Declarative language for specifying a security policy

US 20040250112A1
Filed: 06/15/2004
Published: 12/09/2004
Est. Priority Date: 01/07/2000
Status: Active Grant

First Claim

Patent Images

1. A declarative language system for specifying in an annotated policy specification a security policy of a network event, wherein said network event comprises a stack having a plurality of protocol events, wherein each of said plurality of protocol events is associated with a predefined protocol layer, and wherein said network event is an interaction between an active principal and a passive principal, said declarative language system comprising:

a declarative language comprising a plurality of objects, such that each object of said plurality of objects comprises at least one list having a first element;

a declarative language editor for providing means for specifying in a first policy specification said security policy using said declarative language;

a declarative language compiler for providing means for compiling said first policy specification and generating said annotated policy specification;

means for loading said annotated policy specification into a policy engine;

means for said policy engine to receive said network event from an agent;

means for said policy engine to evaluate said security policy against said network event and to generate a disposition for said network event;

means for said policy engine to communicate agent directives to said agent; and

means for said policy engine to output said network event and said disposition to a datastore.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention is a declarative language system and comprises a language as a tool for expressing network security policy in a formalized way. It allows the specification of security policy across a wide variety of networking layers and protocols. Using the language, a security administrator assigns a disposition to each and every network event that can occur in a data communications network. The event'"'"'s disposition determines whether the event is allowed (i.e. conforms to the specified policy) or disallowed and what action, if any, should be taken by a system monitor in response to that event. Possible actions include, for example, logging the information into a database, notifying a human operator, and disrupting the offending network traffic.

173 Citations

View as Search Results

52 Claims

1. A declarative language system for specifying in an annotated policy specification a security policy of a network event, wherein said network event comprises a stack having a plurality of protocol events, wherein each of said plurality of protocol events is associated with a predefined protocol layer, and wherein said network event is an interaction between an active principal and a passive principal, said declarative language system comprising:
- a declarative language comprising a plurality of objects, such that each object of said plurality of objects comprises at least one list having a first element;
  
  a declarative language editor for providing means for specifying in a first policy specification said security policy using said declarative language;
  
  a declarative language compiler for providing means for compiling said first policy specification and generating said annotated policy specification;
  
  means for loading said annotated policy specification into a policy engine;
  
  means for said policy engine to receive said network event from an agent;
  
  means for said policy engine to evaluate said security policy against said network event and to generate a disposition for said network event;
  
  means for said policy engine to communicate agent directives to said agent; and
  
  means for said policy engine to output said network event and said disposition to a datastore.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 2. The system of claim 1, wherein said declarative language uses the S-expression language.
  - 3. The system of claim 2, wherein the S-expression language is a variant by Rivest used in SPKI/SDSI.
  - 4. The system of claim 3, wherein for said each object, said first element of said list is a type, such that said type is associated with said each object.
  - 5. The system of claim 4, wherein said type is a byte string.
  - 6. The system of claim 3, wherein a canonical representation of said S-expression language is supported.
  - 7. The system of claim 3, wherein an advanced representation of said S-expression language is supported.
  - 8. The system of claim 6, wherein said canonical representation is digitally signed.
  - 9. The system of claim 2, wherein said declarative language allows embedded comments in said S-expression language.
  - 10. The system of claim 2, wherein said declarative language supports macros.
  - 11. The system of claim 2, wherein said declarative language supports included files.
  - 12. The system of claim 1, wherein said each object is a first-class object.
  - 13. The system of claim 12, wherein said first-class object is a built-in object, such that said built-in first-class object is associated with said declarative language compiler, and wherein said built-in first-class object is unextendable within said annotated policy specification.
  - 14. The system of claim 12, wherein said first-class object is a user-defined object.
  - 15. The system of claim 12, wherein said first-class object further comprises a description field.
  - 16. The system of claim 12, wherein said first-class object is any of:
    - a policy;
      
      a group;
      
      a credential, said credential having a specificity;
      
      a condition;
      
      a disposition; and
      
      a rule, said rule having an outcome.
  - 17. The declarative language of claim 16, wherein said policy comprises:
    - a name parameter for referencing said security policy;
      
      a version number parameter associated with a version of said declarative language; and
      
      at least one rule of a plurality of rules.
  - 18. The system of claim 17, wherein said group comprises:
    - a union object, said union object comprising a plurality of items, each item having a same type;
      
      a name parameter for said union object; and
      
      a type parameter for defining said same type of said plurality of items.
  - 19. The system of claim 18, wherein one of said plurality of items is a second group comprising a second union object, said second union object comprising a second plurality of items, each item of said second plurality of items having said same type.
  - 20. The system of claim 18, wherein said type is a primitive data type in said declarative language.
  - 21. The system of claim 20, wherein said primitive data type includes, but is not limited to, any of:
    - a string;
      
