Monitoring computer network security enforcement
First Claim
1. A method for electronically monitoring security enforcement provisions in a computer network, the method comprising:
receiving, by a security service provider server, a first group of reports including information regarding security violations associated with a network component, wherein the first group of reports was transmitted by a monitoring module of the network component;
detecting, by the security service provider server, a first group of security policy violations based on the first group of reports, the security policy including security rules identifying security enforcement provisions that must be operational on the network component;
detecting, by the security service provider server, a second group of security policy violations based on a failure to receive a second group of reports at a scheduled time, wherein the first group of reports was scheduled to be transmitted by the monitoring module of the network component;
based on the detection of the first and second groups of security policy violations, acting on the network component in a manner in which the computer network operates at a level appropriate to the degree of the first or second group of security violations;
determining a reason for a reset of the monitoring module; and
determining, based on the reason, that the security policy has been one of violated, modified, or circumvented.
Abstract
Methods and systems are disclosed for monitoring activity of a user on a network component, such as an end user computer, in a virtual private network for adherence to a security enforcement provision or policy utilized in the virtual private network. A method of determining whether a security provision in a computer network has been violated is described. It is determined whether the network component has violated, modified or circumvented a security enforcement provision of the computer network. If the detection is affirmative, the network component, such as an end user system, is modified in a manner in which the computer network operates at a level appropriate to the degree of the violation, modification, or circumvention of the security enforcement provision. If instructed to do so, a third party operating the virtual private network is notified of the violation and access to the network by the network component is restricted or terminated. A security enforcement distributed system consists of an agent module on the end user computer and a collector module for receiving data from the agent on a security server computer coupled to a data repository. Also on the security server are a policy inspector for checking compliance with a security provision and a notifier and access control module for informing the network operator of a violation and restricting access by the end user system to the security server.
Claims (18)
1. (Independent claim 1 is reproduced above under First Claim.) Dependent claims: 2-9.
10. A system comprising:
a security service provider server computer coupled to a computer network, the security service provider server computer being configured to detect security policy violations associated with a network component, the detection based on receipt of a first group of reports and failure to receive a second group of reports at designated times, the security policy including a security rule indicating a group of security provisions that must be operational for the network component; determine a reason for a reset of the monitoring module; and evaluate whether the reason indicates that the monitoring module has been one of violated, modified, or circumvented; and
a monitoring module connected to the computer network, the monitoring module configured to transmit the first and second groups of reports at the designated times to the security service provider server computer, the reports including information regarding the network component operation,
an access control module included in the security service provider server computer configured to act, based on the detection, on the network component in a manner in which the computer network operates at a level appropriate to the degree of the violation, modification, or circumvention of the monitoring module.
Dependent claims: 11-15.
16. A system comprising:
a security service provider server computer coupled to a computer network, and including a detecting means and an acting means;
the detecting means for detecting violations within a monitoring module running on a network component included in the network, the monitoring module being utilized to transmit a report to the security service provider server computer, the report including information regarding operation of the network component, the detecting means further for detecting security policy violations based on the report and on absence of the report, the security policy including a security rule identifying security provisions that must be operational for the network component, the detecting means further for determining a reason for a reset of the monitoring module, the detecting means further for determining, based on the reason, that the security policy has been one of violated, modified, or circumvented; and
the acting means for selectively acting on the network component, based on the detection, in a manner in which the network operates at a level appropriate to the degree of the violation of the monitoring module.
17. A machine-readable device comprising instructions executable by a machine, the instructions comprising:
instructions for receiving reports from an enforcement provision monitoring module residing in a network component to a security service provider server, wherein the reports include information about security provisions associated with the network component, and wherein the network component and the security service provider server are connected to the computer network;
instructions for detecting that the network component has violated a security policy, wherein the detecting including comparing the information about the network component to rules indicating a group of security provisions which must be operational for the network component;
instructions for determining that the enforcement provision monitoring module failed to transmit other reports at designated times;
instructions for determining, based on the enforcement provision monitoring module's failure to transmit the other reports and based on pings sent to the enforcement provision monitoring module, that the enforcement provision monitoring module is not operational;
instructions for, after the determining that the enforcement provision monitoring module is not operational and failed to transmit the other reports, preventing the network component from performing certain communications over the network;
instructions for transmitting notifications indicating one or more of the enforcement provision monitoring module is not operational and the network component has violated the security policy;
instructions for determining a reason for a reset of the monitoring module; and
instructions for evaluating whether the reason indicates that the monitoring module has been one of violated, modified, or circumvented.
Dependent claims: 18.
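The independent claims above all describe the same collector-side logic: a first group of violations read out of the reports the endpoint agent sends, a second group inferred from reports that were due but never arrived, a reset of the monitoring module that is evaluated by its reason, and an access-control action graded by the degree of violation. The following is an added example of that logic, not code from the patent or any product it covers. The policy rules, report fields, reset-reason names, violation weights and action thresholds are all constructed for the example.

```python
"""Collector-side policy inspector for endpoint agent reports.

Added example of the scheme the claims describe; policy rules, report
fields, reset-reason names, weights and thresholds are constructed and
are not the patent's own.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Action(IntEnum):
    """Access-control response, least to most restrictive (constructed scale)."""
    NONE = 0
    NOTIFY = 1      # inform the network operator only
    RESTRICT = 2    # block selected communications from the component
    TERMINATE = 3   # remove the component from the network


@dataclass(frozen=True)
class Policy:
    required: frozenset          # provisions that must be operational on the component
    interval: int                # seconds between scheduled agent reports
    grace: int                   # lateness tolerated before a report counts as missing
    benign_resets: frozenset = frozenset({"os_reboot", "scheduled_update"})


@dataclass(frozen=True)
class Report:
    component: str
    ts: int                      # report time in seconds (constructed clock)
    provisions: dict             # provision name -> operational?
    reset_reason: Optional[str] = None   # set when the agent restarted since its last report


@dataclass(frozen=True)
class Violation:
    kind: str        # "provision_down" | "circumvented" | "missed_report"
    detail: str
    weight: int      # contribution to the degree of violation


def detect_from_reports(policy, reports):
    """First group: violations that the received reports themselves reveal."""
    found = []
    for r in reports:
        for name in sorted(policy.required):
            if not r.provisions.get(name, False):
                found.append(Violation("provision_down",
                                       f"{r.component}: {name} not operational at t={r.ts}", 2))
        # A reset of the monitoring module is a violation only when its reason is
        # not one the policy accepts; an unexplained reset is treated as the
        # module having been modified or circumvented.
        if r.reset_reason is not None and r.reset_reason not in policy.benign_resets:
            found.append(Violation("circumvented",
                                   f"{r.component}: monitoring module reset ({r.reset_reason})", 3))
    return found


def detect_missing(policy, component, reports, since, now):
    """Second group: scheduled reports that never arrived.

    A report is due `interval` seconds after the previous one (or after `since`,
    when observation started); a slot is missed once `grace` seconds past its due
    time have elapsed with no report.  A silent agent therefore accumulates
    violations on its own, without any report being received.
    """
    last = max((r.ts for r in reports if r.component == component), default=since)
    found = []
    due = last + policy.interval
    while due + policy.grace <= now:
        found.append(Violation("missed_report",
                               f"{component}: report due at t={due} not received", 2))
        due += policy.interval
    return found


def decide(violations):
    """Map the degree of violation (sum of weights) to an action; thresholds are constructed."""
    degree = sum(v.weight for v in violations)
    if degree == 0:
        return Action.NONE
    if degree <= 2:
        return Action.NOTIFY
    if degree <= 5:
        return Action.RESTRICT
    return Action.TERMINATE


def inspect(policy, component, reports, since, now):
    """Run both detections for one component and return (violations, action)."""
    own = [r for r in reports if r.component == component]
    violations = detect_from_reports(policy, own) + detect_missing(policy, component, own, since, now)
    return violations, decide(violations)


# Constructed sample input: three endpoints reporting to the collector every 60 s.
POLICY = Policy(required=frozenset({"antivirus", "firewall"}), interval=60, grace=10)
REPORTS = [
    Report("host-a", 0, {"antivirus": True, "firewall": True}),
    Report("host-a", 60, {"antivirus": True, "firewall": True}),
    Report("host-a", 120, {"antivirus": True, "firewall": False}),   # firewall down, then silence
    Report("host-b", 0, {"antivirus": True, "firewall": True}),
    Report("host-b", 60, {"antivirus": True, "firewall": True}, reset_reason="os_reboot"),
    Report("host-b", 120, {"antivirus": True, "firewall": True}, reset_reason="user_killed"),
    Report("host-b", 180, {"antivirus": True, "firewall": True}),
    Report("host-c", 180, {"antivirus": True, "firewall": True}),     # healthy, on time
]

if __name__ == "__main__":
    for host in ("host-a", "host-b", "host-c", "host-d"):   # host-d never reported at all
        found, action = inspect(POLICY, host, REPORTS, since=0, now=190)
        print(host, action.name, [v.detail for v in found])
```

Evaluating at t=190, host-a is restricted (firewall not operational plus one missed report), host-b is restricted for an unexplained reset even though every provision it reports is operational, host-c gets no action, and host-d, which never reported, is terminated purely on absent reports; running host-a again at t=300 escalates it to termination as further slots are missed. The two detection paths are kept separate on purpose so that an operator can see whether a component was acted on for what it reported or for not reporting.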