System and method for security policy

US 20030061506A1
Filed: 06/14/2001
Published: 03/27/2003
Est. Priority Date: 04/05/2001
Status: Abandoned Application

First Claim

Patent Images

1. A system for analyzing network traffic to use in performing network and security assessments by listening on a subject network, interpreting events, and taking action, comprising:

a policy specification file;

a network monitor processor for processing network packet data collected from said subject network; and

a policy monitoring component for receiving and processing said policy specification file, and receiving and processing said processed network packet data to assign dispositions to network events contained in said network packet data.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security policy monitoring system and method for performing network and security assessments based on system-wide policy. Real network traffic is analyzed to identify abnormal traffic patterns, system vulnerabilities, and incorrect configuration of computer systems on a network, by listening on a network, logging events, and taking action.

434 Citations

40 Claims

1. A system for analyzing network traffic to use in performing network and security assessments by listening on a subject network, interpreting events, and taking action, comprising:
- a policy specification file;
  
  a network monitor processor for processing network packet data collected from said subject network; and
  
  a policy monitoring component for receiving and processing said policy specification file, and receiving and processing said processed network packet data to assign dispositions to network events contained in said network packet data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, said policy monitoring component further comprising:
    - a parser for parsing said policy specification file;
      
      a policy engine for synthesizing said parsed policy specification file and said processed network packet data, and for performing said assign dispositions and level of severity to said network events contained in said network packet data; and
      
      a logger for logging and storing into an events database said synthesized information by said policy engine according to a logging policy file.
  - 3. The system of claim 2, further comprising:
    - a query mechanism for mining said stored data in said events database.
  - 4. The system of claim 2, further comprising:
    - an alarm script component for generating alarms based on said level of severity of said network events.
  - 5. The system of claim 2, further comprising means for said policy engine:
    - interpreting each protocol event; and
      
      consulting said policy specification file as each protocol event is interpreted to ensure that an earliest determination of said disposition is reached.
  - 6. The system of claim 1, wherein said collected network packet data is captured in a file or is streams-based.
  - 7. The system of claim 1, further comprising:
    - a secure Web server comprising a Web server component and a report database for displaying reports online, said reports generated by said events database using a report script.
  - 8. The system of claim 1, further comprising:
    - a parser for generating an English description policy representation from said policy specification file.
  - 9. The system of claim 1, wherein said network monitor processor is used in standalone mode.
  - 10. The system of claim 1, wherein said network monitor processor and said policy monitoring component run on a same machine.
  - 11. The system of claim 1, further comprising:
    - a policy generator for generating said policy specification file.
  - 12. The system of claim 1, wherein said received network packet data is encoded.

13. A method for analyzing network traffic to use in performing network and security assessments by listening on a subject network, interpreting events, and taking action, said method comprising:
- providing a policy specification file;
  
  providing a network monitor processor for processing network packet data collected from said subject network; and
  
  providing a policy monitoring component for receiving and processing said policy specification file, and receiving and processing said processed network packet data to assign dispositions to network events contained in said network packet data.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The method of claim 13, said provided policy monitoring component further comprising:
    - providing a parser for parsing said policy specification file;
      
      providing a policy engine for synthesizing said parsed policy specification file and said processed network packet data, and for performing said assign dispositions and level of severity to said network events contained in said network packet data; and
      
      providing a logger for logging and storing into an events database said synthesized information by said policy engine according to a logging policy file.
  - 15. The method of claim 14, further comprising:
    - providing a query mechanism for mining said stored data in said events database.
  - 16. The method of claim 14, further comprising:
    - providing an alarm script component for generating alarms based on said level of severity of said network events.
  - 17. The method of claim 14, further comprising said policy engine:
    - interpreting each protocol event; and
      
      consulting said policy specification file as each protocol event is interpreted to ensure that an earliest determination of said disposition is reached.
  - 18. The method of claim 13, wherein said collected network packet data is captured in a file or is streams-based.
  - 19. The method of claim 13, further comprising:
    - providing a secure Web server comprising a Web server component and a report database for displaying reports online, said reports generated by said events database using a report script.
  - 20. The method of claim 13, further comprising:
    - providing a parser for generating an English description policy representation from said policy specification file.
  - 21. The method of claim 13, wherein said network monitor processor is used in standalone mode.
  - 22. The method of claim 13, wherein said network monitor processor and said policy monitoring component run on a same machine.
  - 23. The method of claim 13, further comprising:
    - providing a policy generator for generating said policy specification file.
  - 24. The method of claim 13, wherein said received network packet data is encoded.

