SYSTEM AND METHOD FOR INFERRING ACCESS POLICIES FROM ACCESS EVENT RECORDS

US 20090138939A1
Filed: 11/10/2008
Published: 05/28/2009
Est. Priority Date: 11/09/2007
Status: Active Grant

First Claim

Patent Images

1. A method of establishing a policy for a secure transaction in a network system, the method comprising;

selecting a log record from among a plurality of log records, the selected log record including log components indicating a transaction log of a transaction on the network system;

automatically translating at least one of the log components of the selected log record into a policy attribute;

creating a respective policy based on the translated policy attribute; and

presenting the policy for approval.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of security gateway policy definition to quickly infer a new policy based on event data extracted and analyzed using business logic and workflow from a gateway event log or behavior log. The method includes reading the components of a log record, translating the components into acceptable policy attributes, creating a new policy based on those attributes, and presenting the new policy to a system administrator for editing and approval.

137 Citations

21 Claims

1. A method of establishing a policy for a secure transaction in a network system, the method comprising;
- selecting a log record from among a plurality of log records, the selected log record including log components indicating a transaction log of a transaction on the network system;
  
  automatically translating at least one of the log components of the selected log record into a policy attribute;
  
  creating a respective policy based on the translated policy attribute; and
  
  presenting the policy for approval.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the presenting of the policy for approval includes displaying the policy on a display device for approval by a user.
  - 3. The method of claim 1, further comprising approving, by a user, the presented policy.
  - 4. The method of claim 3, further comprising editing, responsive to user input, the presented policy prior to approving the presented policy.

5. A method of establishing a policy for a secure transaction in a network system, the network system including network components and a table with a plurality of records, each record including a distinguished name and a corresponding descriptive name, each distinguished name being a network system identifier of a respective network component and each descriptive name being user definable to describe the respective network component to a user, the method comprising;
- selecting a log record from among a plurality of log record, the selected log record including log components indicating a transaction log of a transaction on the network system;
  
  translating one or more distinguished names in at least one log component to one or more corresponding descriptive names, respectively, by cross referencing using the table each respective descriptive name from a corresponding distinguished name in the at least one log component;
  
  establishing a log policy attribute using the translated one or more descriptive names;
  
  creating a respective policy based on the established policy attribute; and
  
  presenting the policy which includes the translated one or more descriptive names for approval.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The method of claim 5, further comprising:
    - approving, by a user, the presented policy; and
      
      sending, to a directory server, the approved policy.
  - 7. The method of claim 5, further comprising adding the translated one or more descriptive names to one or both of the retrieved log record or the created policy.
  - 8. The method of claim 5, further comprising choosing the one or more distinguished names for translation based on values of log components in the selected log record, wherein the log components used to choose the one or more distinguished names include one or more of:
    - (1) a source field;
      
      (2) a destination field;
      
      (3) a service field;
      
      or (4) a gateway field.
  - 9. The method of claim 5, further comprising if the corresponding descriptive names do not exist in the table, responsive to user input, controlling an addition of the corresponding descriptive names into the table.
  - 10. The method of claim 5, further comprising:
    - generating first values associated with default policy attributes;
      
      establishing second values associated with user established policy attributes; and
      
      overriding, by selective ones of the second values associated with user established policy attributes, corresponding ones of the first values associated with the default policy attributes for the user established policy attributes that correspond to the default policy attributes.
  - 11. The method of claim 10, further comprising:
    - automatically generating at least one third value associated with a log policy attribute;
      
      overriding, by the at least one third value associated with the log policy attribute, a corresponding one of the first values associated with the default policy attributes for the log policy attribute that corresponds to the default policy attributes; and
      
      overriding, by the at least one third value associated with the log policy attribute, a corresponding one of the second values associated with the user established policy attributes for the log policy attribute that corresponds to the user established policy attribute.
  - 12. The method of claim 11, wherein the establishing of the log policy attribute includes establishing a plurality of log policy attributes, and if one or more values for the log policy attributes of the respective policy to be created are not applied from or do not exist in the default policy attributes or the user established policy attributes, determining the one or more values from the retrieved log record.

13. An administration device for establishing a policy for a secure transaction using stored log records of a network system, comprising:
- an audit module for retrieving at least one respective log record;
  
  a policy inference logic module for automatically creating a policy based on the retrieved log record and predetermined policy attributes; and
  
  a policy module for presenting the created policy for approval and for communicating the approved policy.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The device of claim 13, wherein the predetermined policy attributes include a set of default policy attributes having default values and a set of user established policy attributes having user established values, each of the respective user established policy attributes which correspond to the default policy attributes override the default values with the corresponding user established values.
  - 15. The device of claim 14, wherein if one or more values for the policy attribute of the policy to be created are not applied from or do not exist in the default policy attributes or the user established policy attributes, the policy inference logic determines the one or more values from values in the retrieved log record.
  - 16. The device of claim 13, wherein:
    - the at least one respective log record includes a plurality of field with associated values, as distinguished names of resources on the network system; and
      
      the policy inference logic module reads one or more of the distinguished names in the retrieved log record, translates the one or more distinguished names to one or more descriptive names, respectively, and adds the one or more descriptive names to one or both of the retrieved log record or the created policy.
  - 17. The device of claim 16, wherein the policy inference logic module is configured to communicate with a directory server such that the read distinguished names are cross referenced in a plurality of reference tables of the directory server to obtain the translated descriptive names.
  - 18. The device of claim 16, wherein when the policy inference logic module reads the retrieved log record, the policy inference logic module requests to cross reference the one or more distinguished names to retrieve corresponding descriptive names from one or more reference tables, if the corresponding descriptive names do not exist in the one or more reference tables, the policy inference logic module, responsive to user input, controls an addition of the corresponding descriptive names in the one or more reference tables.
  - 19. The device of claim 13, wherein the policy module presents to a user the created policy with each value of the policy attribute automatically pre-populated with one of a default value from the default policy attributes, a user established value from the user established policy attributes or a log attribute value determined from the retrieved log record.
  - 20. The device of claim 13, wherein the administration device maintains the policy which defines access rules for the network, the access rules including:
    - (1) an entity allowed or denied access;
      
      (2) one or more resources to which the access is granted; and
      
      (3) one or more gateways through which the access is allowed.

21. A computer readable storage medium for storing program code to execute the method comprising:
- selecting a log record from among a plurality of log records, the selected log record including log components indicating a transaction log of a transaction on the network system;
  
  automatically translating at least one of the log components of the selected log record into a policy attribute;
  
  creating a respective policy based on the translated policy attribute; and
  
  presenting the policy for approval.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Applied Identity, Co.
Inventors
Weber, Dean A., Kumar, Srinivas

Granted Patent

US 8,516,539 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/604   Tools and structures for ma...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

SYSTEM AND METHOD FOR INFERRING ACCESS POLICIES FROM ACCESS EVENT RECORDS

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

137 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR INFERRING ACCESS POLICIES FROM ACCESS EVENT RECORDS

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

137 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links