      an IP address;
      
      a MAC address;
      
      an integer;
      
      a version number; and
      
      a hash value.
  - 22. The system of claim 16, wherein said credential comprises:
    - a name parameter for referencing said credential; and
      
      at least one assertion, wherein said assertion is a logical expression comprising;
      
      a plurality of attributes, each of said plurality of attributes having an attribute-value; and
      
      a plurality of logical operands;
      
      wherein said credential is associated with one of said active principal and said passive principal in said event, and wherein said credential has a specificity; and
      
      wherein said credential is associated with a first protocol, said first protocol having a set of associated attributes and a set of associated operands.
  - 23. The system of claim 22, wherein each of plurality of credential attributes comprises an implied fetching function, said function returning a value associated with each of said plurality of credential attributes.
  - 24. The system of claim 23, wherein said function is argumentless and wherein said returned value is a single value.
  - 25. The system of claim 23, wherein said function has a plurality of arguments and wherein said returned value is a union of a plurality of values.
  - 26. The system of claim 22, wherein said credential further comprises a second credential, wherein said second credential is associated with said first protocol.
  - 27. The system of claim 16, wherein said condition comprises:
    - a name parameter for referencing said condition; and
      
      at least one assertion, wherein said assertion is a logical expression comprising;
      
      a plurality of attributes, each of said plurality of attributes having an attribute value;
      
      a plurality of logical operands;
      
      wherein said condition defines a constraint on said event; and
      
      wherein said condition is associated with a first protocol, said first protocol having a first set of associated attributes and a first set of associated operands.
  - 28. The system of claim 27, wherein said condition further comprises a second condition wherein said second condition is associated with said first protocol.
  - 29. The system of claim 16, wherein said disposition comprises:
    - a disposition code for indicating one of the absence of a violation of said rule and the presence of said violation of said rule; and
      
      wherein said disposition represents said outcome of said rule.
  - 30. The system of claim 29, further comprising:
    - a logging directive, wherein said logging directive comprises;
      
      a severity code, said severity code indicating a severity level of said disposition; and
      
      a human readable string for providing additional details.
  - 31. The system of claim 30, wherein said severity code is used by a logging subsystem for classifying and filtering said network event.
  - 32. The system of claim 29, further comprising an agent directive having instructions that are communicated to said agent.
  - 33. The system of claim 32, wherein said agent monitors network traffic.
  - 34. The system of claim 32, wherein said agent enforces security policy.
  - 35. The system of claim 16, wherein said rule for evaluating said event comprises:
    - a protocol field associated with said event;
      
      a plurality of actions associated with said event;
      
      an initiator for representing said active principal of said event;
      
      a target for representing said passive principal of said event; and
      
      means for said outcome to generate a disposition by specifying constraints upon said event, said outcome comprising;
      
      at least one of a plurality of conditional statements and a default statement, wherein each of said plurality of conditional statement comprises a keyword and a disposition, and wherein said plurality of conditional statements are evaluated in chronological order.
  - 36. The system of claim 35, further comprising:
    - an agent field for representing said agent associated with said event, wherein said agent field is associated with an agent credential and wherein said rule is applied when said agent credential is satisfied.
  - 37. The system of claim 35, further comprising:
    - a prerequisite having a plurality of rules, such that said prerequisite is satisfied when at least one of said plurality of rules is applied to a prior event.
  - 38. The system of claim 1, further comprising:
    - an annotated specification language;
      
      wherein said first policy specification further comprises;
      
      a plurality of credentials, a plurality of conditions, a plurality of rules;
      
      wherein means for compiling comprises;
      
      means for checking said first policy specification for syntax errors and semantics errors;
      
      means for checking said first policy specification for credential errors;
      
      means for checking said first policy specification for condition errors;
      
      means for checking said first policy specification for completeness and coverage of said plurality of rules;
      
      means for ordering said plurality of credentials by using said annotated specification language, whereby for each of said plurality of credentials a credential rank is determined; and
      
      means for ordering said plurality of rules by using said annotated specification language.
  - 39. The system of claim 38, further comprising:
    - an annotated specification language for providing additional information to said means to evaluate;
      
      means for said policy engine to receive said plurality of protocol events and to provide a sequencing of said plurality of protocol events by using said associated predefined protocol layers;
      
      means for said policy engine to select a policy rule associated with each of said plurality of protocol events, using a specificity of said policy rule;
      
      means for said policy engine to determine said policy rule outcome;
      
      means for said policy engine to render said policy rule as a pending policy rule; and
      
