System for supporting security administration and method of doing the same

US 20040215978A1
Filed: 04/26/2004
Published: 10/28/2004
Est. Priority Date: 04/24/2003
Status: Active Grant

First Claim

Patent Images

1. A system for supporting security administration in a network system, including:

a node-information memory storing node information indicative of security functions provided by hardwares and sorfwares of said network system, for each of said hardwares and each of said softwares;

an input device which receives a set of rules as guidance relating to security of said network system, and topology information indicative of hardwares of said network system and softwares installed in each of said hardwares; and

a correspondence maker which, based on said node information, makes correspondence between each of said rules and each of said hardwares or softwares indicated by said topology information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for supporting security administration in a network system, includes a node-information memory storing node information indicative of security functions provided by hardwares and sorfwares of the network system, for each of the hardwares and each of the softwares, an input device which receives a set of rules as guidance relating to security of the network system, and topology information indicative of hardwares of the network system and softwares installed in each of the hardwares, and a correspondence maker which, based on the node information, makes correspondence between each of the rules and each of the hardwares or softwares indicated by the topology information.

Citations

40 Claims

1. A system for supporting security administration in a network system, including:
- a node-information memory storing node information indicative of security functions provided by hardwares and sorfwares of said network system, for each of said hardwares and each of said softwares;
  
  an input device which receives a set of rules as guidance relating to security of said network system, and topology information indicative of hardwares of said network system and softwares installed in each of said hardwares; and
  
  a correspondence maker which, based on said node information, makes correspondence between each of said rules and each of said hardwares or softwares indicated by said topology information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system as set forth in claim 1, wherein said input device receives a set of rules including information about security functions which information corresponds to each of said rules, and said correspondence maker, based on said node information, identifies security function provided by each of said hardwares or softwares indicated by said topology information, and makes correspondence among a rule corresponding to the thus identified security function, the thus identified security function, and said each of said hardwares or softwares.
  - 3. The system as set forth in claim 1, further comprising an output device which outputs information about correspondence made by said correspondence maker between each of said rules and each of said hardwares or softwares.
  - 4. The system as set forth in claim 3, wherein said correspondence maker judges there is inconsistency in said correspondence, when rules to which a hardware or software commonly corresponds are contradictory to one another, and causes said output device to output detection of said inconsistency.
  - 5. The system as set forth in claim 3, further comprising a inconsistency-information memory which stores inconsistency in correspondence between a rule and a hardware or software, and wherein said correspondence maker judges there is inconsistency between a rule and a hardware or software, when correspondence between a rule and a hardware or software is coincident with said inconsistency, and causes said correspondence maker to output judgment result.
  - 6. The system as set forth in claim 1, wherein said correspondence maker judges whether there is a rule which does not have correspondence to any hardware or software, among said rules input through said input device, and if such a rule exists, said correspondence maker causes said input device to output information indicating that such a rule exists.
  - 7. The system as set forth in claim 3, wherein said correspondence maker judges whether there is a hardware or software which does not have correspondence to any rule, among said hardwares or softwares indicated by said topology information, and if such a hardware or software exists, said correspondence maker causes said input device to output information indicating that such a hardware or software exists.
  - 8. The system as set forth in claim 1, further comprising:
    - a parameter-information memory which stores parameter information including an instruction to extract a parameter to be applied to a hardware or software for causing said hardware or software to carry out its security functions, out of said topology information;
      
      a parameter-extracting device which extracts said parameter information out of said parameter-information memory for each of said security functions to which a rule and a hardware or software corresponds, and extracts a parameter out of said topology information in accordance with an instruction included in the thus extracted parameter information;
      
      an script-model memory which stores a model of a script including a command for determining a parameter on the assumption that a parameter is not determined; and
      
