System and method for inferring access policies from access event records

US 8,516,539 B2
Filed: 11/10/2008
Issued: 08/20/2013
Est. Priority Date: 11/09/2007
Status: Active Grant

First Claim

Patent Images

1. A method of establishing a policy for a secure transaction in a network system, the method comprising:

selecting a log record from among a plurality of log records, the selected log record including log components indicating a transaction log of an attempt to access a protected resource of a network system via a gateway, the attempt reported by the gateway in the log record, the network system including a predefined table with a plurality of records, each record including a distinguished name and a corresponding descriptive name, each distinguished name comprising at least one of;

an Internet Protocol (IP) address and a port number of a respective network component, each descriptive name being user-defined to describe the respective network component to a user;

automatically translating one or more distinguished names in at least one of the log components of the selected log record to one or more corresponding descriptive names, respectively, by cross referencing using the predefined table each respective descriptive name from a corresponding distinguished name in the at least one log component;

establishing a policy attribute using the translated one or more descriptive names;

creating a respective policy for the gateway based on the established policy attribute, the policy for controlling access to the protected resource; and

presenting the policy which includes the translated one or more descriptive names for approval.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of security gateway policy definition to quickly infer a new policy based on event data extracted and analyzed using business logic and workflow from a gateway event log or behavior log. The method includes reading the components of a log record, translating the components into acceptable policy attributes, creating a new policy based on those attributes, and presenting the new policy to a system administrator for editing and approval.

196 Citations

24 Claims

1. A method of establishing a policy for a secure transaction in a network system, the method comprising:
- selecting a log record from among a plurality of log records, the selected log record including log components indicating a transaction log of an attempt to access a protected resource of a network system via a gateway, the attempt reported by the gateway in the log record, the network system including a predefined table with a plurality of records, each record including a distinguished name and a corresponding descriptive name, each distinguished name comprising at least one of;
  
  an Internet Protocol (IP) address and a port number of a respective network component, each descriptive name being user-defined to describe the respective network component to a user;
  
  automatically translating one or more distinguished names in at least one of the log components of the selected log record to one or more corresponding descriptive names, respectively, by cross referencing using the predefined table each respective descriptive name from a corresponding distinguished name in the at least one log component;
  
  establishing a policy attribute using the translated one or more descriptive names;
  
  creating a respective policy for the gateway based on the established policy attribute, the policy for controlling access to the protected resource; and
  
  presenting the policy which includes the translated one or more descriptive names for approval.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising presenting the policy for approval by displaying the policy on a display device for approval by the user.
  - 3. The method of claim 1, further comprising selecting the log record including the log components indicating the transaction log of the attempt, the attempt comprising a successful or unsuccessful attempt to access the protected resource.
  - 4. The method of claim 3, further comprising editing, responsive to user input, the presented policy prior to approving the presented policy.
  - 5. The method of claim 1, comprising establishing the policy attribute using the translated one or more descriptive names, the one or more descriptive names comprising a descriptive name of at least one of:
    - the protected network resource and a network location from which the policy may authorize access.
  - 6. The method of claim 1, comprising establishing the policy attribute using the translated one or more descriptive names, the one or more descriptive names comprising a descriptive name of the gateway reporting the attempt.
  - 7. The method of claim 1, further comprising identifying the user from the at least one of the log components, and adding a name of the user as a second policy attribute of the policy if the name is validated by a user directory service, the second policy attribute identifying an entity which the policy may authorize access.

8. A method of establishing a policy for a secure transaction in a network system, the network system including network components and a predefined table with a plurality of records, each record including a distinguished name and a corresponding descriptive name, each distinguished name comprising at least one of:
- an Internet Protocol (IP) address and a port number of a respective network component and each descriptive name being user defined to describe the respective network component to a user, the method comprising;
  
  selecting a log record from among a plurality of log records, the selected log record including log components indicating a transaction log of an attempt to access a protected resource of a network system via a gateway, the attempt reported by the gateway in the log record;
  
  translating one or more distinguished names in at least one of the log components to one or more corresponding descriptive names, respectively, by cross referencing using the predefined table each respective descriptive name from a corresponding distinguished name in the at least one log component;
  
  establishing a log policy attribute using the translated one or more descriptive names;
  
  creating a respective policy for the gateway based on the established log policy attribute, the policy for controlling access to the protected resource; and
  
  presenting the policy which includes the translated one or more descriptive names for approval.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8, further comprising:
    - approving, by an administrator, the presented policy; and
      
      sending, to a directory server, the approved policy.
  - 10. The method of claim 8, further comprising adding the translated one or more descriptive names to one or both of the retrieved log record or the created policy.
  - 11. The method of claim 8, further comprising choosing the one or more distinguished names for translation based on values of log components in the selected log record, the log components used to choose the one or more distinguished names include one or more of:
    - (1) a source field;
      
      (2) a destination field;
      
