Conditional policies

US 10,129,117 B2
Filed: 02/16/2016
Issued: 11/13/2018
Est. Priority Date: 06/05/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting, via a computer having a processor configured to execute computer readable instructions, a change to a security measurement of an endpoint in a network from a first value to a second value, the security measurement of the endpoint represented by a number on a scale, a decimal number from 0-1, a binary result, or multiple values describing different security parameters;

determining, via the computer, one or more policies that are applicable to the endpoint based on the security measurement corresponding to the second value; and

updating, via the computer, policy data for the network to enforce the one or more policies with respect to the endpoint.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Conditional policies can be defined that change based on security measurements of network endpoints. In an example embodiment, a network traffic monitoring system can monitor network flows between the endpoints and quantify how secure those endpoints are based on analysis of the network flows and other data. A conditional policy may be created that establishes one or more first connectivity policies for handling a packet when a security measurement of an endpoint is a first value or first range values, and one or more second connectivity policies for handling the packet. The connectivity policies may include permitting connectivity, denying connectivity, redirecting the packet using a specific route, or other network action. When the network traffic monitoring system detects a change to the security measurement of the endpoint, one or more applicable policies can be determined and the system can update policy data for the network to enforce the policies.

540 Citations

20 Claims

1. A method comprising:
- detecting, via a computer having a processor configured to execute computer readable instructions, a change to a security measurement of an endpoint in a network from a first value to a second value, the security measurement of the endpoint represented by a number on a scale, a decimal number from 0-1, a binary result, or multiple values describing different security parameters;
  
  determining, via the computer, one or more policies that are applicable to the endpoint based on the security measurement corresponding to the second value; and
  
  updating, via the computer, policy data for the network to enforce the one or more policies with respect to the endpoint.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein updating the policy data includes:
    - updating an endpoint group of the endpoint from a first endpoint group to a second endpoint group,wherein the one or more policies are applicable to the second endpoint group and not applicable to the first endpoint group.
  - 3. The method of claim 1, wherein updating the policy data includes:
    - determining one or more first policies in a policy table that are applicable to the endpoint based on the security measurement corresponding to the first value; and
      
      adding the one or more policies to the policy table,wherein the one or more policies are prioritized over the one or more first policies based on the one or more policies corresponding to a level of specificity exceeding that of the one or more first policies.
  - 4. The method of claim 1, wherein updating the policy data includes:
    - determining one or more first policies in a policy table that are applicable to the endpoint based on the security measurement corresponding to the first value;
      
      adding the one or more policies to the policy table of the network; and
      
      removing the one or more first policies from the policy table.
  - 5. The method of claim 1, further comprising:
    - remediating the endpoint based on network traffic flow between the endpoint and a second endpoint, wherein the one or more policies include a policy that allows the network traffic flow.
  - 6. The method of claim 5, further comprising:
    - detecting a second change to the security measurement of the endpoint from the second value to the first value or a third value;
      
      determining one or more second policies that are applicable to the endpoint based on the security measurement corresponding to the first value or the third value; and
      
      updating policy data of the network to enforce the one or more second policies with respect to the endpoint.
  - 7. The method of claim 1, wherein the one or more policies are whitelist rules, and updating the policy data includes:
    - determining one or more second policies that are applicable to the endpoint based on the security measurement corresponding to the first value;
      
      removing the one or more second policies from a policy table; and
      
      adding the one or more policies to the policy table to allow a network traffic flow between the endpoint and a second endpoint.
  - 8. The method of claim 1, wherein the one or more policies are blacklist rules, and updating the policy data includes:
    - determining one or more second policies that are applicable to the endpoint based on the security measurement corresponding to the first value;
      
      adding the one or more second policies to a policy table; and
      
      removing the one or more policies to deny a network traffic flow between the endpoint and a second endpoint.
  - 9. The method of claim 1, further comprising:
    - receiving a packet including a source or a destination corresponding to the endpoint;
      
      determining a network action for the packet based on the one or more policies; and
      
      performing the network action,wherein the network action is one of forwarding the packet, dropping the packet, logging the packet, marking the packet, selecting a service graph for the packet, redirecting the packet, or copying the packet.
  - 10. The method of claim 1, wherein the policy data includes a policy table applicable to a first collection of endpoints of the network and not applicable to a second collection of endpoints of the network.
  - 11. The method of claim 1, wherein the policy data includes a policy table applicable to an entirety of the network.

