Autonomic self-healing network

US 8,407,240 B2
Filed: 01/03/2006
Issued: 03/26/2013
Est. Priority Date: 01/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining information dynamically of assets residing on a network by discovering the assets connected to the network, populating an assets database, and performing ongoing monitoring of the network to determine and reconcile previously unknown assets;

comparing a device identifier to the dynamically obtained information of assets at a time of a request to access the network;

determining that the device identifier matches the dynamically obtained information of assets;

determining that the assets comply with one or more rules at the time of the request to access the network, wherein access to the network is permitted only after the determining steps; and

quarantining a device from the network or a portion thereof based upon one or more of the determining steps.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method capable of obtaining information dynamically of assets residing on a network. The system and method further capable of comparing a device identifier to the dynamically obtained information of assets and policies at a time of a request to access the network and determining whether the device identifier matches at least one of the dynamically obtained information of assets and policies. The system and method further capable of quarantining the device from the network or a portion thereof based upon the determining.

Citations

37 Claims

1. A method comprising:
- obtaining information dynamically of assets residing on a network by discovering the assets connected to the network, populating an assets database, and performing ongoing monitoring of the network to determine and reconcile previously unknown assets;
  
  comparing a device identifier to the dynamically obtained information of assets at a time of a request to access the network;
  
  determining that the device identifier matches the dynamically obtained information of assets;
  
  determining that the assets comply with one or more rules at the time of the request to access the network, wherein access to the network is permitted only after the determining steps; and
  
  quarantining a device from the network or a portion thereof based upon one or more of the determining steps.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the quarantining step comprises directing the device to a segmented portion of the network.
  - 3. The method of claim 2, wherein the segmented portion is based upon pre-defined policies and known assets to the network.
  - 4. The method of claim 1, wherein the quarantining step comprises switching the device to a virtual network.
  - 5. The method of claim 1, further comprising resolving authorization of the quarantined device.
  - 6. The method of claim 1, wherein the obtaining step comprises performing ongoing discovery of assets connected to the network to populate an assets database.
  - 7. The method of claim 6, wherein the ongoing discovery is performed either continuously or periodically.
  - 8. The method of claim 6, wherein the ongoing discovery is performed actively or passively.
  - 9. The method of claim 1, further comprising authorizing access to the network based upon a match between the device identifier and at least one of the dynamically obtained information of assets and policies.
  - 10. The method of claim 9, wherein the authorizing step comprises granting limited access to the network.
  - 11. The method of claim 9, wherein the authorizing step comprises granting access to a portion of the network.
  - 12. The method of claim 1, further comprising providing a warning based upon certain violations of the policies.
  - 13. The method of claim 1, further comprising querying a policy database to obtain the one or more rules.
  - 14. The method of claim 13, wherein the ongoing monitoring is configured to detect existing servers, clients, and one of stolen or borrowed Internet Protocol (IP) addresses.
  - 15. The method of claim 14, wherein the quarantine persists until the device identifier matches the dynamically obtained information of assets and/or the assets comply with the one or more rules.
  - 16. The method of claim 1, wherein the device identifier comprises a version of an operating system;
    - an IP address;
      
      a version of at least one patch;
      
      a Media Access Control (MAC) address of a server;
      
      an owner of the server;
      
      whether the server is authorized to access the network;
      
      a security settings on a wireless device;
      
      a service set identifier (SSID);
      
      an extended service set identifier (ESSID);
      
      whether the wireless device is authorized to access the network;
      
      whether an antivirus software is installed and current; and
      
      whether certain services are enabled.

