Cooperative processing and escalation in a multi-node application-layer security system and method

US 7,539,857 B2
Filed: 10/17/2005
Issued: 05/26/2009
Est. Priority Date: 10/15/2004
Status: Active Grant

First Claim

Patent Images

1. A cooperative processing and escalation method for application-layer security comprising the steps of:

defining escalating operational modes at a plurality of receiving security nodes including standby, passive and active modes, andat a same single security node;

identifying a security violation,matching said security violation to one or more escalation rule(s) of a pre-defined set of escalation rules, wherein said matched escalation rule(s) determine how said single security node responds to said security violation including whether to transmit or receive an escalation trigger or both,creating said escalation trigger associated with said matched escalation rule(s), wherein said escalation trigger instructs said plurality of receiving security nodes to activate one of said escalating operational modes, andtransmitting said escalation trigger to said plurality of receiving security nodes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cooperative processing and escalation method and system for use in multi-node application-layer security management is disclosed. The method includes the steps of identifying individual application security nodes, grouping and configuring nodes for cooperative processing, assigning the default operational mode at each node, assignment of logging and alert event tasks at each node, and defining escalation and de-escalation rules and triggers at each node. Both loosely-coupled and tightly-coupled configurations, each with its cooperative processing model, are disclosed. The method includes provision for central console configuration and control, near real-time central console dashboard operations interface, alert notification, and operator override of operational modes and event tasks.

63 Citations

View as Search Results

35 Claims

1. A cooperative processing and escalation method for application-layer security comprising the steps of:
- defining escalating operational modes at a plurality of receiving security nodes including standby, passive and active modes, andat a same single security node;
  
  identifying a security violation,matching said security violation to one or more escalation rule(s) of a pre-defined set of escalation rules, wherein said matched escalation rule(s) determine how said single security node responds to said security violation including whether to transmit or receive an escalation trigger or both,creating said escalation trigger associated with said matched escalation rule(s), wherein said escalation trigger instructs said plurality of receiving security nodes to activate one of said escalating operational modes, andtransmitting said escalation trigger to said plurality of receiving security nodes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 2. The method of claim 1, further comprising the step of processing said escalation trigger at said receiving security node(s).
  - 3. The method of claim 2, wherein said receiving security node processing includes processing an escalation trigger which supersedes a previously received escalation trigger.
  - 4. The method of claim 2, wherein said receiving security node processing includes processing an escalation trigger and/or operational mode override received from a security console.
  - 5. The method of claim 1, wherein said pre-defined set of escalation rules is created automatically.
  - 6. The method of claim 1, wherein one or more such pre-defined escalation rules specifies a duration of time in which the escalation to a different operational mode is enforced, followed by an automatic reversion to the default or other operational mode at receiving security node(s).
  - 7. The method of claim 1, wherein one or more such pre-defined escalation rules specifies an escalation to a different operational mode for a non-predetermined duration.
  - 8. The method of claim 1, wherein said transmitting security node is also the receiving security node, otherwise known as self-escalation.
  - 9. The method of claim 1, wherein said receiving security node is selected from the group consisting of:
    - an application firewall, an application monitor, and a data security enforcement point.
  - 10. The method of claim 1, wherein said receiving security nodes are defined as a logical or arbitrary grouping consisting of a plurality of one or more:
    - application firewalls, application monitors, and/or data security enforcement points.
  - 11. The method of claim 1, wherein said step of defining two or more operational modes comprises the step of defining bypass, passive and active operational modes.
  - 12. The method of claim 11, wherein said passive and active operational modes includes sub-settings for transmitting logging and alerts associated with security violations and/or escalation triggers to a security console, log or repository.
  - 13. The method of claim 11, wherein said active mode includes examining in-bound or out-bound application-layer traffic to detect escalation rule violations.
  - 14. The method of claim 11, wherein said active mode includes examining data access requests and/or user data access behavioral patterns to detect escalation rule violations.
  - 15. The method of claim 11, wherein said active mode includes blocking, redirecting, or correcting an in-bound or out-bound security violation.
  - 16. The method of claim 11, wherein said active mode includes denying access, masking data, or denying data decryption for a data access request.
  - 17. The method of claim 11, wherein said active mode includes receiving said escalation triggers.
  - 18. The method of claim 11, wherein said passive mode includes examining in-bound or out-bound application-layer traffic to detect escalation rule violations.
  - 19. The method of claim 11, wherein said passive mode includes examining data access requests and/or user data access behavioral patterns to detect escalation rule violations.
  - 20. The method of claim 11, wherein said passive mode includes receiving said escalation triggers.
  - 21. The method of claim 11, wherein said bypass mode includes receiving said escalation triggers.
  - 22. The method of claim 1, wherein said step of identifying a security violation comprises the step of analyzing in-bound or out-bound application traffic at the application-layer according to a security policy.
  - 23. The method of claim 22, wherein said in-bound and/or out-bound application traffic is transported via hypertext transport protocol (HTTP) or SSL-encrypted hypertext transport protocol (HTTPS).
  - 24. The method of claim 1, wherein said step of identifying a security violation comprises the step of examining data access requests and/or user data access behavioral patterns according to a security policy.
  - 25. The method of claim 1, wherein said transmitting security node is an application firewall, an application monitor, or a data security enforcement point.
  - 26. The method of claim 1, wherein said transmitting security node is a network security device such as a network firewall, network router or other OSI layer 1-6 device or system.
  - 27. The method of claim 1, wherein said transmission of an escalation alert is routed peer-to-peer between the transmitting security node and the receiving security node(s).
  - 28. The method of claim 1, wherein said transmission of an escalation alert is routed from the transmitting security node to one or more hub-and-spoke network locations and thence forwarded to the receiving security node(s).
  - 29. The method of claim 1, wherein said transmitting security node is an application monitor tightly coupled with one or more receiving application firewalls.
  - 30. The method of claim 1, wherein said transmitting security node is an application firewall tightly coupled with a receiving application monitor.