12. A non-transitory computer-readable medium having computer readable instructions that, when executed by a processor of a computer, cause the computer to:
- define a conditional policy for an endpoint in a network, the conditional policy corresponding to at least a first policy for the endpoint having a first value for a security measurement and a second policy for the endpoint having a second value for the security measurement, the security measurement represented by a number on a scale, a decimal number from 0-1, a binary result, or multiple values describing different security parameters;
  
  determine that the security measurement of the endpoint corresponds to the first value;
  
  add the first policy to a policy table of the network; and
  
  enforce the first policy.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The non-transitory computer-readable medium of claim 12, wherein the computer readable instructions further cause the computer to:
    - update an endpoint group of the endpoint from a first endpoint group to a second endpoint group,wherein the first policy is applicable to the second endpoint group and not applicable to the first endpoint group.
  - 14. The non-transitory computer-readable medium of claim 12, wherein,the policy table includes the second policy, andthe first policy is enforced instead of the second policy based on the first policy corresponding to a level of specificity exceeding that of the second policy.
  - 15. The non-transitory computer-readable medium of claim 12, wherein the computer readable instructions further cause the computer to:
    - remove the second policy from the policy table.
  - 16. The non-transitory computer-readable medium of claim 12, wherein the computer readable instructions further cause the computer to:
    - modify a state of the endpoint based on network traffic flow between the endpoint and a remediation server,wherein the first policy allows the network traffic flow between the endpoint and the remediation server.
  - 17. The non-transitory computer-readable medium of claim 16, wherein the computer readable instructions further cause the computer to:
    - detect a change to the security measurement of the endpoint from the first value to the second value;
      
      obtain the second policy based on the security measurement corresponding to the first value; and
      
      update the policy table to enforce the second policy with respect to the endpoint.

18. A system comprising:
- a processor; and
  
  a memory including instructions that when executed by the processor, cause the system to;
  
  define a policy for an endpoint group in a network corresponding to a first value range for a first security measurement;
  
  detect a second security measurement corresponding to an endpoint not associated with the endpoint group;
  
  determine that the second security measurement is within the first value range; and
  
  assign the endpoint to the endpoint group,wherein,the first security measurement and/or the second security measurement is represented by a number on a scale, a decimal number from 0-1, a binary result, or multiple values describing different security parameters.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the policy is a whitelist rule, and the instructions further cause the system to:
    - determine one or more second policies that are applicable to the endpoint based on the first security measurement corresponding to a third value, wherein the one or more second policies are configured to block a network traffic flow between the endpoint and a second endpoint; and
      
      allow, based on at least the policy, the network traffic flow.
  - 20. The system of claim 18, wherein the policy is a blacklist rule, and the instructions further cause the system to:
    - determine one or more second policies that are applicable to the endpoint based on the security measurement corresponding to a third value, wherein the one or more second policies are configured to allow a network traffic flow between the endpoint and a second endpoint; and
      
      block, based on at least the policy, the network traffic flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Gupta, Sunil Kumar, Yadav, Navindra, Watts, Michael Standish, Parandehgheibi, Ali, Gandham, Shashidhar, Kulshreshtha, Ashutosh, Deen, Khawar
Primary Examiner(s)
Avery, Jeremiah

Application Number

US15/045,210
Publication Number

US 20160359913A1
Time in Patent Office

1,001 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/122   using management policies b...

G06F 16/137   Hash-based content-based in...

G06F 16/162   Delete operations erasing i...

G06F 16/17   Details of further file sys...

G06F 16/173   Customisation support for f...

G06F 16/174   Redundancy elimination perf...

G06F 16/1744   using compression, e.g. spa...

G06F 16/1748   De-duplication implemented ...

G06F 16/2322   using timestamps

G06F 16/235   Update request formulation

G06F 16/2365   Ensuring data consistency a...

G06F 16/24578   using ranking

G06F 16/248   Presentation of query results

G06F 16/285   Clustering or classification

G06F 16/288   Entity relationship models

G06F 16/29   Geographical information da...

G06F 16/9535   Search customisation based ...

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595 : Network integration; Enabli...

G06F 21/53 : by executing in a restricte...

G06F 21/552 : involving long-term monitor...

