Data network and method for checking nodes of a data network

US 7,941,857 B2
Filed: 07/31/2008
Issued: 05/10/2011
Est. Priority Date: 07/31/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A system for checking nodes or information stored at nodes of a data network, said system comprising:

a set of nodes connected to each other by a data transmission path, at least one node comprising a storage medium and a processor device operatively coupled to said storage medium and configured to perform a method comprising;

storing an automatically searchable mark in said storage medium of said at least one node and associated with one or both of;

the at least one node and information stored therein;

the automatically searchable mark corresponding to a privacy policy for controlling storage of, transfer of, or access to the marked information or controlling access to the marked node;

said automatically searchable mark further defining one or more of;

a permissible storage place where the marked information is permissibly stored, a permissible data transmission path for accessing the marked information or the marked node, or a permissible data transmission path for transferring the marked information;

said automatically searchable mark enabling a prior determination where in said data network a data may reside;

a searching engine including a further processor device operatively coupled to said data network and configured to perform a method comprising;

traversing said data network to detect and analyze the automatically searchable mark stored at said marked node in said data network, said further processor device detecting a place on which the marked information is stored and detecting one or more possible data transmission paths within said data network for accessing the marked information or the marked node or a possible data transmission path or data transmission paths for transferring the marked information in said data network, andcomparing the detected storage place of the marked information with the permissible storage place that is defined by the automatically searchable mark of the marked information and checking whether the privacy policy is maintained, and further comparing the detected possible data transmission paths for transferring the marked information or for accessing the marked information or the marked node with the permissible data transmission paths that are defined by the automatically searchable mark of the marked information or by the automatically searchable mark of the marked node, and determining whether the privacy policy is maintained, andupon determining a privacy policy violation, generating an alarm.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a data network, systems and methods for checking nodes of a data network that are used for detecting whether a privacy policy concerning an information is maintained. The information comprises a mark corresponding to the privacy policy. The mark defines the storage place or the accessing paths or the transferring paths of the information. The mark is automatically searchable. The mark is searched, analyzed and checked as to whether the privacy policy is maintained. The advantage of the system is that vulnerabilities of systems for protecting confidential information may be detected a long time before an attack on the confidential information occurs.

Citations

7 Claims

1. A system for checking nodes or information stored at nodes of a data network, said system comprising:
- a set of nodes connected to each other by a data transmission path, at least one node comprising a storage medium and a processor device operatively coupled to said storage medium and configured to perform a method comprising;
  
  storing an automatically searchable mark in said storage medium of said at least one node and associated with one or both of;
  
  the at least one node and information stored therein;
  
  the automatically searchable mark corresponding to a privacy policy for controlling storage of, transfer of, or access to the marked information or controlling access to the marked node;
  
  said automatically searchable mark further defining one or more of;
  
  a permissible storage place where the marked information is permissibly stored, a permissible data transmission path for accessing the marked information or the marked node, or a permissible data transmission path for transferring the marked information;
  
  said automatically searchable mark enabling a prior determination where in said data network a data may reside;
  
  a searching engine including a further processor device operatively coupled to said data network and configured to perform a method comprising;
  
  traversing said data network to detect and analyze the automatically searchable mark stored at said marked node in said data network, said further processor device detecting a place on which the marked information is stored and detecting one or more possible data transmission paths within said data network for accessing the marked information or the marked node or a possible data transmission path or data transmission paths for transferring the marked information in said data network, andcomparing the detected storage place of the marked information with the permissible storage place that is defined by the automatically searchable mark of the marked information and checking whether the privacy policy is maintained, and further comparing the detected possible data transmission paths for transferring the marked information or for accessing the marked information or the marked node with the permissible data transmission paths that are defined by the automatically searchable mark of the marked information or by the automatically searchable mark of the marked node, and determining whether the privacy policy is maintained, andupon determining a privacy policy violation, generating an alarm.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system according to claim 1, wherein the further processor device of said search engine is configured to create an observed graph of the detected possible data transmission paths, wherein in the storage medium a policy graph of permissible data transmission paths is stored, wherein the permissible data transmission paths are the data transmission paths that are allowed for accessing marked information or a marked node or for transferring marked information, wherein the further processor device compares the observed graph with the policy graph for detecting a possible but not permissible data transmission path.
  - 3. The system according to claim 1, wherein the processor device at said at least one node is further configured to store in a log file which marked information or marked node was requested by an access, wherein the further processor device checks the log files of the nodes for detecting the possible data transmission paths for accessing marked information or marked nodes or for transferring marked information.
  - 4. The system according to claim 1, wherein the further processor device is further configured to search for marked information, wherein the further processor device is configured to access marked information in the data network with privileged rights, wherein the searched possible data transmission paths for accessing the marked information were stored, wherein the further processor device compares the automatically searchable mark of the detected marked information with the privileged rights that were used by accessing the marked information, wherein depending on the comparison a possible but not admissible data transmission path could be detected.
  - 5. The system according to claim 1, wherein for at least one of:
    - a user, a machine, an Internet domain, a node, an information a policy graph with allowed data transmission paths, storage place for accessing a marked information, a marked node, for transferring a marked information is provided, and wherein the further processor device is configured to check for the user, the machine, the Internet domain, the node and/or the information, whether the detected possible data transmission paths or storage places exceed the policy graph.
  - 6. The system according to claim 1, wherein for a class of user, a class of nodes, a class of information a policy class graph with allowed paths, storage places for accessing a marked information, a marked node, for transferring marked information is provided, and wherein the further processor is further configured to check for the class of user, the class of nodes, the class of information, whether the detected possible data transmission paths or storage places exceed the policy class graph.

7. A tangible storage medium readable by a processing circuit and storing computer-readable instructions for execution by the processing circuit to perform method steps for checking nodes or information stored at nodes of a data network, said nodes being connected with data transmission paths, said method steps comprising:
- providing an automatically searchable mark located on at least one node for association with one or both of;
  
  the at least one node and information stored therein;
  
  the automatically searchable mark corresponding to a privacy policy for controlling storage of, transfer of, or access to the marked information or, controlling access to the marked node;
  
  said automatically searchable mark further defining one or more of;
  
  a permissible storage place where the marked information is permissibly stored, a permissible data transmission path for accessing the marked information or the marked node, or a permissible data transmission path in which the marked information could be permissibly transferred;
  
  said automatically searchable mark enabling a prior determination where in said data network a data may reside; and
  
  traversing, by a search engine, said data network to detect and analyze the automatically searchable mark stored at said marked node in said data network for detecting the places on which the marked information is stored in said data network and detecting possible data transmission paths for accessing the marked information or the marked node or, detecting a possible data transmission path for transferring the marked information in said data network;
  
  comparing, by the search engine, the detected storage place of the marked information with the permissible storage place that is defined by the automatically searchable mark of the marked information and checking whether the privacy policy is maintained, and comparing the detected possible data transmission paths for transferring the marked information or for accessing the marked information or the marked node with the permissible data transmission paths that are defined by the automatically searchable mark of the marked information or by the automatically searchable mark of the marked node, and determining whether the privacy policy is maintained, andgenerating, by the search engine, an alarm upon determining a privacy policy violation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Baum-Waidner, Birgit, Kenyon, Christopher M., Waidner, Michael P.
Primary Examiner(s)
Zee; Edward

Application Number

US12/183,912
Publication Number

US 20080313736A1
Time in Patent Office

1,013 Days
Field of Search

726/3, 726/22, 726/23, 726/25, 726/27
US Class Current

726/23
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/1408 by monitoring network traff...

Data network and method for checking nodes of a data network

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

Data network and method for checking nodes of a data network

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links