Network Privilege Manager for a Dynamically Programmable Computer Network

US 20140331280A1
Filed: 07/02/2014
Published: 11/06/2014
Est. Priority Date: 05/22/2012
Status: Active Grant

First Claim

Patent Images

1. A method for managing network privileges in a dynamically programmable computer network, the method comprising, with at least one computing device:

monitoring, over time, network activity data, the network activity data being a function of network traffic of the dynamically programmable computer network, the network activity data indicative of one or more network flows within the network traffic;

updating, over time, access control data, the access control data indicating one or more of;

acceptable network flows and unacceptable network flows over the network;

at a time instance, determining a current network context based on the network activity data, the current network context indicative of one or more network flows of the dynamically programmable computer network;

at the time instance, determining a current version of the access control data;

using the current version of the access control data, comparing the current network context to a security policy, the security policy defining a criterion for determining whether to execute an action in response to the current network context and an action to execute if the current network context matches the criterion; and

execute the action to control flow of communications across the dynamically programmable computer network based on the comparison of the current network context to the criterion including the current version of the control data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. An event auditor passively monitors network traffic and provides network activity data indicative of network flows to a network privilege manager. The network privilege manager determines a current network context based on the network activity data. In response to the current network context, the network privilege manager selects a security policy and generates one or more flow policy directives in accordance with the selected policy.

168 Citations

30 Claims

1. A method for managing network privileges in a dynamically programmable computer network, the method comprising, with at least one computing device:
- monitoring, over time, network activity data, the network activity data being a function of network traffic of the dynamically programmable computer network, the network activity data indicative of one or more network flows within the network traffic;
  
  updating, over time, access control data, the access control data indicating one or more of;
  
  acceptable network flows and unacceptable network flows over the network;
  
  at a time instance, determining a current network context based on the network activity data, the current network context indicative of one or more network flows of the dynamically programmable computer network;
  
  at the time instance, determining a current version of the access control data;
  
  using the current version of the access control data, comparing the current network context to a security policy, the security policy defining a criterion for determining whether to execute an action in response to the current network context and an action to execute if the current network context matches the criterion; and
  
  execute the action to control flow of communications across the dynamically programmable computer network based on the comparison of the current network context to the criterion including the current version of the control data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, comprising selecting the security policy from a number of possible security policies based on the criterion matching the current network context more than a predefined threshold number of times within a predefined time period.
  - 3. The method of claim 1, comprising selecting the security policy from a number of possible security policies based on the criterion matching an event count within an update interval, the event count generated as a function of aggregated inbound network traffic or outbound network traffic.
  - 4. The method of claim 1, further comprising receiving network role data describing a role associated with one or more hosts of the dynamically programmable computer network;
    - wherein determining the current network context comprises determining a role associated with an endpoint of a network flow within the network traffic.
  - 5. The method of claim 1, wherein the access control data comprises Internet Protocol (IP) reputation data received from a network intelligence server, the IP reputation data identifying a plurality of malicious network addresses;
    - and determining the current network context comprises determining whether a network flow within the network traffic is associated with a malicious network address identified by the IP reputation data in the current version of the access control data.
  - 6. The method of claim 5, wherein the IP reputation data comprises a threat type associated with each of the plurality of malicious network addresses.
  - 7. The method of claim 1, wherein the action of the contextual security policy comprises a drop response, a block response, a quarantine response, or a redirect response.
  - 8. The method of claim 1, comprising, in response to executing the action, modifying the current network context and evaluating the modified current network context with another security policy.
  - 9. The method of claim 1, wherein the security policy comprises a plurality of different criterion, and the method comprises comparing the current network context to first criterion of the security policy, executing an action associated with the current network context matching the first criterion, updating the current network context in response to executing the action, and comparing the updated current network context to second criterion of the security policy.
  - 10. The method of claim 1, comprising receiving the security policy in a human-intuitive format and converting the security policy to a plurality of criteria and a plurality of actions associated with one or more of the criteria.
  - 11. The method of claim 1, comprising, at the time instance, determining a current version of the security policy and comparing the current network context to the current version of the security policy.

