Methods and apparatus for automated creation of security policy

US 7,516,476 B1
Filed: 03/24/2003
Issued: 04/07/2009
Est. Priority Date: 03/24/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method of creating a security policy for at least one application executing on a computer system, the method comprising:

(A) providing a template defining a security policy for the at least one application;

(B) exercising the at least one application to generate a sample of actions representing actual behavior of the at least one application;

(C) applying at least one heuristic to determine representative actions from the sample of actions performed by the at least one application; and

(D) arranging the representative actions according to the template in order to produce a security policy.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An automated method and apparatus for creating a security policy for one or more applications is provided. The method includes exercising the features of the one or more applications to generate behavioral data, applying a heuristic to aggregate the behavioral data into a subset of representative actions, and organizing the representative actions according to a structure defined by a template into a security policy for the one or more applications. The security policy may be downloaded to one or more workstations for deployment, and provides a safeguard to protect a computer system against cyber-terrorism.

Citations

85 Claims

1. A computer-implemented method of creating a security policy for at least one application executing on a computer system, the method comprising:
- (A) providing a template defining a security policy for the at least one application;
  
  (B) exercising the at least one application to generate a sample of actions representing actual behavior of the at least one application;
  
  (C) applying at least one heuristic to determine representative actions from the sample of actions performed by the at least one application; and
  
  (D) arranging the representative actions according to the template in order to produce a security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein (C) comprises aggregating the sample of actions to a subset of actions, the subset defining the representative actions.
  - 3. The method of claim 1, wherein (B) comprises exercising the at least one application in a controlled environment.
  - 4. The method of claim 1, wherein (B) comprises generating a sample of actions which represents correct behavior for the at least one application.
  - 5. The method of claim 1, wherein (C) comprises determining the representative actions based, at least in part, on the system resource accessed by the at least one application in each action.
  - 6. The method of claim 1, wherein (A) comprises providing a template which varies according to the computer system on which the at least one application executes.
  - 7. The method of claim 1, wherein (C) comprises applying a heuristic which varies according to the computer system on which the at least one application executes.
  - 8. The method of claim 1, wherein (C) comprises applying a heuristic which is defined in response to examining at least one of the sample of actions and the representative actions.
  - 9. The method of claim 8, wherein a user examines the sample of actions and the representative actions to define the heuristic.
  - 10. The method of claim 9, wherein the user defines the heuristic by defining a strictness of a comparison of actions used to aggregate actions into the subset.
  - 11. The method of claim 9, wherein the user defines the heuristic by responding to at least one question related to the comparison of actions.
  - 12. The method of claim 1, wherein (C) further comprises applying a heuristic which is defined by an automated process.
  - 13. The method of claim 1, further comprising:
    - (E) downloading the security policy to at least one agent executing on the computer system.
  - 14. The method of claim 13, wherein (E) comprises, after downloading the security policy, employing the security policy to determine whether a request issued by the at least one application to access a system resource should be allowed or denied.
  - 15. The method of claim 1, further comprising:
    - (F) producing a report illustrating the behavior of the at least one application.

16. A computer-readable medium having instructions recorded thereon which, when executed by a computer, cause the computer to perform a method of creating a security policy for at least one application executing on a computer system, the method comprising:
- (A) providing a template defining a security policy for the at least one application;
  
  (B) exercising the at least one application to generate a sample of actions representing actual behavior of the at least one application;
  
  (C) applying at least one heuristic to determine representative actions from the sample of actions performed by the at least one application; and
  
  (D) arranging the representative actions according to the template in order to produce a security policy.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The computer-readable medium of claim 16, wherein (C) comprises aggregating the sample of actions to a subset of actions, the subset defining the representative actions.
  - 18. The computer-readable medium of claim 16, wherein (B) comprises exercising the at least one application in a controlled environment.
  - 19. The computer-readable medium of claim 16, wherein (B) comprises generating a sample of actions which represents correct behavior for the at least one application.
  - 20. The computer-readable medium of claim 16, wherein (C) comprises determining the representative actions based, at least in part, on the system resource accessed by the at least one application in each action.
  - 21. The computer-readable medium of claim 16, wherein (A) comprises providing a template which varies according to the computer system on which the at least one application executes.
  - 22. The computer-readable medium of claim 16, wherein (C) comprises applying a heuristic which varies according to the computer system on which the at least one application executes.
  - 23. The computer-readable medium of claim 16, wherein (C) comprises applying a heuristic which is defined in response to examining at least one of the sample of actions and the representative actions.
  - 24. The computer-readable medium of claim 23, further comprising instructions defining accepting user input in response to the user'"'"'s examination of the sample of actions and the representative actions, wherein the user input is used to define the heuristic.
  - 25. The computer-readable medium of claim 24, wherein the user defines the heuristic by defining a strictness of a comparison of actions used to determine the representative actions.
  - 26. The computer-readable medium of claim 24, wherein the user defines the heuristic by responding to at least one question related to a comparison of actions.
  - 27. The computer-readable medium of claim 16, wherein (C) further comprises applying a heuristic which is defined by an automated process.
  - 28. The computer-readable medium of claim 16, further comprising instructions defining:
    - (E) downloading the security policy to at least one agent executing on the computer system.
  - 29. The computer-readable medium of claim 28, wherein (E) comprises, after downloading the security policy, employing the security policy to determine whether a request issued by the at least one application to access a system resource should be allowed or denied.
  - 30. The computer-readable medium of claim 16, further comprising instructions defining:
    - (F) producing a report illustrating the behavior of the at least one application.

