Policy-based selection of remediation

US 7,665,119 B2
Filed: 09/03/2004
Issued: 02/16/2010
Est. Priority Date: 09/03/2004
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method of automatically determining one or more remediations for a device that includes a processor, the method comprising:

receiving values of a plurality of parameters which collectively characterize an operational state of the device, there being at least one policy associated with at least a given one of the plurality of parameters, the at-least-one policy defining as a condition thereof one or more potential values of, or based upon, the given parameter, violation of the condition potentially being indicative of unauthorized activity or manipulation of the device;

automatically determining, from the received parameter values, whether the conditions for any policies are violated, respectively;

automatically selecting one or more remediations for the device according to the violated policies, respectively; and

deploying the one or more selected remediations to the device, wherein the deploying of the one or more selected remediations includes automatically mapping the one or more selected remediations to one or more actions the execution of which carries out the one or more selected remediations, respectively.

View all claims

7 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

A method, of automatically determining one or more remediations for a device that includes a processor, may include: receiving values of a plurality of parameters which collectively characterize an operational state of the device, there being at least one policy associated with at least a given one of the plurality of parameters, policy defining as a condition thereof one or more potential values of, or based upon, the given parameter, satisfaction of the condition potentially being indicative of unauthorized activity or manipulation of the device; automatically determining, from the received parameter values, whether the conditions for any policies are satisfied, respectively; and automatically selecting one or more remediations for the device according to the satisfied policies, respectively.

Citations

38 Claims

1. A method of automatically determining one or more remediations for a device that includes a processor, the method comprising:
- receiving values of a plurality of parameters which collectively characterize an operational state of the device, there being at least one policy associated with at least a given one of the plurality of parameters, the at-least-one policy defining as a condition thereof one or more potential values of, or based upon, the given parameter, violation of the condition potentially being indicative of unauthorized activity or manipulation of the device;
  
  automatically determining, from the received parameter values, whether the conditions for any policies are violated, respectively;
  
  automatically selecting one or more remediations for the device according to the violated policies, respectively; and
  
  deploying the one or more selected remediations to the device, wherein the deploying of the one or more selected remediations includes automatically mapping the one or more selected remediations to one or more actions the execution of which carries out the one or more selected remediations, respectively.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The method of claim 1, further comprising:
    - automatically determining which of the violated policies are also activated with respect to the device;
      
      wherein the selecting of the one or more remediations is based upon those policies that are both violated and activated.
  - 3. A machine configured to implement the method of claim 2.
  - 4. The method of claim 1, wherein:
    - the at-least-one policy is a first type of policy; and
      
      there is at least one instance of a second type of policy, the second policy type being associated collectively with two or more given ones of the plurality of parameters, the second type of policy defining as a condition thereof a collection of at least two sub-conditions,a first one of the sub-conditions in the collection being defined as one or more potential values of the first parameter, anda second one of the sub-conditions in the collection being defined as one or more potential values of the second parameter,violation of the condition occurring when respective violation of the sub-conditions coincides,the violation of the condition possibly being indicative of unauthorized activity or manipulation of the device.
  - 5. The method of claim 4, wherein, for at least the first sub-condition, the one or more potential values defined for the associated parameter represent normal values thereof.
  - 6. The method of claim 5, wherein, for at least the first and second sub-conditions, the one or more potential values defined for the associated parameters respectively represent normal values thereof.
  - 7. The method of claim 4, wherein:
    - the first parameter is an identification of an entity; and
      
      the first sub-condition is one ofpresence of the entity on a list of permissible entities, andpresence of the entity on a list of impermissible entities.
  - 8. The method of claim 4, wherein:
    - the collection includes a third sub-condition;
      
      the first sub-condition is absence of the entity from a list of permissible entities;
      
      the second sub-condition is absence of the entity from a list of impermissible entities; and
      
      the third sub-condition is violation of the first and second sub-conditions.
  - 9. The method of claim 4, further comprising:
    - representing the collection of conditions in machine-memory as an at least two-level hierarchical tree structure.
  - 10. The method of claim 9, wherein the hierarchical tree structure includes:
    - a root node representing a logical operator; and
      
      at least two leaf nodes respectively reporting to the root node, the leaf nodes being statements of the at-least-two sub-conditions, respectively, evaluation of each statement according to a corresponding one or more of the received parameter values yielding an indication of the statement being true or false.
  - 11. The method of claim 10, wherein the hierarchical tree structure further includes:
    - at least N additional leaf nodes respectively reporting to the root node, where N is a positive integer and N≧
      
