System and method for automatically configuring application control rules

US 8,943,547 B2
Filed: 12/04/2013
Issued: 01/27/2015
Est. Priority Date: 06/28/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for configuring application control rules, comprising:

generating a new application control rule that specifies restrictions or a permission on executing a software application, a function of an application or a category of applications;

collecting information about one or more computers in a network, the information comprising information about software applications deployed on the one or more computers and one or more existing application control rules associated with the software applications;

determining a priority for each of the new application control rule and the one or more existing application control rules;

testing, by a processor, the new application control rule using the collected information to determine verdicts rendered by the new application control rule that restrict or permit an execution of the software application, the function of an application or the category of applications;

comparing verdicts rendered by the new application rule with the verdicts rendered by the existing application control rules to identify conflicts between the compared rules; and

upon detecting a conflict between the compared rules, reconfiguring one of the compared rules with a lower priority to eliminate the conflict.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are systems, methods and computer program products for configuring application control rules. The system creates a new application control rule that specifies restrictions or permission on execution a software application, a function of an application or a category of applications. The system then collects information about one or more computers in a network, including information about software applications deployed on the computers and existing application control rules. The system then tests the new application control rule using the collected information to determine verdicts rendered by the new application control rule that restrict or permit execution of an application, certain function of an application or a category of applications. The system then compares verdicts rendered by the new application rule with the verdicts rendered by the existing application control rules to identify conflicting rules, and reconfigures the new application control rule to eliminate conflicts.

8 Citations

View as Search Results

20 Claims

1. A computer-implemented method for configuring application control rules, comprising:
- generating a new application control rule that specifies restrictions or a permission on executing a software application, a function of an application or a category of applications;
  
  collecting information about one or more computers in a network, the information comprising information about software applications deployed on the one or more computers and one or more existing application control rules associated with the software applications;
  
  determining a priority for each of the new application control rule and the one or more existing application control rules;
  
  testing, by a processor, the new application control rule using the collected information to determine verdicts rendered by the new application control rule that restrict or permit an execution of the software application, the function of an application or the category of applications;
  
  comparing verdicts rendered by the new application rule with the verdicts rendered by the existing application control rules to identify conflicts between the compared rules; and
  
  upon detecting a conflict between the compared rules, reconfiguring one of the compared rules with a lower priority to eliminate the conflict.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein collecting information about one or more computers further includes:
    - assigning identified applications to one or more categories based on at least one of an application developer, an application function, and application metadata.
  - 3. The method of claim 1, wherein collecting information about one or more computers further includes:
    - collecting user accounts for the one or more computers;
      
      categorizing identified computer users into a plurality of different user roles; and
      
      generating application control policies for the plurality of different user roles, wherein each policy includes one or more application control rules.
  - 4. The method of claim 3, wherein testing the new application control rule includes:
    - applying the new and existing application control rules to the identified computer users;
      
      receiving verdicts of each applied application control rule restricting or permitting the execution of the software application, the function of an application or the category of applications to the identified computer users; and
      
      comparing verdicts of the new and existing application control rules for the same application and the same computer user to identify conflicting application control rules.
  - 5. The method of claim 4, wherein two or more application control rules conflict with each other when at least one application control rule permits the execution of the software application, the function of an application or the category of applications to a user and at least one other application control rules prohibits an execution of the same application, same function of the application or the same category of applications to the same user.
  - 6. The method of claim 1, further comprising testing jointly the new application control rule and the one or more existing application control rules using the collected information to determine verdicts rendered by the new application control rule and the one or more existing application control rules that restrict or permit the execution of the software application, the function of the application or the category of applications.
  - 7. The method of claim 1, wherein reconfiguring the new application control rules further includes adding an exception to the new application control rule that eliminates a conflict with the conflicting existing application control rule.

