DATA NETWORK AND METHOD FOR CHECKING NODES OF A DATA NETWORK

US 20080313736A1
Filed: 07/31/2008
Published: 12/18/2008
Est. Priority Date: 07/31/2003
Status: Active Grant

First Claim

Patent Images

1. A data network comprising:

a set of nodes connected to each other by a data transmission path, at least one node comprising a storage medium for storing information,an automatically searchable mark located at a node and associated with one or both of;

the stored information and the node, the searchable mark corresponding to a privacy policy for controlling storage of, transfer of, or access to the stored information or controlling access to the node;

said automatically searchable mark further defining one or more of;

a permissible storage place where the marked information is permissibly stored, a permissible data transmission path for accessing the marked information or the marked node or, a permissible data transmission path for transferring the marked information, said searchable mark enabling a priori determination where in said data network a data may reside;

a searching engine for traversing said data network to detect and analyze a searchable mark in said data network, said searching engine detecting a place on which the marked information is stored and detecting one or more possible data transmission paths within said data network for accessing the marked information or the marked node or a possible data transmission path or data transmission paths for transferring the marked information in said data network,wherein the searching engine compares the detected storage place of the information with the permissible storage place that is defined by the searchable mark of the information and checks whether the privacy policy is maintained, and further compares the detected possible paths for transferring the information or for accessing the information or the marked node with the data transmission paths that are defined by the searchable mark of the information or by the searchable mark of the node, and determines whether the privacy policy is maintained, and upon determining a privacy policy violation, said searching engine generates an alarm.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a data network, systems and methods for checking nodes of a data network that are used for detecting whether a privacy policy concerning an information is maintained. The information comprises a mark corresponding to the privacy policy. The mark defines the storage place or the accessing paths or the transferring paths of the information. The mark is automatically searchable. The mark is searched, analyzed and checked as to whether the privacy policy is maintained. The advantage of the system is that vulnerabilities of systems for protecting confidential information may be detected a long time before an attack on the confidential information occurs.

Citations

7 Claims

1. A data network comprising:
- a set of nodes connected to each other by a data transmission path, at least one node comprising a storage medium for storing information,an automatically searchable mark located at a node and associated with one or both of;
  
  the stored information and the node, the searchable mark corresponding to a privacy policy for controlling storage of, transfer of, or access to the stored information or controlling access to the node;
  
  said automatically searchable mark further defining one or more of;
  
  a permissible storage place where the marked information is permissibly stored, a permissible data transmission path for accessing the marked information or the marked node or, a permissible data transmission path for transferring the marked information, said searchable mark enabling a priori determination where in said data network a data may reside;
  
  a searching engine for traversing said data network to detect and analyze a searchable mark in said data network, said searching engine detecting a place on which the marked information is stored and detecting one or more possible data transmission paths within said data network for accessing the marked information or the marked node or a possible data transmission path or data transmission paths for transferring the marked information in said data network,wherein the searching engine compares the detected storage place of the information with the permissible storage place that is defined by the searchable mark of the information and checks whether the privacy policy is maintained, and further compares the detected possible paths for transferring the information or for accessing the information or the marked node with the data transmission paths that are defined by the searchable mark of the information or by the searchable mark of the node, and determines whether the privacy policy is maintained, and upon determining a privacy policy violation, said searching engine generates an alarm.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A data network according to claim 1, wherein the searching engine is connected to the storage medium, wherein the searching engine creates an observed graph of the detected possible data transmission paths, wherein in the storage medium a policy graph of permissible data transmission paths is stored, wherein the permissible data transmission paths are the data transmission paths that are allowed for accessing marked information or a marked node or for transferring marked information, wherein the searching engine compares the observed with the policy graph for detecting a possible but not permissible data transmission path.
  - 3. A data network according to claim 1, wherein the nodes comprise log file creating machines, wherein the log file creating machine stores in a log file which marked information or marked node was requested by an access, wherein the searching engine checks the log files of the nodes for detecting the possible data transmission paths for accessing marked information or marked nodes or for transferring marked information.
  - 4. A data network according to claim 1, wherein the searching engine comprises a search tool to search for marked information, wherein the search tool tries to access marked information in the network with privileged rights, wherein the searched possible data transmission paths for accessing the marked information were stored, wherein the searching engine compares the automatically searchable mark of the detected marked information with the privileged rights that were used by accessing the marked information, wherein depending on the comparison a possible but not admissible data transmission path could be detected.
  - 5. A data network according to claim 1, wherein for at least one of:
    - a user, a machine, an Internet domain, a node, an information a policy graph with allowed data transmission paths, storage place for accessing a marked information, a marked node, for transferring a marked information is provided, and wherein the searching engine checks for the user, the machine, the Internet domain, the node and/or the information, whether the detected possible data transmission paths or storage places exceed the policy graph.
  - 6. A data network according to claim 1, wherein for a class of user, a class of nodes, a class of information a policy class graph with allowed paths, storage places for accessing a marked information, a marked node, for transferring marked information is provided, and wherein the searching engine checks for the class of user, the class of nodes, the class of information, whether the possible detected data transmission paths or storage places exceed the policy class graph.

7. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for checking nodes or information stored at nodes of a data network, said nodes being connected with data transmission paths, said method steps comprising:
- providing an automatically searchable mark located at a node for association with one or both of;
  
  the information and the node, the automatically searchable mark corresponding to a privacy policy for controlling storage of, transfer of, or access to the stored information or, controlling access to the node;
  
  said automatically searchable mark further defining one or more of;
  
  a permissible storage place where the marked information is permissibly stored, a permissible data transmission path for accessing the marked information or the marked node or, a permissible data transmission path in which the marked information could be permissibly transferred, said automatically searchable mark enabling a priori determination where in a network a data may reside; and
  
  ,traversing, by a search engine, said data network to detect and analyze a mark in said data network for detecting the places on which the marked information is stored in said data network and detecting possible data transmission paths for accessing the marked information or the marked node or, detecting a possible data transmission path for transferring the marked information in said data network;
  
  comparing, by the search engine, the detected storage place of the information with the permissible storage place that is defined by the mark of the information and checking whether the privacy policy is maintained, and comparing the detected possible data transmission paths for transferring the information or for accessing the information or the marked node with the data transmission paths that are defined by the automatically searchable mark of the information or by the automatically searchable mark of the node, and determining whether the privacy policy is maintained, andgenerating, by the search engine, an alarm upon determining a privacy policy violation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Baum-Waidner, Birgit, Waidner, Michael, Kenyon, Christopher

Granted Patent

US 7,941,857 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/1408 by monitoring network traff...

DATA NETWORK AND METHOD FOR CHECKING NODES OF A DATA NETWORK

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

DATA NETWORK AND METHOD FOR CHECKING NODES OF A DATA NETWORK

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links