Computer-readable recording medium storing security management program, security management system, and method of security management

US 7,680,826 B2
Filed: 06/15/2006
Issued: 03/16/2010
Est. Priority Date: 03/10/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-readable recording medium storing a security management program for use by a gateway computer to perform security management of jobs submitted to nodes on a network, the security management program, when executed on the gateway computer, causing the gateway computer to function as a system comprising:

a service library management database to store associations between a job program describing processes of a job, and link libraries called by the job program;

a job submission destination management database to store associations between the job program, and job submission destination nodes to which the job has been submitted;

a job execution request-obtaining unit to receive input of a job execution request whereby the job program is obtained;

a service library-determining unit to analyze the job program obtained by said job execution request-obtaining unit, to determine the link libraries to be called by the job program, and to register associations between identification information for identifying the job program and identification information for identifying the link libraries in said service library management database;

a job submission unit to determine submission destination nodes for the job program obtained by said job execution request-obtaining unit, to register identification information identifying the submission destination nodes to which the obtained job program will be transmitted for execution thereon and the identification information identifying the job program in association with each other in said job submission destination management database, and to transmit the job program to the submission destination nodes for causing the submission destination nodes to execute the job program;

a submission destination-determining unit, operable once identification information to identify a vulnerable library having a security defect is input, to refer to said service library management database to thereby obtain the identification information for identifying the job program corresponding to the identification information for identifying the vulnerable library, and to refer to said job submission destination management database to thereby obtain the identification information for identifying the submission destination nodes corresponding to the obtained identification information for identifying the job program;

a forcible job stop unit to instruct the submission destination nodes to forcibly stop processes that are executing the job program using the identified vulnerable library, based on the identification information identifying the job program and the identification information identifying the submission destination nodes, which are obtained by said submission destination-determining; and

a vulnerable library information-obtaining unit to output only identification information for identifying a vulnerable library having a higher degree of risk than a predetermined degree of risk to said submission destination-determining unit, wherein degrees of risk indicative of levels of hazard to be caused by vulnerable libraries are set in a security database.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security management program coping with a security hole found in a library. When a request for executing jobs, including a job program, is input, a service library-determining section analyzes the job program and determines link libraries called by the job program. Then, a job submission section transmits the job program to submission destination nodes, and instructs the submission destination nodes to execute the jobs according to the request. After that, when identification information for identifying a vulnerable library having a security defect is input, a submission destination-determining section obtains identification information for identifying the job program corresponding to the vulnerable library, and identification information for identifying the submission destination nodes corresponding to the job program. Subsequently, a forcible job stop section instructs the submission destination nodes to stop processes for executing the job program.

7 Citations

10 Claims

1. A computer-readable recording medium storing a security management program for use by a gateway computer to perform security management of jobs submitted to nodes on a network, the security management program, when executed on the gateway computer, causing the gateway computer to function as a system comprising:
- a service library management database to store associations between a job program describing processes of a job, and link libraries called by the job program;
  
  a job submission destination management database to store associations between the job program, and job submission destination nodes to which the job has been submitted;
  
  a job execution request-obtaining unit to receive input of a job execution request whereby the job program is obtained;
  
  a service library-determining unit to analyze the job program obtained by said job execution request-obtaining unit, to determine the link libraries to be called by the job program, and to register associations between identification information for identifying the job program and identification information for identifying the link libraries in said service library management database;
  
  a job submission unit to determine submission destination nodes for the job program obtained by said job execution request-obtaining unit, to register identification information identifying the submission destination nodes to which the obtained job program will be transmitted for execution thereon and the identification information identifying the job program in association with each other in said job submission destination management database, and to transmit the job program to the submission destination nodes for causing the submission destination nodes to execute the job program;
  
  a submission destination-determining unit, operable once identification information to identify a vulnerable library having a security defect is input, to refer to said service library management database to thereby obtain the identification information for identifying the job program corresponding to the identification information for identifying the vulnerable library, and to refer to said job submission destination management database to thereby obtain the identification information for identifying the submission destination nodes corresponding to the obtained identification information for identifying the job program;
  
  a forcible job stop unit to instruct the submission destination nodes to forcibly stop processes that are executing the job program using the identified vulnerable library, based on the identification information identifying the job program and the identification information identifying the submission destination nodes, which are obtained by said submission destination-determining; and
  
