Policy-based selection of remediation

US 20060053475A1
Filed: 09/03/2004
Published: 03/09/2006
Est. Priority Date: 09/03/2004
Status: Active Grant

First Claim

Patent Images

27. A machine-readable medium comprising instructions, execution of which by a machine determines one or more remediations for a device that includes a processor, the machine-readable instructions including:

a first code segment to receive values of a plurality of parameters which collectively characterize an operational state of the device, there being at least one policy associated with at least a given one of the plurality of parameters, policy defining as a condition thereof one or more potential values of, or based upon, the given parameter, satisfaction of the condition potentially being indicative of unauthorized activity or manipulation of the device;

a second code segment to automatically determine, from the received parameter values, whether the conditions for any policies are satisfied, respectively; and

a third code segment to automatically select one or more remediations for the device according to the satisfied policies, respectively.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, of automatically determining one or more remediations for a device that includes a processor, may include: receiving values of a plurality of parameters which collectively characterize an operational state of the device, there being at least one policy associated with at least a given one of the plurality of parameters, policy defining as a condition thereof one or more potential values of, or based upon, the given parameter, satisfaction of the condition potentially being indicative of unauthorized activity or manipulation of the device; automatically determining, from the received parameter values, whether the conditions for any policies are satisfied, respectively; and automatically selecting one or more remediations for the device according to the satisfied policies, respectively.

Citations

45 Claims

27. A machine-readable medium comprising instructions, execution of which by a machine determines one or more remediations for a device that includes a processor, the machine-readable instructions including:
- a first code segment to receive values of a plurality of parameters which collectively characterize an operational state of the device, there being at least one policy associated with at least a given one of the plurality of parameters, policy defining as a condition thereof one or more potential values of, or based upon, the given parameter, satisfaction of the condition potentially being indicative of unauthorized activity or manipulation of the device;
  
  a second code segment to automatically determine, from the received parameter values, whether the conditions for any policies are satisfied, respectively; and
  
  a third code segment to automatically select one or more remediations for the device according to the satisfied policies, respectively.
- View Dependent Claims (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 42, 43, 44, 45)
- - 1. A method of automatically determining one or more remediations for a device that includes a processor, the method comprising:
    - receiving values of a plurality of parameters which collectively characterize an operational state of the device, there being at least one policy associated with at least a given one of the plurality of parameters, the at-least-one policy defining as a condition thereof one or more potential values of, or based upon, the given parameter, satisfaction of the condition potentially being indicative of unauthorized activity or manipulation of the device;
      
      automatically determining, from the received parameter values, whether the conditions for any policies are satisfied, respectively; and
      
      automatically selecting one or more remediations for the device according to the satisfied policies, respectively.
  - 2. The method of claim 1, further comprising:
    - automatically determining which of the satisfied policies are also activated with respect to the device;
      
      wherein the selecting of the one or more remediations is based upon those policies that are both satisfied and activated.
  - 3. The method of claim 1, wherein:
    - the at-least-one policy is a first type of policy; and
      
      there is at least one instance of a second type of policy, the second policy type being associated collectively with two or more given ones of the plurality of parameters, the second type of policy defining as a condition thereof a collection of at least two sub-conditions, a first one of the sub-conditions in the collection being defined as one or more potential values of the first parameter, and a second one of the sub-conditions in the collection being defined as one or more potential values of the second parameter, satisfaction of the condition occurring when respective satisfaction of the sub-conditions coincides, the satisfaction of the condition possibly being indicative of unauthorized activity or manipulation of the device.
  - 4. The method of claim 3, wherein, for at least the first sub-condition, the one or more potential values defined for the associated parameter represent normal values thereof.
  - 5. The method of claim 4, wherein, for at least the first and second sub-conditions, the one or more potential values defined for the associated parameters respectively represent normal values thereof.
  - 6. The method of claim 3, wherein:
    - the first parameter is an identification of an entity; and
      
      the first sub-condition is one of presence of the entity on a list of permissible entities, and presence of the entity on a list of impermissible entities.
  - 7. The method of claim 3, wherein:
    - the collection includes a third sub-condition;
      
      the first sub-condition is absence of the entity from a list of permissible entities;
      