      1.
  - 12. The method of claim 11, wherein N≧
    - 2.
  - 13. The method of claim 12, wherein N≧
    - 3.
  - 14. The method of claim 10, wherein the logical operator is one of a logical AND, a logical OR and a logical NOT.
  - 15. The method of claim 10, wherein one or more of the at-least-two leaf nodes is a multi-part node, each multi-part node including:
    - an intermediate node representing a logical operator reporting to the root node; and
      
      at least one sub-leaf node respectively reporting to the intermediate node, each sub-leaf node being a statement of a sub-sub-condition, evaluation of the statement according to a corresponding one or more of the received parameter values yielding an indication of the statement being true or false.
  - 16. The method of claim 15, wherein the multi-part node further includes:
    - at least two sub-leaf nodes respectively reporting to the intermediate node.
  - 17. A machine configured to implement the method of claim 9.
  - 18. The method of claim 1, wherein the condition for at least one policy describes for the corresponding at-least-one parameter one of the following:
    - existence;
      
      non-existence;
      
      a range of potential values thereof;
      
      change in the value thereof;
      
      no-change in the value thereof;
      
      a maximum amount of change in the value thereof;
      
      a minimum amount of change in the value thereof;
      
      a maximum potential value thereof;
      
      a minimum potential value thereof;
      
      being equal to a specific value thereof;
      
      not being equal to a specific value thereof;
      
      presence on a list; and
      
      absence from a list.
  - 19. The method of claim 1, wherein, for at least one policy, the one or more potential values defined as the condition for the given parameter represent aberrations from normal values of the given parameter.
  - 20. The method of claim 1, wherein at least one policy has as the condition thereof one or more values that are based upon a change in the given parameter.
  - 21. The method of claim 20, wherein at least one policy has as the condition thereof one or more values representing a difference between a current value of the given parameter and a previous value thereof.
  - 22. The method of claim 1, wherein each action is an automatically-machine-actionable type of operation.
  - 23. The method of claim 22, wherein each operation is a machine-language command.
  - 24. The method of claim 23, wherein the machine-language command is a set of one or more Java byte codes.
  - 25. A machine configured to implement the method of claim 1.

26. A machine-readable medium comprising instructions, execution of which by a machine determines one or more remediations for a device that includes a processor, the machine-readable instructions including:
- a first code segment to receive values of a plurality of parameters which collectively characterize an operational state of the device, there being at least one policy associated with at least a given one of the plurality of parameters, policy defining as a condition thereof one or more potential values of, or based upon, the given parameter, violation of the condition potentially being indicative of unauthorized activity or manipulation of the device;
  
  a second code segment to automatically determine, from the received parameter values, whether the conditions for any policies are violated, respectively;
  
  a third code segment to automatically select one or more remediations for the device according to the violated policies, respectively; and
  
  a fourth code segment to automatically create, for each violated policy, a machine-actionable map between the policy, the corresponding one or more selected remediations and the device.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 27. The machine-readable medium of claim 26, wherein the machine-readable instructions further include:
    - a fifth code segment to automatically determine which of the violated policies are also activated with respect to the device;
      
      the third code segment selecting the one or more remediations based upon those policies that are both violated and activated.
  - 28. The machine-readable medium of claim 26, wherein:
    - the at-least-one policy is a first type of policy; and
      
