Systems and methods for creating and modifying access control lists

US 9,769,174 B2
Filed: 08/07/2015
Issued: 09/19/2017
Est. Priority Date: 06/14/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

collecting, by a computer system, data from a plurality of different types of sources on a network;

identifying, by the computer system based on the collected data, one or more services provided by a host network asset for use by a client network asset over the network;

presenting to a user interface, a graphical representation that includes representations of;

the host network asset, the client network asset, the one or more services, and a flow information graph visually indicating a security vulnerability associated with one or more of the host network asset and the client network asset;

receiving, by the computer system via the user interface, input from a user that includes;

a selection of a service from the one or more services; and

a selection permitting or rejecting access to the selected service by the client network asset; and

in response to the input from the user, modifying access to the selected service by the client network asset over the network.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present disclosure can present information on services hosted and used by various assets on a network, and allow users to control access to such services. In particular, embodiments of the disclosure may be used to present one or more services hosted by a network asset, and control access to such services by other network assets based on user input.

Citations

19 Claims

1. A computer-implemented method comprising:
- collecting, by a computer system, data from a plurality of different types of sources on a network;
  
  identifying, by the computer system based on the collected data, one or more services provided by a host network asset for use by a client network asset over the network;
  
  presenting to a user interface, a graphical representation that includes representations of;
  
  the host network asset, the client network asset, the one or more services, and a flow information graph visually indicating a security vulnerability associated with one or more of the host network asset and the client network asset;
  
  receiving, by the computer system via the user interface, input from a user that includes;
  
  a selection of a service from the one or more services; and
  
  a selection permitting or rejecting access to the selected service by the client network asset; and
  
  in response to the input from the user, modifying access to the selected service by the client network asset over the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein presenting the graphical representation includes displaying which of the one or more services have been previously used by the client network asset and which of the one or more services have not been previously used by the client network asset.
  - 3. The method of claim 1, wherein presenting the flow information graph further depicts the host network asset, the client network asset, connections between the host network asset and the client network asset, services that are permitted to be accessed between the host network asset and the client network asset, and services that are not permitted to be accessed between the host network asset and the client network asset.
  - 4. The method of claim 3, wherein the flow information graph visually indicates one or more of:
    - an attribute of the host network asset, an attribute of the client network asset, and an attribute of a connection between the host network asset and the client network asset.
  - 5. The method of claim 4, wherein the flow information graph further depicts:
    - network data associated with one or more of host network asset and the client network asset; and
      
      a system operational attribute associated with one or more of the host network asset and the client network asset.
  - 6. The method of claim 3, wherein the flow information graph depicts connections between the host network asset and the client network asset using selectable directional flow lines.
  - 7. The method of claim 6, wherein the flow lines indicate a type of the source of the collected data used to identify the connection.
  - 8. The method of claim 1, wherein the input from the user includes an annotation associated with the selected service, and wherein presenting the graphical representation includes displaying the annotation for the selected service.
  - 9. The method of claim 1, wherein the input from the user further includes a selection of a second client network asset.
  - 10. The method of claim 9, wherein the second client network asset uses services from the host network asset.
  - 11. The method of claim 9, wherein the second client network asset uses services from a second host network asset.
  - 12. The method of claim 1, wherein the input from the user includes a selection of one or more of:
    - network flow associated with the host asset and an attribute associated with the host asset.
  - 13. The method of claim 1, wherein modifying access to the selected service includes restricting access by the client network asset to all services provided by the host network asset.
  - 14. The method of claim 1, wherein modifying access to the selected service includes allowing access by the client network asset to all services provided by the host network asset.
  - 15. The method of claim 1, wherein modifying access to the selected service includes selectively restricting access by a plurality of client network assets to all services provided by the host network asset based on a common attribute of each of the plurality of client network assets.
  - 16. The method of claim 1, wherein modifying access to the selected service includes selectively allowing access by a plurality of client network assets to all services provided by the host network asset based on a common attribute of each of the plurality of client network assets.
  - 17. The method of claim 1, wherein the collected data is obtained from a source selected from the group consisting of:
    - a NETFLOW IPFIX collector, a network tap, a router, a switch, a firewall, an intrusion detection system, an intrusion protection system, and combinations thereof.

18. A tangible, non-transitory computer-readable medium storing instructions that, when executed, cause a computer system to:
- collect data from a plurality of different types of sources on a network;
  
  identify, based on the collected data, one or more services provided by a host network asset for use by a client network asset over the network;
  
  present a graphical representation that includes representations of;
  
  the host network asset, the client network asset, the one or more services, and a flow information graph visually indicating a security vulnerability associated with one or more of the host network asset and the client network asset;
  
  receive, via the user interface, input from a user that includes;
  
  a selection of a service from the one or more services; and
  
  a selection permitting or rejecting access to the selected service by the client network asset; and
  
  in response to the input from the user, modify access to the selected service by the client network asset over the network.

19. A computer system comprising:
- a processor; and
  
  memory in communication with the processor and storing instructions that, when executed by the processor, cause the computer system to;
  
  collect data from a plurality of different types of sources on a network;
  
  identify, based on the collected data, one or more services provided by a host network asset for use by a client network asset over the network;
  
  present a graphical representation that includes representations of;
  
  the host network asset, the client network asset, the one or more services, and a flow information graph visually indicating a security vulnerability associated with one or more of the host network asset and the client network asset;
  
  receive, via the user interface, input from a user that includes;
  
  a selection of a service from the one or more services; and
  
  a selection permitting or rejecting access to the selected service by the client network asset; and
  
  in response to the input from the user, modify access to the selected service by the client network asset over the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Catbird Networks, Inc.
Original Assignee
Catbird Networks, Inc.
Inventors
Rieke, Malcolm, Dennis, James Sebastian
Primary Examiner(s)
CRIBBS, MALCOLM

Application Number

US14/821,103
Publication Number

US 20160072815A1
Time in Patent Office

774 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 41/22   comprising specially adapte...

H04L 41/5009   Determining service level p...

H04L 41/5058   Service discovery by the se...

H04L 43/045   for graphical visualisation...

H04L 43/06   Generation of reports

H04L 63/101   Access control lists [ACL]

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Systems and methods for creating and modifying access control lists

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for creating and modifying access control lists

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links