      the second sub-condition is absence of the entity from a list of impermissible entities; and
      
      the third sub-condition is satisfaction of the first and second sub-conditions.
  - 8. The method of claim 3, further comprising:
    - representing the collection of conditions in machine-memory as an at least two-level hierarchical tree structure.
  - 9. The method of claim 8, wherein the hierarchical tree structure includes:
    - a root node representing a logical operator; and
      
      at least two leaf nodes respectively reporting to the root node, the leaf nodes being statements of the at-least-two sub-conditions, respectively, evaluation of each statement according to a corresponding one or more of the received parameter values yielding an indication of the statement being true or false.
  - 10. The method of claim 9, wherein the hierarchical tree structure further includes:
    - at least N additional leaf nodes respectively reporting to the root node, where N is a positive integer and N≧
      
      1.
  - 11. The method of claim 10, wherein N≧
    - 2.
  - 12. The method of claim 11, wherein N≧
    - 3.
  - 13. The method of claim 9, wherein the logical operator is one of a logical AND, a logical OR and a logical NOT.
  - 14. The method of claim 9, wherein one or more of the at-least-two leaf nodes is a multi-part node, each multi-part node including:
    - an intermediate node representing a logical operator reporting to the root node; and
      
      at least one sub-leaf node respectively reporting to the intermediate node, each sub-leaf node being a statement of a sub-sub-condition, evaluation of the statement according to a corresponding one or more of the received parameter values yielding an indication of the statement being true or false.
  - 15. The method of claim 14, wherein the multi-part node further includes:
    - at least two sub-leaf nodes respectively reporting to the intermediate node.
  - 16. The method of claim 1, wherein the condition for at least one policy describes for the corresponding at-least-one parameter one of the following:
    - existence;
      
      non-existence;
      
      a range of potential values thereof;
      
      change in the value thereof;
      
      no-change in the value thereof;
      
      a maximum amount of change in the value thereof;
      
      a minimum amount of change in the value thereof;
      
      a maximum potential value thereof;
      
      a minimum potential value thereof;
      
      being equal to a specific value thereof;
      
      not being equal to a specific value thereof;
      
      presence on a list; and
      
      absence from a list.
  - 17. The method of claim 1, wherein, for at least one policy, the one or more potential values defined as the condition for the given parameter represent aberrations from normal values of the given parameter.
  - 18. The method of claim 1, wherein at least one policy has as the condition thereof one or more values that are based upon a change in the given parameter.
  - 19. The method of claim 18, wherein at least one policy has as the condition thereof one or more values representing a difference between a current value of the given parameter and a previous value thereof.
  - 20. The method of claim 1, further comprising:
    - automatically creating, for each satisfied policy, a machine-actionable map between the policy, the corresponding one or more selected remediations and the device.
  - 21. The method of claim 20, further comprising:
    - automatically expanding, for each of the satisfied policies, the machine-actionable map to include mapping to one or more actions the execution of which carries out the one or more selected remediations, respectively.
  - 22. The method of claim 1, further comprising:
    - deploying the one or more selected remediations to the device.
  - 23. The method of claim 22, wherein the deploying of the one or more selected remediations includes:
    - automatically mapping the one or more selected remediations to one or more actions the execution of which carries out the one or more selected remediations, respectively.
  - 24. The method of claim 23, wherein each action is an automatically-machine-actionable type of operation.
  - 25. The method of claim 24, wherein each operation is a machine-language command.
  - 26. The method of claim 25, wherein the machine-language command is a set of one or more Java byte codes.
  - 28. The machine-readable medium of claim 27, wherein the machine-readable instructions further include:
    - a fourth code segment to automatically determine which of the satisfied policies are also activated with respect to the device;
      
      the third code segment selecting the one or more remediations based upon those policies that are both satisfied and activated.
  - 29. The machine-readable medium of claim 27, wherein:
    - the at-least-one policy is a first type of policy; and
      
