System and method for incrementally distributing a security policy in a computer network

US 7,363,650 B2
Filed: 09/13/2002
Issued: 04/22/2008
Est. Priority Date: 10/28/1998
Status: Expired due to Term

First Claim

Patent Images

1. A system for updating a security policy in a distributed computing environment, comprising:

a policy manager, coupled to a network, includinga global version of a security policy;

tracking means for recording a sequence of incremental changes to be made to the global version of the security policy at the policy manager;

computing means for pre-computing an accumulated delta based on the sequence of incremental changes to the global version of the security policy, said pre-computing being executed prior to updating the security policy;

updating means for combining the accumulated delta with the global version of the security policy to generate a second version of the security policy; and

a policy distributor for determining which application guard the sequence of incremental changes is applicable to and for transmitting the accumulated delta to the application guard through the network; and

the application guard, coupled to the network, forstoring a local version of the security policy, said local version being a subset of the global version of the security policy;

receiving the accumulated delta distributed through the network;

updating the local version of the security policy by combining the received accumulated delta with the local version of the security policy to generate a copy of an updated local version of the security policy based on the sequence of incremental chances to the global version of the security policy; and

storing the undated local version of the security policy.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for generating an updated version of, or reconstructing a previously enforced version of, a local client security policy stored in an application guard. A policy manager distributes a change (or an accumulation of changes) to the currently enforced version of the security policy through a network to the application guard. The application guard uses the distributed change to update the currently enforced version of the local client security policy. To reconstruct a previously enforced version of a local security policy, the policy manager generates a reversing delta equal to the reverse of the change (or accumulation of changes) from a previously enforced version to the currently enforced version of the security policy, and distributes the reversing delta through the network to the application guard. The application guard applies the distributed reversing delta to the currently enforced version to reconstruct the previously enforced version.

Citations

32 Claims

1. A system for updating a security policy in a distributed computing environment, comprising:
- a policy manager, coupled to a network, includinga global version of a security policy;
  
  tracking means for recording a sequence of incremental changes to be made to the global version of the security policy at the policy manager;
  
  computing means for pre-computing an accumulated delta based on the sequence of incremental changes to the global version of the security policy, said pre-computing being executed prior to updating the security policy;
  
  updating means for combining the accumulated delta with the global version of the security policy to generate a second version of the security policy; and
  
  a policy distributor for determining which application guard the sequence of incremental changes is applicable to and for transmitting the accumulated delta to the application guard through the network; and
  
  the application guard, coupled to the network, forstoring a local version of the security policy, said local version being a subset of the global version of the security policy;
  
  receiving the accumulated delta distributed through the network;
  
  updating the local version of the security policy by combining the received accumulated delta with the local version of the security policy to generate a copy of an updated local version of the security policy based on the sequence of incremental chances to the global version of the security policy; and
  
  storing the undated local version of the security policy.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein the global version of the security policy is stored in an enterprise policy data file.
  - 3. The system of claim 1, wherein the accumulated delta is stored in a policy change tracking table.
  - 4. The system of claim 1, wherein the second version of the security policy is stored in an enterprise policy data file.
  - 5. The system of claim 1, wherein the sequence of incremental changes includes rule deletions, rule additions, or rule amendments.

6. A system for updating a plurality of security policies in a distributed computing environment, comprising:
- a policy manager, coupled to a network, includinga first version of each of a plurality of security policies;
  
  tracking means for recording a sequence of incremental changes to be made to the first version of each security policy;
  
  computing means for pre-computing a respective accumulated delta for each sequence of incremental changes, said pre-computing being executed prior to updating the first version of the security policy;
  
  updating means for combining each accumulated delta with the first version of its respective security policy to generate a second version of the respective security policy; and
  
  a policy distributor for determining which of a plurality of application guards the sequence of incremental changes is applicable to and for distributing each of the accumulated deltas to the application guards through the network; and
  
