Behavior model generator system for facilitating confirmation of intention of security policy creator

US 20060005228A1
Filed: 04/28/2005
Published: 01/05/2006
Est. Priority Date: 06/18/2004
Status: Abandoned Application

First Claim

Patent Images

1. An behavior model generator system comprising:

policy storing means for storing a security policy including at least a transmission permission condition or a transmission prohibition condition for communicated data;

topology storing means for storing topology information which describes information on a device connected to a communication network to which a network access controller is connected, said network access controller performing at least an operation for permitting the communicated data to transmit or an operation for prohibiting the communicate data from transmitting; and

behavior model generating means for generating an behavior model based on the security policy stored in said policy storing means, said behavior model including data representative of the operation of said network access controller for each device described in the topology information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy normalizing means normalizes an entered security policy. Specifically, if the security policy does not include necessary items, the policy normalizing means compensates the security policy for the missing items by predefined values so that the security policy includes the necessary items. An behavior model generating means generates an behavior model representative of the operation of a network access controller based on the normalized security policy. In this event, the behavior model generating means generates an behavior model which is represented by a data structure that is not dependent on the type of the network access controller. A modifying means modifies the behavior model in accordance with a modification principle desired by an operator, and a configuration generating means generates configuration for the network access controller from the modified behavior model.

69 Citations

View as Search Results

25 Claims

1. An behavior model generator system comprising:
- policy storing means for storing a security policy including at least a transmission permission condition or a transmission prohibition condition for communicated data;
  
  topology storing means for storing topology information which describes information on a device connected to a communication network to which a network access controller is connected, said network access controller performing at least an operation for permitting the communicated data to transmit or an operation for prohibiting the communicate data from transmitting; and
  
  behavior model generating means for generating an behavior model based on the security policy stored in said policy storing means, said behavior model including data representative of the operation of said network access controller for each device described in the topology information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The behavior model generator system according to claim 1, further comprising policy input means for entering a security policy, wherein said policy storing means stores a security policy entered through said policy input means.
  - 3. The behavior model generator system according to claim 1, further comprising topology information input means for entering topology information, wherein said topology storing means stores topology information entered through said topology information input means.
  - 4. The behavior model generator system according to claim 1, further comprising policy normalizing means, operable when the security policy does not include a description related to a predefined item, for executing normalization for adding a description related to the item to the security policy, wherein said behavior model generating means generates an behavior model based on the normalized security policy.
  - 5. The behavior model generator system according to claim 1, further comprising:
    - conversion rule storing means for storing a conversion rule for use in converting the behavior model to configuration for defining the operation of said network access controller, said configuration being described in a format dependent on the type of said network access controller; and
      
      configuration generating means for converting the behavior model to the configuration in accordance with the conversion rule.
  - 6. The behavior model generator system according to claim 1, further comprising:
    - modification principle input means for entering a modification principle for an behavior model generated by said behavior model generating means; and
      
      modifying means for modifying the behavior model in accordance with the modification principle.
  - 7. The behavior model generator system according to claim 6, further comprising information output means for displaying an image, wherein:
    - said modifying means displays a user interface on said information output means for displaying a plurality of candidate modification principles to prompt a user to select a modification principle.
  - 8. The behavior model generator system according to claim 6, wherein:
    - said modifying means is responsive to a modification principle entered through said modification principle input means, said modification principle defining that verbosity of the behavior model is not permitted, for modifying an behavior model to delete duplicate information in information included in the behavior model.
  - 9. The behavior model generator system according to claim 8, further comprising information output means for displaying an image, wherein:
    - said modifying means displays a user interface on said information output means for showing a modification principle which defines that verbosity is not permitted for an behavior model and a modification principle which defines that verbosity is permitted for an behavior model to prompt the user to select one of the modification principles.
  - 10. The behavior model generator system according to claim 6, wherein:
    - said topology storing means stores topology information including information on a software application installed in each device; and
      