17. A method comprising:
- receiving a request for access to a network from a device;
  
  verifying whether the device is known by querying an assets database;
  
  verifying whether the request complies with a rule set by querying a policy database;
  
  granting access to the network or portions thereof only when the device is known and complies with the rule set;
  
  quarantining the device to a virtual network or segment thereof based upon the denied access; and
  
  obtaining information dynamically of assets residing on the network by ongoing monitoring of the network to determine and reconcile previously unknown assets, wherein the ongoing monitoring is configured to detect existing servers, clients, and one of stolen or borrowed Internet Protocol (IP) addresses.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 18. The method of claim 17, wherein the segmented portion is based upon pre-defined policies and known assets to the network.
  - 19. The method of claim 17, wherein the quarantining step comprises switching the device to a virtual network.
  - 20. The method of claim 17, further comprising resolving authorization of the quarantined device.
  - 21. The method of claim 17, wherein the obtaining step comprises performing ongoing discovery of assets connected to the network to populate the assets database.
  - 22. The method of claim 21, wherein the ongoing discovery is performed either continuously or periodically and is performed actively or passively.
  - 23. The method of claim 17, further comprising comparing a device identifier of the device to assets which are dynamically obtained by the assets database.
  - 24. The method of claim 23, wherein the quarantining step is based on the comparison of the device identifier to the assets.
  - 25. The method of claim 23, further comprising authorizing access to the network based upon a match between the device identifier and at least one of the dynamically obtained information of assets and the rule sets.
  - 26. The method of claim 25, wherein the authorizing step comprises granting limited access to the network.
  - 27. The method of claim 25, wherein the authorizing step comprises granting access to a portion of the network.
  - 28. The method of claim 17, further comprising providing a warning based upon certain violations of the rule sets.
  - 29. The method of claim 17, wherein the policy database includes a minimum version of an operating system, a minimum patch level, a minimum software version, a wireless requirements, at least one client requirement, and at least one service requirement.

30. A system for quarantining devices on a network comprising:
- means for obtaining information dynamically of assets residing on the network by discovering the assets connected to the network, populating an assets database, and performing ongoing monitoring of the network to determine and reconcile previously unknown assets;
  
  means for comparing a device identifier to the dynamically obtained information of assets at a time of a request to access the network;
  
  means for determining that the device identifier matches the dynamically obtained information of assets;
  
  means for determining that the assets comply with one or more rules at the time of the request to access the network, wherein access to the network is permitted only after the device identifier is matched and the assets comply with the one or more rules; and
  
  means for quarantining the device from the network or a portion thereof based upon one or more of the determinations;
  
  wherein the means for obtaining, comparing, determining, and quarantining is embodied in one of a hardware environment and a combination of a software environment and a hardware environment.
- View Dependent Claims (31, 32, 33, 34, 35, 36)
- - 31. The system of claim 30, wherein the means for quarantining comprises directing the device to a segmented portion of the network.
  - 32. The system of claim 30, further comprising means for switching the device to a virtual network based on the determination.
  - 33. The system of claim 30, further comprising means for resolving authorization of the quarantined device.
  - 34. The system of claim 30, wherein the ongoing discovery is performed by one of continuously, periodically, actively and passively.
  - 35. The system of claim 30, further comprising means for authorizing access to the network or a portion thereof based upon a match between the device identifier and at least one of the dynamically obtained information of assets and policies.
  - 36. The system of claim 30, further comprising means for providing a warning based upon certain violations of the policies.

37. A computer program product comprising a computer useable storage medium including a computer readable program, wherein the computer readable program when executed on a computer causes the computer to:
- obtain information dynamically of assets residing on a network by discovering the assets connected to the network, populating an assets database, and performing ongoing monitoring of the network to determine and reconcile previously unknown assets;
  
  compare a device identifier to the dynamically obtained information of assets at a time of a request to access the network;
  
  determine that the device identifier matches the dynamically obtained information of assets;
  
  determine that the assets comply with one or more rules at the time of the request to access the network, wherein access to the network is permitted only after the device identifier is matched and the assets comply with the one or more rules; and
  
  quarantine the device from the network or a portion thereof based upon one or more of the determining steps.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Denton, Guy S.
Primary Examiner(s)
Saeed, Usmaan
Assistant Examiner(s)
VO, CECILE H

Application Number

US11/324,869
Publication Number

US 20070157313A1
Time in Patent Office

2,639 Days
Field of Search

707/5, 707/9, 707/705, 707758-759, 707765-766, 710/1, 711/147, 711/163, 715716-726, 726 1- 36, 705 22- 44, 709225-249
US Class Current

707/766
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/85   interconnection devices, e....

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Autonomic self-healing network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Autonomic self-healing network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links