      there is at least one instance of a second type of policy, the second policy type being associated collectively with two or more given ones of the plurality of parameters, the second type of policy defining as a condition thereof a collection of at least two sub-conditions,a first one of the sub-conditions in the collection being defined as one or more potential values of the first parameter, anda second one of the sub-conditions in the collection being defined as one or more potential values of the second parameter,violation of the condition occurring when respective violation of the sub-conditions coincides,the violation of the condition possibly being indicative of unauthorized activity or manipulation of the device.
  - 29. The machine-readable medium of claim 28, the machine-readable instructions further include:
    - a fifth code segment to represent the collection of conditions in machine-memory as an at least two-level hierarchical tree structure.
  - 30. The machine-readable medium of claim 29, wherein the fifth code segment represents the hierarchical tree structure as including:
    - a root node representing a logical operator; and
      
      at least two leaf nodes respectively reporting to the root node, the leaf nodes being statements of the at-least-two sub-conditions, respectively, evaluation of each statement according to a corresponding one or more of the received parameter values yielding an indication of the statement being true or false.
  - 31. The machine-readable medium of claim 30, wherein the fifth code segment represents the hierarchical tree structure as further including:
    - at least N additional leaf nodes respectively reporting to the root node, where N is a positive integer and N≧
      
      1.
  - 32. The machine-readable medium of claim 30, wherein the fifth code segment represents one or more of the at-least-two leaf nodes as a multi-part node, each multi-part node including:
    - an intermediate node representing a logical operator reporting to the root node; and
      
      at least one sub-leaf node respectively reporting to the intermediate node, each sub-leaf node being a statement of a sub-sub-condition, evaluation of the statement according to a corresponding one or more of the received parameter values yielding an indication of the statement being true or false.
  - 33. The machine-readable medium of claim 26, wherein the condition for at least one policy describes for the corresponding at-least-one parameter one of the following:
    - existence;
      
      non-existence;
      
      a range of potential values thereof;
      
      change in the value thereof;
      
      no-change in the value thereof;
      
      a maximum amount of change in the value thereof;
      
      a minimum amount of change in the value thereof;
      
      a maximum potential value thereof;
      
      a minimum potential value thereof;
      
      being equal to a specific value thereof;
      
      not being equal to a specific value thereof;
      
      presence on a list; and
      
      absence from a list.
  - 34. The machine-readable medium of claim 26, wherein the fourth code segment is further operable to automatically expand, for each of the violated policies, the machine-actionable map to include mapping to one or more actions the execution of which carries out the one or more selected remediations, respectively.
  - 35. The machine-readable medium of claim 26, further comprising:
    - a fifth code segment to deploy the one or more selected remediations as one or more automatically-machine-actionable actions.
  - 36. The machine-readable medium of claim 35, wherein each automatically-machine-actionable action takes the form of a set of one or more Java byte codes.

37. An apparatus for determining one or more remediations for a device that includes a processor, the apparatus comprising:
- means for receiving values of a plurality of parameters which collectively characterize an operational state of the device, there being at least one policy associated with at least a given one of the plurality of parameters, policy defining as a condition thereof one or more potential values of, or based upon, the given parameter, violation of the condition potentially being indicative of unauthorized activity or manipulation of the device;
  
  means for automatically determining, from the received parameter values, whether the conditions for any policies are violated, respectively; and
  
  means for automatically selecting one or more remediations for the device according to the violated policies, respectively andmeans for deploying the one or more selected remediations to the device, wherein the deploying of the one or more selected remediations includes automatically mapping the one or more selected remediations to one or more actions the execution of which carries out the one or more selected remediations, respectively.
- View Dependent Claims (38)
- - 38. The method of claim 37, further comprising:
    - means for automatically determining which of the violated policies are also activated with respect to the device;
      
      wherein the means for selecting is operable to automatically select the one or more remediations based upon those policies that are both violated and activated.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Fortinet Inc.
Original Assignee
Secure Elements Incorporated (Fortinet Inc.)
Inventors
Bezilla, Daniel Bailey, Immordino, John Leonard, Ogura, James Le
Primary Examiner(s)
Revak, Christopher A

Application Number

US10/933,504
Publication Number

US 20060053475A1
Time in Patent Office

1,992 Days
Field of Search

726/25
US Class Current

726/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/57   Certifying or maintaining t...

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Policy-based selection of remediation

First Claim

7 Assignments

Litigations

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based selection of remediation

First Claim

7 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links