      said modifying means is responsive to a modification principle entered through said modification principle input means, said modification principle defining that strictness is required for the behavior model, for modifying an behavior model to delete information other than information related to the software application installed in a device corresponding to the behavior model from information included in the behavior model based on the topology information.
  - 11. The behavior model generator system according to claim 10, further comprising information output means for displaying an image, wherein said modifying means displays a user interface on said information output means for showing a modification principle which defines that strictness is required for an behavior model, and a modification principle which defines that strictness is not required for an behavior model to prompt the user to select one of the modification principles.
  - 12. The behavior model generator system according to claim 6, wherein:
    - said behavior model generating means generates, in accordance with the security policy stored in said policy storing means, an behavior model in a first description format which describes that data is permitted to transmit when a transmission permission condition is satisfied and describes that data is prohibited from transmitting when the transmission permission condition is not satisfied, and an behavior model in a second description format which describes that data is prohibited from transmitting when a transmission prohibition condition is satisfied and describes that data is permitted to transmit when the transmission prohibition condition is not satisfied, and said modifying means is responsive to a modification principle entered through said modification principle input means, said modification principle defining a modification to an behavior model in the second description format, for modifying the behavior model in the first description format to convert the same to an behavior model in the second description format, and is responsive to a modification principle entered through said modification principle input means, said modification principle defining a modification to an behavior model in the first description format, for modifying the behavior model in the second description format to an behavior model in the first description format.
  - 13. The behavior model generator system according to claim 12, further comprising information output means for displaying an image, wherein:
    - said modifying means displays a user interface on said information output means for showing a modification principle which defines a modification to an behavior model in the second description format, a modification principle which defines a modification to an behavior model in the first description format, and a modification principle which defines that no modification is made to an behavior model to prompt the user to select one of the modification principles.
  - 14. The behavior model generator system according to claim 6, wherein said modifying means is responsive to a modification principle entered through said modification principle input means, said modification principle defining that efficiency is required for the operation of a device, for modifying an behavior model to a form which enables a higher operation of said network access controller.
  - 15. The behavior model generator system according to claim 14, further comprising information output means for displaying an image, wherein:
    - said modifying means displays a user interface on said information output means for displaying a modification principle which defines that efficiency is required for the operation of a device, and a modification principle which defines that efficiency is not required for the operation of a device to prompt the user to select one of the modification principles.
  - 16. The behavior model generator system according to claim 7, wherein said modifying means displays a user interface on said information output means which displays an behavior model generated by said behavior model generating means as a single diagram.
  - 17. The behavior model generator system according to claim 16, wherein said modifying means modifies an behavior model displayed as a diagram on the user interface in accordance with a modification principle entered through said modification principle input means.
  - 18. The behavior model generator system according to claim 6, wherein said modifying means is responsive to a modification principle entered through said modification principle input means, said modification principle being applied to each behavior model which has not been modified, for modifying each behavior model which has not been modified in accordance with the modification principle.
  - 19. The behavior model generator system according to claim 6, further comprising information output means for displaying an image, wherein:
    - said modifying means displays a modified behavior model on said information output means as a diagram.
  - 20. The behavior model generator system according to claim 1, further comprising information output means for displaying an image, wherein:
    - said behavior model generating means displays a generated behavior model on said information output means as a diagram.

21. An behavior model generating method comprising the steps of:
- policy storing means storing a security policy including at least a transmission permission condition or a transmission prohibition condition for communicated data;
  
  topology storing means storing topology information which describes information on a device connected to a communication network to which a network access controller is connected, said network access controller performing at least an operation for permitting the communicated data to transmit or an operation for prohibiting the communicate data from transmitting; and
  
  behavior model generating means generating an behavior model based on the security policy stored in said policy storing means, said behavior model including data representative of the operation of said network access controller for each device described in the topology information.
- View Dependent Claims (22, 23, 24)
- - 22. The behavior model generating method according to claim 21, further comprising the steps of:
    - entering a security policy through policy input means; and
      
      storing the security policy in policy storing means.
  - 23. The behavior model generating method according to claim 21, further comprising the steps of:
    - entering topology information through topology information input means; and
      
      storing the topology information in topology storing means.
  - 24. The behavior model generating method according to claim 21, further comprising the steps of:
    - policy normalizing means executing normalization when the security policy does not include a description related to a predefined item for adding a description related to the item to the security policy; and
      
      an behavior model generating means generating an behavior model based on the normalized security policy.

25. An behavior model generating program, when run on a computer comprising policy storing means for storing a security policy including at least a transmission permission condition or a transmission prohibition condition for communicated data, and topology storing means for storing topology information which describes information on a device connected to a communication network to which a network access controller is connected, said network access controller performing at least an operation for permitting the communicated data to transmit or an operation for prohibiting the communicate data from transmitting, causing said computer to execute processing for generating an behavior model based on the security policy stored in said policy storing means, said behavior model including data representative of the operation of said network access controller for each device described in the topology information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Corporation
Inventors
Matsuda, Katsushi

Application Number

US11/116,359
Publication Number

US 20060005228A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 2221/2101 Auditing as a secondary aspect

H04L 63/0263 Rule management

Behavior model generator system for facilitating confirmation of intention of security policy creator

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

69 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Behavior model generator system for facilitating confirmation of intention of security policy creator

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links