System And Methodology For Providing Community-Based Security Policies

US 20040019807A1
Filed: 05/14/2003
Published: 01/29/2004
Est. Priority Date: 05/15/2002
Status: Active Grant

First Claim

Patent Images

1. In a system comprising a plurality of devices connected to a network, a method for regulating network access at a particular device, the method comprising:

providing at a plurality of devices connected to a network a security module for establishing security settings, said security settings for regulating network access at said plurality of devices;

collecting information about established security settings from at least some of said plurality of devices;

generating consensus security settings based upon the collected information; and

in response to a request for network access at a particular device, determining whether or not to permit network access based, at least in part, upon the consensus security settings.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and methodology for providing community-based security policies is described. In one embodiment in a system comprising a plurality of devices connected to a network, a security module is provided for establishing security settings for regulating network access at these devices. Information is collected from at least some the devices about the security settings established on such devices and consensus security settings are generated based upon the collected information. In response to a request for network access at a particular device, determining whether or not to permit network access is based, at least in part, upon the consensus security settings.

300 Citations

47 Claims

1. In a system comprising a plurality of devices connected to a network, a method for regulating network access at a particular device, the method comprising:
- providing at a plurality of devices connected to a network a security module for establishing security settings, said security settings for regulating network access at said plurality of devices;
  
  collecting information about established security settings from at least some of said plurality of devices;
  
  generating consensus security settings based upon the collected information; and
  
  in response to a request for network access at a particular device, determining whether or not to permit network access based, at least in part, upon the consensus security settings.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the network comprises the Internet.
  - 3. The method of claim 1, wherein said security settings specify particular programs which are allowed network access.
  - 4. The method of claim 1, wherein said security settings specify particular types of network access which are allowed.
  - 5. The method of claim 1, wherein said step of establishing security settings includes obtaining user input as to whether a particular program should be allowed network access.
  - 6. The method of claim 1, wherein said security module automatically transmits said information about established security settings to a repository.
  - 7. The method of claim 1, wherein said collecting step includes collecting information about whether a particular program is permitted to access the network.
  - 8. The method of claim 7, wherein said generating step includes determining whether at least a majority of users permit a particular program to access the network.
  - 9. The method of claim 1, wherein said generating step includes using a weighted voting technique.
  - 10. The method of claim 9, further comprising:
    - automatically permitting network access if access is permitted under said consensus security settings.
  - 11. The method of claim 9, further comprising:
    - automatically blocking network access if access is blocked under said consensus security settings.
  - 12. The method of claim 1, wherein said generating step includes determining whether a particular program requesting access is known to be a malicious program.
  - 13. The method of claim 1, wherein said determining'"'"'step includes the substeps of:
    - identifying a particular program requesting network access;
      
      if said particular program is included in security settings established at the particular computer, determining whether to permit network access based upon said security settings at the particular computer; and
      
      otherwise, if said particular program is not included in said security settings at said particular computer, determining whether to permit network access based upon the consensus security settings.
  - 14. The method of claim 1, wherein said request for network access comprises a request for access to the Internet.
  - 15. The method of claim 1, wherein said determining step includes using a “
    - firewall”
      
      application for selectively blocking network access.
  - 16. A computer-readable medium having computer-executable instructions for performing the method of claim 1.
  - 17. A downloadable set of computer-executable instructions for performing the method of claim 1.

18. A system for managing access to resources on a per program basis, the system comprising:
- a plurality of computers capable of connecting to resources;
  
  a policy module enabling security policies to be defined at said plurality of computers;
  
  a voting module collecting the security policies from said plurality of computers and generating a community-based security policy based upon the collected security policies; and
  