      a script maker which extracts said model out of said script-model memory, and makes said script, based on the thus extracted model and said parameter extracted by said parameter-extracting device.
  - 9. The system as set forth in claim 8, wherein said parameter-information memory stores said parameter information for each of security functions which parameter information does not include description dependent on a hardware or software.
  - 10. The system as set forth in claim 8, wherein said script maker stores a model of a script dependent on a hardware or software, for each of security functions of each of said hardwares and each of said softwares, and extracts a model of a script identified by a combination of a security function and a hardware or software which combination corresponds to a rule, out of said script-model memory, to thereby make a script.
  - 11. The system as set forth in claim 1, further comprising:
    - a vulnerability information input device which receives vulnerability information including at least first information indicative of a reason why a security vulnerability point is caused, second information indicative of an object to which a solution to said security vulnerability point is applied, and third information indicative of said solution, and an recommendation-degree judge which determines a degree at which said solution is recommended to carry out, based on a combination of a rule, a security function, and a hardware or software which combination was made by said correspondence maker.
  - 12. The system as set forth in claim 11, wherein said recommendation-degree judge judges whether a hardware or software identified as said object has correspondence to a rule, and classifies said degree, based on the judgment result.
  - 13. The system as set forth in claim 11, wherein said recommendation-degree judge judges whether said reason is included in said combination, and classifies said degree, based on the judgment result.
  - 14. The system as set forth in claim 11, wherein said recommendation-degree judge judges whether a hardware or software identified as said object is includes in said topology information, and classifies said degree, based on the judgment result.
  - 15. The system as set forth in claim 1, wherein said input device receives a set of rules classified for classes of a communication network, and topology information indicative of said class of said communication network and hard-wares belonging to each of said classes, and said correspondence maker makes correspondence between a rule and a hardware or software for each of classes of said communication network.
  - 16. The system as set forth in claim 1, wherein said input device receives a set of rules which do not include description dependent on a particular hardware or software, and said node-information memory stores said node information storing security functions described without dependence on a particular hardware or software.

17. A system for supporting security administration in a network system, including:
- an input device which receives topology information indicative of hardwares of said network system and softwares installed in each of said hardwares;
  
  a function-map input device which receives a function map including a set of information indicative of correspondence among a rule as a guidance relating to security of said network system, a hardware or software of said network system, and a security function provided by said hardware or software to accomplish said rule;
  
  a parameter-information memory which stores parameter information including an instruction to extract a parameter to be applied to a hardware or software for causing said hardware or software to carry out its security functions, out of said topology information;
  
  a parameter-extracting device which extracts said parameter information out of said parameter-information memory for each of said security functions to which a rule and a hardware or software corresponds, and extracts a parameter out of said topology information in accordance with an instruction included in the thus extracted parameter information, based on said function map;
  
  a script-model memory which stores a model of a script including a command for determining a parameter on the assumption that a parameter is not determined; and
  
  a script maker which extracts said model out of said script-model memory, and makes said script, based on the thus extracted model and said parameter extracted by said parameter-extracting device.

18. A system for supporting security administration in a network system, including:
- a function-map input device which receives a function map including a set of information indicative of correspondence among a rule as a guidance relating to security of said network system, a hardware or software of said network system, and a security function provided by said hardware or software to accomplish said rule;
  
  a vulnerability information input device which receives vulnerability information including at least first information indicative of a reason why a security vulnerability point is caused, second information indicative of an object to which a solution to said security vulnerability point is applied, and third information indicative of said solution; and
  
  a recommendation-degree judge which determines a degree at which said solution is recommended to carry out, based on said function map.

