Declarative language for specifying a security policy
First Claim
1. A declarative language system for specifying in an annotated policy specification a security policy of a network event, wherein said network event comprises a stack having a plurality of protocol events, wherein each of said plurality of protocol events is associated with a predefined protocol layer, and wherein said network event is an interaction between an active principal and a passive principal, said declarative language system comprising:
a declarative language comprising a plurality of objects, such that each object of said plurality of objects comprises at least one list having a first element;
a declarative language editor for providing means for specifying in a first policy specification said security policy using said declarative language;
a declarative language compiler for providing means for compiling said first policy specification and generating said annotated policy specification;
means for loading said annotated policy specification into a policy engine;
means for said policy engine to receive said network event from an agent;
means for said policy engine to evaluate said security policy against said network event and to generate a disposition for said network event;
means for said policy engine to communicate agent directives to said agent; and
means for said policy engine to output said network event and said disposition to a datastore;
wherein said each object is a first-class object;
wherein said first-class object comprises any of:
a policy;
a group;
a credential, said credential having a specificity;
a condition;
a disposition; and
a rule, said rule having an outcome;
wherein said rule for evaluating said event comprises:
a protocol field associated with said event;
a plurality of actions associated with said event;
an initiator for representing said active principal of said event;
a target for representing said passive principal of said event; and
means for said outcome to generate a disposition by specifying constraints upon said event, said outcome comprising:
at least one of a plurality of conditional statements and a default statement, wherein each of said plurality of conditional statements comprises a keyword and a disposition, and wherein said plurality of conditional statements are evaluated in chronological order; and
further comprising:
a prerequisite having a plurality of rules, such that said prerequisite is satisfied when at least one of said plurality of rules is applied to a prior event.
Abstract
The invention is a declarative language system and comprises a language as a tool for expressing network security policy in a formalized way. It allows the specification of security policy across a wide variety of networking layers and protocols. Using the language, a security administrator assigns a disposition to each and every network event that can occur in a data communications network. The event's disposition determines whether the event is allowed (i.e. conforms to the specified policy) or disallowed and what action, if any, should be taken by a system monitor in response to that event. Possible actions include, for example, logging the information into a database, notifying a human operator, and disrupting the offending network traffic.
5 Claims
Claim 1 is reproduced above under First Claim; claims 2 to 5 follow.
2. A declarative language system for specifying in an annotated policy specification a security policy of a network event, wherein said network event comprises a stack having a plurality of protocol events, wherein each of said plurality of protocol events is associated with a predefined protocol layer, and wherein said network event is an interaction between an active principal and a passive principal, said declarative language system comprising:
a declarative language comprising a plurality of objects, such that each object of said plurality of objects comprises at least one list having a first element;
a declarative language editor for providing means for specifying in a first policy specification said security policy using said declarative language;
a declarative language compiler for providing means for compiling said first policy specification and generating said annotated policy specification;
means for loading said annotated policy specification into a policy engine;
means for said policy engine to receive said network event from an agent;
means for said policy engine to evaluate said security policy against said network event and to generate a disposition for said network event;
means for said policy engine to communicate agent directives to said agent;
means for said policy engine to output said network event and said disposition to a datastore; and
an annotated specification language;
wherein said first policy specification further comprises:
a plurality of credentials, a plurality of conditions, and a plurality of rules;
wherein said means for compiling comprises:
means for checking said first policy specification for syntax errors and semantics errors;
means for checking said first policy specification for credential errors;
means for checking said first policy specification for condition errors;
means for checking said first policy specification for completeness and coverage of said plurality of rules;
means for ordering said plurality of credentials by using said annotated specification language, whereby for each of said plurality of credentials a credential rank is determined; and
means for ordering said plurality of rules by using said annotated specification language;
said annotated specification language providing additional information to said means to evaluate;
means for said policy engine to receive said plurality of protocol events and to provide a sequencing of said plurality of protocol events by using said associated predefined protocol layers;
means for said policy engine to select a policy rule associated with each of said plurality of protocol events, using a specificity of said policy rule;
means for said policy engine to determine said policy rule outcome;
means for said policy engine to render said policy rule as a pending policy rule; and
means for said policy engine to render one of said policy rule and said pending policy rule as final.
3. A declarative language system for specifying in an annotated policy specification a security policy of a network event, wherein said network event comprises a stack having a plurality of protocol events, wherein each of said plurality of protocol events is associated with a predefined protocol layer, and wherein said network event is an interaction between an active principal and a passive principal, said declarative language system comprising:
a declarative language comprising a plurality of objects, such that each object of said plurality of objects comprises at least one list having a first element;
a declarative language editor for providing means for specifying in a first policy specification said security policy using said declarative language;
a declarative language compiler for providing means for compiling said first policy specification and generating said annotated policy specification;
means for loading said annotated policy specification into a policy engine;
means for said policy engine to receive said network event from an agent;
means for said policy engine to evaluate said security policy against said network event and to generate a disposition for said network event;
means for said policy engine to communicate agent directives to said agent;
means for said policy engine to output said network event and said disposition to a datastore; and
an annotated specification language;
wherein said first policy specification further comprises:
a plurality of credentials, a plurality of conditions, and a plurality of rules;
wherein said means for compiling comprises:
means for checking said first policy specification for syntax errors and semantics errors;
means for checking said first policy specification for credential errors;
means for checking said first policy specification for condition errors;
means for checking said first policy specification for completeness and coverage of said plurality of rules;
means for ordering said plurality of credentials by using said annotated specification language, whereby for each of said plurality of credentials a credential rank is determined; and
means for ordering said plurality of rules by using said annotated specification language;
wherein said means for ordering said plurality of rules comprises:
a plurality of predetermined protocols;
a plurality of predetermined protocol-action groups;
means to assign each of said rules to one of said predetermined protocols;
means to assign each of said rules to one of said predetermined protocol-action groups;
means to rank each of said rules in said predetermined protocol-action groups by using said credential ranking value for said target credential of said rule and by using said credential ranking value for said initiator credential of said rule; and
means to sort in increasing order each of said ranked rules in said predetermined protocol-action groups;
further comprising:
a 2-tuple for each said rule, said 2-tuple having a first element and a second element;
wherein said first element is a highest credential ranking value of said target credential and initiator credential;
wherein said second element is a lowest credential ranking value of said target credential and initiator credential; and
wherein said means to sort uses said 2-tuple of each rule.
4. A method for evaluating a policy using a plurality of policy rules, each rule having a ranking and a disposition, to a protocol event reported by an agent, said protocol event having a protocol, a protocol action, a target credential, and an initiator credential, comprising the steps of:
selecting a first set of rules from said plurality of policy rules, such that each rule is associated with said agent;
selecting a second set of rules from said first set of rules, such that each rule is associated with said protocol from said event;
selecting a third set of rules from said second set of rules, such that each rule is associated with said protocol action from said event;
searching for a most specific policy rule from said third set, such that said most specific policy rule is satisfied by said protocol event, and generating an error disposition when said most specific policy rule is undetermined;
checking said third set of rules for a fourth set of rules having the same said ranking as said selected most specific policy rule;
providing means to select a single applicable rule from said fourth set of rules; and
producing a final disposition for a network event, wherein said network event comprises said protocol event.
5. A method for evaluating a policy using a plurality of policy rules, each rule having a ranking and a disposition, to a protocol event reported by an agent, said protocol event having a protocol, a protocol action, a target credential, and an initiator credential, comprising the steps of:
selecting a first set of rules from said plurality of policy rules, such that each rule is associated with said agent;
selecting a second set of rules from said first set of rules, such that each rule is associated with said protocol from said event;
selecting a third set of rules from said second set of rules, such that each rule is associated with said protocol action from said event;
searching for a most specific policy rule from said third set, such that said most specific policy rule is satisfied by said protocol event, and generating an error disposition when said most specific policy rule is undetermined;
checking said third set of rules for a fourth set of rules having the same said ranking as said selected most specific policy rule; and
providing means to select a single applicable rule from said fourth set of rules;
wherein the step of searching for a most specific policy rule further comprises the steps of:
satisfying any of a plurality of prerequisite rules by a previous protocol event in an order corresponding to an order of said plurality of prerequisite rules; and
matching a rule target credential and a rule initiator credential with said event target credential and said event initiator credential.
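The rule ordering of claim 3 (the (highest rank, lowest rank) 2-tuple sorted in increasing order within each protocol-action group), the completeness check of claim 2, the agent/protocol/action narrowing and most-specific search of claims 4 and 5, the prerequisite satisfied by a prior protocol event, and the pending-then-final disposition across a stack of protocol events, as one added worked example in Python. This is not code from the patent or its assignee. It assumes that a credential's rank is the number of attribute constraints it carries (the patent derives the rank in the compiler from the annotated specification language), a fixed layer order of tcp below http, a hypothetical agent named "dmz-monitor", and that two equal-rank rules with conflicting dispositions yield the error disposition, since the claim leaves the tie-break means unspecified; the policy and events are constructed.

```python
from dataclasses import dataclass

LAYER_ORDER = {"tcp": 0, "http": 1}   # assumed layer order for sequencing protocol events

@dataclass
class Credential:
    """Named attribute constraints on a principal; rank (specificity) is modelled as the
    number of constraints, where the patent's compiler derives it from the annotated language."""
    name: str
    attrs: dict
    def rank(self) -> int:
        return len(self.attrs)
    def matches(self, principal: dict) -> bool:
        return all(principal.get(k) == v for k, v in self.attrs.items())

@dataclass
class Rule:
    name: str
    agent: str
    protocol: str
    action: str
    initiator: Credential
    target: Credential
    disposition: str
    final: bool = True          # False: pending, deferred to a higher protocol layer
    prerequisites: tuple = ()   # rule names, one of which must have applied to a prior event
    def rank(self) -> tuple:
        """Claim 3's 2-tuple: (highest credential rank, lowest credential rank)."""
        ranks = (self.initiator.rank(), self.target.rank())
        return (max(ranks), min(ranks))

def compile_policy(rules):
    """Group rules by protocol-action and sort each group in increasing rank (claim 3)."""
    groups = {}
    for r in rules:
        groups.setdefault((r.protocol, r.action), []).append(r)
    for g in groups.values():
        g.sort(key=Rule.rank)
    return groups

def coverage_errors(compiled):
    """Claim 2's completeness check: each group needs an unconditional catch-all rule."""
    return [key for key, g in compiled.items()
            if not any(r.rank() == (0, 0) and not r.prerequisites for r in g)]

def evaluate(compiled, agent, event, applied=()):
    """Claims 4 and 5: filter by agent, protocol and action, keep rules whose credentials and
    prerequisites the event satisfies, pick the most specific. Rule is None on the error disposition."""
    candidates = [r for r in compiled.get((event["protocol"], event["action"]), [])
                  if r.agent == agent]
    satisfied = [r for r in candidates
                 if r.initiator.matches(event["initiator"]) and r.target.matches(event["target"])
                 and (not r.prerequisites or any(p in applied for p in r.prerequisites))]
    if not satisfied:
        return "error", None                    # undetermined: no rule covers the event
    top = max(r.rank() for r in satisfied)
    ties = [r for r in satisfied if r.rank() == top]   # claim 4's "fourth set"
    if len({r.disposition for r in ties}) > 1:
        return "error", None                    # assumption: conflicting equal-rank rules
    return ties[0].disposition, ties[0]

def evaluate_network_event(compiled, agent, protocol_events):
    """Claim 2: evaluate layers bottom-up, remembering applied rules for prerequisites; a final
    rule ends the search, a pending rule becomes final if no higher layer overrides it."""
    applied, pending = [], None
    for ev in sorted(protocol_events, key=lambda e: LAYER_ORDER[e["protocol"]]):
        disposition, rule = evaluate(compiled, agent, ev, applied)
        if rule is None:
            return "error"
        applied.append(rule.name)
        if rule.final:
            return disposition
        pending = rule
    return pending.disposition if pending else "error"

AGENT = "dmz-monitor"   # constructed sample policy for a hypothetical agent
ANY = Credential("any", {})
HTTP_PORT = Credential("http-port", {"port": 80})
WEB = Credential("web-server", {"host": "www.example.com"})
ADMIN_PATH = Credential("admin-path", {"host": "www.example.com", "path": "/admin"})
ADMIN_IP = Credential("admin-host", {"ip": "10.0.0.5"})
POLICY = compile_policy([
    Rule("tcp_default", AGENT, "tcp", "connect", ANY, ANY, "deny"),
    Rule("tcp_to_web", AGENT, "tcp", "connect", ANY, HTTP_PORT, "allow", final=False),
    Rule("http_default", AGENT, "http", "get", ANY, ANY, "deny"),
    Rule("http_public", AGENT, "http", "get", ANY, WEB, "allow", prerequisites=("tcp_to_web",)),
    Rule("http_admin_any", AGENT, "http", "get", ANY, ADMIN_PATH, "deny-and-alert"),
    Rule("http_admin_ok", AGENT, "http", "get", ADMIN_IP, ADMIN_PATH, "allow"),
])

def sample_event(client_ip, path, port=80):
    """Constructed two-layer network event, listed top layer first to exercise sequencing."""
    return [
        {"protocol": "http", "action": "get", "initiator": {"ip": client_ip},
         "target": {"host": "www.example.com", "path": path}},
        {"protocol": "tcp", "action": "connect", "initiator": {"ip": client_ip},
         "target": {"ip": "192.0.2.10", "port": port}},
    ]
```

Calling evaluate_network_event(POLICY, AGENT, sample_event("10.0.0.5", "/admin")) returns "allow" because the (2, 1) rule outranks the (2, 0) "deny-and-alert" rule, while the same path from any other address gets "deny-and-alert"; a TCP connect to a port other than 80 is decided at the TCP layer and the HTTP rules are never consulted. Because groups are sorted in increasing order, the catch-all sits first and the most specific rule last, which is what coverage_errors relies on; a policy that omits the catch-all, or that contains two equal-rank rules with different dispositions, surfaces as the error disposition instead of silently falling through, which is the check a practitioner wants from the compiler rather than from production traffic.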
Specification