yet been receivein response to the determination, transmitting a second communication that corresponds for a request to indicate whether the data access or resource action is authorized for the agent device;
      
      receiving a third communication in response to the second communication that indicates whether the data access or resource action is authorized for the agent device; and
      
      availing the data access or resource action when the third communication indicates that the data access or resource action is authorized for the agent device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Carter, Stephen R., Lowry, Lee Edward, Turner, Paul Alexandre, Ward, Robert Mark, Burch, Lloyd Leon, Olds, Dale Robert, Buss, Duane Fredrick
Primary Examiner(s)
Powers, William S

Application Number

US15/682,120
Publication Number

US 20170374096A1
Time in Patent Office

890 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Systems and methods for supporting information security and sub-system operational protocol conformance

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

136 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for supporting information security and sub-system operational protocol conformance

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

136 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links