19. A system for supporting security administration in a network system, including:
- a node-information memory storing node information indicative of security functions provided by hardwares and sorfwares of said network system, for each of said hardwares and each of said softwares;
  
  an input device which receives a set of rules as guidance relating to security of said network system, and topology information indicative of classes of said communication network, hardwares belonging to each of said classes, and softwares installed in each of said hardwares, said rules being associated with information of a security function and being classified for each of said classes of said communication network;
  
  a constraint-information memory which stores constraint information indicative of constraint to a security function in each of said classes of said communication network; and
  
  a correspondence maker which, based on said node information, identifies a security function provided by a hardware belonging to each of said classes of said communication network or by a software installed in said hardware for each of said classes of said communication network, and makes correspondence among a rule associated with the thus identified security function, said security function, and said hardware or software, said correspondence maker judges whether said security function associated with said rule and said hardware of software accords with said constraint information.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The system as set forth in claim 19, further comprising an output device which outputs information indicative of said rule, said security function and said hardware or software, and wherein said correspondence maker causes said output device to output said correspondence, and, if a security function associated with said rule and said hardware or software in a class does not accord with said constraint information, said correspondence maker causes said output device to output no accordance of said security function with said constraint information.
  - 21. The system as set forth in claim 20, wherein said constraint-information memory stores combinations of a plurality of security functions which must not be included in a common class, as said constraint information, and said correspondence maker, if a combination coincident with said constraint information exists in said security functions associated with hardwares belonging to a common class or softwares installed in said hardwares, causes said output device to output that there is a combination of a plurality of security functions which must not be included in a common class.
  - 22. The system as set forth in claim 20, wherein said constraint information memory stores a combination of a plurality of security functions about which an attention is to be paid to a system administrator when said security functions are includes in a common class, as said constraint information, and said correspondence maker, if a combination coincident with said constraint information exists in said security functions associated with hardwares belonging to a common class or softwares installed in said hardwares, causes said output device to output warning.
  - 23. The system as set forth in claim 20, wherein said constraint information memory stores a combination of a plurality of security functions which are determined preferable to be included in a common class, and said correspondence maker, if only a part of said security functions indicated by said constraint information exists in said security functions associated with hardwares belonging to a common class or softwares installed in said hardwares, causes said output device to output that a combination of a plurality of security functions which are determined preferable to be included in a common class is not made.
  - 24. The system as set forth in claim 20, wherein said constraint information memory stores a combination of a plurality of security functions which have to be included in a common class, and said correspondence maker, if only a part of said security functions indicated by said constraint information exists in said security functions associated with hardwares belonging to a common class or softwares installed in said hardwares, causes said output device to output that a combination of a plurality of security functions which have to be included in a common class is not made.

25. A method of supporting security administration in a network system, including:
- storing node information indicative of security functions provided by hardwares and sorfwares of said network system, for each of said hardwares and each of said softwares;
  
  receiving a set of rules as guidance relating to security of said network system, and topology information indicative of hardwares of said network system and softwares installed in each of said hardwares; and
  
  based on said node information, making correspondence between each of said rules and each of said hardwares or softwares indicated by said topology information.

26. A method of supporting security administration in a network system, including:
- receiving topology information indicative of hardwares of said network system and softwares installed in each of said hardwares;
  
  receiving a function map including a set of information indicative of correspondence among a rule as a guidance relating to security of said network system, a hardware or software of said network system, and a security function provided by said hardware or software to accomplish said rule;
  
  storing parameter information including an instruction to extract a parameter to be applied to a hardware or software for causing said hardware or software to carry out its security functions, out of said topology information;
  
  extracting said parameter information for each of said security functions to which a rule and a hardware or software corresponds, and extracting a parameter out of said topology information in accordance with an instruction included in the thus extracted parameter information, based on said function map;
  
  storing a model of a script including a command for determining a parameter on the assumption that a parameter is not determined; and
  
  extracting said model out of said script-model memory, and making said script, based on the thus extracted model and said parameter.

27. A method of supporting security administration in a network system, including:
- receiving a function map including a set of information indicative of correspondence among a rule as a guidance relating to security of said network system, a hardware or software of said network system, and a security function provided by said hardware or software to accomplish said rule;
  
  receiving vulnerability information including at least first information indicative of a reason why a security vulnerability point is caused, second information indicative of an object to which a solution to said security vulnerability point is applied, and third information indicative of said solution; and
  
  determining a degree at which said solution is recommended to carry out, based on said function map.

