Method and system for authentication event security policy generation
First Claim
1. A method for generating and using security policies for a computer network, the method comprising:
detecting, via a network monitoring device, authentication events associated with at least one user accessing a user node and at least one corresponding endpoint network node, the authentication events involving host computers contacting authentication servers on the computer network by monitoring activity involving the authentication servers;
extracting, via the network monitoring device, original authentication information associated with the at least one user from an authentication log from at least one of the authentication servers for each of the authentication events, the original authentication information including user names, each user node address, each corresponding endpoint network node address, authentication protocols and communication ports from the authentication events;
generating, via the network monitoring device, security policies based on the original authentication information, including the user names, using a usage model that characterizes legitimate network communications between the at least one user and the at least one corresponding endpoint network node by reference to at least user names, user node addresses, endpoint network node addresses, authentication protocols and communication ports;
detecting, via collectors of the network monitoring device, new authentication events on the computer network, the collectors of the network monitoring device access authentication servers via application programming interfaces;
extracting, via the network monitoring device, subsequent authentication information, including the user names, user node addresses, endpoint network node addresses, authentication protocols and communication ports from the new authentication events;
comparing, via the network monitoring device, the subsequent authentication information against the generated security policies, which were defined based on the original authentication information, for the computer network;
categorizing the new authentication event from the comparison of the subsequent authentication information and the generated security policies;
determining whether the categorized new authentication event violates the generated security policies;
generating alerts in response to the categorized new authentication event violating the generated security policies by determining a violation of the new authentication event exceeds a predefined threat level, the alerts indicative of the new authentication events' threat level;
logging the violation that exceeds the predefined threat level and initiating a security response comprising further monitoring of the new authentication events, quarantine of the new authentication events, or blocking of the new authentication events; and
maintaining, via the network monitoring device, a current authentication state based on the comparison of the subsequent authentication information against the generated security policies when the new authentication event is consistent with the generated security policies, the current authentication state associates the user accessing the user node with the corresponding endpoint network node.
Abstract
A method and system allow for the deployment of security policies into the higher layers of the OSI model. Specifically, they allow for the establishment of security policies at layer 4 and above by monitoring authentication flows and using those flows as the basis for security policies, which can then be used to assess the operation of the network.
9 Claims
1. (Independent claim 1, reproduced above under First Claim; dependent claims 2, 3, 4, 5 and 6.)
7. A method for monitoring security in a computer network, the method comprising:
detecting, via a network monitoring device, communication events associated with at least one user accessing a user node and at least one corresponding endpoint network node, the communication events occurring between at least one or more of host computers and authentication servers on the computer network;
extracting, via the network monitoring device, authentication information associated with the at least one user, in response to the communication event, from an authentication server log file from at least one of the authentication servers, the extracted authentication information including user information including user names of users of the host computers seeking authentication, address of the user node, addresses of each endpoint network node, authentication protocols and communication ports;
generating, via the network monitoring device, a model of an authentication state of the network including the user names, the address of the user node, the addresses of each endpoint network node, the authentication protocols and the communication ports of the authentication information extracted from the communication events;
monitoring, via collectors of the network monitoring device, new authentication events on the computer network, the collectors of the network monitoring device access the authentication servers via application programming interfaces;
comparing the new authentication events against the model;
categorizing the new authentication event based on the comparison against the model;
determining whether the categorized new authentication event violates the model;
generating alerts in response to the categorized new authentication event violating security policies based on the model by determining a violation of the new authentication event exceeds a predefined threat level, the alerts indicative of the new authentication events' threat level;
logging the violation that exceeds the predefined threat level and initiating a security response comprising further monitoring of the new authentication events, quarantine of the new authentication events, or blocking of the new authentication events; and
maintaining, via the network monitoring device, a current authentication state based on the comparison of the new authentication event against the model when the new authentication event is consistent with the model, the current authentication state associates the user accessing the user node with the corresponding endpoint network node.
(Dependent claims 8 and 9.)
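The procedure recited in claims 1 and 7 (extract user name, user node address, endpoint address, protocol and port from authentication logs; build a usage model; categorize later events against it; alert above a threat threshold; keep a current authentication state for conforming events) can be exercised end to end in a few dozen lines. The following is an added example written for this page, not code from the patent or its assignee. The key=value log line format, the addresses and user names, the category names, the numeric threat levels and the level-to-response mapping are all assumptions chosen for illustration; a real deployment would read its collector's actual record format.

```python
"""Baseline-and-compare detector over authentication log records.

Added example (not from the patent). A training window of authentication
events is turned into a usage model; new events are then categorized against
it, given a threat level, alerted above a threshold, and, when they conform,
folded into a current authentication state (user -> (user node, endpoint)).
All log lines below are constructed and the line format is hypothetical.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical key=value record as an authentication server might log it.
LINE_RE = re.compile(
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"proto=(?P<proto>\S+)\s+port=(?P<port>\d+)\s+result=(?P<result>\w+)"
)


@dataclass(frozen=True)
class AuthEvent:
    user: str   # user name
    src: str    # user node address
    dst: str    # endpoint network node address
    proto: str  # authentication protocol
    port: int   # communication port

    @property
    def service(self):
        return (self.dst, self.proto, self.port)


def parse_events(lines):
    """Extract the five claimed fields from each log line.

    Lines that do not match the format are skipped, as are failed
    authentications: a failure is not legitimate usage and must not widen
    the baseline."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and m["result"] == "success":
            events.append(AuthEvent(m["user"], m["src"], m["dst"], m["proto"], int(m["port"])))
    return events


class UsagePolicy:
    """Usage model: which users authenticate from which nodes to which services."""

    def __init__(self, baseline):
        self.tuples = set(baseline)                 # exact observed 5-tuples
        self.user_nodes = defaultdict(set)          # user -> {src}
        self.user_endpoints = defaultdict(set)      # user -> {dst}
        self.user_services = defaultdict(set)       # user -> {(dst, proto, port)}
        for ev in baseline:
            self.user_nodes[ev.user].add(ev.src)
            self.user_endpoints[ev.user].add(ev.dst)
            self.user_services[ev.user].add(ev.service)

    def categorize(self, ev):
        """Return (category, threat_level); level 0 means consistent with the policy.
        Category names and levels are assumptions made for this example."""
        if ev in self.tuples:
            return "consistent", 0
        if ev.user not in self.user_nodes:
            return "unknown_user", 3          # never-seen principal
        if ev.dst not in self.user_endpoints[ev.user]:
            return "new_endpoint", 2          # user reaching a node it never authenticated to
        if ev.service not in self.user_services[ev.user]:
            return "protocol_change", 2       # known endpoint, different protocol or port
        return "new_source_node", 1           # known service, user coming from an unseen node


# Assumed mapping from threat level to the claimed responses.
RESPONSES = {1: "monitor", 2: "quarantine", 3: "block"}


def evaluate(policy, new_events, threshold=2):
    """Compare new events against the policy.

    Returns (alerts, violations, state): alerts for violations at or above
    the threshold, every non-conforming event as a violation record, and the
    current authentication state built only from conforming events."""
    alerts, violations = [], []
    state = defaultdict(set)  # user -> {(user node, endpoint node)}
    for ev in new_events:
        category, level = policy.categorize(ev)
        if level == 0:
            state[ev.user].add((ev.src, ev.dst))
            continue
        violations.append((ev, category, level))
        if level >= threshold:
            alerts.append({"event": ev, "category": category,
                           "threat_level": level, "response": RESPONSES[level]})
    return alerts, violations, state


# Constructed training window (hypothetical addresses and users).
BASELINE_LOG = [
    "2024-05-01T08:00:01Z user=alice src=10.0.1.5 dst=10.0.2.10 proto=kerberos port=88 result=success",
    "2024-05-01T08:05:12Z user=alice src=10.0.1.5 dst=10.0.2.20 proto=ldaps port=636 result=success",
    "2024-05-01T08:07:40Z user=bob src=10.0.1.9 dst=10.0.2.10 proto=kerberos port=88 result=success",
    "2024-05-01T08:09:03Z user=svc-backup src=10.0.3.2 dst=10.0.2.30 proto=ntlm port=445 result=success",
    "2024-05-01T08:10:00Z user=eve src=10.0.1.66 dst=10.0.2.10 proto=kerberos port=88 result=failure",
    "malformed collector output",
]

# Constructed events from the next day.
NEW_LOG = [
    "2024-05-02T08:01:00Z user=alice src=10.0.1.5 dst=10.0.2.10 proto=kerberos port=88 result=success",
    "2024-05-02T08:02:00Z user=alice src=10.0.1.77 dst=10.0.2.20 proto=ldaps port=636 result=success",
    "2024-05-02T08:03:00Z user=bob src=10.0.1.9 dst=10.0.2.10 proto=ntlm port=445 result=success",
    "2024-05-02T08:04:00Z user=bob src=10.0.1.9 dst=10.0.2.30 proto=kerberos port=88 result=success",
    "2024-05-02T08:05:00Z user=mallory src=10.0.9.9 dst=10.0.2.10 proto=kerberos port=88 result=success",
]


def run_demo(threshold=2):
    policy = UsagePolicy(parse_events(BASELINE_LOG))
    return evaluate(policy, parse_events(NEW_LOG), threshold)


if __name__ == "__main__":
    alerts, violations, state = run_demo()
    for a in alerts:
        print(f"{a['response']:10s} level={a['threat_level']} {a['category']:16s} {a['event']}")
    print("current state:", dict(state))
```

With the constructed input, alice's move to a new source node is logged as a violation but stays below the threshold of 2, bob's NTLM authentication to a node he previously reached only over Kerberos and his first contact with the backup server are quarantined, and the unknown user mallory is blocked; only alice's conforming Kerberos authentication enters the current authentication state. Ordering the checks as unknown user, then new endpoint, then protocol change matters: a downgrade from Kerberos to NTLM against a known endpoint is the case a practitioner most wants separated from ordinary lateral movement.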