Open federation security techniques with rate limits
2 Assignments
0 Petitions
Abstract
Open federation security techniques with rate limits are described. An apparatus may include a network interface operative to communicate messages, and a secure open federation (SOF) module operative to manage a message rate between multiple federated networks. The SOF module may comprise a peer authentication module operative to determine whether a peer making the message is an untrusted peer. The SOF module may comprise a peer rate tracking module operative to retrieve a message rate value and a message rate limit value associated with the untrusted peer, and compare the message rate value with the message rate limit value to form a threat status indicator value. The SOF module may comprise a peer authorization module operative to authorize communication of the message based on the threat status indicator value. Other embodiments are described and claimed.
30 Citations
19 Claims
1. A method, comprising:
- receiving, at an access edge server for a first federated enterprise network, a message sent to a client in the first federated enterprise network from a peer in a second federated enterprise network;
- determining the peer is an untrusted peer;
- comparing by a processor a message rate value with a message rate limit value to generate a threat status indicator value for the untrusted peer, the message rate value determined using a count of a number of messages from the second federated enterprise network, the count including messages from any entity within the second federated enterprise network;
- dynamically adjusting the message rate limit value in accordance with a rate adjustment metric based on message traffic patterns including a number of errors communicated to the first federated enterprise network; and
- authorizing, by the access edge server, communication of the message from the untrusted peer based on the threat status indicator value.
Dependent claims: 2, 3, 4, 5, 6, 7
8. An article of manufacture comprising a computer-readable storage memory unit containing computer-readable, computer-executable instructions that if executed enable a system to:
- receive, at an access edge server for a first federated enterprise network, a message sent to a client in the first federated enterprise network from an untrusted peer in a second federated enterprise network;
- compare by a processor a message rate value with a message rate limit value associated with the untrusted peer, the message rate value determined using a count of a number of messages from the second federated enterprise network, the count including messages from any entity within the second federated enterprise network;
- dynamically adjust the message rate limit value in accordance with a rate adjustment metric based on message traffic patterns including a number of errors communicated to the first federated enterprise network; and
- authorize, by the access edge server, communication of the message based on the comparison.
Dependent claims: 9, 10, 11, 12, 13, 14
15. An access edge server apparatus, comprising:
- a processor;
- a network interface operative to communicate messages;
- a secure open federation module executing on the processor in a first federated network, communicatively coupled to the network interface, the secure open federation module operative to manage a message rate between multiple federated networks, the secure open federation module comprising:
  - a peer authentication module operative to determine whether a peer in a second federated network sending a message to a client in the first federated network is an untrusted peer;
  - a peer rate tracking module operative to retrieve a message rate value and a message rate limit value associated with the untrusted peer, to compare by the processor the message rate value with the message rate limit value to form a threat status indicator value, the message rate value determined using a count of a number of messages from the second federated network, the count including messages from any entity within the second federated network, and to dynamically adjust the message rate limit value in accordance with a rate adjustment metric based on message traffic patterns including a number of errors communicated to the first federated enterprise network; and
  - a peer authorization module operative to authorize communication of the message based on the threat status indicator value.
Dependent claims: 16, 17, 18, 19
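As an added illustration (not code from the patent or from any product), the following Python sketch models the three roles the abstract and the claims above give the SOF module: peer authentication against a trusted-network list, rate tracking keyed on the remote federated network (so messages from every entity in that network share one count), a limit that is lowered by an error-based rate adjustment metric, and authorization decided from the resulting threat status. The class and method names, the sliding window, the colour-coded status values and the penalty figures are all assumptions.

```python
from collections import deque

TRUSTED, GREEN, YELLOW, RED = "trusted", "green", "yellow", "red"

class SecureOpenFederation:
    """Hypothetical SOF module: per-network message counts in a sliding
    window, a limit that shrinks with the network's recent error count,
    and authorization only while the threat status is not RED."""

    def __init__(self, trusted_networks, base_limit=100, window_s=60.0,
                 error_penalty=5, min_limit=5):
        self.trusted = set(trusted_networks)   # peer authentication list
        self.base_limit = base_limit           # messages allowed per window
        self.window_s = window_s
        self.error_penalty = error_penalty     # limit reduction per error
        self.min_limit = min_limit             # floor for the dynamic limit
        self.msgs = {}     # network -> deque of message timestamps
        self.errors = {}   # network -> deque of error timestamps

    def _window_count(self, table, network, now):
        """Drop entries older than the window and return the live count."""
        dq = table.setdefault(network, deque())
        while dq and now - dq[0] >= self.window_s:
            dq.popleft()
        return len(dq)

    def record_error(self, network, now):
        """Rate adjustment metric: an error was returned for this network."""
        self._window_count(self.errors, network, now)
        self.errors[network].append(now)

    def rate_limit(self, network, now):
        """Dynamic limit: base limit minus a penalty per error in the window."""
        errs = self._window_count(self.errors, network, now)
        return max(self.min_limit, self.base_limit - self.error_penalty * errs)

    def threat_status(self, network, now):
        rate = self._window_count(self.msgs, network, now)
        limit = self.rate_limit(network, now)
        if rate > limit:
            return RED
        return YELLOW if rate > 0.8 * limit else GREEN

    def authorize(self, sender, now):
        """sender is 'user@network'; the count is keyed on the network part."""
        network = sender.rpartition("@")[2]
        if network in self.trusted:
            return True, TRUSTED
        self._window_count(self.msgs, network, now)
        self.msgs[network].append(now)
        status = self.threat_status(network, now)
        return status != RED, status
```

Timestamps are passed in explicitly rather than read from the clock so that the behaviour is deterministic and easy to unit-test.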