System and methodology for providing community-based security policies

US 7,340,770 B2
Filed: 05/14/2003
Issued: 03/04/2008
Est. Priority Date: 05/15/2002
Status: Active Grant

First Claim

Patent Images

1. In a system comprising a plurality of devices connected to a network, a method for regulating network access at a particular device, the method comprising:

providing at a plurality of devices connected to a network a security module for establishing security settings, said security settings for regulating network access at said plurality of devices;

collecting information about established security settings from at least some of said plurality of devices connected to the network;

in response to a request for network access at a particular device, determining whether or not to permit network access based, at least in part, upon the collected information about established security settings;

wherein said collecting step includes collecting information about whether a particular program is permitted to access the network; and

wherein said determining step includes determining whether at least a majority of users permit a particular program to access the network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and methodology for providing community-based security policies is described. In one embodiment in a system comprising a plurality of devices connected to a network, a security module is provided for establishing security settings for regulating network access at these devices. Information is collected from at least some the devices about the security settings established on such devices and consensus security settings are generated based upon the collected information. In response to a request for network access at a particular device, determining whether or not to permit network access is based, at least in part, upon the consensus security settings.

62 Citations

View as Search Results

40 Claims

1. In a system comprising a plurality of devices connected to a network, a method for regulating network access at a particular device, the method comprising:
- providing at a plurality of devices connected to a network a security module for establishing security settings, said security settings for regulating network access at said plurality of devices;
  
  collecting information about established security settings from at least some of said plurality of devices connected to the network;
  
  in response to a request for network access at a particular device, determining whether or not to permit network access based, at least in part, upon the collected information about established security settings;
  
  wherein said collecting step includes collecting information about whether a particular program is permitted to access the network; and
  
  wherein said determining step includes determining whether at least a majority of users permit a particular program to access the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the network comprises the Internet.
  - 3. The method of claim 1, wherein said security settings specify particular programs which are allowed network access.
  - 4. The method of claim 1, wherein said security settings specify particular types of network access which are allowed.
  - 5. The method of claim 1, wherein said step of establishing security settings includes obtaining user input as to whether a particular program should be allowed network access.
  - 6. The method of claim 1, wherein said security module automatically transmits said information about established security settings to a repository at a machine on the network.
  - 7. The method of claim 1, wherein said determining step includes determining whether a particular program requesting access is known to be a malicious program.
  - 8. The method of claim 1, wherein said determining step includes the substeps of:
    - identifying a particular program requesting network access;
      
      if said particular program is included in security settings established at the particular computer, determining whether to permit network access based upon said security settings at the particular computer; and
      
      otherwise, if said particular program is not included in said security settings at said particular computer, determining whether to permit network access based upon the collected security settings information.
  - 9. The method of claim 1, wherein said request for network access comprises a request for access to the Internet.
  - 10. The method of claim 1, wherein said determining step includes using a “
    - firewall”
      
      application for selectively blocking network access.

11. In a system comprising a plurality of devices connected to a network, a method for regulating network access at a particular device, the method comprising:
- providing at a plurality of devices connected to a network a security module for establishing security settings, said security settings for regulating network access at said plurality of devices;
  
  collecting information about established security settings from at least some of said plurality of devices connected to the network;
  
  in response to a request for network access at a particular device, determining whether or not to permit network access based, at least in part, upon the collected information about established security settings; and
  
  wherein said determining step includes determining a percentage of the collected security settings permitting access to the network.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11, further comprising:
    - automatically permitting network access if the percentage of the collected security settings permitting access exceeds a specified threshold.
  - 13. The method of claim 11, further comprising:
    - automatically blocking network access if the percentage of the collected security settings permitting access is less than a specified threshold.

14. A system for managing access to resources on a per program basis, the system comprising:
- a plurality of computers capable of connecting to resources;
  
  a policy module enabling security policies to be defined at said plurality of computers;
  
  a repository for collecting the security policies from said plurality of computers, said repository available to said plurality of computers;
  
  an enforcement module for trapping a request for access to resources from a particular program at a particular computer and determining whether to permit access to the resources based, at least in part, upon security policies collected in said repository; and
  
  wherein said enforcement module determines whether a particular program is permitted to access the resources under at least a majority of the security policies.

15. A system for managing access to resources on a per program basis, the system comprising:
- a plurality of computers capable of connecting to resources;
  
  a policy module enabling security policies to be defined at said plurality of computers;
  
  a repository for collecting the security policies from said plurality of computers, said repository available to said plurality of computers;
  
  an enforcement module for trapping a request for access to resources from a particular program at a particular computer and determining whether to permit access to the resources based, at least in part, upon security policies collected in said repository; and
  
  wherein said enforcement module determines a percentage of the collected security policies permitting access to the resources.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 16. The system of claim 15, wherein access to the resources comprises access to a network.
  - 17. The system of claim 16, wherein the network comprises the Internet.
  - 18. The system of claim 15, wherein said security policies specify particular programs which are allowed to access the resources.
  - 19. The system of claim 18, wherein said security policies specify particular types of access which are allowed.
  - 20. The system of claim 15, wherein said policy module provides for obtaining user input as to whether a particular program should be allowed to access the resources.
  - 21. The system of claim 15, wherein said policy module automatically transmits said security policies to the repository.
  - 22. The system of claim 15, wherein said policy module enables a user to automatically permit access to the resources if access is permitted under a specified percentage of the collected security policies.
  - 23. The system of claim 15, wherein said enforcement module includes using a “
    - firewall”
      
      component for selectively blocking access to the resources.
  - 24. The system of claim 15, wherein said enforcement module displays the collected security policy information to a user to assist a user in deciding whether to permit access to the resources.

