NON-INTRUSIVE METHOD AND APPARATUS FOR AUTOMATICALLY DISPATCHING SECURITY RULES IN CLOUD ENVIRONMENT

US 20150033285A1
Filed: 09/12/2012
Published: 01/29/2015
Est. Priority Date: 10/24/2011
Status: Active Grant

First Claim

Patent Images

1. A non-intrusive method for automatically dispatching a plurality of security rules in a cloud environment, comprising:

forming a composition application model of an application in the cloud environment, wherein said composition application model comprises various servers for deploying said application;

generating a topology model of said various servers in the cloud environment;

automatically generating a plurality of security rules to be adopted by a plurality of server-side firewalls for respective various servers based on an application context of the following;

(i) said application, (ii) said composition application model, (iii) and said topology model; and

dispatching said plurality of security rules to each server-side firewall based on said composition application model and said topology model.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a non-intrusive method and apparatus for automatically dispatching security rules in a cloud environment. The method comprises: forming a composition application model of an application in the cloud environment, said composition application model including at least types of various servers for deploying said application; generating a topology model of said various servers in the cloud environment; automatically generating security rules to be adopted by the server-side firewalls of respective servers based on the application context of said application, said composition application model and said topology model; and dispatching said security rules to each server-side firewall based on said composition application model and topology model.

Citations

19 Claims

1. A non-intrusive method for automatically dispatching a plurality of security rules in a cloud environment, comprising:
- forming a composition application model of an application in the cloud environment, wherein said composition application model comprises various servers for deploying said application;
  
  generating a topology model of said various servers in the cloud environment;
  
  automatically generating a plurality of security rules to be adopted by a plurality of server-side firewalls for respective various servers based on an application context of the following;
  
  (i) said application, (ii) said composition application model, (iii) and said topology model; and
  
  dispatching said plurality of security rules to each server-side firewall based on said composition application model and said topology model.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein the application context of said application is included in either file struts.xml or file web.xml.
  - 3. The method according to claim 1, wherein said plurality of security rules are used by said plurality of server-side firewalls to validate a user'"'"'s input with respect to various servers protected by the plurality of server-side firewalls.
  - 4. The method according to claim 1, wherein automatically generating the plurality of security rules to be adopted by the plurality of server-side firewalls for the respective various servers is based on a severity input by a user.
  - 5. The method according to claim 1, further comprising:
    - receiving feedback information about a plurality of either security rule violations or exceptions from the plurality of firewalls;
      
      updating said plurality of security rules based on said feedback information; and
      
      dispatching a plurality of updated security rules to each server-side firewall.
  - 6. The method according to claim 5, wherein updating said plurality of security rules is performed periodically.
  - 7. The method according to claim 5, wherein updating said plurality of security rules based on said feedback information comprises:
    - newly forming a new composition application model of said application in the cloud environment;
      
      generating a new topology model of said various servers in the cloud environment based on said feedback information; and
      
      updating said plurality of security rules based on said feedback information, wherein the application context of said application is based on the new composition application model and the new topology model.
  - 8. The method according to claim 1, wherein said topology model contains at least one Internet Protocol (IP) address for the various servers.
  - 9. The method according to claim 1, further comprising:
    - setting a plurality default security rules for said application; and
      
      modifying said plurality of default security rules when automatically generating the plurality of security rules to be adopted by the plurality of server-side firewalls of respective various servers.

10. A non-intrusive apparatus for automatically dispatching a plurality of security rules in a cloud environment, comprising:
- a composition application model forming means for forming a composition application model of an application in the cloud environment, wherein said composition application model comprises various servers for deploying said application;
  
  a topology model generating means for generating a topology model of said various servers in the cloud environment;
  
  a security rule generating means for automatically generating a plurality of security rules to be adopted by a plurality of server-side firewalls for respective various servers based on the following;
  
  (i) the application context of said application, (ii) said composition application model, and (iii) said topology model; and
  
  a security rule dispatching means for dispatching said plurality of security rules to each server-side firewall based on said composition application model and topology model.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus according to claim 10, wherein application context of said application is included in either file struts.xml or file web.xml.
  - 12. The apparatus according to claim 10, wherein said plurality of security rules are used by said plurality of server-side firewalls to validate a user'"'"'s input with respect to the various servers protected by the plurality of server-side firewalls.
  - 13. The apparatus according to claim 10, wherein automatically generating the plurality of security rules to be adopted by the plurality of server-side firewalls for the respective various servers is based on the severity input by a user.
  - 14. The apparatus according to claim 10, further comprising:
    - a receiving means for receiving feedback information about a plurality of security rule violations or exceptions from server-side firewalls;
      
      an updating means for updating said plurality of security rules based on said feedback information; and
      
      a re-dispatching means for dispatching a plurality of updated security rules to each server-side firewall.
  - 15. The apparatus according to claim 14, wherein updating said plurality of security rules is performed periodically.
  - 16. The apparatus according to claim 14, wherein said updating means comprises:
    - a re-constructing means for forming a new composition application model of said application in the cloud environment and generating a new topology model of said various servers in the cloud environment based on said feedback information; and
      
      a second updating means for updating said plurality of security rules based on said feedback information, wherein the application context of said application is based on the new composition application model and the new topology model.
  - 17. The apparatus according to claim 10, wherein said topology model comprises at least one IP address for the respective various servers.
  - 18. The apparatus according to claim 10, further comprising:
    - setting means that sets a plurality of default security rules for said application; and
      
      modifying means that modifies said plurality of default security rules when the generating means generates a plurality of security rules to be adopted by the plurality of server-side firewalls for the respective various servers comprises a.

19. A computer readable non-transitory article of manufacture tangibly embodying computer readable instructions which, when executed, cause a computer to carry out the steps of a method comprising:
- forming a composition application model of an application in the cloud environment, wherein said composition application model comprises various servers for deploying said application;
  
  generating a topology model of said various servers in the cloud environment;
  
  automatically generating a plurality of security rules to be adopted by a plurality of server-side firewalls for respective various servers based on an application context of the following;
  
  (i) said application, (ii) said composition application model, (iii) and said topology model; and
  
  dispatching said plurality of security rules to each server-side firewall based on said composition application model and said topology model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Globalfoundries US Incorporated (GlobalFoundries, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Gao, Bo, Ims, Steven D., McGee, Jason R., Yi, Li, Zhang, Yu, Lan, Ling

Granted Patent

US 9,444,787 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/0218   Distributed architectures, ...

H04L 63/0263   Rule management

H04L 63/1466   Active attacks involving in...

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

NON-INTRUSIVE METHOD AND APPARATUS FOR AUTOMATICALLY DISPATCHING SECURITY RULES IN CLOUD ENVIRONMENT

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

NON-INTRUSIVE METHOD AND APPARATUS FOR AUTOMATICALLY DISPATCHING SECURITY RULES IN CLOUD ENVIRONMENT

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links