  the plurality of application guards, coupled to the network, eachstoring a copy of the first version of one the plurality of security policies;
  
  receiving a respective accumulated delta distributed through the network;
  
  updating the first version at each of the application guards by combining the received accumulated delta with the copy of the respective first version of the security policy to generate a copy of the respective second version of the security policy based on the sequence of incremental chances to the first version at the policy manager; and
  
  storing the copy of the respective second version of the security policy.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein the first version of each of a plurality of security policies is stored in an enterprise policy data file.
  - 8. The system of claim 6, wherein each of the accumulated deltas is stored in a policy change tracking table.
  - 9. The system of claim 6, wherein the second version of the respective security policy is stored in an enterprise policy data file.
  - 10. The system of claim 6, wherein each sequence of incremental changes includes rule deletions, rule additions, or rule amendments.

11. A system for reconstructing a security policy in a distributed computing environment, comprising:
- a policy manager, coupled to a network, includinga global version of a security policy;
  
  tracking means for recording a sequence of incremental changes to be made to the global version of the security policy;
  
  computing means for pre-computing an accumulated delta based on the sequence of incremental changes to the global version of the security policy said pre-computing being executed prior to updating the global version of the security policy;
  
  a policy change tracking table for storing the accumulated delta;
  
  updating means for combining the accumulated delta with the global version of the security policy to generate a second version of the security policy stored in an enterprise policy data file;
  
  reversing means for generating an accumulated reversing delta based on the sequence of incremental changes to the global version of the security policy;
  
  updating means for combining the accumulated reversing delta with the second version of the security policy to reconstruct the global version of the security policy; and
  
  a policy distributor for determining which application guard the sequence of incremental chances is applicable to and for distributing the accumulated delta and the accumulated reversing delta to the application guard through the network; and
  
  the application guard, coupled to the network, forstoring a copy of the local version of the security policy;
  
  receiving the accumulated delta and the accumulated reversing delta distributed through the network;
  
  updating the copy of the local version at the application guard by combining the accumulated delta with the copy of the local version of the security policy to generate a copy of an updated local version of the security policy in the application guard based on the sequence of incremental chances to the global security policy; and
  
  combining the accumulated reversing delta with a copy of the updated local version of the security policy to reconstruct a copy of the local version of the security policy in the application guard.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, wherein the global version of the security policy is stored in an enterprise policy data file.
  - 13. The system of claim 11, wherein the accumulated delta is stored in a policy change tracking table.
  - 14. The system of claim 11, wherein the second version of the security policy is stored in an enterprise policy data file.
  - 15. The system of claim 11, wherein the sequence of incremental changes includes rule deletions, rule additions, or rule amendments.

16. A system for reconstructing a plurality of security policies in a distributed computing environment, comprising:
- a policy manager, coupled to a network, includinga first version of each of a plurality of security policies;
  
  tracking means for recording a sequence of incremental changes to the first version of each security policy;
  
  computing means for pre-computing an accumulated delta for each sequence of incremental changes said pre-computing being executed prior to updating the first version of each security policy;
  
  updating means for combining each accumulated delta with the first version of its respective security policy to generate a second version of the respective security policy;
  
  reversing means for generating a plurality of accumulated reversing deltas, each based on a sequence of incremental changes to the first version of a respective security policy;
  
  updating means for combining each accumulated reversing delta with the second version of its respective security policy to reconstruct the first version of the respective security policy; and
  
  a policy distributor for determining which of a plurality of application guards the sequence of incremental chances is applicable to and for distributing each accumulated delta and each accumulated reversing delta to the application guards through the network; and
  
  the plurality of application guards, coupled to the network, eachstoring a copy of the first version of one of the security policies;
  
  receiving a respective accumulated delta and a respective accumulated reversing delta distributed through the network; and
  
  capable ofupdating the copy of the first version stored at each application guard by combining the received respective accumulated delta with the copy of the first version of the security policy stored in the application guard to generate a copy of the second version of the security policy in the application guard based on the sequence of incremental changes to the first version at the policy manager; and
  