25. A method for assisting a user in configuring a program, the method comprising:
- providing a configuration module at a plurality of computers connected to a network, the configuration module enabling a user to adopt a configuration setting for the program;
  
  collecting at a computer on the network the configuration setting adopted by at least some users of the program at said plurality of computers;
  
  generating a recommended configuration setting based upon the collected configuration settings;
  
  displaying the recommended configuration setting at a particular computer connected to the network to assist a user in configuring the program; and
  
  wherein said generating step includes determining the configuration setting adopted by at least a majority of users from which configuration settings are collected.
- View Dependent Claims (26, 27, 28, 29, 30, 31)
- - 26. The method of claim 25, wherein said configuration setting includes whether a particular program is permitted to access the network.
  - 27. The method of claim 25, wherein said configuration setting includes a security setting.
  - 28. The method of claim 25, wherein said configuration module provides for obtaining user input as to whether a particular program should be allowed to access the network.
  - 29. The method of claim 25, wherein said configuration module automatically transmits the configuration setting adopted by a user to the computer on the network collecting the configuration information.
  - 30. The method of claim 25, further comprising:
    - automatically adopting the recommended configuration setting for configuration of the program at said particular computer.
  - 31. The method of claim 25, wherein said displaying step includes displaying a recommended security setting in response to a request for access to the network at said particular computer.

32. A method for assisting a user in configuring a program, the method comprising:
- providing a configuration module at a plurality of computers connected to a network, the configuration module enabling a user to adopt a configuration setting for the program;
  
  collecting at a computer on the network the configuration setting adopted by at least some users of the program at said plurality of computers;
  
  generating a recommended configuration setting based upon the collected configuration settings;
  
  displaying the recommended configuration setting at a particular computer connected to the network to assist a user in configuring the program; and
  
  wherein said generating step includes generating information about a percentage of users adopting a particular configuration setting.

33. A method for assisting a user in configuring a program, the method comprising:
- providing a configuration module at a plurality of computers connected to a network, the configuration module enabling a user to adopt a configuration setting for the program;
  
  collecting at a computer on the network the configuration setting adopted by at least some users of the program at said plurality of computers;
  
  generating a recommended configuration setting based upon the collected configuration settings;
  
  displaying the recommended configuration setting at a particular computer connected to the network to assist a user in configuring the program; and
  
  wherein generating step includes utilizing a weighted voting calculation.

34. In a system comprising a plurality of computers connected to a network, a method for managing network access, the method comprising:
- providing a security module enabling security rules to be defined at said plurality of computers, said security rules identifying programs permitted to access the network;
  
  collecting said security rules from said plurality of computers in a repository, said repository available to said plurality of computers;
  
  trapping a request for access to the network from a particular program at a particular computer;
  
  if said particular program is included in said security rules at said particular computer, determining whether to permit access to the network based upon said security rules at said particular computer; and
  
  otherwise, if said particular program is not included in said security rules at said particular computer, determining whether to permit access based upon said repository;
  
  wherein said step of determining whether to permit access based upon said repository includes determining whether at least a majority of users permit a particular program to access the network.
- View Dependent Claims (35, 36, 37, 38, 39, 40)
- - 35. The method of claim 34, wherein the network comprises the Internet.
  - 36. The method of claim 34, wherein said security rules specify particular types of network access which are allowed.
  - 37. The method of claim 34, wherein said step of enabling security rules to be defined includes obtaining user input as to whether a particular program should be permitted to access the network.
  - 38. The method of claim 34, further comprising:
    - automatically blocking access to the network if at least a majority of users block a particular program from accessing the network.
  - 39. The method of claim 34, further comprising:
    - utilizing an enforcement module for selectively permitting programs to access the network based upon the security rules.
  - 40. The method of claim 34, further comprising:
    - regulating access to the network based upon the determination made about whether to permit access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Inventors
Freund, Gregor
Primary Examiner(s)
Barron; Gilberto
Assistant Examiner(s)
ALMEIDA, DEVIN E

Application Number

US10/249,882
Publication Number

US 20040019807A1
Time in Patent Office

1,756 Days
Field of Search

726/11, 726/14
US Class Current

726/11
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/104   Grouping of entities

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

System and methodology for providing community-based security policies

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

40 Claims

Specification

Use Cases

Quick Links

Others

System and methodology for providing community-based security policies

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

40 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others