  a vulnerable library information-obtaining unit to output only identification information for identifying a vulnerable library having a higher degree of risk than a predetermined degree of risk to said submission destination-determining unit, wherein degrees of risk indicative of levels of hazard to be caused by vulnerable libraries are set in a security database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-readable recording medium according to claim 1, wherein the vulnerable library information-obtaining unit to periodically search the security database in which is registered identification information for identifying a vulnerable library whenever a security defect is found in a library, to thereby obtain the identification information for identifying the vulnerable library, and outputting the obtained information to said submission destination-determining unit.
  - 3. The computer-readable recording medium according to claim 2, wherein said vulnerable library information-obtaining unit periodically searches the security database in which is registered identification information for identifying a vulnerable library according to a request for obtaining information on a vulnerable library, the request being issued from said service library-determining unit, to thereby obtain the identification information for identifying the vulnerable library, and passes the information to said service library-determining unit,wherein after determining the link libraries, said service library-determining unit issues the request for obtaining information on a vulnerable library to said vulnerable library information-obtaining unit, receives the identification information for identifying the vulnerable library from said vulnerable library information-obtaining unit, and determines whether or not there exists a link library whose identification information matches the identification information for identifying the vulnerable library, andwherein said job submission unit causes the submission destination nodes to execute the job program only when said service library-determining unit has determined that there is no link library whose identification information matches the identification information for identifying vulnerable libraries.
  - 4. The computer-readable recording medium according to claim 3, wherein degrees of risk indicative of levels of hazard to be caused by vulnerable libraries are set in the security database, andwherein said vulnerable library information-obtaining unit outputs only identification information for identifying a vulnerable library set to have a higher degree of risk than a first predetermined degree of risk, to said submission destination-determining unit, and passes only identification information for identifying a vulnerable library set to have a higher degree of risk than a second predetermined degree of risk lower than the first predetermined degree of risk, to said service library-determining unit.
  - 5. The computer-readable recording medium according to claim 1, wherein the system further comprises a library update-instructing unit to transmit a library update instruction for updating the vulnerable library to a latest version thereof, to the submission destination nodes.
  - 6. The computer-readable recording medium according to claim 5, wherein said forcible job stop unit causes the submission destination nodes to start the job program after the vulnerable library in the submission destination nodes has been updated.
  - 7. The computer-readable recording medium according to claim 1, wherein the link libraries determined by said service library-determining unit include those incorporated in the job program itself and those stored in other files separately from the job program.
  - 8. The computer-readable recording medium according to claim 1, wherein said service library-determining unit registers library names and versions of the link libraries as the identification information for identifying link libraries, in said service library management database, and wherein said submission destination-determining unit receives a library name and a version of the vulnerable library as the identification information for identifying the vulnerable library.

9. A security management system for carrying out security management of jobs submitted to nodes on a network, the security management system comprising:
- a processor;
  
  memory;
  
  a service library management database to store associations between a job program describing processes of a job, and link libraries called by the job program;
  
  a job submission destination management database to store associations between the job program, and job submission destination nodes to which the job has been submitted;
  
  a job execution request-obtaining unit to receive input of a job execution request whereby the job program is obtained;
  
  a service library-determining unit to analyze the job program obtained by said job execution request-obtaining unit, determining the link libraries to be called by the job program, and registering associations between identification information for identifying the job program and identification information for identifying the link libraries in said service library management database;
  
  a job submission unit to determine submission destination nodes for the job program obtained by said job execution request-obtaining unit, register identification information identifying the submission destination nodes to which the obtained job program will be transmitted for execution thereon and the identification information identifying the job program in association with each other in said job submission destination management database, and transmit the job program to the submission destination nodes for causing the submission destination nodes to execute the job program;
  
  a submission destination-determining unit, operable when identification information, to identify a vulnerable library having a security defect is input, to refer to said service library management database to thereby obtain the identification information for identifying the job program corresponding to the identification information for identifying the vulnerable library, and refer to said job submission destination management database to thereby obtain the identification information for identifying the submission destination nodes corresponding to the obtained identification information for identifying the job program;
  
  a forcible job stop unit to instruct the submission destination nodes to forcibly stop processes that are executing the job program using the identified vulnerable library, based on the identification information identifying the job program and the identification information identifying the submission destination nodes, which are obtained by said submission destination-determining unit; and
  
  a vulnerable library information-obtaining unit to output only identification information for identifying a vulnerable library having a higher degree of risk than a predetermined degree of risk to said submission destination-determining unit, wherein degrees of risk indicative of levels of hazard to be caused by vulnerable libraries are set in a security database.

10. A method for use by a gateway computer to perform security management of jobs submitted to nodes on a network, the method comprising:
- receiving input of a job execution request whereby the job program is obtained;
  
  analyzing the job program obtained in said job execution request-obtaining step, determining the link libraries to be called by the job program, and registering associations between identification information for identifying the job program and identification information for identifying the link libraries in a service library management database;
  
  determining submission destination nodes which are to be caused to execute the job program received;
  
  registering identification information identifying the submission destination nodes to which the obtained job program will be transmitted for execution thereon and the identification information identifying the job program in association with each other in a job submission destination management database;
  
  transmitting the job program to the submission destination nodes for causing the submission destination nodes to execute the job program;
  
  referring, when identification information for identifying a vulnerable library having a security defect is input, to the service library management database to thereby obtain the identification information for identifying the job program corresponding to the identification information for identifying the vulnerable library, and referring to the job submission destination management database to thereby obtain the identification information for identifying the submission destination nodes corresponding to the obtained identification information for identifying the job program;
  
  instructing the submission destination nodes to forcibly stop processes that are executing the job program using the identified vulnerable library, based on the identification information identifying the job program and the identification information identifying the submission destination nodes, which are obtained in said referring;
  
  outputting only identification information for identifying a vulnerable library having a higher degree of risk than a predetermined degree of risk, wherein degrees of risk indicative of levels of levels of hazard to be caused by vulnerable libraries are set in a security database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fujitsu Limited
Original Assignee
Fujitsu Limited
Inventors
Imai, Yuji
Primary Examiner(s)
Truong; Cam Y T

Application Number

US11/452,897
Publication Number

US 20070226256A1
Time in Patent Office

1,370 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

G06F 21/51 at application loading time...

H04L 63/0823 using certificates cryptogr...

Computer-readable recording medium storing security management program, security management system, and method of security management

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

7 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Computer-readable recording medium storing security management program, security management system, and method of security management

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links