Automated configuration of security software suites

US 20030046583A1
Filed: 08/30/2001
Published: 03/06/2003
Est. Priority Date: 08/30/2001
Status: Abandoned Application

First Claim

Patent Images

1. A network reference model for use in configuring security software on a computer network, the network reference model comprising:

a database engine providing deduction;

a network information database associated with the database engine and providing a central repository for a configuration of hardware and software installed on the network; and

a security goal database associated with the database engine and describing uses that the hardware and software installed on the network may support.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network reference models and configuration tools utilizing a database engine providing deduction facilitate automatic or semi-automatic configuration of security software packages based on security policies. One or more associated databases provide a central repository of information about the network and its security goals. The associated databases may further provide a central repository of information about network events, such as possible attacks and benign events that could be confused with attacks. Taken together, the database engine and associated databases facilitate automated generation of detailed security goals. The security goals can then be used by various configuration modules to configure security software packages installed within the network.

122 Citations

View as Search Results

20 Claims

1. A network reference model for use in configuring security software on a computer network, the network reference model comprising:
- a database engine providing deduction;
  
  a network information database associated with the database engine and providing a central repository for a configuration of hardware and software installed on the network; and
  
  a security goal database associated with the database engine and describing uses that the hardware and software installed on the network may support.
- View Dependent Claims (2, 3)
- - 2. The network reference model of claim 1, further comprising:
    - an event database associated with the database engine and containing events related to the network, wherein such events include possible attacks against the network and benign events that could be confused with the possible attacks.
  - 3. The network reference model of claim 1, wherein the database engine is an object-oriented description logic database engine.

4. A configuration tool for use in configuring security software packages on a computer network, the configuration tool comprising:
- a description logic database engine;
  
  a network information database associated with the description logic database engine and providing a central repository for a configuration of hardware and software installed on the network;
  
  a security goal database associated with the description logic database engine and providing security goals describing uses that the hardware and software of the network may support;
  
  a first configuration module coupled to the description logic database engine for configuring intrusion blocking security software packages; and
  
  a second configuration module coupled to the description logic database engine for configuring intrusion detecting security software packages;
  
  wherein the first configuration module configures the intrusion blocking security software packages based on the configuration of the hardware and software installed on the network and the security goals; and
  
  wherein the second configuration module configures the intrusion detecting security software packages based on the configuration of the hardware and software installed on the network and the security goals.
- View Dependent Claims (5, 6, 7, 8, 9)
- - 5. The configuration tool of claim 4, further comprising:
    - an event database associated with the description logic database engine and containing events related to the network.
  - 6. The configuration tool of claim 5, wherein the events contained in the event database include possible attacks against the network and benign events that could be confused with the possible attacks.
  - 7. The configuration tool of claim 4, further comprising:
    - a system hardening module coupled to the description logic database engine for automating a process of hardening the network.
  - 8. The configuration tool of claim 7, wherein the system hardening module is context sensitive.
  - 9. The configuration tool of claim 4, further comprising:
    - an audit configuration module coupled to the description logic database engine for probing the network for vulnerabilities.

10. A configuration tool for use in configuring security software packages on a computer network, the configuration tool comprising:
- a description logic database engine;
  
  a network information database associated with the description logic database engine and providing a central repository for a configuration of hardware and software installed on the network;
  
  a security goal database associated with the description logic database engine and providing security goals describing uses that the hardware and software of the network may support;
  
  an event database associated with the description logic database engine and containing events related to the network, wherein the events contained in the event database include possible attacks against the network and benign events that could be confused with the possible attacks;
  
  a first configuration module coupled to the description logic database engine for configuring intrusion blocking security software packages;
  
  a second configuration module coupled to the description logic database engine for configuring intrusion detecting security software packages;
  
  a system hardening module coupled to the description logic database engine for automating a process of hardening the network; and
  
  an audit configuration module coupled to the description logic database engine for probing the network for vulnerabilities;
  
  wherein the first configuration module configures the intrusion blocking security software packages based on the configuration of the hardware and software installed on the network and the security goals;
  
  wherein the second configuration module configures the intrusion detecting security software packages based on the configuration of the hardware and software installed on the network and the security goals; and
  
  wherein the system hardening module is context sensitive.

11. A method for configuring a security software package installed on an individual network device, the method comprising:
- using active inference in a database engine to decompose one or more security policies for a class of network devices into one or more security goals for the individual network device, wherein the individual network device is a member of the class of network devices; and
  
  configuring the security software package using the one or more security goals.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11, wherein using active inference further comprises automatically classifying the individual network device based on an IP address, a network topology or a service provided by the individual network device, and applying rules to the individual network device based on its classification.
  - 13. The method of claim 11, wherein the database engine is an object-oriented description logic database engine.
  - 14. The method of claim 11, wherein the security software package is selected from the group consisting of an intrusion blocking software package and an intrusion detecting software package.

15. A method for configuring a security software package installed on an individual network device, the method comprising:
- using active inference in an object-oriented description logic database engine to decompose one or more security policies for a class of network devices into one or more security goals for the individual network device, wherein the individual network device is a member of the class of network devices; and
  
  configuring the security software package using the one or more security goals;
  
  wherein the security software package is selected from the group consisting of an intrusion blocking software package and an intrusion detecting software package.
- View Dependent Claims (16)
- - 16. The method of claim 15, wherein using active inference further comprises automatically classifying the individual network device based on an IP address, a network topology and one or more services the individual network device provides, and applying rules to the individual network device based on its classification.

17. A method for configuring a security software package, the method comprising:
- defining one or more security policies for a class of network devices, wherein the security software package is a service running on at least one network device of the class of network devices;
  
  using a database engine providing deduction to decompose the one or more security policies for the class of network devices into one or more security goals;
  
  using to database engine providing deduction to associate the one or more security goals with the at least one network device; and
  
  configuring the security software package on the at least one network device using the one or more security goals.

18. A method for configuring security software packages, comprising:
- generating a first database containing a configuration of hardware devices and software packages installed on a network, wherein the software packages include the security software packages;
  
  defining classes of hardware devices installed on the network;
  
  automatically classifying each of the hardware devices into one of the classes of hardware devices using a database engine providing deduction;
  
  generating a second database containing first security goals;
  
  decomposing the first security goals into second security goals for individual hardware devices using the database engine and the configuration of the hardware devices and the software packages installed on the network; and
  
  configuring each of the security software packages using the second security goals.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, wherein generating a second database containing first security goals further comprises generating a second database containing first security goals for each class of hardware devices.
  - 20. The method of claim 19, wherein decomposing the first security goals into second security goals for individual hardware devices further comprises using inference to associate the second security goals with individual hardware devices within each class of hardware devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Honeywell International Inc.
Original Assignee
Honeywell International Inc.
Inventors
Thomas, Vicraj T., Harp, Steven A., Goldman, Robert P.

Application Number

US09/943,405
Publication Number

US 20030046583A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/20 for managing network securi...

Automated configuration of security software suites

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

122 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Automated configuration of security software suites

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others