28. A method of supporting security administration in a network system, including:
- storing node information indicative of security functions provided by hardwares and sorfwares of said network system, for each of said hardwares and each of said softwares;
  
  receiving a set of rules as guidance relating to security of said network system, and topology information indicative of classes of said communication network, hardwares belonging to each of said classes, and softwares installed in each of said hardwares, said rules being associated with information of a security function and being classified for each of said classes of said communication network;
  
  storing constraint information indicative of constraint to a security function in each of said classes of said communication network;
  
  based on said node information, identifying a security function provided by a hardware belonging to each of said classes of said communication network or by a software installed in said hardware for each of said classes of said communication network, and making correspondence among a rule associated with the thus identified security function, said security function, and said hardware or software; and
  
  judging whether said security function associated with said rule and said hardware of software accords with said constraint information.

29. A program for causing a computer to carry out steps, said computer including a node-information memory storing node information indicative of security functions provided by hardwares and sorfwares of a network system, for each of said hardwares and each of said softwares, said steps including:
- receiving a set of rules as guidance relating to security of said network system, and topology information indicative of hardwares of said network system and softwares installed in each of said hardwares; and
  
  based on said node information, making correspondence between each of said rules and each of said hardwares or softwares indicated by said topology information.

30. A program for causing a computer to carry out steps, said computer including a parameter-information memory which stores parameter information including an instruction to extract a parameter to be applied to a hardware or software for causing said hardware or software to carry out its security functions, out of said topology information, and a script-model memory which stores a model of a script including a command for determining a parameter on the assumption that a parameter is not determined, said steps including:
- receiving topology information indicative of hardwares of a network system to be administrated and softwares installed in each of said hardwares;
  
  receiving a function map including a set of information indicative of correspondence among a rule as a guidance relating to security of said network system, a hardware or software of said network system, and a security function provided by said hardware or software to accomplish said rule;
  
  extracting said parameter information for each of said security functions to which a rule and a hardware or software corresponds, and extracting a parameter out of said topology information in accordance with an instruction included in the thus extracted parameter information, based on said function map; and
  
  extracting said model out of said script-model memory, and making said script, based on the thus extracted model and said parameter.

31. A program for causing a computer to carry out steps of receiving a function map including a set of information indicative of correspondence among a rule as a guidance relating to security of a network system to be administrated, a hardware or software of said network system, and a security function provided by said hardware or software to accomplish said rule;
- receiving vulnerability information including at least first information indicative of a reason why a security vulnerability point is caused, second information indicative of an object to which a solution to said security vulnerability point is applied, and third information indicative of said solution; and
  
  determining a degree at which said solution is recommended to carry out, based on said function map.

32. A program for causing a computer to carry out steps, said computer including a node-information memory storing node information indicative of security functions provided by hardwares and sorfwares of a network system, for each of said hardwares and each of said softwares, and a constraint-information memory which stores constraint information indicative of constraint to a security function in each of said classes of said communication network, said steps including:
- receiving a set of rules as guidance relating to security of said network system, and topology information indicative of classes of said communication network, hardwares belonging to each of said classes, and softwares installed in each of said hardwares, said rules being associated with information of a security function and being classified for each of said classes of said communication network;
  
  based on said node information, identifying a security function provided by a hardware belonging to each of said classes of said communication network or by a software installed in said hardware for each of said classes of said communication network, and making correspondence among a rule associated with the thus identified security function, said security function, and said hardware or software; and
  
  judging whether said security function associated with said rule and said hardware of software accords with said constraint information.

