AUTOMATED AND ADAPTIVE MODEL-DRIVEN SECURITY SYSTEM AND METHOD FOR OPERATING THE SAME

US 20150269383A1
Filed: 01/22/2015
Published: 09/24/2015
Est. Priority Date: 01/22/2014
Status: Active Grant

First Claim

Patent Images

1. A method of managing implementation of policies in an information technologies system, the method comprising:

receiving into a processor at least one policy function stored in at least one memory;

receiving into the processor at least one refinement template from the at least one memory;

receiving into the processor at least one available policy function from the at least one memory;

receiving into the processor a policy input indicating a high-level policy for the IT system, the policy input being compliant with the at least one policy function, and being received in a format that is not machine-enforceable at an enforcement entity of the IT system;

based on the received policy input, automatically or semi-automatically generating via the processor a machine-enforceable rule and/or configuration by filling the at least one refinement template, the machine-enforceable rule and/or configuration including the at least one available policy function and being compliant with the received policy input; and

distributing, via the processor, the machine-enforceable rule and/or configuration to the at least one memory of the IT system or another at least one memory to thereby enable implementation of the policies.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for managing implementation of policies in an information technologies system receives at least one policy function, at least one refinement template and at least one available policy function from the at least one memory, receives a policy input indicating a high-level policy for the IT system where the policy input is compliant with the at least one policy function and is received in a format that is not machine-enforceable at an enforcement entity of the IT system, based on the received policy input, automatically or semi-automatically generates a machine-enforceable rule and/or configuration by filling the at least one refinement template, where the machine-enforceable rule and/or configuration includes the at least one available policy function and being compliant with the received policy input, and distributes the machine-enforceable rule and/or configuration to the at least one memory of the IT system or another at least one memory to thereby enable implementation of the policies.

283 Citations

30 Claims

1. A method of managing implementation of policies in an information technologies system, the method comprising:
- receiving into a processor at least one policy function stored in at least one memory;
  
  receiving into the processor at least one refinement template from the at least one memory;
  
  receiving into the processor at least one available policy function from the at least one memory;
  
  receiving into the processor a policy input indicating a high-level policy for the IT system, the policy input being compliant with the at least one policy function, and being received in a format that is not machine-enforceable at an enforcement entity of the IT system;
  
  based on the received policy input, automatically or semi-automatically generating via the processor a machine-enforceable rule and/or configuration by filling the at least one refinement template, the machine-enforceable rule and/or configuration including the at least one available policy function and being compliant with the received policy input; and
  
  distributing, via the processor, the machine-enforceable rule and/or configuration to the at least one memory of the IT system or another at least one memory to thereby enable implementation of the policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising:
    - calculating automatically or semi-automatically, based on the received at least one policy function, a refinement chain by determining a matching of a policy function input and policy function output combination based on the at least one refinement template,wherein the refinement chain maps between at least one available policy function and at least one refined policy function and forms at least one path for selection as refinement, andwherein the machine-enforceable rule and/or configuration is generated by using the calculated refinement chain during the generation.
  - 3. The method of claim 1, further comprising:
    - calculating automatically or semi-automatically, based on the received at least one policy function, a refinement chain by determining a matching of a policy function input and policy function output combination based on the at least one refinement template; and
      
      if one or more refinement chains exist, storing information in the at least one memory about at least one refined policy function being now also available and/or about how to refine the policy function,wherein the refinement chain maps between at least one available policy function and at least one refined policy function and forms at least one path for selection as refinement.
  - 4. The method of claim 3, wherein the at least one refinement chain is calculated by determining a matching of at least one available feature and at least one required feature using the at least one refinement template.
  - 5. The method of claim 1, wherein the policy input is authored in a high-level policy editor that allows configuration of a high-level policy, and wherein the method further comprises automatically or semi-automatically configuring the high-level policy editor based on the at least one available policy function.
  - 6. The method of claim 5, wherein the at least one policy function includes information about the at least one policy function being available, required, or available &
    - required, and wherein the high level policy editor is configured to set the at least one available policy function as a policy editing choice in the high level policy editor.
  - 7. The method of claim 5, wherein the at least one policy function includes information about the at least one policy function being available, required, or available &
    - required, and wherein the high level policy editor is configured to set the at least one available policy function, which is also a required policy function, as a policy editing choice in the high level policy editor.
  - 8. The method of claim 5, further comprising:
    - calculating automatically or semi-automatically, based on the received at least one policy function, a refinement chain by determining a matching of a policy function input and policy function output combination based on the at least one refinement template; and
      
      configuring the high-level policy editor using a result of the refinement chain,wherein the refinement chain maps between at least one available policy function and at least one refined policy function and forms at least one path for selection as refinement.
  - 9. The method of claim 8, wherein the machine-enforceable rule and/or configuration is generated by using the calculated refinement chain during the generation of the machine-enforceable rule and/or configuration.
  - 10. The method of claim 8, wherein the calculated refinement chain is used in a subsequent rule generation.
  - 11. The method of claim 1, wherein the at least one policy function relates to non-functional system characteristics for the IT system.
  - 12. The method of claim 1, wherein the at least one refinement template defines how to map between at least one input policy function and at least one output policy function or defines at least one refinement of at least one input policy function to at least one output policy function in a one-to-one, one-to-many, many-to-one, or many-to-many relationship.
  - 13. The method of claim 1, wherein the at least one refinement template is stacked into multi-step refinement chains if inputs and outputs of the at least one refinement template match inputs and outputs of the multi-step refinement chains.
  - 14. The method of claim 1, wherein generating the machine-enforceable rule and/or configuration includes filling in a reference to a policy function implementation or filling in at least one output value provided by a policy function implementation.
  - 15. The method of claim 1, wherein the machine-enforceable rule and/or configuration is selectively distributed only to the at least one memory of the IT system or the another at least one memory where the machine-enforceable rule and/or configuration is actually processed.

