Method and systems for controlling access to computing resources based on known security vulnerabilities

US 20070143851A1
Filed: 06/13/2006
Published: 06/21/2007
Est. Priority Date: 12/21/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method operable on a computer for controlling the operation of a computing system in response to a security vulnerability, comprising:

the computing system running software subject to at least one security vulnerability;

establishing a policy based on the status of the at least one security vulnerability including at least one rule and an analysis method for determining compliance with the rule;

receiving information relating to the status of the at least one security vulnerability of the software program;

processing the information relating to the status using the analysis method;

determining, based on the processing, the compliance of the at least one security vulnerability in relation to the rule; and

controlling, based on the determining, the operation of the computing system.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are provided for fine tuning access control by remote, endpoint systems to host systems. Multiple conditions/states of one or both of the endpoint and host systems are monitored, collected and fed to an analysis engine. Using one or more of many different flexible, adaptable models and algorithms, an analysis engine analyzes the status of the conditions and makes decisions in accordance with pre-established policies and rules regarding the security of the endpoint and host system. Based upon the conditions, the policies, and the analytical results, actions are initiated regarding security and access matters. In one described embodiment of the invention, the monitored conditions include software vulnerabilities.

1066 Citations

28 Claims

1. A method operable on a computer for controlling the operation of a computing system in response to a security vulnerability, comprising:
- the computing system running software subject to at least one security vulnerability;
  
  establishing a policy based on the status of the at least one security vulnerability including at least one rule and an analysis method for determining compliance with the rule;
  
  receiving information relating to the status of the at least one security vulnerability of the software program;
  
  processing the information relating to the status using the analysis method;
  
  determining, based on the processing, the compliance of the at least one security vulnerability in relation to the rule; and
  
  controlling, based on the determining, the operation of the computing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 wherein the software is a commercial product and the information relating to the status of the at least one known security vulnerability is made available to users of the software.
  - 3. The method of claim 2 wherein the step of receiving information includes the steps of:
    - identifying a remote data repository wherein the information relating to the status of the at least one security vulnerability is available;
      
      periodically checking the remote data repository to determine the availability of the information relating to the status; and
      
      retrieving the information relating to the status.
  - 4. The method of claim 3 wherein the step of receiving information further includes the step of storing locally the information relating to the status.
  - 5. The method of claim 4 wherein the information relating to the status is selected from the group including a quantitative value and a non-quantitative value.
  - 6. The method of claim 5 and further including the step of, prior to the processing, converting a non-quantitative value to a quantitative value.
  - 7. The method of claim 6 wherein the analysis method is a quantitative analysis method.
  - 8. The method of claim 1 wherein the step of controlling includes the step of taking a first action to negate the security vulnerability.
  - 9. The method of claim 8 further including the steps of:
    - determining if the first action to negate the security vulnerability was successful; and
      
      taking, if the first action to negate the security vulnerability was not successful, a second action to diminish the threat of the security vulnerability.
  - 10. The method of claim 9 wherein the second action is selected from a list comprising restricting access to a resource accessible using the computing system, automatically initiating an update to the software and automatically notifying an operator of the computing system.
  - 11. The method of claim 1 and further including the steps of:
    - identifying within the computing system a plurality of conditions, each condition having a state; and
      
      the policy further based upon the state of the conditions.
  - 12. The method of claim 11 wherein at least one condition state is a quantitative value and at least one condition state is a non-quantitative value and wherein the analysis method includes the combination of a quantitative analysis method and a non-quantitative analysis method.
  - 13. The method of claim 11 wherein the step of identifying includes using a software agent.
  - 14. The method of claim 13 wherein the step of controlling includes transmitting to the software agent an instruction to take an action.
  - 15. The method of claim 1 wherein the computing system comprises at least one of a host computing system including a computing resource and an end point computing system pursuing access to the resource of the host computing system.
  - 16. The method of claim 15 wherein the steps of establishing, receiving, processing, determining, and controlling are performed on at least one of the group comprising the computing system, the endpoint computing system and a policy management system connected to at least one of the computing system and the endpoint computing system.

17. A system for controlling the operation of a computing system in response to a security vulnerability, comprising:
- a processor;
  
  a memory connected to the processor and storing instructions for controlling the operation of the processor to perform the steps of identifying the computing system running software subject to at least one security vulnerability;
  
  storing a policy based on the status of the at least one security vulnerability including at least one rule and an analysis method for determining compliance with the rule;
  
  receiving information relating to the status of the at least one known security vulnerability of the software program;
  
  processing the information relating to the status using the analysis method;
  
  determining, based on the processing, the compliance of the at least one security vulnerability in relation to the rule; and
  
  controlling, based on the determining, the operation of the host computing system.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17 wherein the step of receiving information relating to the status of the security vulnerability includes the steps of:
    - identifying a remote data repository wherein the information relating to the status of the at least one known security vulnerability is available;
      
      periodically checking the remote data repository to determine the availability of the information relating to the status; and
      
      retrieving the information relating to the status.
  - 19. The method of claim 18 wherein the step of receiving information further includes the step of storing locally the information relating to the status.
  - 20. The method of claim 17 wherein the step of receiving information relating to the state of each of the plurality of conditions includes using a plurality of software agents to collect state information and at least one manager to aggregate the state information collected by the software agents.

