SYSTEMS, METHODS, AND MEDIA FOR ENFORCING A SECURITY POLICY IN A NETWORK INCLUDING A PLURALITY OF COMPONENTS

US 20100235879A1
Filed: 12/08/2009
Published: 09/16/2010
Est. Priority Date: 06/08/2007
Status: Active Grant

First Claim

Patent Images

1. A method for enforcing a security policy in a network including a plurality of components, the method comprising:

receiving a plurality of events describing component behavior detected by a plurality of sensors, each sensor monitoring a different component of the plurality of components;

attributing a first event of the plurality of events to a first principal;

attributing a second event of the plurality of events to a second principal;

determining whether the first and second events are correlated;

storing a data structure that attributes each of the first and second events to the first principal, if it is determined that the first and second events are correlated;

comparing the second event to the security policy; and

modifying network behavior to enforce the security policy against the first principal based on the comparison of the second event to the security policy and the attribution of the second event to the first principal.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and media for enforcing a security policy in a network are provided, including, for example, receiving a plurality of events describing component behavior detected by a plurality of sensors, each sensor monitoring a different component of a plurality of components; attributing a first event of the plurality of events to a first principal; attributing a second event of the plurality of events to a second principal; determining whether the first and second events are correlated; storing a data structure that attributes each of the first and second events to the first principal, if it is determined that the first and second events are correlated; comparing the second event to the security policy; and modifying network behavior to enforce the security policy against the first principal based on the comparison of the second event to the security policy and the attribution of the second event to the first principal.

Citations

30 Claims

1. A method for enforcing a security policy in a network including a plurality of components, the method comprising:
- receiving a plurality of events describing component behavior detected by a plurality of sensors, each sensor monitoring a different component of the plurality of components;
  
  attributing a first event of the plurality of events to a first principal;
  
  attributing a second event of the plurality of events to a second principal;
  
  determining whether the first and second events are correlated;
  
  storing a data structure that attributes each of the first and second events to the first principal, if it is determined that the first and second events are correlated;
  
  comparing the second event to the security policy; and
  
  modifying network behavior to enforce the security policy against the first principal based on the comparison of the second event to the security policy and the attribution of the second event to the first principal.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the modifying of the network behavior includes at least one of killing a process, dropping a connection, denying access to an IP address, increasing logging, issuing a warning, and locking a user name.
  - 3. The method of claim 1, wherein at least one of the first principal and second principal include at least one of an address, a username, a key, a token, and/or a physical identifier.
  - 4. The method of claim 1, wherein the determining whether the first and second events are correlated comprises comparing the first event and the second event to extract common event information.
  - 5. The method of claim 4, wherein the common event information comprises at least one of a sequence ID number, a process ID number, a port ID, and a MAC address.
  - 6. The method of claim 1, wherein the determining whether the first and second events are correlated is based on at least one of, timing relationships, function-call graphs, and taint graphs.
  - 7. The method of claim 1, wherein the first principal corresponds to an IP address, and the second principal corresponds to a user name.
  - 8. The method of claim 7, wherein the first event describes firewall entry, and the second event describes detection of an incorrect password.
  - 9. The method of claim 7, wherein the modifying of the network behavior includes at least one of:
    - killing a process, dropping a connection, denying access to the IP address, increasing logging, issuing a warning, and locking the user name.
  - 10. The method of claim 1, wherein the data structure comprises a graph including at least one node representing a principal and at least one link connecting the principal to an event node.
  - 11. The method of claim 10, further comprising:
    - outputting the graph to a display; and
      
      receiving an input from a user to request the modification of the network behavior to enforce the security policy against the first principal.
  - 12. The method of claim 10, wherein the comparing of the second event to the security policy comprises determining whether the graph indicates malicious behavior by comparing the graph to at least one known malicious graph.
  - 13. The method of claim 10, wherein:
    - the comparing of the second event to the security policy comprises calculating at least one distance score based on a comparison of the graph to at least one known malicious graph or at least one known benign graph; and
      
      the modifying of the network behavior to enforce the security policy against the first principal is based on the at least one distance score.
  - 14. The method of claim 1, wherein the data structure comprises a graph including a node representing the first principal, a node representing the second principal, and at least one link connecting at least one of the first principal and the second principal to an event.
  - 15. The method of claim 1, wherein the data structure comprises a graph including:
    - a node for the first principal;
      
