Distributed network security using a logical multi-dimensional label-based policy model

US 9,882,919 B2
Filed: 09/02/2014
Issued: 01/30/2018
Est. Priority Date: 04/10/2013
Status: Active Grant

First Claim

Patent Images

1. A method of quarantining a bad actor within an administrative domain, the method comprising:

storing cached actor-sets, each of the cached actor sets specifying a group of actors present in the administrative domain;

storing a plurality of rules applicable to a particular managed server, each of the rules specifying a provider of a service, a user of the service, and a function controlling interactions between the provider and the user of the service, wherein each of the rules specifies at least one of the provider of the service and the user of the service as a set of managed servers using a label set, wherein a label of the label set represents a dimension of the managed servers and a value of the dimension;

storing in association with a given rule of the plurality of rules, relevant actor-sets comprising a subset of the cached actor-sets that each include at least one of the provider specified in the given rule and the user specified in the given rule;

receiving an instruction to quarantine the bad actor;

updating the cached actor-sets to indicate a change in state of the bad actor to a quarantined state;

identifying a changed actor-set in the relevant actor-sets for the given rule, wherein the changed actor-set was updated based on the change in state of the bad actor to the quarantined state;

responsive to identifying the changed actor-set,sending, to the particular managed server, information describing the changed actor-set and an instruction to add, remove, or modify the changed actor-set in a local list stored by the particular managed server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A managed server (MS) within an administrative domain is quarantined. The administrative domain includes multiple MSs that use management instructions to configure management modules so that the configured management modules implement an administrative domain-wide management policy that comprises a set of one or more rules. The quarantined MS is isolated from other MSs. A description of the MS is modified to indicate that the MS is quarantined, thereby specifying a description of the quarantined MS. Cached actor-sets are updated to indicate the quarantined MS'"'"'s changed state, thereby specifying updated actor-sets. A determination is made regarding which updated actor-sets are relevant to an other MS, thereby specifying currently-relevant updated actor-sets. A determination is made regarding whether the currently-relevant updated actor-sets differ from actor-sets previously sent to the other MS. Responsive to determining that the currently-relevant updated actor-sets are identical to the previously-sent actor-sets, no further action is taken.

Citations

20 Claims

1. A method of quarantining a bad actor within an administrative domain, the method comprising:
- storing cached actor-sets, each of the cached actor sets specifying a group of actors present in the administrative domain;
  
  storing a plurality of rules applicable to a particular managed server, each of the rules specifying a provider of a service, a user of the service, and a function controlling interactions between the provider and the user of the service, wherein each of the rules specifies at least one of the provider of the service and the user of the service as a set of managed servers using a label set, wherein a label of the label set represents a dimension of the managed servers and a value of the dimension;
  
  storing in association with a given rule of the plurality of rules, relevant actor-sets comprising a subset of the cached actor-sets that each include at least one of the provider specified in the given rule and the user specified in the given rule;
  
  receiving an instruction to quarantine the bad actor;
  
  updating the cached actor-sets to indicate a change in state of the bad actor to a quarantined state;
  
  identifying a changed actor-set in the relevant actor-sets for the given rule, wherein the changed actor-set was updated based on the change in state of the bad actor to the quarantined state;
  
  responsive to identifying the changed actor-set,sending, to the particular managed server, information describing the changed actor-set and an instruction to add, remove, or modify the changed actor-set in a local list stored by the particular managed server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the bad actor is a target managed server, and wherein the method further comprises:
    - modifying a description of the target managed server to indicate that the target managed server is quarantined by setting a value for a quarantine-specific configured characteristic of the target managed server.
  - 3. The method of claim 1, further comprising determining to quarantine the bad actor.
  - 4. The method of claim 3, wherein the bad actor is a target managed server, wherein determining to quarantine the target managed server comprises determining that a network attack originated from the target managed server or determining that the target managed server has a vulnerability.
  - 5. The method of claim 1, wherein sending the information describing the changed actor-set and the instruction causes the particular managed server to block inbound network traffic that originated from the bad actor.
  - 6. The method of claim 1, further comprising, prior to updating the cached actor-sets:
    - determining, based on a description of the bad actor, additional information regarding the bad actor; and
      
      modifying the description of the bad actor to indicate the additional information.
  - 7. The method of claim 1, wherein the bad actor is a target managed server, the method further comprising:
    - determining, based on a description of the target managed server, currently-relevant rules that are applicable to the target managed server after it is quarantined;
      
      determining whether the currently-relevant rules differ from previously-relevant rules that were applicable to the target managed server prior to it being quarantined; and
      
      responsive to determining that the currently-relevant rules differ from the previously-relevant rules;
      
      determining a rule that should be added, removed, or modified relative to the previously-relevant rules;
      
      generating, based on the determined rule, a function-level instruction; and
      
      sending, to the target managed server, the function-level instruction and an instruction to add, remove, or modify the function-level instruction.
  - 8. The method of claim 7, wherein sending the function-level instruction and the instruction to add, remove, or modify causes the target managed server to block outbound network traffic.
  - 9. The method of claim 7, wherein sending the function-level instruction and the instruction to add, remove, or modify causes the target managed server to allow only administrative inbound network traffic.
  - 10. The method of claim 1, wherein the bad actor is a target managed server, the method further comprising:
    - determining a changed actor set relevant to the target managed server that was changed based on the target managed server becoming quarantined;
      
      sending, to the target managed server, information describing the changed actor-set relevant to the target managed server and an instruction to add, remove, or modify the changed actor-set in a local list stored by the target managed server.
  - 11. The method of claim 1, wherein the bad actor is an unmanaged device group, the method further comprising determining to add an unmanaged device to the unmanaged device group.
  - 12. The method of claim 11, wherein determining to add the unmanaged device to the unmanaged device group comprises determining that the unmanaged device poses a security threat.
  - 13. The method of claim 11, wherein sending the information describing the changed actor-set and the instruction causes the particular managed server to block inbound network traffic that originated from the unmanaged device or to block outbound network traffic that is destined for the unmanaged device.
  - 14. The method of claim 1, wherein each of the cached actor-sets comprises one or more actor-set records, each actor-set record identifying a managed server or an unmanaged device group.
  - 15. The method of claim 14, wherein at least one of the actor-set records comprises a unique identifier, an identifier of an operating system, or an IP address.

