Method for the automatic setting and updating of a security policy

US 7,614,085 B2
Filed: 05/01/2003
Issued: 11/03/2009
Est. Priority Date: 05/09/2002
Status: Active Grant

First Claim

Patent Images

1. A method for the automatic update of a security policy enforced by at least one security package within a computerized system, comprising the steps of:

a. Providing within the computerized system at least one trusted source, each capable of issuing a security report detailing at least one of;

network protocol and its related attributes, application protocol and its related attributes application paths, application action, application action attributes, and application action flow, or security flaws within the computerized system;

b. Periodically operating each of said at least one trusted source in order to issue a respective security report;

c. Importing each respective security report into a security correcting unit, and forming one consolidated file comprising the details from each respective security report;

d. Importing into said security correcting unit one or more attributes files of said at least one security package;

e. Separately comparing the content of said consolidated file with the content of each of the imported attributes files, and updating each attributes file with security information included within said consolidated file;

f. Separately exporting said updated attributes files and effecting each of them as the active attributes file or files of the corresponding security package;

g. Using a predefined set of logical rules to decide which content from said consolidated file to effect and which to ignore; and

h. Importing into said security correcting unit a second type report comprising application locations and paths that are defined by said security correcting unit as the only valid locations and paths for accessing an application, and said security correcting unit updating one or more relevant attribute files using the content of said second type report, thereby effecting an updated security policy.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method for creating and/or updating a security policy within a computerized system protected by at least one security package, comprising: (a) Providing at least one trusted source within the system, capable of issuing a report detailing the structure and/or attributes of the system and/or security flaws within the system; (b) Periodically operating said at least one trusted source in order to periodically issue said report; (c) Importing each trusted source report into a security correcting unit, and forming one consolidated file containing the details from all said reports; (d) Importing into said security correcting unit the attributes files of all the security packages; (e) Separately comparing the content of said consolidated file with each of the imported attributes files, and updating each attributes file with the security information included within said consolidated file, information which is missing from the said attributes file, and is relevant to said attributes file; and (f) Separately exporting said updated attributes files and effecting each of them as the active attributes file of the corresponding security package, thereby effecting an updated security policy.

Citations

15 Claims

1. A method for the automatic update of a security policy enforced by at least one security package within a computerized system, comprising the steps of:
- a. Providing within the computerized system at least one trusted source, each capable of issuing a security report detailing at least one of;
  
  network protocol and its related attributes, application protocol and its related attributes application paths, application action, application action attributes, and application action flow, or security flaws within the computerized system;
  
  b. Periodically operating each of said at least one trusted source in order to issue a respective security report;
  
  c. Importing each respective security report into a security correcting unit, and forming one consolidated file comprising the details from each respective security report;
  
  d. Importing into said security correcting unit one or more attributes files of said at least one security package;
  
  e. Separately comparing the content of said consolidated file with the content of each of the imported attributes files, and updating each attributes file with security information included within said consolidated file;
  
  f. Separately exporting said updated attributes files and effecting each of them as the active attributes file or files of the corresponding security package;
  
  g. Using a predefined set of logical rules to decide which content from said consolidated file to effect and which to ignore; and
  
  h. Importing into said security correcting unit a second type report comprising application locations and paths that are defined by said security correcting unit as the only valid locations and paths for accessing an application, and said security correcting unit updating one or more relevant attribute files using the content of said second type report, thereby effecting an updated security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method according to claim 1, wherein:
    - a. The step of importing each respective security source report further comprises the step of transforming each respective security report into a common format, and forming said consolidated file in said common format;
      
      b. The step of importing into said security correcting unit one or more attributes files of said at least one security package further comprises the step of transforming each attributes file into said common format; and
      