      a node for the first event, which is connected to the node for the first principal by at least one link;
      
      a node for the second principal;
      
      a node for the second event, which is connected to the node for the second principal by at least one link; and
      
      at least one link connecting the second event to the first event.
  - 16. The method of claim 1, wherein the first principal has an associated score, the method further comprising:
    - determining a penalty value based on the second event; and
      
      decreasing the score of the first principal by the penalty value.
  - 17. The method of claim 16, further comprising:
    - providing rehabilitation instructions to an entity associated with the first principal;
      
      receiving notification that the rehabilitation instructions have been complied with; and
      
      increasing the score of the first principal based on the compliance.

18. A method for enforcing a security policy in a network including a plurality of components, the method comprising:
- receiving the security policy having a plurality of policy rules, wherein the plurality of policy rules are represented by a corresponding plurality of policy graphs, wherein each vertex in the plurality of policy graphs has attributes describing an event, and wherein each of the plurality of policy rules has a corresponding actuator;
  
  receiving a plurality of requests;
  
  modeling the plurality of requests, wherein a graph of each request is generated;
  
  comparing the graph of each request with the plurality of policy graphs; and
  
  in response to detecting a deviation from one of the plurality of policy graph, activating the corresponding actuator.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The method of claim 18, further comprising, in response to determining that the graph of each request is isomorphic with one of the plurality of policy graphs, conducting a wildcard match of the attributes of corresponding vertices.
  - 20. The method of claim 18, further comprising:
    - receiving a plurality of events describing component behavior detected by a plurality of sensors, each sensor monitoring a different component of the plurality of components; and
      
      generating linkages between the plurality of events by detecting correlations between attributes associated with each of the plurality of events.
  - 21. The method of claim 20, further comprising assigning a successor attribute to an event that indicates that the event is a successor.
  - 22. The method of claim 21, wherein each of the plurality of sensors is grouped into a sensor group and wherein the method further comprises transmitting information associated with the successor from the sensor group to another sensor group as each request propagates through the network.

23. A method for enforcing a security policy in a network including a plurality of components, the method comprising:
- receiving a request;
  
  processing the request at a first node, wherein a sensor monitors a plurality of events generated at the first node;
  
  associating information relating to the plurality of events with a graph representing interactions of the request with the network; and
  
  transmitting the information relating to the plurality of events and the graph to a neighboring second node, wherein the second node evaluates the request against the security policy using the transmitted information.
- View Dependent Claims (24, 25, 26)
- - 24. The method of claim 23, further comprising deploying a trust management system that reports the plurality of events as trust management credentials.
  - 25. The method of claim 24, further comprising evaluating the security policy at each of the first service and the second service by reviewing the trust management credentials.
  - 26. The method of claim 25, further comprising determining whether the trust management credentials are in a credential chain and whether a list of keys in the credential chain is in a given order.

27. A method for creating security policies in a network including a plurality of components, the method comprising:
- monitoring a plurality of requests, wherein a plurality of events associated with each of the plurality of requests is generated at a plurality of nodes;
  
  modeling the plurality of requests and the plurality of events, wherein a representation of each of the plurality of requests is generated;
  
  transmitting the representation to an administrator node;
  
  receiving a modified representation from the administrator node; and
  
  generating a security policy having a plurality of policy rules in response to receiving the modified representation, wherein the plurality of policy rules reflect the modified representation.
- View Dependent Claims (28, 29, 30)
- - 28. The method of claim 27, wherein the representation is at least one of:
    - a graph and a path.
  - 29. The method of claim 27, wherein each vertex in the representation has attributes describing an event of the plurality of events.
  - 30. The method of claim 27, wherein each of the plurality of policy rules has a corresponding actuator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Burnside, Matthew, Keromytis, Angelos D.

Granted Patent

US 8,516,575 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/0263   Rule management

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

SYSTEMS, METHODS, AND MEDIA FOR ENFORCING A SECURITY POLICY IN A NETWORK INCLUDING A PLURALITY OF COMPONENTS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS, METHODS, AND MEDIA FOR ENFORCING A SECURITY POLICY IN A NETWORK INCLUDING A PLURALITY OF COMPONENTS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links