Network Privilege Manager for a Dynamically Programmable Computer Network
Abstract
A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. An event auditor passively monitors network traffic and provides network activity data indicative of network flows to a network privilege manager. The network privilege manager determines a current network context based on the network activity data. In response to the current network context, the network privilege manager selects a security policy and generates one or more flow policy directives in accordance with the selected policy.
30 Claims
1. A method for managing network privileges in a dynamically programmable computer network, the method comprising, with at least one computing device:
- monitoring, over time, network activity data, the network activity data being a function of network traffic of the dynamically programmable computer network, the network activity data indicative of one or more network flows within the network traffic;
- updating, over time, access control data, the access control data indicating one or more of: acceptable network flows and unacceptable network flows over the network;
- at a time instance, determining a current network context based on the network activity data, the current network context indicative of one or more network flows of the dynamically programmable computer network;
- at the time instance, determining a current version of the access control data;
- using the current version of the access control data, comparing the current network context to a security policy, the security policy defining a criterion for determining whether to execute an action in response to the current network context and an action to execute if the current network context matches the criterion; and
- executing the action to control flow of communications across the dynamically programmable computer network based on the comparison of the current network context to the criterion including the current version of the control data.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A network privilege manager for a dynamically programmable computer network, the network privilege manager embodied in one or more computer readable media of a computing device and comprising a plurality of instructions that, when executed, cause the computing device to:
- receive network activity data from an event auditor of the dynamically programmable computer network, the network activity data indicative of one or more network flows within network traffic of the dynamically programmable network;
- determine a current network context based on the network activity data, the current network context indicative of one or more current network flows of the dynamically programmable computer network;
- in response to the current network context, select a security policy, the security policy defining a criterion and a response to the one or more current network flows; and
- generate a flow policy directive to implement the response to the one or more current network flows on the dynamically programmable network.

Dependent claims: 13, 14, 15, 16, 17.

18. A security service for a computer network, the security service comprising, embodied in one or more computing devices of the computer network:
- a context analysis module to:
  - receive network activity data from an event auditor of the computer network, the network activity data generated as a function of network traffic of the computer network and indicative of one or more network flows within the network traffic; and
  - determine a current network context based on the network activity data, the current network context indicative of one or more current network flows of the computer network;
- a policy evaluation module to, in response to the current network context:
  - select a contextual security policy having a criterion matching the current network context, the contextual security policy defining the criterion and a response to the one or more current network flows; and
  - generate a flow policy directive to implement the selected contextual security policy; and
- a policy directive interface module to transmit the flow policy directive to a security actuator of the computer network.

Dependent claims: 19, 20, 21, 22, 23, 24.

25. An event auditor for monitoring a dynamically programmable computer network, the event auditor comprising:
- a monitoring module to, over time, passively monitor network traffic passing through one or more network switches of the dynamically programmable computer network; and
- an analysis module to, in response to the monitoring by the monitoring module, generate network activity data as a function of the network traffic, the network activity data indicative of one or more network flows within the network traffic, and to update access control data, the access control data indicative of one or more of: acceptable network flows and unacceptable network flows.

Dependent claims: 26, 27, 28, 29, 30.
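The auditor-to-directive loop described in the abstract and in claims 1, 12 and 18 (activity data arriving over time, a versioned access control set, a per-instance network context, a criterion-matched policy, and the resulting flow policy directive), as an added Python sketch that is not the patent's code; the flow triples, policy names and disposition strings are constructed placeholders:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Flow = Tuple[str, str, int]             # constructed (src host, dst host, dst port) triple
Directive = Tuple[Flow, str, int, str]  # (flow, disposition, ACL version used, policy name)

@dataclass
class AccessControlData:
    """Claim 1's access control data: acceptable/unacceptable flows, versioned on each update."""
    version: int = 0
    acceptable: Set[Flow] = field(default_factory=set)
    unacceptable: Set[Flow] = field(default_factory=set)
    def update(self, acceptable: Set[Flow] = frozenset(), unacceptable: Set[Flow] = frozenset()) -> None:
        self.acceptable |= set(acceptable)
        self.unacceptable |= set(unacceptable)
        self.version += 1               # every change learned from the auditor yields a new version

@dataclass
class SecurityPolicy:
    name: str
    criterion: Callable[[Set[Flow], AccessControlData], Set[Flow]]  # flows in the context that match
    action: str                                                     # packet disposition directive

class NetworkPrivilegeManager:
    def __init__(self, policies: List[SecurityPolicy]) -> None:
        self.activity: Dict[int, Set[Flow]] = {}   # network activity data keyed by time instance
        self.acl = AccessControlData()
        self.policies = policies
    def observe(self, t: int, flows: Set[Flow]) -> None:   # feed from the passive event auditor
        self.activity.setdefault(t, set()).update(flows)
    def evaluate(self, t: int) -> List[Directive]:
        """Context for time t plus the ACL version current at that instance -> directives."""
        context, acl_version = set(self.activity.get(t, ())), self.acl.version
        return [(flow, p.action, acl_version, p.name)
                for p in self.policies for flow in sorted(p.criterion(context, self.acl))]

# Two constructed contextual policies: drop flows the auditor marked unacceptable; redirect
# flows that are neither acceptable nor unacceptable to an inspection path.
POLICIES = [
    SecurityPolicy("block-unacceptable", lambda ctx, acl: ctx & acl.unacceptable, "DROP"),
    SecurityPolicy("inspect-unknown", lambda ctx, acl: ctx - acl.acceptable - acl.unacceptable, "REDIRECT"),
]

def demo() -> List[Directive]:
    """Constructed scenario: ACL v1 accepts h1->web:443; the auditor then flags h2->db:3306 (v2)."""
    npm = NetworkPrivilegeManager(POLICIES)
    npm.acl.update(acceptable={("h1", "web", 443)})
    npm.observe(1, {("h1", "web", 443), ("h2", "db", 3306), ("h3", "web", 80)})
    npm.acl.update(unacceptable={("h2", "db", 3306)})
    return npm.evaluate(1)
```

Each directive records the ACL version it was derived from, which is the "current version of the access control data" the claim ties the action to; a switch could use it to discard directives superseded by a later version.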
Specification