Open federation security techniques with rate limits

US 8,490,160 B2
Filed: 10/04/2007
Issued: 07/16/2013
Est. Priority Date: 10/04/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

receiving, at an access edge server for a first federated enterprise network, a message sent to a client in the first federated enterprise network from a peer in a second federated enterprise network;

determining the peer is an untrusted peer;

comparing by a processor a message rate value with a message rate limit value to generate a threat status indicator value for the untrusted peer, the message rate value determined using a count of a number of messages from the second federated enterprise network, the count including messages from any entity within the second federated enterprise network;

dynamically adjusting the message rate limit value in accordance with a rate adjustment metric based on message traffic patterns including a number of errors communicated to the first federated enterprise network; and

authorizing, by the access edge server, communication of the message from the untrusted peer based on the threat status indicator value.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Open federation security techniques with rate limits are described. An apparatus may include a network interface operative to communicate messages, and a secure open federation (SOF) module operative to manage a message rate between multiple federated networks. The SOF module may comprise a peer authentication module operative to determine whether a peer making the message is an untrusted peer. The SOF module may comprise a peer rate tracking module operative to retrieve a message rate value and a message rate limit value associated with the untrusted peer, and compare the message rate value with the message rate limit value to form a threat status indicator value. The SOF module may comprise a peer authorization module operative to authorize communication of the message based on the threat status indicator value. Other embodiments are described and claimed.

30 Citations

View as Search Results

19 Claims

1. A method, comprising:
- receiving, at an access edge server for a first federated enterprise network, a message sent to a client in the first federated enterprise network from a peer in a second federated enterprise network;
  
  determining the peer is an untrusted peer;
  
  comparing by a processor a message rate value with a message rate limit value to generate a threat status indicator value for the untrusted peer, the message rate value determined using a count of a number of messages from the second federated enterprise network, the count including messages from any entity within the second federated enterprise network;
  
  dynamically adjusting the message rate limit value in accordance with a rate adjustment metric based on message traffic patterns including a number of errors communicated to the first federated enterprise network; and
  
  authorizing, by the access edge server, communication of the message from the untrusted peer based on the threat status indicator value.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, comprising dynamically adjusting the message rate limit value based on one or more rate adjustment metrics.
  - 3. The method of claim 1, comprising dynamically adjusting the message rate limit value in accordance with a rate adjustment metric based on a federation partner type.
  - 4. The method of claim 1, comprising dynamically adjusting the message rate limit value in accordance with a rate adjustment metric based on administrator configuration parameters.
  - 5. The method of claim 1, comprising dynamically adjusting the message rate limit value in accordance with a rate adjustment metric based on a size for a user group.
  - 6. The method of claim 1, comprising dynamically adjusting the message rate limit value in accordance with a rate adjustment metric based on a message traffic direction.
  - 7. The method of claim 1, comprising dynamically adjusting the message rate limit value in accordance with a rate adjustment metric based on a number of message connections.

8. An article of manufacture comprising a computer-readable storage memory unit containing computer-readable, computer-executable instructions that if executed enable a system to:
- receive, at an access edge server for a first federated enterprise network, a message sent to a client in the first federated enterprise network from an untrusted peer in a second federated enterprise network;
  
  compare by a processor a message rate value with a message rate limit value associated with the untrusted peer, the message rate value determined using a count of a number of messages from the second federated enterprise network, the count including messages from any entity within the second federated enterprise network;
  
  dynamically adjust the message rate limit value in accordance with a rate adjustment metric based on message traffic patterns including a number of errors communicated to the first federated enterprise network; and
  
  authorize, by the access edge server, communication of the message based on the comparison.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The article of claim 8, further comprising instructions that if executed enable the system to dynamically adjust the message rate limit value based on one or more rate adjustment metrics.
  - 10. The article of claim 8, further comprising instructions that if executed enable the system to reject the message when a message rate value is equal to or greater than a message rate limit value for the untrusted peer.
  - 11. The article of claim 8, further comprising instructions that if executed enable the system to accept the message when a message rate value is less than a message rate limit value for the untrusted peer.
  - 12. The article of claim 8, wherein the peer is the entire second federated enterprise network.
  - 13. The article of claim 8, further comprising instructions that if executed enable the system to associate a threat watch indicator with the untrusted peer when a message rate value is equal to or greater than a message rate limit value.
  - 14. The article of claim 8, further comprising instructions that if executed enable the system to display an operator message indicating said message has been received from said untrusted peer.

15. An access edge server apparatus, comprising:
- a processor;
  
  a network interface operative to communicate messages;
  
  a secure open federation module executing on the processor in a first federated network, communicatively coupled to the network interface, the secure open federation module operative to manage a message rate between multiple federated networks, the secure open federation module comprising;
  
  a peer authentication module operative to determine whether a peer in a second federated network sending a message to a client in the first federated network is an untrusted peer;
  
  a peer rate tracking module operative to retrieve a message rate value and a message rate limit value associated with the untrusted peer, and compare by the processor the message rate value with the message rate limit value to form a threat status indicator value, the message rate value determined using a count of a number of messages from the second federated network, the count including messages from any entity within the second federated network and to dynamically adjust the message rate limit value in accordance with a rate adjustment metric based on message traffic patterns including a number of errors communicated to the first federated enterprise network; and
  
  a peer authorization module operative to authorize communication of the message based on the threat status indicator value.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The apparatus of claim 15, the peer rate tracking module operative to dynamically adjust the message rate limit value based on one or more rate adjustment metrics.
  - 17. The apparatus of claim 15, wherein the peer is the entire second federated enterprise network.
  - 18. The apparatus of claim 15, comprising a peer tracking database operative to store the message rate value and the message rate limit value.
  - 19. The apparatus of claim 15, the peer authentication module operative to determine the untrusted peer is a trusted peer based on the threat status indicator value after expiration of a defined time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Buch, Jeremy T., Trommsdorff, Michael, Undery, James
Primary Examiner(s)
ZECHER, CORDELIA P K

Application Number

US11/906,850
Publication Number

US 20090092050A1
Time in Patent Office

2,112 Days
Field of Search

726/4
US Class Current

726/4
CPC Class Codes

H04L 51/212 using filtering or selectiv...

H04L 63/1416 Event detection, e.g. attac...

Open federation security techniques with rate limits

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Open federation security techniques with rate limits

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links