33. An information-display system to be applied to a system for supporting security administration which system makes correspondence between each of rules as guidance relating to security in a network system, and each of hardwares of said network system and each of softwares installed in each of said hardwares, said information-display system including:
- a screen-information memory which stores information about a screen having a rule-display section for displaying each of rules, a node-display section for displaying each of hardwares and each of softwares, and a correspondence-display section located between said rule-display section and said node-display section;
  
  a screen-information maker which, based on said screen information stored in said screen-information memory, makes output information in accordance with which each of rules is displayed in said rule-display section, each of hardwares and each of softwares are displayed in said node-display section, and a line connecting a rule to a hardware or software associated with said rule is displayed in said correspondence-display section; and
  
  an output device which displays said each of rules, said each of hardwares and each of softwares, and said line in a screen in accordance with said output information.
- View Dependent Claims (34, 35)
- - 34. The system as set forth in claim 33, wherein said screen-information maker makes screen information in accordance with which each of rules is displayed such that each of rules and said correspondence-display section are spaced away from each other by a distance determined in accordance with a hierarchy associated with said each of rules, and further in accordance with which a first rule located at a lower hierarchy relative to a second rule is displayed below said second rule.
  - 35. The system as set forth in claim 33, wherein said screen-information maker makes screen information in accordance with which said each of hardwares and each of softwares are displayed such that a distance between said each of hardwares and each of softwares and said correspondence-display section is dependent on whether what is displayed is a hardware or software, and further in accordance with which a software installed in a hardware is displayed below said hardware.

36. An information-display system to be applied to a system for supporting security administration which system makes correspondence between each of rules as guidance relating to security in a network system, and each of hardwares of said network system and each of softwares installed in each of said hardwares, said information-display system including:
- a screen-information memory which stores information about a screen having a section in which each of rules, each of hardwares and each of softwares are displayed;
  
  a screen-information maker which, based on said screen information stored in said screen-information memory, makes output information in accordance with which said hardwares and said softwares are displayed in said section, said each of rules is displayed around an area in which said hardwares and said softwares are displayed, and a line connecting a rule to a hardware or software associated with said rule; and
  
  an output device which displays said each of rules, said each of hardwares and each of softwares, and said line in a screen in accordance with said output information.
- View Dependent Claims (37, 38)
- - 37. The system as set forth in claim 36, wherein said screen-information maker makes screen information in accordance with which a first rule located at a lower hierarchy relative to a second rule is displayed adjacent to said second rule.
  - 38. The system as set forth in claim 36, wherein said screen-information maker makes screen information in accordance with which a line connecting a software to a hardware in which said software is installed is displayed.

39. A method of displaying information to be applied to a system for supporting security administration which system makes correspondence between each of rules as guidance relating to security in a network system, and each of hardwares of said network system and each of softwares installed in each of said hardwares, said method including:
- storing information about a screen having a rule-display section for displaying each of rules, a node-display section for displaying each of hardwares and each of softwares, and a correspondence-display section located between said rule-display section and said node-display section;
  
  based on said screen information, making output information in accordance with which each of rules is displayed in said rule-display section, each of hardwares and each of softwares are displayed in said node-display section, and a line connecting a rule to a hardware or software associated with said rule is displayed in said correspondence-display section; and
  
  displaying said each of rules, said each of hardwares and each of softwares, and said line in a screen in accordance with said output information.

40. A method of displaying information to be applied to a system for supporting security administration which system makes correspondence between each of rules as guidance relating to security in a network system, and each of hardwares of said network system and each of softwares installed in each of said hardwares, said method including:
- storing information about a screen having a section in which each of rules, each of hardwares and each of softwares are displayed;
  
  based on said screen information, making output information in accordance with which said hardwares and said softwares are displayed in said section, said each of rules is displayed around an area in which said hardwares and said softwares are displayed, and a line connecting a rule to a hardware or software associated with said rule; and
  
  displaying said each of rules, said each of hardwares and each of softwares, and said line in a screen in accordance with said output information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Corporation
Inventors
Matsuda, Katsushi, Okajo, Sumitaka

Granted Patent

US 7,739,722 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

System for supporting security administration and method of doing the same

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

System for supporting security administration and method of doing the same

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links