System and method for unified threat management with a relational rules methodology

US 7,735,116 B1
Filed: 03/24/2006
Issued: 06/08/2010
Est. Priority Date: 03/24/2006
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method of controlling access to a networked device, the method comprising:

receiving an incoming message packet by a security gateway coupled to said networked device;

evaluating the received message packet to determine if the received message packet is compliant with a first test, the first test corresponding to a first level of a security hierarchy implemented by said security gateway,wherein the security hierarchy establishes a relationship between security functions from a lowest level to a highest level; and

the received packet is rejected at the earliest possible operation in the processing of the packet in the security hierarchy;

forwarding the received packet and an indication of its compliance with the first test for subsequent processing upon the received packet complying with the first test; and

dropping the received packet whereby no further processing of the received packet is performed upon the received packet not complying with the first test.

View all claims

3 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

A unified threat management system is provided with a uniform relational rules model. The unified relational rules model provides for the sub-setting of rules and the ability to derive a result based partially from previous security measurements. The sharing of a security check from one security implementation to another using an object-oriented methodology is facilitated. Security policy is divided into specific security features that result in a security hierarchy. The security features may be considered to be listed sequentially, from bottom to top, and form a relationship with one another. These relationships are used to build a current security measure upon a previous security measure and may be used as a pre-cursor when marshalling data content to be validated.

134 Citations

19 Claims

1. A method of controlling access to a networked device, the method comprising:
- receiving an incoming message packet by a security gateway coupled to said networked device;
  
  evaluating the received message packet to determine if the received message packet is compliant with a first test, the first test corresponding to a first level of a security hierarchy implemented by said security gateway,wherein the security hierarchy establishes a relationship between security functions from a lowest level to a highest level; and
  
  the received packet is rejected at the earliest possible operation in the processing of the packet in the security hierarchy;
  
  forwarding the received packet and an indication of its compliance with the first test for subsequent processing upon the received packet complying with the first test; and
  
  dropping the received packet whereby no further processing of the received packet is performed upon the received packet not complying with the first test.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising:
    - evaluating the received packet to determine if the received packet complies with a second test, the second test corresponding to a second level of the security hierarchy;
      
      forwarding the received packet and an indication of its compliance with the second test for subsequent processing upon the received packet complying with the second test; and
      
      dropping the received packet whereby no further processing of the received packed is performed upon the received packet not complying with the second test,wherein the second level is higher than the first level in the security hierarchy, andthe security hierarchy comprises at least one other security level between the first and second security levels.
  - 3. The method of claim 2, wherein the first level is said lowest level in the security hierarchy.
  - 4. The method of claim 1, wherein the evaluation of the received packet according to the first test is a function of at least one of:
    - a source address value;
      
      a destination address value;
      
      a source port value;
      
      a destination port value;
      
      a network protocol value;
      
      an incoming interface value;
      
      an outgoing interface value; and
      
      a requested service value.

5. A method of controlling access to a networked device, the method comprising:
- receiving a plurality of incoming message packets by a security gateway coupled to said networked device;
  
  identifying, at a level of a security hierarchy implemented by said security gateway, a subset of the plurality of incoming message packets as being an attack on the networked device,wherein the security hierarchy establishes a relationship between security functions from a lowest level to a highest level;
  
  determining a plurality of indicator parameters of the identified subset of attacking message packets;
  
  dynamically defining an attack defense processing rule as a function of the determined plurality of indicator parameters, wherein said attack defense processing rule may be at any level of said security hierarchy; and
  
  applying the attack defense processing rule to subsequently received incoming message packets to fend off the identified attack.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The method of claim 5, wherein identifying the subset of incoming packets as being an attack comprises:
    - receiving a predetermined number of access requests for the networked device over a predetermined period of time,wherein the access requests have at least one common parameter value.
  - 7. The method of claim 5, wherein the common parameter value is at least one of:
    - a source address value;
      
      a destination address value;
      
      a source port value;
      
      a destination port value;
      
      a network protocol value;
      
      an outgoing interface value; and
      
      a requested service value.
  - 8. The method of claim 7, further comprising:
    - receiving a new incoming message packet;
      
      determining if the attack defense processing rule is to be applied to the received new incoming message packet; and
      
      applying the attack defense processing rule to the new incoming message packet upon said determining if the attack defense processing rule is to be applied finding that the attack defense processing rule should be so applied.
  - 9. The method of claim 8, wherein determining if the attack defense processing rule is to be applied to the new incoming message packet comprises:
    - comparing a subset of the plurality of indicator parameter values to corresponding values of the new incoming message packet; and
      
      if a predetermined number of matches is found, then determining that the attack defense processing rule is to be applied to the new incoming message packet.
  - 10. The method of claim 8, wherein the attack defense processing rule comprises a first test corresponding to a first level of the security hierarchy and a second test corresponding to a second level of the security hierarchy, wherein the security hierarchy comprises at least one other security level between the first and second security levels, the method further comprising:
    - applying the first test to the new incoming message packet,applying the second test to the new incoming message packet if the first test is passed; and
      
      discarding the new incoming message packet if either of the first and second tests is not passed,whereby the new incoming message packet is rejected at the earliest possible operation in the processing of the packet in the security hierarchy.
  - 11. The method of claim 10, wherein the first level is the lowest level in the security hierarchy.
  - 12. The method of claim 10, wherein the second level is higher than the first level in the security hierarchy.

13. A method of controlling access at a networked device, the method comprising:
- identifying a type of access to be controlled by a security gateway coupled to said networked device; and
  
  generating an access control rule applicable to the identified access type,wherein the generated access control rule comprises two portions, each portion corresponding to a level of a security hierarchy implemented by said security gateway; and
  
  the security hierarchy establishes a relationship between security functions from a lowest level to a highest level.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, wherein generating the access control rule comprises:
    - analytically breaking down the access control rule into;
      
      a first portion corresponding to a first level of the security hierarchy; and
      
      a second portion corresponding to a second level of the security hierarchy,wherein the second level is higher than the first level in the security hierarchy, andthe security hierarchy comprises at least one other security level between the first and second security levels.
  - 15. The method of claim 14, wherein the first level is the lowest level in the security hierarchy.
  - 16. The method of claim 14, wherein:
    - the first portion is a first test; and
      
      the second portion is a second test that provides more security scanning than the first test.
  - 17. The method of claim 16, wherein the first test is one of:
    - a packet filtering test; and
      
      a test that scans a set of security attributes associated with lower levels of the Opens Systems Interconnection(OSI) model.
  - 18. The method of claim 16, wherein the second test is one of:
    - a URL scanning test; and
      
      a test that scans a set of security attributes associated with higher levels of the Opens Systems Interconnection(OSI) model.
  - 19. The method of claim 16, wherein:
    - the second test is at an applications layer of the Opens Systems Interconnection(OSI) model and is a function of a least one of a protocol identifier and a resource identifier.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Gauvin, William
Primary Examiner(s)
Song; Hosuk

Application Number

US11/277,429
Time in Patent Office

1,537 Days
Field of Search

713/166, 713150-154, 713/160, 709/230, 380/277, 705/7, 726 2- 3, 726 11- 14
US Class Current

726/2
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

H04L 63/0227   Filtering policies mail mes...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/1441   Countermeasures against mal...

System and method for unified threat management with a relational rules methodology

First Claim

3 Assignments

Litigations

1 Petition

Accused Products

Abstract

134 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

System and method for unified threat management with a relational rules methodology

First Claim

3 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

134 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others