      there is at least one instance of a second type of policy, the second policy type being associated collectively with two or more given ones of the plurality of parameters, the second type of policy defining as a condition thereof a collection of at least two sub-conditions, a first one of the sub-conditions in the collection being defined as one or more potential values of the first parameter, and a second one of the sub-conditions in the collection being defined as one or more potential values of the second parameter, satisfaction of the condition occurring when respective satisfaction of the sub-conditions coincides, the satisfaction of the condition possibly being indicative of unauthorized activity or manipulation of the device.
  - 30. The machine-readable medium of claim 29, the machine-readable instructions further include:
    - a fourth code segment to represent the collection of conditions in machine-memory as an at least two-level hierarchical tree structure.
  - 31. The machine-readable medium of claim 30, wherein the fourth code segment represents the hierarchical tree structure as including:
    - a root node representing a logical operator; and
      
      at least two leaf nodes respectively reporting to the root node, the leaf nodes being statements of the at-least-two sub-conditions, respectively, evaluation of each statement according to a corresponding one or more of the received parameter values yielding an indication of the statement being true or false.
  - 32. (canceled)
  - 33. (canceled)
  - 34. The machine-readable medium of claim 33, wherein the fourth code segment is further operable to automatically expand, for each of the satisfied policies, the machine-actionable map to include mapping to one or more actions the execution of which carries out the one or more selected remediations, respectively.
  - 35. The machine-readable medium of claim 27, further comprising:
    - a fourth code segment to deploy the one or more selected remediations as one or more automatically-machine-actionable actions.
  - 36. The machine-readable medium of claim 35, wherein each automatically-machine-actionable action takes the form of a set of one or more Java byte codes.
  - 37. A machine configured to implement the method of claim 1.
  - 38. (canceled)
  - 39. (canceled)
  - 42. The machine-readable medium of claim 31, wherein the fourth code segment represents the hierarchical tree structure as further including:
    - at least N additional leaf nodes respectively reporting to the root node, where N is a positive integer and N≧
      
      1.
  - 43. The machine-readable medium of claim 31, wherein the fourth code segment represents one or more of the at-least-two leaf nodes as a multi-part node, each multi-part node including:
    - an intermediate node representing a logical operator reporting to the root node; and
      
      at least one sub-leaf node respectively reporting to the intermediate node, each sub-leaf node being a statement of a sub-sub-condition, evaluation of the statement according to a corresponding one or more of the received parameter values yielding an indication of the statement being true or false.
  - 44. A machine configured to implement the method of claim 2.
  - 45. A machine configured to implement the method of claim 8.

32-1. The machine-readable medium of claim 27, wherein the condition for at least one policy describes for the corresponding at-least-one parameter one of the following:
- existence;
  
  non-existence;
  
  a range of potential values thereof;
  
  change in the value thereof;
  
  no-change in the value thereof;
  
  a maximum amount of change in the value thereof;
  
  a minimum amount of change in the value thereof;
  
  a maximum potential value thereof;
  
  a minimum potential value thereof;
  
  being equal to a specific value thereof;
  
  not being equal to a specific value thereof;
  
  presence on a list; and
  
  absence from a list.

33-2. The machine-readable medium of claim 27, wherein the machine-readable instructions further include:
- a fourth code segment to automatically create, for each satisfied policy, a machine-actionable map between the policy, the corresponding one or more selected remediations and the device.

38-3. A machine configured to implement the method of claim 20.

39-4. A machine configured to implement the method of claim 22.

40. An apparatus for determining one or more remediations for a device that includes a processor, the apparatus comprising:
- means for receiving values of a plurality of parameters which collectively characterize an operational state of the device, there being at least one policy associated with at least a given one of the plurality of parameters, policy defining as a condition thereof one or more potential values of, or based upon, the given parameter, satisfaction of the condition potentially being indicative of unauthorized activity or manipulation of the device;
  
  means for automatically determining, from the received parameter values, whether the conditions for any policies are satisfied, respectively; and
  
  means for automatically selecting one or more remediations for the device according to the satisfied policies, respectively.
- View Dependent Claims (41)
- - 41. The method of claim 40, further comprising:
    - means for automatically determining which of the satisfied policies are also activated with respect to the device;
      
      wherein the means for selecting is operable to automatically select the one or more remediations based upon those policies that are both satisfied and activated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Immordino, John Leonard, Bezilla, Daniel Bailey, Ogura, James Le

Granted Patent

US 7,665,119 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/57   Certifying or maintaining t...

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Policy-based selection of remediation

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based selection of remediation

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links