Assessing risk based on offline activity history

US 8,108,923 B1
Filed: 12/29/2005
Issued: 01/31/2012
Est. Priority Date: 12/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method for accessing a protected network comprising:

logging one or more events into an event log in electronic storage, wherein the one or more events occur while a network capable device is disconnected from the protected network, wherein an amount of information logged about an event is based at least in part on a type of the event and wherein the type of events logged is configurable;

aggregating a log of a quantity of websites visited;

computing, using at least one computer processor, hashes of visited URLs and comparing the computed hashes of visited URLs against hashes of URLs of predetermined malicious websites; and

providing at least one of the event log and the comparison against hashes of URLs of predetermined malicious websites to one or more other devices associated with the protected network in connection with a request for the network capable device to access the protected network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Controlling access to a protected network is disclosed. In some embodiments, one or more events that occur will a host is disconnected from the protected network are logged. The log is provided to one or more devices associated with the protected network when the host requests access to the protected network after a period in which it was not connected. In some embodiments, a network access control or other device or process uses the log to determine whether and/or an extent to which the host should be permitted to connect to the network.

Citations

37 Claims

1. A method for accessing a protected network comprising:
- logging one or more events into an event log in electronic storage, wherein the one or more events occur while a network capable device is disconnected from the protected network, wherein an amount of information logged about an event is based at least in part on a type of the event and wherein the type of events logged is configurable;
  
  aggregating a log of a quantity of websites visited;
  
  computing, using at least one computer processor, hashes of visited URLs and comparing the computed hashes of visited URLs against hashes of URLs of predetermined malicious websites; and
  
  providing at least one of the event log and the comparison against hashes of URLs of predetermined malicious websites to one or more other devices associated with the protected network in connection with a request for the network capable device to access the protected network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further including monitoring activity while disconnected from the protected network.
  - 3. The method of claim 2 wherein said monitoring includes monitoring for one or more of software installation, software removal, registry modification, website visited, access points connected to, other networks connected to, user added, and user deleted.
  - 4. The method of claim 1 wherein said events include one or more of software installation, software removal, registry modification, website visited, access points connected to, other networks connected to, user added, and user deleted.
  - 5. The method of claim 1 wherein the log is provided to a network admission control server.
  - 6. The method of claim 1 wherein the log is provided to a policy manager.
  - 7. The method of claim 1 further including receiving an indication of one or more types of event to be logged.
  - 8. The method of claim 1 further including receiving limited access to the protected network and enforcing an associated limitation.

9. A method for controlling access to a protected network comprising:
- receiving from a network client device requesting access to the protected network an electronic activity log of activities of the network client device during a period in which the network client device was not connected to the protected network, wherein an amount of information about an activity in the activity log is based at least in part on a type of the activity and wherein the type of activities logged is configurable;
  
  receiving an aggregated log of a quantity of websites visited;
  
  receiving a computation of hashes of visited URLs;
  
  comparing the computed hashes of visited URLs against hashes of URLs of predetermined malicious websites; and
  
  determining based at least in part on the activity log and the comparison against hashes of URLs of predetermined websites what access to grant the network client device.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9 wherein determining what access to grant the network client device includes determining to deny access to the network client device if the log indicates the network client device poses a risk to the protected network.
  - 11. The method of claim 9 wherein determining what access to grant the network client device includes granting the network client device limited access to the protected network if the log indicates the network client device poses a limited risk to the protected network.
  - 12. The method of claim 9 wherein determining what access to grant the network client device includes granting the network client device unlimited access to the protected network based at least in part on a determination that the log indicates the network client device poses no significant risk to the protected network.
  - 13. The method of claim 9 further comprising updating policies on one or more nodes on the network based at least in part on the activity log.

14. A system for accessing a protected network comprising:
- a processor configured tolog one or more events that occur while a network capable device is disconnected from the protected network into an event log, wherein an amount of information logged about an event is based at least in part on a type of the event and wherein the type of events logged is configurable;
  
  aggregate a log of a quantity of websites visited;
  
  compute hashes of visited URLs and compare the computed hashes of visited URLs against hashes of URLs of predetermined malicious websites; and
  
  a communication interface configured to provide the event log and the comparison against hashes of URLs of predetermined malicious websites to one or more other devices associated with the protected network in connection with a request for the network capable device to access the protected network.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14, wherein the processor is further configured to monitor activity while disconnected from the protected network.
  - 16. The system of claim 15 wherein said monitoring includes monitoring for one or more of software installation, software removal, registry modification, website visited, access points connected to, other networks connected to, user added, and user deleted.
  - 17. The system of claim 14 wherein said events include one or more of software installation, software removal, registry modification, website visited, access points connected to, other networks connected to, user added, and user deleted.
  - 18. The system of claim 14 wherein the communication interface is configured to provide the log to a network admission control server.
  - 19. The system of claim 14 wherein the communication interface is configured to provide the log to a policy manager.