31. A cooperative processing and escalation system for application-layer security comprising:
- means for selectively configuring multiple network nodes to operate in two or more predetermined escalating operational modes including standby, passive and active modes, anda same single security node configured to;
  
  identify a security violation;
  
  match said security violation to one or more escalation rule(s) of a pre-defined set of escalation rules, wherein said escalation rule(s) determine how said security node is to respond to said security violation including whether to transmit or receive an escalation trigger or both,create said escalation trigger associated with said matched escalation rule(s), wherein said escalation trigger instructs said multiple network nodes to activate one of said predetermined escalating operational modes, andtransmit said escalation trigger to said multiple network nodes to cause said multiple network nodes to operate in one of said two or more predetermined escalating operational modes in near-real time.
- View Dependent Claims (32, 33, 34, 35)
- - 32. The cooperative processing and escalation system of claim 31, wherein said network nodes are selected from the group consisting of:
    - one or more application-layer security nodes, one or more network-layer security nodes, and a combination thereof.
  - 33. The cooperative processing and escalation system of claim 31, wherein said two or more predetermined operational modes include a bypass mode and a passive mode.
  - 34. The cooperative processing and escalation system of claim 31, wherein said two or more predetermined operational modes include a passive mode and active mode.
  - 35. The cooperative processing and escalation system of claim 31. wherein said two or more predetermined operational modes include a bypass mode and active mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Original Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Inventors
Rozenberg, Yigal, Bartlett, Jeannine A.
Primary Examiner(s)
Chai; Longbit

Application Number

US11/252,303
Publication Number

US 20060179296A1
Time in Patent Office

1,317 Days
Field of Search

713/152
US Class Current

713/152
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

Cooperative processing and escalation in a multi-node application-layer security system and method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

63 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Cooperative processing and escalation in a multi-node application-layer security system and method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links