16. A non-transitory computer-readable storage medium storing computer program modules for quarantining a bad actor within an administrative domain, the computer program modules executable by a processor to perform steps comprising:
- storing cached actor-sets, each of the cached actor sets specifying a group of actors present in the administrative domain;
  
  storing a plurality of rules applicable to a particular managed server, each of the rules specifying a provider of a service, a user of the service, and a function controlling interactions between the provider and the user of the service, wherein each of the rules specifies at least one of the provider of the service and the user of the service as a set of managed servers using a label set, wherein a label of the label set represents a dimension of the managed servers and a value of the dimension;
  
  storing in association with a given rule of the plurality of rules, relevant actor-sets comprising a subset of the cached actor-sets that each include at least one of the provider specified in the given rule and the user specified in the given rule;
  
  receiving an instruction to quarantine the bad actor;
  
  updating the cached actor-sets to indicate a change in state of the bad actor to a quarantined state;
  
  identifying a changed actor-set in the relevant actor-sets for the given rule, wherein the changed actor-set was updated based on the change in state of the bad actor to the quarantined state;
  
  responsive to identifying the changed actor-set,sending, to the particular managed server, information describing the changed actor-set and an instruction to add, remove, or modify the changed actor-set in a local list stored by the particular managed server.
- View Dependent Claims (17, 18)
- - 17. The non-transitory computer-readable storage medium of claim 16, wherein the bad actor is a target managed server, the method further comprising:
    - determining, based on a description of the target managed server, currently-relevant rules that are applicable to the target managed server after it is quarantined;
      
      determining whether the currently-relevant rules differ from previously-relevant rules that were applicable to the target managed server prior to it being quarantined; and
      
      responsive to determining that the currently-relevant rules differ from the previously-relevant rules;
      
      determining a rule that should be added, removed, or modified relative to the previously-relevant rules;
      
      generating, based on the determined rule, a function-level instruction; and
      
      sending, to the target managed server, the function-level instruction and an instruction to add, remove, or modify the function-level instruction.
  - 18. The non-transitory computer-readable storage medium of claim 16, wherein the bad actor is a target managed server, the method further comprising:
    - determining a changed actor set relevant to the target managed server that was changed based on the target managed server becoming quarantined;
      
      sending, to the target managed server, information describing the changed actor-set relevant to the target managed server and an instruction to add, remove, or modify the changed actor-set in a local list stored by the target managed server.

19. A system for quarantining a bad actor within an administrative domain, the system comprising:
- a non-transitory computer-readable storage medium storing computer program modules executable to perform steps comprising;
  
  storing cached actor-sets, each of the cached actor sets specifying a group of actors present in the administrative domain;
  
  storing a plurality of rules applicable to a particular managed server, each of the rules specifying a provider of a service, a user of the service, and a function controlling interactions between the provider and the user of the service, wherein each of the rules specifies at least one of the provider of the service and the user of the service as a set of managed servers using a label set, wherein a label of the label set represents a dimension of the managed servers and a value of the dimension;
  
  storing in association with a given rule of the plurality of rules, relevant actor-sets comprising a subset of the cached actor-sets that each include at least one of the provider specified in the given rule and the user specified in the given rule;
  
  receiving an instruction to quarantine the bad actor;
  
  updating the cached actor-sets to indicate a change in state of the bad actor to a quarantined state;
  
  identifying a changed actor-set in the relevant actor-sets for the given rule, wherein the changed actor-set was updated based on the change in state of the bad actor to the quarantined state;
  
  responsive to identifying the changed actor-set,sending, to the particular managed server, information describing the changed actor-set and an instruction to add, remove, or modify the changed actor-set in a local list stored by the particular managed server; and
  
  a computer processor for executing the computer program modules.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein the bad actor is a target managed server, the method further comprising:
    - determining, based on a description of the target managed server, currently-relevant rules that are applicable to the target managed server after it is quarantined;
      
      determining whether the currently-relevant rules differ from previously-relevant rules that were applicable to the target managed server prior to it being quarantined; and
      
      responsive to determining that the currently-relevant rules differ from the previously-relevant rules;
      
      determining a rule that should be added, removed, or modified relative to the previously-relevant rules;
      
      generating, based on the determined rule, a function-level instruction; and
      
      sending, to the target managed server, the function-level instruction and an instruction to add, remove, or modify the function-level instruction.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Illumio, Inc.
Original Assignee
Illumio, Inc.
Inventors
Kirner, Paul J., Cook, Daniel R., Fandli, Juraj G., Glenn, Matthew K., Gupta, Mukesh, Rubin, Andrew S., Scott, Jerry B., Verghese, Thukalan V.
Primary Examiner(s)
Traore, Fatoumata

Application Number

US14/474,916
Publication Number

US 20140373091A1
Time in Patent Office

1,246 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 61/2514   between local and global IP...

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

Distributed network security using a logical multi-dimensional label-based policy model

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed network security using a logical multi-dimensional label-based policy model

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links