      means for said policy engine to render one of said policy rule and said pending policy rule as final.
  - 40. The system of claim 39, wherein said policy engine is adapted to receive and evaluate incomplete data in any of said plurality of protocol events.
  - 41. The system of claim 38, wherein said means for ordering said plurality of credentials further comprises:
    - means for computing a combined weight for each of said plurality of credentials of each attribute weight, having a plurality of attribute-value assertions of said plurality of credential attributes, wherein each attribute weight comprises;
      
      an attribute rank;
      
      an assertion type rank;
      
      an attribute assertion count;
      
      means for computing a second combined weight of a subset of said plurality of attribute-value assertions operated on by a logical operator;
      
      means for computing a credential weight penalty for each of said plurality of credentials; and
      
      means for comparing said plurality of credentials.
  - 42. The system of claim 41, wherein said attribute weight is represented by a 3-tuple having a weight keyword in said annotated specification language.
  - 43. The system of claim 41, wherein said logical operator is any of and, or, and not.
  - 44. The system of claim 41, wherein means for compiling comprises means for a security administrator to configure said attribute rank.
  - 45. The system of claim 38, wherein means for ordering said plurality of rules comprises:
    - a plurality of predetermined protocols;
      
      a plurality of predetermined protocol-action groups;
      
      means to assign each of said rules to one of said predetermined protocols;
      
      means to assign each of said rules to one of said predetermined protocol-action groups;
      
      means to rank each of said rules in said predetermined protocol-action groups by using said credential ranking value for said target credential of said rule and by using said credential ranking value for said initiator credential of said rule;
      
      means to sort in increasing order each of said ranked rules in said predetermined protocol-action groups.
  - 46. The system of claim 45, further comprising:
    - means to force said rule ranking value for any of each of said rules using said annotated specification language, said annotated specification language having a rank-above expression having a rule-name parameter.
  - 47. The system of claim 45, further comprising:
    - a 2-tuple for each said rule, said 2-tuple having a first element and a second element;
      
      wherein said first element is a highest credential ranking value of said target credential and initiator credential; and
      
      wherein said second element is a lowest credential ranking value of said target credential and initiator credential; and
      
      wherein means to sort uses said 2-tuple of each rule.

48. A method for evaluating a policy using a plurality of policy rules, each rule having a ranking and a disposition, to a protocol event reported by an agent, said protocol event having a protocol, a protocol action, a target credential, and an initiator credential, comprising the steps of:
- selecting a first set of rules from said plurality of policy rules, such that each rule is associated with said agent;
  
  selecting a second set of rules from said first set of rules, such that each rule is associated with said protocol from said event;
  
  selecting a third set of rules from said second set of rules, such that each rule is associated with said protocol action from said event;
  
  searching for a most specific policy rule from said third set, such that said most specific policy rule is satisfied by said protocol event and generating an error disposition when said most specific policy rule is undetermined;
  
  checking said third set of rules for a fourth set of rules having same said ranking as said selected most specific policy rule; and
  
  providing means to select a single applicable rule from said fourth set of rules.
- View Dependent Claims (49, 50)
- - 49. The method of claim 48, further comprising the step of:
    - producing a final disposition for a network event, wherein said network event comprises said protocol event.
  - 50. The method of claim 48, wherein the step of searching for a most specific policy rule further comprises the steps of:
    - satisfying any of a plurality of prerequisite rules by a previous protocol event in an order corresponding to an order of said plurality of prerequisite rules; and
      
      matching a rule target credential and a rule initiator credential with said event target credential and said event initiator credential.

51. A method for processing an outcome of a policy rule associated with a protocol event of a network event, comprising the steps of:
- if said outcome is specified and immediate, executing said outcome, producing thereby a disposition for said protocol, and designating said disposition final for said network event if said disposition comprises a final disposition code;
  
  designating said policy rule a pending policy rule for said network event;
  
  promoting said pending policy rule to selected policy rule, if further protocol events are absent;
  
  executing a final outcome of said selected policy rule; and
  
  producing a final disposition for said network event of said selected policy rule final outcome.

52. A computer implemented system for interpreting different protocols, comprising:
- a language;
  
  a policy editor adapted to use said language;
  
  a policy specification generated by said policy editor and written in said language;
  
  a policy engine receiving at least one event, wherein said policy engine is associated with said policy specification, and wherein said policy engine interprets said language; and
  
  a disposition generated by said policy engine using said event and said policy specification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Secure Computing LLC (McAfee, LLC)
Inventors
Cooper, Geoffrey Howard, Sherlock, Kieran Gerard, Shaw, Robert Allen, Valente, Luis Filipe Pereira

Granted Patent

US 7,478,422 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

H04L 41/0609   based on severity or priority

H04L 41/069   using logs of notifications...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/22   comprising specially adapte...

H04L 41/50   Network service management,...

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

Declarative language for specifying a security policy

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

173 Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Declarative language for specifying a security policy

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

173 Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links