Declarative language for specifying a security policy
Abstract
The invention is a declarative language system and comprises a language as a tool for expressing network security policy in a formalized way. It allows the specification of security policy across a wide variety of networking layers and protocols. Using the language, a security administrator assigns a disposition to each and every network event that can occur in a data communications network. The event's disposition determines whether the event is allowed (i.e. conforms to the specified policy) or disallowed and what action, if any, should be taken by a system monitor in response to that event. Possible actions include, for example, logging the information into a database, notifying a human operator, and disrupting the offending network traffic.
9 Claims
1. A declarative language system for specifying in an annotated policy specification a security policy of a network event, wherein said network event comprises a stack having a plurality of protocol events, wherein each of said plurality of protocol events is associated with a predefined protocol layer, and wherein said network event is an interaction between an active principal and a passive principal, said declarative language system comprising:
a declarative language comprising a plurality of objects, such that each object of said plurality of objects comprises at least one list having a first element;
a declarative language editor for providing means for specifying in a first policy specification said security policy using said declarative language;
a declarative language compiler for providing means for compiling said first policy specification and generating said annotated policy specification;
means for loading said annotated policy specification into a Policy Engine;
means for said Policy Engine to receive said network event from an Agent;
means for said Policy Engine to evaluate said security policy against said network event and to generate a disposition for said network event;
means for said Policy Engine to communicate agent directives to said Agent; and
means for said Policy Engine to output said network event and said disposition to a datastore;
wherein each said object is a first-class object and wherein said first-class object is any of:
a policy;
a group;
a credential, said credential having a specificity;
a condition;
a disposition; and
a rule, said rule having an outcome;
wherein said rule for evaluating said event comprises:
a protocol field associated with said event;
a plurality of actions associated with said event;
an initiator for representing said active principal of said event;
a target for representing said passive principal of said event, and means for said outcome to generate a disposition by specifying constraints upon said event, said outcome comprising at least one of a plurality of conditional statements and a default statement, wherein each of said plurality of conditional statements comprises a keyword and a disposition, and wherein said plurality of conditional statements are evaluated in chronological order; and
wherein said outcome comprises any of an immediate outcome and a final outcome, wherein said immediate outcome is evaluated by said Policy Engine when said rule is selected, and wherein said final outcome is evaluated when said Policy Engine determines said event is final.
2. A declarative language system for specifying in an annotated policy specification a security policy of a network event, wherein said network event comprises a stack having a plurality of protocol events, wherein each of said plurality of protocol events is associated with a predefined protocol layer, and wherein said network event is an interaction between an active principal and a passive principal, said declarative language system comprising:
a declarative language comprising a plurality of objects, such that each object of said plurality of objects comprises at least one list having a first element;
a declarative language editor for providing means for specifying in a first policy specification said security policy using said declarative language;
a declarative language compiler for providing means for compiling said first policy specification and generating said annotated policy specification;
means for loading said annotated policy specification into a Policy Engine;
means for said Policy Engine to receive said network event from an Agent;
means for said Policy Engine to evaluate said security policy against said network event and to generate a disposition for said network event;
means for said Policy Engine to communicate agent directives to said Agent;
means for said Policy Engine to output said network event and said disposition to a datastore; and
an annotated specification language;
wherein said first policy specification further comprises:
a plurality of credentials, a plurality of conditions, and a plurality of rules;
wherein said means for compiling comprises:
means for checking said first policy specification for syntax errors and semantics errors;
means for checking said first policy specification for credential errors;
means for checking said first policy specification for condition errors;
means for checking said first policy specification for completeness and coverage of said plurality of rules;
means for ordering said plurality of credentials by using said annotated specification language, whereby for each of said plurality of credentials a credential rank is determined; and
means for ordering said plurality of rules by using said annotated specification language;
wherein said means for ordering said plurality of credentials further comprises:
means for computing a combined weight for each of said plurality of credentials from each attribute weight, having a plurality of attribute-value assertions of said plurality of credential attributes, wherein each attribute weight comprises:
an attribute rank;
an assertion type rank; and
an attribute assertion count;
means for computing a second combined weight of a subset of said plurality of attribute-value assertions operated on by a logical operator;
means for computing a credential weight penalty for each of said plurality of credentials; and
means for comparing said plurality of credentials;
wherein said attribute assertion count starts at zero and is incremented monotonically for subsequent assertions.
3. A declarative language system for specifying in an annotated policy specification a security policy of a network event, wherein said network event comprises a stack having a plurality of protocol events, and wherein each of said plurality of protocol events is associated with a predefined protocol layer, said declarative language system comprising:
a declarative language comprising a plurality of objects, such that each object of said plurality of objects comprises at least one list having a first element;
a declarative language editor for providing means for specifying in a first policy specification said security policy using said declarative language;
a declarative language compiler for providing means for compiling said first policy specification and generating said annotated policy specification;
means for loading said annotated policy specification into a Policy Engine;
means for said Policy Engine to receive said network event from an Agent;
means for said Policy Engine to evaluate said security policy against said network event and to generate a disposition for said network event;
means for said Policy Engine to communicate agent directives to said Agent;
means for said Policy Engine to output said network event and said disposition to a data store; and
an annotated specification language;
wherein said first policy specification further comprises:
a plurality of credentials, a plurality of conditions, and a plurality of rules;
wherein said means for compiling comprises:
means for checking said first policy specification for syntax errors and semantics errors;
means for checking said first policy specification for credential errors;
means for checking said first policy specification for condition errors;
means for checking said first policy specification for completeness and coverage of said plurality of rules;
means for ordering said plurality of credentials by using said annotated specification language, whereby for each of said plurality of credentials a credential rank is determined; and
means for ordering said plurality of rules by using said annotated specification language;
wherein said means for ordering said plurality of credentials further comprises:
means for computing a combined weight for each of said plurality of credentials from each attribute weight, having a plurality of attribute-value assertions of said plurality of credential attributes, wherein each attribute weight comprises:
an attribute rank;
an assertion type rank; and
an attribute assertion count;
means for computing a second combined weight of a subset of said plurality of attribute-value assertions operated on by a logical operator;
means for computing a credential weight penalty for each of said plurality of credentials; and
means for comparing said plurality of credentials; and
wherein said assertion count is zero, and said attribute assertion count is omitted from said 3-tuple.
4. A declarative language system for specifying in an annotated policy specification a security policy of a network event, wherein said network event comprises a stack having a plurality of protocol events, wherein each of said plurality of protocol events is associated with a predefined protocol layer, and wherein said network event is an interaction between an active principal and a passive principal, said declarative language system comprising:
a declarative language comprising a plurality of objects, such that each object of said plurality of objects comprises at least one list having a first element;
a declarative language editor for providing means for specifying in a first policy specification said security policy using said declarative language;
a declarative language compiler for providing means for compiling said first policy specification and generating said annotated policy specification;
means for loading said annotated policy specification into a Policy Engine;
means for said Policy Engine to receive said network event from an Agent;
means for said Policy Engine to evaluate said security policy against said network event and to generate a disposition for said network event;
means for said Policy Engine to communicate agent directives to said Agent;
means for said Policy Engine to output said network event and said disposition to a datastore; and
an annotated specification language;
wherein said first policy specification further comprises:
a plurality of credentials, a plurality of conditions, and a plurality of rules;
wherein said means for compiling comprises:
means for checking said first policy specification for syntax errors and semantics errors;
means for checking said first policy specification for credential errors;
means for checking said first policy specification for condition errors;
means for checking said first policy specification for completeness and coverage of said plurality of rules;
means for ordering said plurality of credentials by using said annotated specification language, whereby for each of said plurality of credentials a credential rank is determined; and
means for ordering said plurality of rules by using said annotated specification language;
wherein said means for ordering said plurality of credentials further comprises:
means for computing a combined weight for each of said plurality of credentials from each attribute weight, having a plurality of attribute-value assertions of said plurality of credential attributes, wherein each attribute weight comprises:
an attribute rank;
an assertion type rank; and
an attribute assertion count;
means for computing a second combined weight of a subset of said plurality of attribute-value assertions operated on by a logical operator;
means for computing a credential weight penalty for each of said plurality of credentials; and
means for comparing said plurality of credentials;
wherein said attribute weight is represented by a 3-tuple having a weight keyword in said annotated specification language; and
further comprising means to sort a plurality of 3-tuples, wherein said attribute rank is a primary key, said assertion type rank is a secondary key, and said attribute assertion count is a tertiary key, thereby providing a sorted list.
5. A declarative language system for specifying in an annotated policy specification a security policy of a network event, wherein said network event comprises a stack having a plurality of protocol events, wherein each of said plurality of protocol events is associated with a predefined protocol layer, and wherein said network event is an interaction between an active principal and a passive principal, said declarative language system comprising:
a declarative language comprising a plurality of objects, such that each object of said plurality of objects comprises at least one list having a first element;
a declarative language editor for providing means for specifying in a first policy specification said security policy using said declarative language;
a declarative language compiler for providing means for compiling said first policy specification and generating said annotated policy specification;
means for loading said annotated policy specification into a Policy Engine;
means for said Policy Engine to receive said network event from an Agent;
means for said Policy Engine to evaluate said security policy against said network event and to generate a disposition for said network event;
means for said Policy Engine to communicate agent directives to said Agent;
means for said Policy Engine to output said network event and said disposition to a datastore; and
an annotated specification language;
wherein said first policy specification further comprises:
a plurality of credentials, a plurality of conditions, and a plurality of rules;
wherein said means for compiling comprises:
means for checking said first policy specification for syntax errors and semantics errors;
means for checking said first policy specification for credential errors;
means for checking said first policy specification for condition errors;
means for checking said first policy specification for completeness and coverage of said plurality of rules;
means for ordering said plurality of credentials by using said annotated specification language, whereby for each of said plurality of credentials a credential rank is determined; and
means for ordering said plurality of rules by using said annotated specification language;
wherein said means for ordering said plurality of credentials further comprises:
means for computing a combined weight for each of said plurality of credentials from each attribute weight, having a plurality of attribute-value assertions of said plurality of credential attributes, wherein each attribute weight comprises:
an attribute rank;
an assertion type rank; and
an attribute assertion count;
means for computing a second combined weight of a subset of said plurality of attribute-value assertions operated on by a logical operator;
means for computing a credential weight penalty for each of said plurality of credentials; and
means for comparing said plurality of credentials;
wherein said attribute weight is represented by a 3-tuple having a weight keyword in said annotated specification language; and
wherein said means for computing a weight penalty comprises:
a weight-penalty keyword in said annotated specification language having a penalty-count parameter, wherein said penalty-count parameter is an integer representing the total number of occurrences of the logical operator "or" in each credential.
6. A declarative language system for specifying in an annotated policy specification a security policy of a network event, wherein said network event comprises a stack having a plurality of protocol events, wherein each of said plurality of protocol events is associated with a predefined protocol layer, and wherein said network event is an interaction between an active principal and a passive principal, said declarative language system comprising:
a declarative language comprising a plurality of objects, such that each object of said plurality of objects comprises at least one list having a first element;
a declarative language editor for providing means for specifying in a first policy specification said security policy using said declarative language;
a declarative language compiler for providing means for compiling said first policy specification and generating said annotated policy specification;
means for loading said annotated policy specification into a Policy Engine;
means for said Policy Engine to receive said network event from an Agent;
means for said Policy Engine to evaluate said security policy against said network event and to generate a disposition for said network event;
means for said Policy Engine to communicate agent directives to said Agent;
means for said Policy Engine to output said network event and said disposition to a datastore; and
an annotated specification language;
wherein said first policy specification further comprises:
a plurality of credentials, a plurality of conditions, and a plurality of rules;
wherein said means for compiling comprises:
means for checking said first policy specification for syntax errors and semantics errors;
means for checking said first policy specification for credential errors;
means for checking said first policy specification for condition errors;
means for checking said first policy specification for completeness and coverage of said plurality of rules;
means for ordering said plurality of credentials by using said annotated specification language, whereby for each of said plurality of credentials a credential rank is determined; and
means for ordering said plurality of rules by using said annotated specification language;
wherein said means for ordering said plurality of credentials further comprises:
means for computing a combined weight for each of said plurality of credentials from each attribute weight, having a plurality of attribute-value assertions of said plurality of credential attributes, wherein each attribute weight comprises:
an attribute rank;
an assertion type rank; and
an attribute assertion count;
means for computing a second combined weight of a subset of said plurality of attribute-value assertions operated on by a logical operator;
means for computing a credential weight penalty for each of said plurality of credentials; and
means for comparing said plurality of credentials;
wherein said means for comparing said plurality of credentials comprises:
means to determine a highest ranking 3-tuple from said sorted 3-tuples;
means to compare credential weight penalties; and
means to assign said credential rank.
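The credential ordering of claims 2 through 6, worked through as an added Python model (example code, not the patent's own implementation). The rank tables, the "or"-alternative form of a credential, and the assumption that a higher 3-tuple and fewer "or" operators make a credential more specific are assumptions made here, not values stated in the claims.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed rank tables (assumptions, not values from the patent). A higher
# attribute rank means the attribute identifies a principal more precisely; a
# higher assertion-type rank means the assertion constrains it more tightly.
ATTRIBUTE_RANK = {"ip-address": 3, "subnet": 2, "domain": 1}
ASSERTION_TYPE_RANK = {"eq": 3, "in-range": 2, "any": 1}

Weight = Tuple[int, int, int]  # (attribute rank, assertion type rank, assertion count)


@dataclass(frozen=True)
class Assertion:
    attribute: str  # key into ATTRIBUTE_RANK
    kind: str       # key into ASSERTION_TYPE_RANK


@dataclass(frozen=True)
class Credential:
    name: str
    # Assumed form: AND-groups of assertions joined by "or"; one group means no "or".
    alternatives: Tuple[Tuple[Assertion, ...], ...]


def attribute_weights(group: Tuple[Assertion, ...]) -> List[Weight]:
    """Claim 4: one 3-tuple per assertion, sorted with attribute rank as the
    primary key, assertion-type rank as the secondary key and the assertion
    count as the tertiary key. Claim 2: the count starts at zero and grows
    monotonically with each subsequent assertion in the group."""
    weights = [
        (ATTRIBUTE_RANK[a.attribute], ASSERTION_TYPE_RANK[a.kind], count)
        for count, a in enumerate(group)
    ]
    return sorted(weights, reverse=True)


def combined_weight(cred: Credential) -> Weight:
    """Claim 6: the highest-ranking 3-tuple of the sorted weights. Assumed here:
    each "or" alternative is weighted on its own (the 'second combined weight of
    a subset operated on by a logical operator') and the credential takes the
    best tuple among its alternatives."""
    return max(attribute_weights(group)[0] for group in cred.alternatives)


def weight_penalty(cred: Credential) -> int:
    """Claim 5: the penalty count is the number of "or" operators in the
    credential, i.e. one fewer than the number of alternatives."""
    return len(cred.alternatives) - 1


def credential_sort_key(cred: Credential) -> Tuple[Weight, int]:
    # Claim 6: compare highest 3-tuples first, then penalties. Assumed: a
    # credential with fewer "or" operators is the more specific one.
    return (combined_weight(cred), -weight_penalty(cred))


def rank_credentials(creds: List[Credential]) -> List[Tuple[str, int]]:
    """Assign a credential rank to each credential; rank 1 is the most specific."""
    ordered = sorted(creds, key=credential_sort_key, reverse=True)
    return [(c.name, rank) for rank, c in enumerate(ordered, start=1)]


# Constructed sample credentials (not from the patent).
SAMPLE_CREDENTIALS = [
    Credential("any-host", ((Assertion("domain", "any"),),)),
    Credential("corp-subnet", ((Assertion("subnet", "in-range"),),)),
    Credential("db-server", ((Assertion("ip-address", "eq"),
                             Assertion("domain", "eq")),)),
    # Same best assertion as db-server, but joined by one "or": penalised.
    Credential("db-or-backup", ((Assertion("ip-address", "eq"),),
                                (Assertion("ip-address", "eq"),))),
]

if __name__ == "__main__":
    for name, rank in rank_credentials(SAMPLE_CREDENTIALS):
        print(rank, name)
```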
7. A declarative language system for specifying in an annotated policy specification a security policy of a network event, wherein said network event comprises a stack having a plurality of protocol events, wherein each of said plurality of protocol events is associated with a predefined protocol layer, and wherein said network event is an interaction between an active principal and a passive principal, said declarative language system comprising:
a declarative language comprising a plurality of objects, such that each object of said plurality of objects comprises at least one list having a first element;
a declarative language editor for providing means for specifying in a first policy specification said security policy using said declarative language;
a declarative language compiler for providing means for compiling said first policy specification and generating said annotated policy specification;
means for loading said annotated policy specification into a Policy Engine;
means for said Policy Engine to receive said network event from an Agent;
means for said Policy Engine to evaluate said security policy against said network event and to generate a disposition for said network event;
means for said Policy Engine to communicate agent directives to said Agent;
means for said Policy Engine to output said network event and said disposition to a datastore; and
an annotated specification language;
wherein said first policy specification further comprises:
a plurality of credentials, a plurality of conditions, and a plurality of rules;
wherein said means for compiling comprises:
means for checking said first policy specification for syntax errors and semantics errors;
means for checking said first policy specification for credential errors;
means for checking said first policy specification for condition errors;
means for checking said first policy specification for completeness and coverage of said plurality of rules;
means for ordering said plurality of credentials by using said annotated specification language, whereby for each of said plurality of credentials a credential rank is determined; and
means for ordering said plurality of rules by using said annotated specification language;
wherein said means for ordering said plurality of rules comprises:
a plurality of predetermined protocols;
a plurality of predetermined protocol-action groups;
means to assign each of said rules to one of said predetermined protocols;
means to assign each of said rules to one of said predetermined protocol-action groups;
means to rank each of said rules in said predetermined protocol-action groups by using said credential ranking value for said target credential of said rule and by using said credential ranking value for said initiator credential of said rule; and
means to sort in increasing order each of said ranked rules in said predetermined protocol-action groups; and
means to force said rule ranking value for any of said rules using said annotated specification language, said annotated specification language having a rank-above expression having a rule-name parameter;
wherein said means to force said rule ranking value comprises:
generating a new ranking level for said forced ranked rule, whereby each of said rules having a rule ranking level at said forced level or higher is incremented.
8. A method for evaluating a policy using a plurality of policy rules, each rule having a ranking and a disposition, to a protocol event reported by an Agent, said protocol event having a protocol, a protocol action, a target credential, and an initiator credential, comprising the steps of:
selecting a first set of rules from said plurality of policy rules, such that each rule is associated with said Agent;
selecting a second set of rules from said first set of rules, such that each rule is associated with said protocol from said event;
selecting a third set of rules from said second set of rules, such that each rule is associated with said protocol action from said event;
searching for a most specific policy rule from said third set, such that said most specific policy rule is satisfied by said protocol event and generating an error disposition when said most specific policy rule is undetermined;
checking said third set of rules for a fourth set of rules having same said ranking as said selected most specific policy rule; and
providing means to select a single applicable rule from said fourth set of rules;
wherein the step of providing means to select a single applicable rule further comprises the steps of:
designating any rule of said fourth set of rules that specifies all of said plurality of protocols as less specific;
designating any rule of said fourth set of rules that specifies all of said plurality of protocol actions as less specific;
designating any rule of said fourth set of rules having prerequisite rules as more specific, wherein a rule having a higher ranking prerequisite is more specific than a rule having a lower ranking prerequisite;
sorting any remaining rules in increasing lexical order by said names and thereafter by said immediate dispositions in decreasing order of precedence; and
selecting said single applicable rule as the first rule of said sorted rules.
9. A method for evaluating a policy using a plurality of policy rules, each rule having a ranking and a disposition, to a protocol event reported by an Agent, said protocol event having a protocol, a protocol action, a target credential, and an initiator credential, comprising the steps of:
selecting a first set of rules from said plurality of policy rules, such that each rule is associated with said Agent;
selecting a second set of rules from said first set of rules, such that each rule is associated with said protocol from said event;
selecting a third set of rules from said second set of rules, such that each rule is associated with said protocol action from said event;
searching for a most specific policy rule from said third set, such that said most specific policy rule is satisfied by said protocol event and generating an error disposition when said most specific policy rule is undetermined;
checking said third set of rules for a fourth set of rules having same said ranking as said selected most specific policy rule; and
providing means to select a single applicable rule from said fourth set of rules;
wherein the step of providing means to select a single applicable rule further comprises the steps of:
designating any rule of said fourth set of rules that specifies all of said plurality of protocols as less specific;
designating any rule of said fourth set of rules that specifies all of said plurality of protocol actions as less specific;
designating any rule of said fourth set of rules having prerequisite rules as more specific, wherein a rule having a higher ranking prerequisite is more specific than a rule having a lower ranking prerequisite;
sorting any remaining rules in increasing lexical order by said names and thereafter by said immediate dispositions in decreasing order of precedence; and
selecting said single applicable rule as the first rule of said sorted rules; and
wherein said immediate dispositions in decreasing order of precedence comprise:
a policy violation;
CONTINUE; and
OK.
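The rule evaluation method of claims 8 and 9, as an added Python model (example code, not the patent's own Policy Engine): successive narrowing by Agent, protocol and protocol action, the error disposition when no satisfied rule exists, and the tie-break order among equally ranked rules ending in the claim 9 disposition precedence. The rule and event fields, the wildcard marker and the sample policy are constructed here; how a rule's prerequisite is recorded is an assumption.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = "*"  # assumed marker for a rule that specifies all protocols or all actions

# Claim 9: immediate dispositions in decreasing order of precedence.
DISPOSITION_PRECEDENCE = {"POLICY_VIOLATION": 0, "CONTINUE": 1, "OK": 2}
ERROR = "ERROR"  # claim 8: disposition when no most specific rule can be determined


@dataclass(frozen=True)
class Rule:
    name: str
    agent: str
    protocol: str      # e.g. "tcp", or ANY
    action: str        # e.g. "connect", or ANY
    initiator: str     # credential the active principal must hold
    target: str        # credential the passive principal must hold
    ranking: int       # assigned at compile time; higher is more specific
    disposition: str
    prerequisite_ranking: Optional[int] = None  # assumed: ranking of a prerequisite rule


@dataclass(frozen=True)
class ProtocolEvent:
    agent: str
    protocol: str
    action: str
    initiator_credentials: FrozenSet[str]  # credentials the initiator satisfies
    target_credentials: FrozenSet[str]     # credentials the target satisfies


def is_satisfied(rule: Rule, event: ProtocolEvent) -> bool:
    return (rule.initiator in event.initiator_credentials
            and rule.target in event.target_credentials)


def specificity_key(rule: Rule):
    """Claim 8 tie-break among equally ranked rules: a wildcard protocol or a
    wildcard action makes a rule less specific; a prerequisite makes it more
    specific, a higher-ranking prerequisite more so; then the rule name in
    increasing lexical order; then the disposition in decreasing precedence."""
    has_prereq = rule.prerequisite_ranking is not None
    return (
        rule.protocol == ANY,
        rule.action == ANY,
        not has_prereq,
        -(rule.prerequisite_ranking if has_prereq else 0),
        rule.name,
        DISPOSITION_PRECEDENCE[rule.disposition],
    )


def evaluate(rules: List[Rule], event: ProtocolEvent) -> Tuple[Optional[str], str]:
    """Return (rule name, disposition) for the single applicable rule."""
    # First, second and third sets: narrow by Agent, protocol, protocol action.
    first = [r for r in rules if r.agent == event.agent]
    second = [r for r in first if r.protocol in (event.protocol, ANY)]
    third = [r for r in second if r.action in (event.action, ANY)]
    # Most specific rule satisfied by the event; error disposition if none.
    satisfied = [r for r in third if is_satisfied(r, event)]
    if not satisfied:
        return None, ERROR
    top = max(r.ranking for r in satisfied)
    fourth = [r for r in satisfied if r.ranking == top]  # same ranking as the best
    chosen = sorted(fourth, key=specificity_key)[0]
    return chosen.name, chosen.disposition


# Constructed sample policy and events (not from the patent).
SAMPLE_RULES = [
    Rule("catch-all", "edge-1", ANY, ANY, "any-host", "any-host", 1, "OK"),
    Rule("db-connect-any-proto", "edge-1", ANY, "connect",
         "corp-subnet", "db-server", 5, "CONTINUE"),
    Rule("db-connect-tcp", "edge-1", "tcp", "connect",
         "corp-subnet", "db-server", 5, "OK"),
    Rule("other-agent", "edge-2", "tcp", "connect",
         "corp-subnet", "db-server", 9, "POLICY_VIOLATION"),
]

DB_CONNECT = ProtocolEvent("edge-1", "tcp", "connect",
                           frozenset({"corp-subnet", "any-host"}),
                           frozenset({"db-server", "any-host"}))
UDP_SEND = ProtocolEvent("edge-1", "udp", "send",
                         frozenset({"any-host"}), frozenset({"any-host"}))
UNKNOWN_AGENT = ProtocolEvent("edge-3", "tcp", "connect",
                              frozenset({"any-host"}), frozenset({"any-host"}))

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, DB_CONNECT))     # ('db-connect-tcp', 'OK')
    print(evaluate(SAMPLE_RULES, UDP_SEND))       # ('catch-all', 'OK')
    print(evaluate(SAMPLE_RULES, UNKNOWN_AGENT))  # (None, 'ERROR')
```

The two ranking-5 rules tie on the DB_CONNECT event; the wildcard-protocol rule is designated less specific, so the tcp-specific rule is the single applicable one.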
Specification