Network access control

US 8,438,619 B2
Filed: 09/21/2007
Issued: 05/07/2013
Est. Priority Date: 09/21/2007
Status: Active Grant

First Claim

Patent Images

1. An apparatus for controlling access to a network by a plurality of users, comprising:

a criteria engine configured to generate a plurality of criteria to be monitored for at least one user from the plurality of users;

a checker configured to generate at least one check for each of the plurality of criteria;

a profiler configured to retrieve a profile for the at least one user, the profile including the plurality of criteria and the at least one check for each of the plurality of criteria;

a comparator configured to compare the retrieved profile to a summary of a profile received from the at least one user;

a communicator comprising a signal transmitter, the communicator being configured to communicate a message from the signal transmitter to the at least one user based on the comparison;

the comparator being further configured to assign an action type to each of a plurality of discrete levels of compliance for the at least one user; and

an interface configured to receive an instruction to one of modify, add and delete at least one of a profile, a policy, a criteria, and a check,wherein the action type includes at least one of a disconnect action, a quarantine action, and a non-action, and the discrete levels of compliance include at least two value ranges.

View all claims

17 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An system for controlling access to a network by a user device. The system includes a criteria engine that generates a plurality of criteria to be monitored on the user device and a checker that generates at least one check for each of the plurality of criteria. The system further includes a profiler that retrieves a profile for the user device, the profile including the plurality of criteria and the at least one check for each of the plurality of criteria, a comparator that compares a summary of the retrieved profile to a summary of a profile received from the user device and a communicator that communicates a message to the user device based on the comparison.

28 Citations

View as Search Results

21 Claims

1. An apparatus for controlling access to a network by a plurality of users, comprising:
- a criteria engine configured to generate a plurality of criteria to be monitored for at least one user from the plurality of users;
  
  a checker configured to generate at least one check for each of the plurality of criteria;
  
  a profiler configured to retrieve a profile for the at least one user, the profile including the plurality of criteria and the at least one check for each of the plurality of criteria;
  
  a comparator configured to compare the retrieved profile to a summary of a profile received from the at least one user;
  
  a communicator comprising a signal transmitter, the communicator being configured to communicate a message from the signal transmitter to the at least one user based on the comparison;
  
  the comparator being further configured to assign an action type to each of a plurality of discrete levels of compliance for the at least one user; and
  
  an interface configured to receive an instruction to one of modify, add and delete at least one of a profile, a policy, a criteria, and a check,wherein the action type includes at least one of a disconnect action, a quarantine action, and a non-action, and the discrete levels of compliance include at least two value ranges.
- View Dependent Claims (2, 3, 4, 5, 10)
- - 2. The apparatus according to claim 1, wherein:
    - the plurality of criteria comprise a security object and a timestamp of the security object; and
      
      the check comprises at least one of determining;
      
      whether the security object is a particular security object;
      
      whether the security object was updated;
      
      when the security object was updated;
      
      the priority level of the security object; and
      
      a version of the security object.
  - 3. The apparatus according to claim 2, wherein the security object includes at least one of an antivirus application, a firewall application, an antispyware application, an operating system status update, a registry key, an operating system version number, and an external condition.
  - 4. The apparatus according to claim 1, the profile engine being further configured to modify the retrieved profile in accordance with the received instruction.
  - 5. The apparatus according to claim 1, wherein the message is one of an affirmative message and the retrieved profile.
  - 10. The apparatus according to claim 1, further comprising a processor structured and arranged to at least one of process and control data from the criteria engine, the checker, the profiler, the comparator, and the communicator.

6. A system comprising a first apparatus and a second apparatus,the first apparatus being structured and arranged for controlling access to a network by a plurality of users and comprising:
- a criteria engine configured to generate a plurality of criteria to be monitored for at least one user from the plurality of users;
  
  a checker configured to generate at least one check for each of the plurality of criteria;
  
  a profiler configured to retrieve a profile for the at least one user, the profile including the plurality of criteria and the at least one check for each of the plurality of criteria;
  
  a comparator configured to compare the retrieved profile to a summary of a profile received from the at least one user;
  
  a communicator comprising a signal transmitter, the communicator being configured to communicate a message from the signal transmitter to the at least one user based on the comparison;
  
  the comparator being further configured to assign an action type to each of a plurality of discrete levels of compliance for the at least one user; and
  
  an interface configured to receive an instruction to one of modify, add and delete at least one of a profile, a policy, a criteria, and a check,wherein the action type includes at least one of a disconnect action, a quarantine action, and a non-action, and the discrete levels of compliance include at least two value ranges; and
  
  the second apparatus being structured and arranged for use with the first apparatus and comprising;
  
  a communicator configured to receive a profile;
  
  a storage configured to store the profile; and
  
  a profile engine configured to process the profile.
- View Dependent Claims (7, 8, 9)
- - 7. The second apparatus according to claim 6, the profile engine being further configured to determine a status of a plurality of portions of the second apparatus corresponding to the plurality of criteria, the determination being based upon the checks for each of the criteria.
  - 8. The second apparatus according to claim 7, the profile engine being further configured to generate a compliance level based on the determined status of the plurality of portions of the second apparatus.
  - 9. The second apparatus according to claim 8, the communicator being further configured to send the compliance level to said apparatus for controlling access to the network.