31. A system for creating a security policy for at least one application executing on a computer system, the system comprising:
- a first component to provide a template defining a security policy for the at least one application;
  
  a second component to exercise the at least one application to generate a sample of actions representing actual behavior of the at least one application;
  
  a third component to apply at least one heuristic to determine representative actions from the sample of actions performed by the at least one application; and
  
  a fourth component to arrange the representative actions according to the template in order to produce a security policy,where at least one of, the first component, the second component, the third component, and the fourth component are embodied on a computer-readable medium.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 32. The system of claim 31, wherein the third component aggregates the sample of actions to a subset of actions, the subset defining the representative actions.
  - 33. The system of claim 31, wherein the second component exercises the at least one application in a controlled environment.
  - 34. The system of claim 31, wherein the second component generates a sample of actions which represents correct behavior for the at least one application.
  - 35. The system of claim 31, wherein the third component determines the representative actions based, at least in part, on the system resource accessed by the at least one application in each action.
  - 36. The system of claim 31, wherein the first component provides a template which varies according to the computer system on which the at least one application executes.
  - 37. The system of claim 31, wherein the third component applies a heuristic which varies according to the computer system on which the at least one application executes.
  - 38. The system of claim 31, wherein the third component applies a heuristic which is defined in response to examining at least one of the sample of actions and the subset of actions.
  - 39. The system of claim 38, further comprising:
    - a fifth component to accept user input in response to the user'"'"'s examination of the sample of actions and the representative actions, wherein the user input is used to define the heuristic.
  - 40. The system of claim 39, wherein the user input defines a strictness of a comparison of actions used to aggregate actions into the representative actions.
  - 41. The system of claim 39, wherein the user input defines a response to at least one question related to a comparison of actions.
  - 42. The system of claim 31, wherein the third component applies a heuristic which is defined by an automated process.
  - 43. The system of claim 31, further comprising:
    - a sixth component to download the security policy to at least one agent executing on the computer system.
  - 44. The system of claim 43, wherein the sixth component, after downloading the security policy, employs the security policy to determine whether a request issued by the at least one application to access a system resource should be allowed or denied.
  - 45. The system of claim 31, further comprising:
    - a seventh component to produce a report illustrating the behavior of the at least one application.

46. A system for deploying a security policy for at least one application, the system comprising:
- a first component to exercise the at least one application to generate a sample of actions representing actual behavior of the at least one application;
  
  a second component to apply at least one heuristic to determine representative actions from the sample of actions performed by the at least one application; and
  
  a third component to arrange the representative actions according to a template to produce a security policy.
- View Dependent Claims (47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60)
- - 47. The system of claim 46, wherein the second component aggregates the sample of actions to a subset of actions, the subset defining the representative actions.
  - 48. The system of claim 46, wherein the first component exercises the at least one application in a controlled environment.
  - 49. The system of claim 46, wherein the first component generates a sample of actions which represents correct behavior for the at least one application.
  - 50. The system of claim 46, wherein the second component determines the representative actions based, at least in part, on the system resource accessed by the at least one application in each action.
  - 51. The system of claim 46, wherein the third component modifies a template which varies according to the computer system on which the at least one application executes.
  - 52. The system of claim 46, wherein the second component applies a heuristic which varies according to the computer system on which the at least one application executes.
  - 53. The system of claim 46, wherein the second component applies a heuristic which is defined in response to examining at least one of the sample of actions and the subset of actions.
  - 54. The system of claim 53, further comprising:
    - a fourth component to accept user input in response to the user'"'"'s examination of the sample of actions and the representative actions, wherein the user input is used to define the heuristic.
  - 55. The system of claim 54, wherein the user input provides a strictness of a comparison of actions used to aggregate actions into the subset.
  - 56. The system of claim 54, wherein the user input provides a response to at least one question related to a comparison of actions.
  - 57. The system of claim 46, wherein the second component applies a heuristic which is defined by an automated process.
  - 58. The system of claim 46, further comprising:
    - a fifth component to download the security policy to at least one agent executing on the computer system.
  - 59. The system of claim 58, wherein the sixth component, after downloading the security policy, employs the security policy to determine whether a request issued by the at least one application to access a system resource should be allowed or denied.
  - 60. The system of claim 46, further comprising:
    - a sixth component to produce a report illustrating the behavior of the at least one application.