8. A system for configuring application control rules, the system comprising:
- a hardware processor configured to;
  
  generate a new application control rule that specifies restrictions or a permission on executing a software application, a function of an application or a category of applications;
  
  collect information about one or more computers in a network, the information comprising information about software applications deployed on the one or more computers and one or more existing application control rules associated with the software applications;
  
  determine a priority for each of the new application control rule and the one or more existing application control rules;
  
  test the new application control rule using the collected information to determine verdicts rendered by the new application control rule that restrict or permit an execution of an application, certain function of the software application, the function of an application or the category of applications;
  
  compare verdicts rendered by the new application rule with the verdicts rendered by the existing application control rules to identify conflicts between the compared rules; and
  
  upon detecting a conflict between the compared rules, reconfigure one of the compared rules with a lower priority to eliminate the conflict.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein to collect information about one or more computers, the processor is further configured to:
    - assign identified applications to one or more categories based on at least one of an application developer, an application function, and application metadata.
  - 10. The system of claim 8, wherein to collect information about one or more computers, the processor is further configured to:
    - collect user accounts for the one or more computers;
      
      categorize identified computer users into a plurality of different user roles; and
      
      generate application control policies for the plurality of different user roles, wherein each policy includes one or more application control rules.
  - 11. The system of claim 8, wherein to test the new application control rule, the processor is further configured to:
    - apply the new and existing application control rules to the identified computer users;
      
      receive verdicts of each applied application control rule restricting or permitting the execution of the software application, the function of an application or the category of applications to the identified computer users; and
      
      compare verdicts of the new and existing application control rules for the same application and the same computer user to identify conflicting application control rules.
  - 12. The system of claim 11, wherein two or more application control rules conflict with each other when at least one application control rule permits the execution of the software application, the function of an application or the category of applications to a user and at least one other application control rules prohibits an execution of the same application, same function of the application or the same category of applications to the same user.
  - 13. The system of claim 8, wherein the processor is further configured to test jointly the new application control rule and the one or more existing application control rules using the collected information to determine verdicts rendered by the new application control rule and the one or more existing application control rules that restrict or permit the execution of the software application, the function of the application or the category of applications.
  - 14. The system of claim 8, wherein to reconfigure the new application activation control rules, the processor further configured to add an exception to the new application control rule that eliminates a conflict with the conflicting existing application control rule.

15. A computer program product stored on a non-transitory computer-readable storage medium, the computer program product comprising computer-executable instructions for configuring application control rules, including instructions for:
- generating a new application control rule that specifies restrictions or a permission on executing a software application, a function of an application or a category of applications;
  
  collecting information about one or more computers in a network, information comprising information about software applications deployed on the one or more computers and one or more existing application control rules associated with the software applications;
  
  determining a priority for each of the new application control rule and the one or more existing application control rules;
  
  testing, by a processor, the new application control rule using the collected information to determine verdicts rendered by the new application control rule that restrict or permit an execution of the software application, the function of an application or the category of applications;
  
  comparing verdicts rendered by the new application rule with the verdicts rendered by the existing application control rules to identify conflicts between the compared rules; and
  
  upon detecting a conflict between the compared rules, reconfiguring one of the compared rules with a lower priority to eliminate the conflict.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The product of claim 15, wherein instructions for collecting information about one or more computers further include instructions for:
    - assigning identified applications to one or more categories based on at least one of an application developer, an application function, and application metadata.
  - 17. The product of claim 15, wherein instructions for collecting information about one or more computers further include instructions for:
    - collecting user accounts for the one or more computers;
      
      categorizing identified computer users into a plurality of different user roles; and
      
      generating application control policies for the plurality of different user roles, wherein each policy includes one or more application control rules.
  - 18. The product of claim 17, wherein instructions for testing the new application control rule further include instructions for:
    - applying the new and existing application control rules to the identified computer users;
      
      receiving verdicts of each applied application control rule restricting or permitting the execution of the software application, the function of an application or the category of applications to the identified computer users; and
      
      comparing verdicts of the new and existing application control rules for the same application and the same computer user to identify conflicting application control rules.
  - 19. The product of claim 18, wherein two or more application control rules conflict with each other when at least one application control rule permits the execution of the software application, the function of an application or the category of applications to a user and at least one other application control rules prohibits an execution of the same application, same function of the application or the same category of applications to the same user.
  - 20. The product of claim 15, further comprising instructions for testing jointly the new application control rule and the one or more existing application control rules using the collected information to determine verdicts rendered by the new application control rule and the one or more existing application control rules that restrict or permit the execution of the software application, the function of the application or the category of applications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Kazachkov, Andrey V., Pravdivy, Andrey A., Shiyafetdinov, Damir R.
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Korsak, Oleg

Application Number

US14/096,529
Publication Number

US 20150007252A1
Time in Patent Office

419 Days
Field of Search

726/1, 726/27
US Class Current

726/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/604   Tools and structures for ma...

G06N 5/027   Frames

H04L 63/20   for managing network securi...

System and method for automatically configuring application control rules

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

8 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for automatically configuring application control rules

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links