25. A method for interatively developing network security policy for a network, comprising:
- creating an initial network security policy file;
  
  ensuring said initial network security policy file is uploaded to a machine on said network;
  
  running a network monitor on said network machine to collect said network traffic;
  
  said network monitor outputting said collected network traffic in an output file, and passing said output file to a policy monitor;
  
  said policy monitor analyzing said collected network traffic;
  
  storing said analyzed network traffic in a database;
  
  examining said analyzed network traffic in said database by querying said database using a query tool; and
  
  modifying said initial network security policy file as needed until a comprehensive and desired policy file is attained.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32)
- - 26. The method of claim 25, wherein said network machine is remote, and further comprising uploading said modified network security policy file to said remote network machine as needed.
  - 27. The method of claim 25, further comprising:
    - monitoring network traffic by using said attained comprehensive and desired policy file.
  - 28. The method of claim 27, wherein monitoring network traffic is on a continuous basis.
  - 29. The method of claim 25, further comprising:
    - generating reports from said database, and using said generated reports as input for further policy refinement and/or using said generated reports for continuously monitoring network traffic.
  - 30. The method of claim 29, further comprising:
    - encrypting said reports, and sending said encrypted reports to a remote secure Web server.
  - 31. The method of claim 30, further comprising:
    - accessing said reports on said remote server in a user-friendly manner.
  - 32. The method of claim 25, wherein creating an initial network security policy file, and modifying said network security policy file as needed use a policy generator tool.

33. A system for interatively developing network security policy for a network, said system comprising:
- means for creating an initial network security policy file;
  
  means for ensuring said initial network security policy file is uploaded to a machine on said network;
  
  means for running a network monitor on said machine to collect said network traffic;
  
  means for said network monitor outputting said collected network traffic in an output file, and passing said output file to a policy monitor;
  
  means for said policy monitor analyzing said collected network traffic;
  
  means for storing said analyzed network traffic in a database;
  
  means for examining said analyzed network traffic in said database by querying said database using a query tool; and
  
  means for modifying said initial network security policy file as needed until a comprehensive and desired policy file is attained.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40)
- - 34. The system of claim 33, wherein said network machine is remote, and further comprising means for uploading said modified network security policy file to said remote network machine as needed.
  - 35. The system of claim 33, further comprising:
    - means for monitoring network traffic by using said attained comprehensive and desired policy file.
  - 36. The system of claim 35, wherein monitoring network traffic is on a continuous basis.
  - 37. The system of claim 33, further comprising:
    - means for generating reports from said database, and using said generated reports as input for further policy refinement and/or using said generated reports for continuously monitoring network traffic.
  - 38. The system of claim 37, further comprising:
    - means for encrypting said reports, and sending said encrypted reports to a remote secure Web server.
  - 39. The system of claim 38, further comprising:
    - means for accessing said reports on said remote server in a user-friendly manner.
  - 40. The system of claim 33, wherein means for creating an initial network security policy file, and modifying said network security policy file as needed uses a policy generator tool.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Securify, Inc. (McAfee, LLC)
Original Assignee
Securify, Inc. (McAfee, LLC)
Inventors
Sherlock, Kieran G., Cooper, Geoffrey, Shaw, Bob, Valente, Luis

Application Number

US09/881,147
Publication Number

US 20030061506A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 41/069   using logs of notifications...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/5009   Determining service level p...

H04L 43/00   Arrangements for monitoring...

H04L 43/045   for graphical visualisation...

H04L 43/06   Generation of reports

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/0227   Filtering policies mail mes...

H04L 63/04   for providing a confidentia...

H04L 63/0823   using certificates cryptogr...

H04L 63/102   Entity profiles

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

H04L 69/22   Parsing or analysis of headers

System and method for security policy

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

434 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for security policy

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

434 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links