G06F 21/556 : involving covert channels, ...

G06F 21/566 : Dynamic detection, i.e. det...

G06F 2221/033 : Test or assess software

G06F 2221/2101 : Auditing as a secondary aspect

G06F 2221/2105 : Dual mode as a secondary as...

G06F 2221/2111 : Location-sensitive, e.g. ge...

G06F 2221/2115 : Third party

G06F 2221/2145 : Inheriting rights or proper...

G06F 3/0482 : Interaction with lists of s...

G06F 3/04842 : Selection of displayed obje...

G06F 3/04847 : Interaction techniques to c...

G06F 9/45558 : Hypervisor-specific managem...

G06N 20/00 : Machine learning

G06N 99/00 : Subject matter not provided...

G06T 11/206 : Drawing of charts or graphs

H04J 3/0661 : using timestamps

H04J 3/14 : Monitoring arrangements for...

H04L 1/242 : by comparing a transmitted ...

H04L 41/046 : comprising network manageme...

H04L 41/0668 : by dynamic selection of rec...

H04L 41/0803 : Configuration setting

H04L 41/0806 : for initial configuration o...

H04L 41/0816 : the condition being an adap...

H04L 41/0893 : Assignment of logical group...

H04L 41/0894 : Policy-based network config...

H04L 41/12 : Discovery or management of ...

H04L 41/16 : using machine learning or a...

H04L 41/22 : comprising specially adapte...

H04L 41/40 : using virtualisation of net...

H04L 43/02 : Capturing of monitoring data

H04L 43/026 : using flow identification

H04L 43/04 : Processing captured monitor...

H04L 43/045 : for graphical visualisation...

H04L 43/062 : related to network traffic

H04L 43/08 : Monitoring or testing based...

H04L 43/0805 : by checking availability

H04L 43/0811 : by checking connectivity

H04L 43/0829 : Packet loss

H04L 43/0841 : Round trip packet loss

H04L 43/0858 : One way delays

H04L 43/0864 : Round trip delays

H04L 43/0876 : Network utilisation, e.g. v...

H04L 43/0882 : Utilisation of link capacity

H04L 43/0888 : Throughput

H04L 43/10 : Active monitoring, e.g. hea...

H04L 43/106 : using time related informat...

H04L 43/12 : Network monitoring probes

H04L 43/16 : Threshold monitoring

H04L 43/20 : the monitoring system or th...

H04L 45/306 : Route determination based o...

H04L 45/38 : Flow based routing

H04L 45/46 : Cluster building

H04L 45/507 : Label distribution

H04L 45/66 : Layer 2 routing, e.g. in Et...

H04L 45/74 : Address processing for routing

H04L 47/11 : Identifying congestion

H04L 47/20 : Traffic policing

H04L 47/2441 : relying on flow classificat...

H04L 47/2483 : involving identification of...

H04L 47/28 : in relation to timing consi...

H04L 47/31 : by tagging of packets, e.g....

H04L 47/32 : by discarding or delaying d...

H04L 61/5007 : Internet protocol [IP] addr...

H04L 63/0227 : Filtering policies mail mes...

H04L 63/0263 : Rule management

H04L 63/06 : for supporting key manageme...

H04L 63/0876 : based on the identity of th...

H04L 63/1408 : by monitoring network traff...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/145 : the attack involving the pr...

H04L 63/1458 : Denial of Service

H04L 63/1466 : Active attacks involving in...

H04L 63/16 : Implementing security featu...

H04L 63/20 : for managing network securi...

H04L 67/01 : Protocols

H04L 67/10 : in which an application is ...

H04L 67/1001 : for accessing one among a p...

H04L 67/12 : specially adapted for propr...

H04L 67/51 : Discovery or management the...

H04L 67/535 : Tracking the activity of th...

H04L 67/75 : Indicating network or usage...

H04L 69/16 : Implementation or adaptatio...

H04L 69/22 : Parsing or analysis of headers

H04L 7/10 : Arrangements for initial sy...

H04L 9/0866 : involving user or device id...

H04L 9/3239 : involving non-keyed hash fu...

H04L 9/3242 : involving keyed hash functi...

H04W 72/54 : based on quality criteria

H04W 84/18 : Self-organising networks, e...

View All

Conditional policies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

540 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Conditional policies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

540 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others