  combining the respective accumulated reversing delta with the copy of the second version of the security policy stored in the application guard to reconstruct a copy of the first version of the security policy in the application guard.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the first version of each of a plurality of security policies is stored in an enterprise policy data file.
  - 18. The system of claim 16, wherein each accumulated delta is stored in a policy change tracking table.
  - 19. The system of claim 16, wherein the second version of the respective security policy is stored in an enterprise policy data file.
  - 20. The system of claim 16, wherein each sequence of incremental changes includes rule deletions, rule additions, or rule amendments.

21. A method for incrementally distributing a security policy in a distributed computing environment, comprising:
- storing a global version of a security policy in a policy manager coupled to a network, and a local version of the security policy in an application guard coupled to the network;
  
  recording a sequence of incremental changes to the global version of the security policy at the policy manager;
  
  pre-computing an accumulated delta based on the sequence of incremental changes, said pre-computing being executed prior to updating the local version of the security policy stored in the application guard;
  
  combining the accumulated delta with the global version of the security policy to generate a updated global version of the security policy;
  
  determining by the policy manager, which application guard the incremental changes are applicable to, based on the local version of the security policy stored on the application guard;
  
  distributing the accumulated delta through the network to the application guard in order to update the local version of the security policy stored at the application guard;
  
  receiving in the application guard the accumulated delta distributed through the network; and
  
  updating the local version of the security policy at the application guard by combining the received accumulated delta with the copy of the local version of the security policy stored in the application guard to generate a copy of the updated local version of the security policy based on the series of incremental changes to the global version of the security policy.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, wherein the undated local version of the security policy DV(i+1), the local version of the security policy DV(i), and the accumulated delta D(i) are related according to the equation, DV(i+1)=DV(i)+D(i) wherein i represents a number of distributions of the accumulated delta.
  - 23. The method of claim 21, wherein recording a sequence of incremental changes comprises recording rule deletions, rule additions, or rule amendments.

24. A method for incrementally distributing a plurality of security policies in a distributed computing environment, comprising:
- storing a first version of each of a plurality of security policies in a policy manager coupled to a network;
  
  storing a copy of the first version of each security policy in a respective application guard coupled to the network;
  
  recording a sequence of incremental changes to the first version of each security policy at the policy manager;
  
  pre-computing a plurality of accumulated deltas based on respective sequences of incremental changes, said pre-computing being executed prior to updating the security policy at the respective application guard;
  
  combining each accumulated delta with the first version of its respective security policy to generate a second version of the respective security policy;
  
  determining which of the application guards, the sequence of incremental chances is applicable to;
  
  distributing each of the accumulated deltas to the application guards through the network in order to update the security policy at the application guards;
  
  receiving in each of the application guards a respective accumulated delta distributed through the network; and
  
  updating the first version of the security policy by combining the respective accumulated delta with the copy of the first version of the security policy stored in the application guard to generate a copy of the second version of the security policy based on the sequence of incremental changes at the policy manager.
- View Dependent Claims (25, 26)
- - 25. The method of claim 24, wherein the second version of a security policy DV(i+1), the first version of that security policy DV(i), and the respective accumulated delta D(i) are related according to the equation, DV(i+1)=DV(i)+D(i) wherein i represents a number of distributions of the respective accumulated delta.
  - 26. The method of claim 24, wherein recording a sequence of incremental changes comprises recording rule deletions, rule additions, or rule amendments.