      (3) a service field;
      
      or (4) a gateway field.
  - 12. The method of claim 8, further comprising if the corresponding descriptive names do not exist in the table, responsive to user input, controlling an addition of the corresponding descriptive names into the table.
  - 13. The method of claim 8, further comprising:
    - generating first values associated with default policy attributes;
      
      establishing second values associated with user established policy attributes; and
      
      overriding, by selective ones of the second values associated with user established policy attributes, corresponding ones of the first values associated with the default policy attributes for the user established policy attributes that correspond to the default policy attributes.
  - 14. The method of claim 13, further comprising:
    - automatically generating at least one third value associated with the log policy attribute;
      
      overriding, by the at least one third value associated with the log policy attribute, a corresponding one of the first values associated with the default policy attributes for the log policy attribute that corresponds to the default policy attributes; and
      
      overriding, by the at least one third value associated with the log policy attribute, a corresponding one of the second values associated with the user established policy attributes for the log policy attribute that corresponds to the user established policy attribute.
  - 15. The method of claim 14, further comprising establishing a plurality of log policy attributes, and if one or more values for the log policy attributes of the respective policy to be created are not applied from or do not exist in the default policy attributes or the user established policy attributes, determining the one or more values from the retrieved log record.

16. An administration device for establishing a policy for a secure transaction using stored log records of a network system, comprising:
- an audit module for retrieving at least one respective log record of an attempt to access a protected resource of a network system via a gateway, the attempt reported by the gateway in the log record, the network system including a predefined table with a plurality of records, each record including a distinguished name and a corresponding descriptive name, each distinguished name comprising at least one of;
  
  an Internet Protocol (IP) address and a port number of a respective network component, each descriptive name being user-defined to describe the respective network component to a user;
  
  a policy inference logic module for automatically translating one or more distinguished names in the retrieved log record to one or more corresponding descriptive names, respectively, by cross referencing using the predefined table each respective descriptive name from a corresponding distinguished name in the retrieved log record, establishing a policy attribute using the translated one or more descriptive names, and creating a policy for the gateway based on the retrieved log record and the established policy attribute, the policy for controlling access to the protected resource; and
  
  a policy module for presenting the created policy which includes the translated one or more descriptive names for approval and for communicating the approved policy.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The device of claim 16, wherein the established policy attribute includes a set of default policy attributes having default values and a set of user established policy attributes having user established values, each of the respective user established policy attributes which correspond to the default policy attributes override the default values with the corresponding user established values.
  - 18. The device of claim 17, wherein if one or more values for the policy attribute of the policy to be created are not applied from or do not exist in the default policy attributes or the user established policy attributes, the policy inference logic determines the one or more values from values in the retrieved log record.
  - 19. The device of claim 17, wherein the policy module presents to an administrator the created policy with each value of the policy attribute automatically pre-populated with one of a default value from the default policy attributes, a user established value from the user established policy attributes or a log attribute value determined from the retrieved log record.
  - 20. The device of claim 16, wherein:
    - the at least one respective log record includes a plurality of fields with associated values, as distinguished names of resources on the network system; and
      
      the policy inference logic module reads one or more of the distinguished names in the retrieved log record, translates the one or more distinguished names to the one or more descriptive names, respectively, and adds the one or more descriptive names to one or both of the retrieved log record and the created policy.
  - 21. The device of claim 20, wherein the policy inference logic module is configured to communicate with a directory server such that the read distinguished names are cross referenced in a plurality of reference tables of the directory server to obtain the translated descriptive names.
  - 22. The device of claim 20, wherein when the policy inference logic module reads the retrieved log record, the policy inference logic module requests to cross reference the one or more distinguished names to retrieve corresponding descriptive names from one or more reference tables, if the corresponding descriptive names do not exist in the one or more reference tables, the policy inference logic module, responsive to user input, controls an addition of the corresponding descriptive names in the one or more reference tables.
  - 23. The device of claim 16, wherein the administration device maintains the policy which defines access rules for the network, the access rules including:
    - (1) an entity allowed or denied access;
      
      (2) one or more resources to which the access is granted; and
      
      (3) one or more gateways through which the access is allowed.

24. A non-transitory computer readable storage medium for storing program code to execute the method comprising:
- selecting a log record from among a plurality of log records, the selected log record including log components indicating a transaction log of an attempt to access a protected resource of a network system via a gateway, the attempt reported by the gateway in the log record, the network system including a predefined table with a plurality of records, each record including a distinguished name and a corresponding descriptive name, each distinguished name comprising at least one of;
  
  an Internet Protocol (IP) address and a port number of a respective network component, each descriptive name being user-defined to describe the respective network component to a user;
  
  automatically translating one or more distinguished names in at least one of the log components of the selected log record to one or more corresponding descriptive names, respectively, by cross referencing using the predefined table each respective descriptive name from a corresponding distinguished name in the at least one log component;
  
  establishing a policy attribute using the translated one or more descriptive names;
  
  creating a respective policy for the gateway based on the established policy attribute, the policy for controlling access to the protected resource; and
  
  presenting the policy which includes the translated one or more descriptive names for approval.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Kumar, Srinivas, Weber, Dean A.
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Su, Sarah

Application Number

US12/267,804
Publication Number

US 20090138939A1
Time in Patent Office

1,744 Days
Field of Search

726/1, 726/3, 726/11, 726/12, 713/153
US Class Current

726/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/604   Tools and structures for ma...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

System and method for inferring access policies from access event records

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

196 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

System and method for inferring access policies from access event records

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

196 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others