Secure enterprise network

US 20050193427A1
Filed: 01/25/2005
Published: 09/01/2005
Est. Priority Date: 02/26/2004
Status: Active Grant

First Claim

Patent Images

1. A method of implementing a security system (Packet Sentry (PS)) addressing the internal security problem of enterprises having a generalized approach for inferential determination with directory service based group correlation.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

What is proposed is a method of implementing a security system (Packet Sentry) addressing the internal security problem of enterprises having a generalized approach for inferential determination and enforcement of network policy with directory service based group correlation with transparent authentication of the connected customer and the policy enforcement inside the network. The security system enables the network to analyze and enforce policy using any bit or bits in a stream or a packet, conduct Flow Vector analysis on the data traffic, provide Application Monitoring, Normalization and user authentication validation. The system enables the network to implement Group relationship Analysis and correlation using combination of Network inferences and Directory service data resulting in generation of Group norms using statistically significant relationships. These will provide a more secure enterprise environment where data security levels can be enforced and the usage monitored effectively in the infrastructure.

Citations

23 Claims

1. A method of implementing a security system (Packet Sentry (PS)) addressing the internal security problem of enterprises having a generalized approach for inferential determination with directory service based group correlation.
- View Dependent Claims (2, 3, 4)
- - 2. The method of implementing the security system in claim 1, where in, the system only handles the analysis of data.
  - 3. The method of implementing the security system in claim 1, where in, the system only handles the enforcement of network policy.
  - 4. The method of implementing the security system in claim 1, where in, the system handles the analysis of data and enforcement of network policy.

5. A Security system, (Packet Sentry (PS)), solution is disclosed for addressing internal security problem of enterprises having a generalized approach for inferential determination and enforcement of network policy with directory service based group correlation having capability to transparently handle authentication verification and implement transparent policy enforcement in a fabric of a network.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The security system in claim 5, wherein, the system (Packet Sentry) verifies that authentication has taken place but does not participate in actual authentication.
  - 7. The security system in claim 5, wherein, the system (Packet Sentry) uses a look-ahead verification scheme to implement authentication verification and transparent policy enforcement in the fabric of the network.
  - 8. The security system in claim 5, wherein, the system (Packet Sentry) uses a cached verification scheme to implement authentication verification and transparent policy enforcement in the fabric of the network.
  - 9. The security system in claim 5, wherein, the system (Packet Sentry) uses a background session verification scheme to implement authentication verification and transparent policy enforcement in the fabric of the network.
  - 10. The security system in claim 5, wherein, the system (Packet Sentry) uses a reverse query of host verification scheme to implement authentication verification and transparent policy enforcement in the fabric of the network.
  - 11. The security system in claim 5, wherein, the system (Packet Sentry) uses an agent deployed on directory services (DS) servers or log consolidation servers to implement authentication verification and transparent policy enforcement in the fabric of the network.

12. A Security system, (Packet Sentry (PS)), solution is disclosed for the internal security problem of enterprises having a generalized approach for inferential determination and enforcement of network policy with directory service based group correlation having capability to do Information Flow vector analysis based on characteristics of the flows such as bit rates, packet sizes, ratios of data packets to control packets, ratios of forward to reverse flows and content weighted rates.
- View Dependent Claims (13, 14)
- - 13. The Security system, (Packet Sentry (PS)), solution in claim 12, where in, the flow vectors analysis is capable of Information flow analysis, Group flow analysis, and Group norm based monitoring.
  - 14. The Security system, (Packet Sentry (PS)), solution in claim 12, where in, the flow vectors analysis is used to generate policy which when enforced, is capable of providing increased security to the network.

15. A Security system, (Packet Sentry (PS)), solution is disclosed for the internal security problem of enterprises having a generalized approach for inferential determination and enforcement of network policy with directory service based group correlation having ability for application monitoring, flow normalization, user behavioral check and user authentication validation on an individual and a group level from which analyze on a network-level which groups access a resource and then to generate statistically significant relationships of the groups of users who have access to a set of resources in a network.
- View Dependent Claims (16, 17, 18)
- - 16. The security system in claim 15, wherein, the statistical relationship between groups and resources is used to generate network policy for implementation in the network.
  - 17. The security system in claim 15, wherein, no inference on group memberships are made, thereby eliminating errors in finding statistically significant groupings, allowing the system to distinguish between multi-group collisions.
  - 18. The security system in claim 15, wherein, the capability for application monitoring, flow normalization, user behavioral check and user authentication validation on an individual and a group level, is used to generate policy which when enforced increase the network security.

19. A Security system, (Packet Sentry (PS)), solution is disclosed for the internal security problem of enterprises having a generalized approach for inferential determination and enforcement of network policy with directory service based group correlation having ability to create policies and enforce them using information available on any bit or bits in a data stream.
- View Dependent Claims (20, 21, 22)
- - 20. The Security system, (Packet Sentry (PS)), solution disclosed in claim 19, wherein, any group of bits in the data stream can be analyzed using regular expression and bit masking techniques, and used to generate metadata about the analyzed data.
  - 21. The Security system, (Packet Sentry (PS)), solution disclosed in claim 19, wherein, any of the bits in the data stream, or the analyzed metadata, can be used to construct an enforcement rule that can act on the data and streams directly, based on the occurrence of any bit or bits of a recognized type identified by the policy.
  - 22. The Security system, (Packet Sentry (PS)), solution disclosed in claim 19, wherein, the ability to generate and enforce policy within a network based on any bit or bits in the data stream improve the security of the network.

23. A Security system, (Packet Sentry (PS)), solution is disclosed for the internal security problem of enterprises having a generalized approach for inferential determination and enforcement of network policy with directory service based group correlation having capability for transparently handle authentication verification and implement transparent policy enforcement in a fabric of a network;
- do Information Flow vector analysis;
  
  implement application monitoring, normalization, user behavioral check and user authentication validation on an individual and group level;
  
  conduct group relationship analysis and correlation using a combination of network Inference and directory services data and from this to generate group norms using statistically significant relationships for use by the security system (Packet Sentry);
  
  create policies and enforce them using information available on any bit or bits of the data stream;

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
PacketMotion Incorporated (Broadcom, Inc.)
Inventors
John, Pramod

Granted Patent

US 8,166,554 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/105 Multiple levels of security

Secure enterprise network

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Secure enterprise network

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links