11. A method for controlling access to a network by a plurality of users, comprising:
- receiving, via a signal receiver, a compliance level from a signal transmitted from a user;
  
  comparing the compliance level to a predetermined compliance value set;
  
  controlling access to the network by the user based on the comparison; and
  
  generating a policy for the user; and
  
  sending a message to the user,wherein the generating of the policy comprises;
  
  generating a plurality of criteria to be monitored;
  
  generating a check for each criteria of the plurality of criteria;
  
  generating an associated compliance level based on a status of the check for each criteria of the plurality of criteria;
  
  generating the predetermined compliance value set, including at least one compliance value range; and
  
  associating the at least one compliance value range with an action type, access to the network by the user being controlled based on the action type.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method according to claim 11, wherein the compliance value set comprises at least two value ranges of compliance values, and wherein controlling access to the network comprises at least one of disconnecting the user from the network, quarantining the user, and logging the user as healthy.
  - 13. The method according to claim 11, wherein the action type comprises one of disconnecting the user, quarantining the user, and logging the user as healthy.
  - 14. The method according to claim 11, wherein the message comprises one of an affirmative message and the generated policy.
  - 15. The method according to claim 11, wherein the plurality of criteriacomprise at least one of:
    - a spyware portion;
      
      a malware portion;
      
      an antivirus portion;
      
      a specific file type portion;
      
      an operating system status portion;
      
      a user defined trigger;
      
      an update status portion; and
      
      a registry key portion.

16. A method for controlling access to a network by a user that has received a policy comprising a criteria, at least one check for the criteria and a compliance level associated with a status of the at least one check, the method comprising:
- generating a summary of a policy currently being used by the user;
  
  sending via a signal transmitter the summary of the current policy to a host when a condition changes;
  
  receiving via a signal receiver a message from the host;
  
  receiving another policy from the host, the another policy being different from the policy currently being used by the user;
  
  selecting a criteria to be checked in accordance with the received another policy;
  
  checking a status of at least one check corresponding to the selected criteria;
  
  determining a compliance level based on the checked status of the at least one check; and
  
  sending the compliance level to the host, wherein the compliance level corresponds to an action type for controlling access to the network by the user.

17. A non-transitory computer readable medium comprising a plurality of program code sections, which when executed by a processor, cause access to a network by a user to be controlled, the tangible computer readable medium comprising:
- a compliance level receiving code section that, when executed, causes receiving via a signal receiver a compliance level from a user;
  
  a comparing code section that, when executed, causes comparing the compliance level to a predetermined compliance value set; and
  
  an access control code section that, when executed, causes controlling access to the network by the user based on the comparison;
  
  a policy generating code section that, when executed, causes generating a policy for the user; and
  
  a messaging code section that, when executed, causes sending a message to the user,wherein, when executed, the policy generating code section further causes;
  
  generating a plurality of criteria to be monitored;
  
  generating a check for each criteria of the plurality of criteria;
  
  generating an associated compliance level based on a status of the check for each criteria of the plurality of criteria;
  
  generating the predetermined compliance value set, including at least one compliance value range; and
  
  associating the at least one compliance value range with an action type, access to the network by the user being controlled based on the action type.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The non-transitory computer readable medium according to claim 17, wherein the predetermined compliance value set comprises at least two ranges of compliance values, and wherein controlling access to the network comprises at least one of disconnecting the user from the network, quarantining the user, and logging the user as healthy.
  - 19. The non-transitory computer readable medium according to claim 17, further comprising:
    - a policy generating code section that, when executed, causes generating a policy for the user; and
      
      a message sending code section that, when executed, causes sending a message to the user.
  - 20. The non-transitory computer readable medium according to claim 19, wherein the policy generating code section comprises:
    - a criteria generating code section that, when executed, causes generating a criteria;
      
      a check generating code section that, when executed, causes generating at least one check for the criteria; and
      
      an associating code section that, when executed, causes associating at least one compliance value range with an action type, access to the network by the user being controlled based on the action type check for the criteria.
  - 21. The non-transitory computer readable medium according to claim 19, wherein the message is the generated policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Netmotion Wireless Holdings, Inc. (NetMotion Software, Inc.)
Original Assignee
Netmotion Wireless Holdings, Inc. (NetMotion Software, Inc.)
Inventors
Olson, Erik
Primary Examiner(s)
Dada, Beemnet
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US11/859,336
Publication Number

US 20090083835A1
Time in Patent Office

2,055 Days
Field of Search

726/6, 726/1, 726/2, 726/3, 726/4, 726/27, 713/151, 713/152, 713/154, 713/156, 713/166
US Class Current

726/6
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1416 Event detection, e.g. attac...

Network access control

First Claim

17 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Network access control

First Claim

17 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others