61. A computer-implemented method of securing a computer system against terrorist attack, the method comprising:
- (A) providing a template defining a security policy for at least one application executing on a computer system;
  
  (B) exercising the at least one application to generate a sample of actions representing actual behavior of the at least one application;
  
  (C) applying at least one heuristic to determine representative actions from the sample of actions performed by the at least one application;
  
  (D) arranging the representative actions according to the template in order to produce a security policy;
  
  (E) downloading the security policy to at least one agent executing on the computer system; and
  
  (F) employing the security policy to determine whether a request issued by the at least one application to access a system resource should be allowed or denied.
- View Dependent Claims (62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73)
- - 62. The method of claim 61, wherein (C) comprises aggregating the sample of actions to a subset of actions, the subset defining the representative actions.
  - 63. The method of claim 61, wherein (B) comprises exercising the at least one application in a controlled environment.
  - 64. The method of claim 61, wherein (B) comprises generating a sample of actions which represents correct behavior for the at least one application.
  - 65. The method of claim 61, wherein (C) comprises determining the representative actions based, at least in part, on the system resource accessed by the at least one application in each action.
  - 66. The method of claim 61, wherein (A) comprises providing a template which varies according to the computer system on which the at least one application executes.
  - 67. The method of claim 61, wherein (C) comprises applying a heuristic which varies according to the computer system on which the at least one application executes.
  - 68. The method of claim 61, wherein (C) comprises applying a heuristic which is defined in response to examining at least one of the sample of actions and the subset of actions.
  - 69. The method of claim 68, wherein a user defines a heuristic by examining the sample of actions and the subset of actions.
  - 70. The method of claim 69, wherein the user defines the heuristic by defining a strictness of a comparison of actions used to aggregate actions into the subset.
  - 71. The method of claim 69, wherein the user defines the heuristic by responding to at least one question related to the comparison of actions.
  - 72. The method of claim 61, wherein (C) further comprises applying a heuristic which is defined by an automated process.
  - 73. The method of claim 61, further comprising:
    - (G) producing a report illustrating the behavior of the at least one application.

74. A computer-readable medium having instructions recorded thereon which, when executed by a computer, cause the computer to perform a method of creating a security policy for at least one application executing on a computer system, the method comprising:
- (A) providing a template defining a security policy for the at least one application;
  
  (B) exercising the at least one application to generate a sample of actions representing actual behavior of the at least one application;
  
  (C) applying at least one heuristic to determine representative actions from the sample of actions performed by the at least one application, wherein the heuristic is defined using input accepted from a user in response to the user'"'"'s examination of the at least one of the sample of actions and the representative actions; and
  
  (D) arranging the representative actions according to the template in order to produce a security policy.
- View Dependent Claims (75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85)
- - 75. The computer-readable medium of claim 74, wherein the user defines the heuristic by defining a strictness of a comparison of actions used to determine the representative actions.
  - 76. The computer-readable medium of claim 74, wherein the user defines the heuristic by responding to at least one question related to a comparison of actions.
  - 77. The computer-readable medium of claim 74, wherein (C) comprises aggregating the sample of actions to a subset of actions, the subset defining the representative actions.
  - 78. The computer-readable medium of claim 74, wherein (B) comprises exercising the at least one application in a controlled environment.
  - 79. The computer-readable medium of claim 74, wherein (B) comprises generating a sample of actions which represents correct behavior for the at least one application.
  - 80. The computer-readable medium of claim 74, wherein (C) comprises determining the representative action based, at least in part, on the system resource accessed by the at least one application in each action.
  - 81. The computer-readable medium of claim 74, wherein (A) comprising providing a template which varies according to the computer system on which the at least one application executes.
  - 82. The computer-readable medium of claim 74, wherein (C) comprises applying a heuristic which varies according to the computer system on which the at least one application executes.
  - 83. The computer-readable medium of claim 74, further comprising instructions defining:
    - (E) downloading the security policy to at least one agent executing on the computer system.
  - 84. The compute-readable medium of claim 83, wherein (E) comprises, after downloading the security policy, employing the security policy to determine whether a request issued by the at least one application to access a system resource should be allowed or denied.
  - 85. The computer-readable medium of claim 83, further comprising instructions defining:
    - (F) producing a report illustrating the behavior of the at least one application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Rangamani, Venkat R., Grecu, Dan L., Gladstone, Philip J. S., Kraemer, Jeffrey A., Costello, Brian F., Kirby, Alan J.
Primary Examiner(s)
Revak; Christopher A

Application Number

US10/395,711
Time in Patent Office

2,206 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

G06F 21/604 Tools and structures for ma...

Methods and apparatus for automated creation of security policy

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

85 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for automated creation of security policy

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

85 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links