17-1. A method operable on a computer for controlling the access of an endpoint computing system to a host computing system in response to a security vulnerability, comprising:
- identifying within at least one of the endpoint and host systems a plurality of conditions, each condition having a state;
  
  operating on at least one of the host computing system and the endpoint computing system a software program subject to at least one security vulnerability;
  
  establishing a policy based on the status of the at least one security vulnerability and the state of each of the plurality of conditions, the policy including at least one rule and an analysis method for determining compliance with the rule;
  
  receiving information relating to the status of the at least one known security vulnerability of the software program;
  
  receiving information relating to the state of each of the plurality of conditions;
  
  processing the information relating to the status of the at least one known security vulnerability and the state of each of the plurality of conditions using the analysis method;
  
  determining, based on the processing, the compliance of the at least one security vulnerability and the plurality of conditions with the rule; and
  
  controlling, based on the determining, access of the endpoint system to a resource of the host computing system.

21. A system for controlling the access of an endpoint computing system to a host computing system in response to a security vulnerability, comprising:
- means for identifying within at least one of the endpoint and host systems a plurality of conditions, each condition having a state;
  
  means for operating on at least one of the host computing system and the endpoint computing system a software program subject to at least one security vulnerability;
  
  means for establishing a policy based on the status of the at least one security vulnerability and the state of each of the plurality of conditions, the policy including at least one rule and an analysis method for determining compliance with the rule;
  
  means for receiving information relating to the status of the at least one known security vulnerability of the software program;
  
  means for receiving information relating to the state of each of the plurality of conditions;
  
  means for processing the information relating to the status of the at least one known security vulnerability and the state of each of the plurality of conditions using the analysis method;
  
  means for determining, based on the processing, the compliance of the at least one security vulnerability and the plurality of conditions with the rule; and
  
  means for controlling, based on the determining, access of the endpoint system to a resource of the host computing system.

22. A method for generating signals to control the access of an endpoint computing system to a resource in a host computing system, comprising:
- collecting a state for each of a plurality of conditions in at least one of the endpoint computing system and the host computing system;
  
  collecting a status of a known security vulnerability for a software program operating on at least one of the host computing system and the endpoint computing system;
  
  identifying a policy for determining access of the endpoint computing system to the resource, the policy including at least one rule and an analysis method for determining compliance with the rule;
  
  processing, using the analysis method, the state of each of the plurality of conditions and the status of the known security vulnerability;
  
  determining, based upon the processing, if the conditions and the known security vulnerability are in compliance with the rule; and
  
  generating, based upon the determining, a signal usable to control the access of the endpoint computing system to the resource.
- View Dependent Claims (23)
- - 23. The method of claim 22 wherein the endpoint computing system is selected from the group including a user of the host computing system and an endpoint computing system separate from the host system.

24. A program product containing instructions to control the operation of a computing system to control the access of an endpoint computing system to a resource in a host computing system, the instructions operable on the computing system to cause the computing system to perform a process comprising:
- collecting a state for each of a plurality of conditions in at least one of the endpoint computing system and the host computing system;
  
  collecting a status of a known security vulnerability for a software program operating on at least one of the host computing system and the endpoint computing system;
  
  identifying a policy for determining access of the endpoint computing system to the resource, the policy including at least one rule and an analysis method for determining compliance with the rule;
  
  processing, using the analysis method, the state of each of the plurality of conditions and the status of the known security vulnerability;
  
  determining, based upon the processing, if the conditions and the known security vulnerability are in compliance with the rule; and
  
  generating, based upon the determining, a signal usable to control the access of the endpoint computing system to the resource.

25. A method for developing a compliance policy to control the access of an endpoint computing system to a resource in a host computing system, comprising:
- identifying a plurality of conditions in at least one of the endpoint computing system and the host computing system, each of the plurality of conditions including an associated state, at least one of the plurality of conditions relating to a risk of a known security vulnerability; and
  
  developing a policy for determining the access of the endpoint computing system to the resource, the policy including a rule and at least one analysis method for processing the states of the plurality of conditions to determine if the plurality of conditions are in compliance with the rule.
- View Dependent Claims (27)
- - 27. The method of claim 25 wherein the at least one condition relating to a risk of a known security vulnerability includes a state determined at least in part by security risk information provided by a third-party.

28. A system for developing a compliance policy to control the access of an endpoint computing system to a resource in a host computing system, comprising:
- means for identifying a plurality of conditions in at least one of the endpoint computing system and the host computing system, each of the plurality of conditions including an associated state, at least one of the plurality of conditions relating to a risk of a known security vulnerability; and
  
  means for developing a policy for determining the access of the endpoint computing system to the resource, the policy including a rule and at least one analysis method for processing the states of the plurality of conditions to determine if the plurality of conditions are in compliance with the rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Daedalus Blue LLC
Original Assignee
Fiberlink
Inventors
Nicodemus, Blair, Stephens, Billy

Application Number

US11/451,950
Publication Number

US 20070143851A1
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 11/3495   for systems

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

Method and systems for controlling access to computing resources based on known security vulnerabilities

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

1066 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method and systems for controlling access to computing resources based on known security vulnerabilities

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1066 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links