12. A network privilege manager for a dynamically programmable computer network, the network privilege manager embodied in one or more computer readable media of a computing device and comprising a plurality of instructions that, when executed, cause the computing device to:
- receive network activity data from an event auditor of the dynamically programmable computer network, the network activity data indicative of one or more network flows within network traffic of the dynamically programmable network;
  
  determine a current network context based on the network activity data, the current network context indicative of one or more current network flows of the dynamically programmable computer network;
  
  in response to the current network context, select a security policy, the security policy defining a criterion and a response to the one or more current network flows; and
  
  generate a flow policy directive to implement the response to the one or more current network flows on the dynamically programmable network.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The network privilege manager of claim 12, wherein the network privilege manager is to transmit the flow policy directive to a security actuator of the dynamically programmable computer network.
  - 14. The network privilege manager of claim 12, wherein to select the security policy comprises to select a security policy having the criterion matching the current network context more than a predefined threshold number of times within a predefined time period.
  - 15. The network privilege manager of claim 12, wherein to select the security policy comprises to select a contextual security policy having a criterion matching an event count within an update interval, the event count generated as a function of aggregated inbound network traffic or outbound network traffic.
  - 16. The network privilege manager of claim 12, comprising a plurality of instructions that, when executed, cause the computing device to receive network role data describing a role associated with one or more hosts of the dynamically programmable computer network;
    - wherein to determine the current network context comprises to determine a role associated with an endpoint of a network flow within the network traffic.
  - 17. The network privilege manager of claim 12, comprising a plurality of instructions that, when executed, cause the computing device to receive Internet Protocol (IP) reputation data from a network intelligence server, the IP reputation data to identify a plurality of malicious network addresses;
    - wherein to determine the current network context comprises to determine whether a network flow within the network traffic is associated with a malicious network address identified by the IP reputation data.

18. A security service for a computer network, the security service comprising, embodied in one or more computing devices of the computer network:
- a context analysis module to;
  
  receive network activity data from an event auditor of the computer network, the network activity data generated as a function of network traffic of the computer network and indicative of one or more network flows within the network traffic; and
  
  determine a current network context based on the network activity data, the current network context indicative of one or more current network flows of the computer network;
  
  a policy evaluation module to, in response to the current network context;
  
  select a contextual security policy having a criterion matching the current network context, the contextual security policy defining the criterion and a response to the one or more current network flows; and
  
  generate a flow policy directive to implement the selected contextual security policy; and
  
  a policy directive interface module to transmit the flow policy directive to a security actuator of the computer network.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The security service of claim 18, comprising the security actuator, wherein the security actuator is to convert the flow policy directive to one or more packet disposition directives.
  - 20. The security service of claim 19, comprising a security mediator to compare the one or more packet disposition directives to a set of currently active flow rules and implement the one or more packet disposition directives based on the comparison.
  - 21. The security service of claim 19, wherein the one or more packet disposition directives are to cause one or more network switches to control flow of communications across the computer network to implement the flow policy directive.
  - 22. The security service of claim 18, wherein to select the contextual security policy comprises to select a contextual security policy having the criterion matching the current network context more than a predefined threshold number of times within a predefined time period.
  - 23. The security service of claim 18, wherein the context analysis module is further to receive network role data describing a role associated with one or more hosts of the computer network;
    - and to determine the current network context comprises to determine a role associated with an endpoint of a network flow within the network traffic.
  - 24. The security service of claim 18, wherein the context analysis module is further to receive Internet Protocol (IP) reputation data from a network intelligence server, the IP reputation data identifies a plurality of malicious network addresses;
    - and to determine the current network context comprises to determine whether a network flow within the network traffic is associated with a malicious network address identified by the IP reputation data.

25. An event auditor for monitoring a dynamically programmable computer network, the event auditor comprising:
- a monitoring module to, over time, passively monitor network traffic passing through one or more network switches of the dynamically programmable computer network; and
  
  an analysis module to, in response to the monitoring by the monitoring module, generate network activity data as a function of the network traffic, the network activity data indicative of one or more network flows within the network traffic, and to update access control data, the access control data indicative of one or more of;
  
  acceptable network flows and unacceptable network flows.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The event auditor of claim 25, wherein the network activity data is further indicative of geographical data associated with each endpoint of the network flows.
  - 27. The event auditor of claim 25, wherein the network activity data is further indicative of a domain name associated with each endpoint of the network flows.
  - 28. The event auditor of claim 25, wherein the analysis module is further to generate network activity data indicative of an event count within an update interval, the event count generated as a function of aggregated inbound network traffic or outbound network traffic.
  - 29. The event auditor of claim 25, wherein the event count comprises a number of TCP flows, a number TCP packets, an amount of TCP data, a number of UDP packets, an amount of UDP data, a number of unresponded-to SYN packets, or a number of unsolicited SYN-ACK packets.
  - 30. The event auditor of claim 25, wherein the network activity data is further indicative of a final session disposition of each of the network flows.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Porras, Phillip A., Nitz, Kenneth C.

Granted Patent

US 10,116,696 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/126 the source of the received ...

H04L 63/20 for managing network securi...

Network Privilege Manager for a Dynamically Programmable Computer Network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

168 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Network Privilege Manager for a Dynamically Programmable Computer Network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

168 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others