      c. The step of separately exporting each of said updated attributes files and effecting the same as the active attributes file or files of the corresponding security package further comprises the step of transforming said attributes file from a common format into a package specific format, prior to said exporting.
  - 3. A method according to claim 1, wherein each respective security report comprises at least one attribute component.
  - 4. A method according to claim 2 wherein each respective security report is arranged in the corresponding trusted source specific format.
  - 5. A method according to claim 2 wherein each of said attributes files is arranged in the corresponding security package specific format.
  - 6. A method according to claim 1, wherein each security package effects a security policy within its predefined range of responsibility, according to the content of its attributes file.
  - 7. A method according to claim 1, wherein one of said at least one trusted source comprises a security scanner.
  - 8. A method according to claim 3, wherein said attribute component is intended to eliminate a known flaw.
  - 9. A method according to claim 3, wherein said attribute component is related to the current structure of the system, which when recorded within an updated attributes file enforces a security policy bounded to said structure, thereby rejecting activity deviated from said structure.

10. A computerized system for the automatic update of a security policy, the computerized system comprising one or more computers collectively comprising the following components:
- a. At least one security package enforcing a security policy within a predefined range of responsibility, said policy being defined by a specific, attributes file associated with each of said at least one security package;
  
  b. At least one trusted source capable of issuing a security report detailing at least one of;
  
  network protocol and its related attributes, application protocol and its related attributes, application paths, application action, application action attributes, and application action flow or security flaws within the system;
  
  c. A security correcting unit for;
  
  importing said report from each of said at least one trusted source, and producing a consolidated file including information from each said report;
  
  importing a second type report comprising application locations and paths that are defined by said security correcting unit as the only valid locations and paths for accessing an application, and updating one or more relevant attribute files using the content of said second type report, andimporting the attributes file from each of said at least one security package, separately comparing the content of said consolidated file with each of the imported attributes files, and updating each attributes file with security information included within said consolidated file, using a predefined set of logical rules to decide which content from said consolidated file to effect and which to ignore, and exporting said updated attributes files and effecting each of them as the active attributes file of the corresponding security package, thereby effecting an updated security policy.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. A system according to claim 10 wherein the security correcting unit further comprises:
    - At least one first importing modules for importing reports from each of said at least one trusted source;
      
      A consolidation module for receiving each of said reports and forming one consolidated file containing information included in said reports;
      
      At least one second importing modules for importing into the correcting unit from each security package its corresponding attributes file;
      
      A security policy creation module comprising a set of predefined logical decision rules for use while updating the attributes files, for comparing the content of said consolidated file with each of the imported attributes files, and updating each attributes file with the security information included within said consolidated file, information which is missing from the said attributes file, and is relevant to said attributes file; and
      
      At least one exporting module for exporting each updated attributes file into its corresponding security package, thereby effecting an updated security policy.
  - 12. A system according to claim 11, further comprising at least one first transform modules for transforming each report from its trusted source specific format into a common format, at least one second transform modules for transforming each imported attributes security package from its package specific format into a common format, and at least one third transform modules for transforming each updated attributes file from a common format into its package specific format before its exportation into the corresponding package, and wherein the consolidated file is also arranged in said common format.
  - 13. System according to claim 10, wherein one of the security packages comprises an Intrusion Detection System, whose set of signatures is stored within a file, said file being treated as the attributes file of a security package, and is therefore updated accordingly.
  - 14. System according to claim 10, wherein one of the security packages comprises an application switch, whose set of attributes that is used for direction being stored within a file, said file being treated by the system as an attributes file of a security package, and is therefore updated accordingly.
  - 15. System according to claim 10, wherein one of the security packages comprises an Application Layer Firewall, whose set of attributes that is used for denying actions or accesses within the application or allowing legal actions or accesses within the application is stored within a file, said file being treated by the system as an attributes file of a security package, and is therefore updated accordingly.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Protegrity US Holding LLC
Original Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Inventors
Ben-Itzhak, Yuval
Primary Examiner(s)
Dinh; Minh

Application Number

US10/433,532
Publication Number

US 20050038881A1
Time in Patent Office

2,378 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Method for the automatic setting and updating of a security policy

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method for the automatic setting and updating of a security policy

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links