27. A method for reconstructing a security policy in a distributed computing environment, comprising:
- storing a global version of a security policy in a policy manager coupled to a network, and a local version in an application guard coupled to the network;
  
  recording a sequence of incremental changes to be made to the global version of the security policy;
  
  pre-computing an accumulated delta based on the sequence of incremental changes, said pre-computing being executed prior to updating the local version of the security policy at the application guard;
  
  combining the accumulated delta with the global version of the security policy to generate a second global version of the security policy;
  
  determining which application guard the sequence of incremental chances is applicable to;
  
  distributing the accumulated delta through the network to the application guard in order to update the security policy at the application guard;
  
  receiving the distributed accumulated delta in the application guard;
  
  combining the accumulated delta with the local version of the security policy to generate a copy of an updated version of the security policy based on the sequence of incremental chances to the global security policy;
  
  generating an accumulated reversing delta based on the sequence of incremental changes to the global version of the security policy;
  
  combining the accumulated reversing delta with the updated global version of the security policy to reconstruct the global version of the security policy in the policy manager;
  
  distributing the accumulated reversing delta through the network; and
  
  receiving the distributed accumulated reversing delta in the application guard;
  
  combining the accumulated reversing delta with the updated local version of the security policy to reconstruct the copy of the local version of the security policy in the application guard.
- View Dependent Claims (28, 29)
- - 28. The method of claim 27, wherein the updated local version of the security policy DV(n+1), the local version of the security policy DV(n), and the accumulated reversing delta (−
    - D(n)) are related according to the equation, DV(n)=DV(n+1)+(−
      
      D(n)) wherein n represents a number of incremental changes.
  - 29. The method of claim 27, wherein recording a sequence of incremental changes comprises recording rule deletions, rule additions, or rule amendments.

30. A method for reconstructing a plurality of security policies in a distributed computing environment, comprising:
- storing a first version of each of a plurality of security policies in a policy manager coupled to a network;
  
  storing the first version of each security policy in a respective application guard coupled to the network;
  
  recording a respective sequence of incremental changes to the first version of each security policy;
  
  pre-computing a respective accumulated delta for each sequence of incremental changes, said pre-computing being executed prior to updating the first version of the security policy at the respective application guard;
  
  combining each accumulated delta with the first version of its respective security policy to generate a second version of the respective security policy;
  
  determining which application guards the sequence of incremental changes is applicable to;
  
  distributing each of the accumulated deltas through the network to the application guards in order to update the security policy at the application guards;
  
  receiving in each of the application guards a respective accumulated delta distributed through the network;
  
  combining the received accumulated delta with the copy of the first version of the security policy to generate a copy of the second version of the security policy in each application guard based on the sequence of incremental changes at the policy manager;
  
  generating a plurality of accumulated reversing deltas, each based on an accumulation of incremental changes to the first version of a respective security policy;
  
  combining each accumulated reversing delta with the second version of its respective security policy to reconstruct the first version of the respective security policy;
  
  distributing the each of the accumulated reversing deltas through the network;
  
  receiving in each of the application guards a respective accumulated reversing delta distributed through the network; and
  
  combining the received accumulated reversing delta with the copy of the second version of the security policy to reconstruct the copy of the first version of the security policy in the application guard.
- View Dependent Claims (31, 32)
- - 31. The method of claim 30, wherein the second version of a security policy DV(n+1), the first version of that security policy DV(n), and the respective accumulated reversing delta (−
    - D(n)) are related according to the equation, DV(n)=DV(n+1)+(−
      
      D(n)) wherein n represents a number of incremental changes.
  - 32. The method of claim 30, wherein recording a sequence of incremental changes comprises recording rule deletions, rule additions, or rule amendments.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Xu, Mingde, Moriconi, Mark S., Godik, Simon, Yagen, Ken
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Cervetti; David Garcia

Application Number

US10/243,122
Publication Number

US 20030115484A1
Time in Patent Office

2,048 Days
Field of Search

726/3, 726/1
US Class Current

726/1
CPC Class Codes

G02B 6/132   by deposition of thin films

G06F 21/50   Monitoring users, programs ...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

H01L 21/02164   the material being a silico...

H01L 21/31111   by chemical means

H01L 21/31608   Deposition of SiO2 H01L21/3...

H04L 63/0263   Rule management

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

System and method for incrementally distributing a security policy in a computer network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for incrementally distributing a security policy in a computer network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links