16. An information technologies (IT) policy management system, comprising:
- At least one memory that stores at least one policy function, at least one refinement template, or at least one available policy function; and
  
  a processor that is configured to;
  
  receive the at least one policy function, the at least one refinement template, and the at least one available policy function from the at least one memory;
  
  receive a policy input indicating a high-level policy for the IT system, the policy input being compliant with the at least one policy function, and being received in a format that is not machine-enforceable at an enforcement entity of the IT system;
  
  based on the received policy input, automatically or semi-automatically generates a machine-enforceable rule and/or configuration by filling the at least one refinement template, the machine-enforceable rule and/or configuration including the at least one available policy function and being compliant with the received policy input; and
  
  distributes the machine-enforceable rule and/or configuration to the at least one memory of the IT system or another at least one memory to thereby enable implementation of the policies.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The IT policy management system of claim 16, wherein the processor is further configured to calculate automatically or semi-automatically, based on the received at least one policy function, a refinement chain by determining a matching of a policy function input and policy function output combination based on the at least one refinement template, wherein the refinement chain maps between at least one available policy function and at least one refined policy function and forms at least one path for selection as refinement, and wherein the machine-enforceable rule and/or configuration is generated by using the calculated refinement chain during the generation.
  - 18. The IT policy management system of claim 16, wherein the processor is further configured to calculate automatically or semi-automatically, based on the received at least one policy function, a refinement chain by determining a matching of a policy function input and policy function output combination based on the at least one refinement template, wherein, if one or more refinement chains exist, the processor is configured to store information in the at least one memory about at least one refined policy function being now also available and/or about how to refine the policy function, and wherein the refinement chain maps between at least one available policy function and at least one refined policy function and forms at least one path for selection as refinement.
  - 19. The IT policy management system of claim 18, wherein the at least one refinement chain is calculated by determining a matching of at least one available feature and at least one required feature using the at least one refinement template.
  - 20. The IT policy management system of claim 16, wherein the policy input is authored in a high-level policy editor that allows configuration of a high-level policy, and wherein the processor is further configured to automatically or semi-automatically configure the high-level policy editor based on the at least one available policy function.
  - 21. The IT policy management system of claim 20, wherein the at least one policy function includes information about the at least one policy function being available, required, or available &
    - required, and wherein the high level policy editor is configured to set the at least one available policy function as a policy editing choice in the high level policy editor.
  - 22. The IT policy management system of claim 20, wherein the at least one policy function includes information about the at least one policy function being available, required, or available &
    - required, and wherein the high level policy editor is configured to set the at least one available policy function that is also a required policy function as a policy editing choice in the high level policy editor.
  - 23. The IT policy management system of claim 20, wherein the processor is further configured to calculate automatically or semi-automatically, based on the received at least one policy function, a refinement chain by determining a matching of a policy function input and policy function output combination based on the at least one refinement template, and to configure the high-level policy editor using a results of the refinement chain, and wherein the refinement chain maps between at least one available policy function and at least one refined policy function and forms at least one path for selection as refinement.
  - 24. The IT policy management system of claim 23, wherein the machine-enforceable rule and/or configuration is generated by using the calculated refinement chain during the generation of the machine-enforceable rule and/or configuration.
  - 25. The IT policy management system of claim 23, wherein the calculated refinement chain is used in a subsequent rule generation.
  - 26. The IT policy management system of claim 16, wherein the at least one policy function relates to non-functional system characteristics for the IT system.
  - 27. The IT policy management system of claim 16, wherein the at least one refinement template defines how to map between at least one input policy function and at least one output policy function or defines at least one refinement of at least one input policy function to at least one output policy function in a one-to-one, one-to-many, many-to-one, or many-to-many relationship.
  - 28. The IT policy management system of claim 16, wherein the at least one refinement template is stacked into multi-step refinement chains if inputs and outputs of the at least one refinement template match inputs and outputs of the multi-step refinement chains.
  - 29. The IT policy management system of claim 16, wherein the machine-enforceable rule and/or configuration is generated by filling in a reference to a policy function implementation or filling in at least one output value provided by a policy function implementation.
  - 30. The IT policy management system of claim 16, wherein the machine-enforceable rule and/or configuration is selectively distributed only to the at least one memory of the IT system or the another at least one memory where the machine-enforceable rule and/or configuration is actually processed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Object Security Limited
Original Assignee
Object Security Limited
Inventors
LANG, Ulrich, SCHREINER, Rudolf

Granted Patent

US 9,563,771 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/604   Tools and structures for ma...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/20   for managing network securi...

AUTOMATED AND ADAPTIVE MODEL-DRIVEN SECURITY SYSTEM AND METHOD FOR OPERATING THE SAME

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

283 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATED AND ADAPTIVE MODEL-DRIVEN SECURITY SYSTEM AND METHOD FOR OPERATING THE SAME

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

283 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links