20. A system for controlling access to a protected network comprising:
- a communication interface configured to receive from a client requesting access to the protected network a log of activities of the client during a period in which the client was not connected to the protected network, wherein an amount of information about an activity in the activity log is based at least in part on a type of the activity and wherein the type of activities logged is configurable;
  
  a processor configured to;
  
  aggregate a log of a quantity of websites visited;
  
  compute hashes of visited URLs and compare the computed hashes of visited URLs against hashes of URLs of predetermined malicious websites; and
  
  determine based at least in part on the activity log and the comparison against hashes of URLs of predetermined malicious websites what access to grant the client.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The system of claim 20 wherein determining what access to grant the client includes determining to deny access to the client if the log indicates the client poses a risk to the protected network.
  - 22. The system of claim 20 wherein determining what access to grant the client includes granting the client limited access to the protected network if the log indicates the client poses a limited risk to the protected network.
  - 23. The system of claim 20 wherein determining what access to grant the client includes granting the client unlimited access to the protected network based at least in part on a determination that the log indicates the client poses no significant risk to the protected network.
  - 24. The system of claim 20 wherein the processor is further configured to update policies on one or more nodes on the network based at least in part on the activity log.

25. A computer program product for accessing a protected network, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- logging one or more events that occur while a network capable device is disconnected from the protected network into an event log, wherein an amount of information logged about an event is based at least in part on a type of the event and wherein the type of events logged is configurable;
  
  aggregating a log of a quantity of websites visited;
  
  computing hashes of visited URLs and comparing the computed hashes of visited URLs against hashes of URLs of predetermined malicious websites; and
  
  providing the event log and the comparison against hashes of URLs of predetermined malicious websites to one or more other devices associated with the protected network in connection with a request for the network capable device to access the protected network.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32)
- - 26. The computer program product as recited in claim 25, the computer program product further comprising computer instructions for monitoring activity while disconnected from the protected network.
  - 27. The computer program product as recited in claim 26 wherein said monitoring includes monitoring for one or more of software installation, software removal, registry modification, website visited, access points connected to, other networks connected to, user added, and user deleted.
  - 28. The computer program product as recited in claim 25 wherein said events include one or more of software installation, software removal, registry modification, website visited, access points connected to, other networks connected to, user added, and user deleted.
  - 29. The computer program product as recited in claim 25 wherein the log is provided to a network admission control server.
  - 30. The computer program product as recited in claim 25 wherein the log is provided to a policy manager.
  - 31. The computer program product as recited in claim 25, the computer program product further comprising computer instructions for receiving an indication of one or more types of event to be logged.
  - 32. The computer program product as recited in claim 25, the computer program product further comprising computer instructions for receiving limited access to the protected network and enforcing an associated limitation.

33. A computer program product for controlling access to a protected network, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- receiving from a client requesting access to the protected network a log of activities of the client during a period in which the client was not connected to the protected network, wherein an amount of information about an activity in the activity log is based at least in part on a type of the activity and wherein the type of activities logged is configurable;
  
  aggregating a log of a quantity of websites visited;
  
  computing hashes of visited URLs and comparing the computed hashes of visited URLs against hashes of URLs of predetermined malicious websites; and
  
  determining based at least in part on the activity log and the comparison against hashes of URLs of predetermined malicious websites what access to grant the client.
- View Dependent Claims (34, 35, 36, 37)
- - 34. The computer program product as recited in claim 33 wherein determining what access to grant the client includes determining to deny access to the client if the log indicates the client poses a risk to the protected network.
  - 35. The computer program product as recited in claim 33 wherein determining what access to grant the client includes granting the client limited access to the protected network if the log indicates the client poses a limited risk to the protected network.
  - 36. The computer program product as recited in claim 33 wherein determining what access to grant the client includes granting the client unlimited access to the protected network based at least in part on a determination that the log indicates the client poses no significant risk to the protected network.
  - 37. The computer program product as recited in claim 33, the computer program product further comprising computer instructions for updating policies on one or more nodes on the network based at least in part on the activity log.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Satish, Sourabh, Hernacki, Brian
Primary Examiner(s)
Srivastava, Vivek
Assistant Examiner(s)
SONG, HEE K

Application Number

US11/324,190
Time in Patent Office

2,224 Days
Field of Search

726 2- 5, 726 16- 17, 726 21- 22, 726 25- 27, 713/166, 713/168
US Class Current

726/11
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

H04L 63/101   Access control lists [ACL]

H04L 63/1425   Traffic logging, e.g. anoma...

Assessing risk based on offline activity history

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Assessing risk based on offline activity history

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links