  an enforcement module for trapping a request for access to resources from a particular program at a particular computer and determining whether to permit access to the resources based, at least in part, upon the community-based security policy.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 19. The system of claim 18, wherein access to the resources comprises access to a network.
  - 20. The system of claim 19, wherein the network comprises the Internet.
  - 21. The system of claim 18, wherein said security policies specify particular programs which are allowed to access the resources.
  - 22. The system of claim 21, wherein said security policies specify particular types of access which are allowed.
  - 23. The system of claim 18, wherein said policy module provides for obtaining user input as to whether a particular program should be allowed to access the resources.
  - 24. The system of claim 18, wherein said policy module automatically transmits said security policies to the voting module.
  - 25. The system of claim 18, wherein said voting module determines whether a particular application is permitted access to the resources under at least a majority of the collected security policies.
  - 26. The system of claim 18, wherein said voting module generates a community-based security policy based upon whether access to the resources is permitted by a selected percentage of the collected security policies.
  - 27. The system of claim 18, wherein said policy module enables a user to automatically permit access to the resources if access is permitted under the community-based security policy.
  - 28. The system of claim 18, wherein said enforcement module includes using a “
    - firewall”
      
      component for selectively blocking access to the resources.
  - 29. The system of claim 18, wherein said enforcement module displays the community-based security policy to a user to assist a user in deciding whether to permit access to the resources.

30. A method for assisting a user in configuring a program, the method comprising:
- providing a configuration module at a plurality of computers connected to a network, the configuration module enabling a user to adopt configuration settings for the program;
  
  collecting votes from at least some users of the program based upon the configuration settings adopted by said at least some users at said plurality of computers;
  
  generating recommended configuration settings by tallying the collected votes; and
  
  displaying the recommended configuration settings at a particular computer to assist a user in configuring the program.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 31. The method of claim 30, wherein said configuration setting includes whether a particular program is permitted to access the network.
  - 32. The method of claim 30, wherein said configuration setting includes a security setting.
  - 33. The method of claim 30, wherein said configuration module provides for obtaining user input as to whether a particular program should be allowed to access the network.
  - 34. The method of claim 30, wherein said configuration module automatically transmits a vote based upon the configuration setting adopted by a user.
  - 35. The method of claim 30, wherein said generating step includes determining the configuration setting adopted by at least a majority of users from which votes are collected.
  - 36. The method of claim 30, further comprising:
    - automatically adopting the recommended configuration settings for configuration of the program at said particular computer.
  - 37. The method of claim 30, wherein said generating step includes utilizing a weighted voting calculation.
  - 38. The method of claim 30, wherein said displaying step includes displaying the recommended configuration settings in response to a request for access to the network at said particular computer.
  - 39. The method of claim 30, wherein said displaying step includes displaying voting information about the recommended configuration settings.

40. In a system comprising a plurality of computers connected to a network, a method for managing network access, the method comprising:
- providing a security module enabling security rules to be defined at said plurality of computers, said security rules identifying programs permitted to access the network;
  
  collecting said security rules from said plurality of computers in a repository to form a community-based security policy;
  
  trapping a request for access to the network from a particular program at a particular computer;
  
  if said particular program is included in said security rules at said particular computer, determining whether to permit access to the network based upon said security rules at said particular computer; and
  
  otherwise, if said particular program is not included in said security rules at said particular computer, determining whether to permit access based upon said community based security policy.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47)
- - 41. The method of claim 40, wherein the network comprises the Internet.
  - 42. The method of claim 40, wherein said security rules specify particular types of network access which are allowed.
  - 43. The method of claim 40, wherein said step of enabling security rules to be defined includes obtaining user input as to whether a particular program should be permitted to access the network.
  - 44. The method of claim 40, wherein said step of forming a community-based security policy includes determining whether at least a majority of users permit a particular program to access the network.
  - 45. The method of claim 44, further comprising:
    - automatically blocking access to the network if access is blocked under said community-based security policy.
  - 46. The method of claim 40, further comprising:
    - utilizing an enforcement module for selectively permitting programs to access the network based upon the community-based security policy.
  - 47. The method of claim 40, further comprising:
    - regulating access to the network based upon the community-based security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Zone Labs Inc. (Check Point Software Technologies Limited)
Inventors
Freund, Gregor P.

Granted Patent

US 7,340,770 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/104   Grouping of entities

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

System And Methodology For Providing Community-Based Security Policies

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

300 Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

System And Methodology For Providing Community-Based Security Policies

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

300 Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links