Monitoring computer network security enforcement

US 8,001,594 B2
Filed: 06/10/2002
Issued: 08/16/2011
Est. Priority Date: 07/30/2001
Status: Active Grant

First Claim

Patent Images

1. A method for electronically monitoring security enforcement provisions in a computer network, the method comprising:

receiving, by a security service provider server, a first group of reports including information regarding security violations associated with a network component, wherein the first group of reports was transmitted by a monitoring module of the network component;

detecting, by the security service provider server, a first group of security policy violations based on the first group of reports, the security policy including security rules identifying security enforcement provisions that must be operational on the network component;

detecting, by the security service provider server, a second group of security policy violations based on a failure to receive a second group of reports at a scheduled time, wherein the first group of reports was scheduled to be transmitted by the monitoring module of the network component;

based on the detection of the first and second groups of security policy violations, acting on the network component in a manner in which the computer network operates at a level appropriate to the degree of the first or second group of security violationsdetermining a reason for a reset of the monitoring module; and

determining, based on the reason, that the security policy has been one of violated, modified, or circumvented.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are disclosed for monitoring activity of a user on a network component, such as an end user computer, in a virtual private network for adherence to a security enforcement provision or policy utilized in the virtual private network. A method of determining whether a security provision in a computer network has been violated is described. It is determined whether the network component has violated, modified or circumvented a security enforcement provision of the computer network. If the detection is affirmative, the network component, such as an end user system, is modified in a manner in which the computer network operates at a level appropriate to the degree of the violation, modification, or circumvention of the security enforcement provision. If instructed to do so, a third party operating the virtual private network is notified of the violation and access to the network by the network component is restricted or terminated. A security enforcement distributed system consists of an agent module on the end user computer and a collector module for receiving data from the agent on a security server computer coupled to a data repository. Also on the security serer are a policy inspector for checking compliance with a security provision and a notifier and access control module for informing the network operator of a violation and restricting access by the end user system to the security server.

111 Citations

View as Search Results

18 Claims

1. A method for electronically monitoring security enforcement provisions in a computer network, the method comprising:
- receiving, by a security service provider server, a first group of reports including information regarding security violations associated with a network component, wherein the first group of reports was transmitted by a monitoring module of the network component;
  
  detecting, by the security service provider server, a first group of security policy violations based on the first group of reports, the security policy including security rules identifying security enforcement provisions that must be operational on the network component;
  
  detecting, by the security service provider server, a second group of security policy violations based on a failure to receive a second group of reports at a scheduled time, wherein the first group of reports was scheduled to be transmitted by the monitoring module of the network component;
  
  based on the detection of the first and second groups of security policy violations, acting on the network component in a manner in which the computer network operates at a level appropriate to the degree of the first or second group of security violationsdetermining a reason for a reset of the monitoring module; and
  
  determining, based on the reason, that the security policy has been one of violated, modified, or circumvented.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising:
    - transmitting a notification to an operator of the computer network, the notification indicating the detection of the first or second groups of security policy violations.
  - 3. The method of claim 2, wherein the operator is a system administrator of the computer network.
  - 4. The method of claim 1, including storing network component information within the monitoring module.
  - 5. The method of claim 1 further comprising:
    - determining, based on the first group of reports, that the network component has been operational over a specified duration.
  - 6. The method of claim 1 further comprising determining, based on the first group of reports, the monitoring module has not been running continuously since a most recent boot up of the network component.
  - 7. The method of claim 1, wherein the acting on the network component comprises at least one of disconnecting the network component from the computer network, disabling a user virtual private network (VPN) service of the network component, shutting down the network component, and denying an access of the network component to the computer network.
  - 8. The method of claim 1 further comprising:
    - transmitting, by the security service provider server, the scheduled time.
  - 9. The method of claim 1 wherein the receiving of the first group of reports is done over a connection created by the network component.

10. A system comprising:
- a security service provider server computer coupled to a computer network, the security service provider server computer being configured todetect security policy violations associated with a network component, the detection based on receipt of a first group of reports and failure to receive a second group of reports at designated times, the security policy including a security rule indicating a group of security provisions that must be operational for the network component;
  
  determine a reason for a reset of the monitoring module; and
  
  evaluate whether the reason indicates that the monitoring module has been one of violated, modified, or circumvented; and
  
  a monitoring module connected to the computer network, the monitoring module configured to transmit the first and second groups of reports at the designated times to the security service provider server computer, the reports including information regarding the network component operation,an access control module included in the security service provider server computer configured to act, based on the detection, on the network component in a manner in which the computer network operates at a level appropriate to the degree of the violation, modification, or circumvention of the monitoring module.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the security service provider server computer includes a notifier module configured to provide, based on the detection of the first and second groups of security policy violations, a notification of the detection to an operator of the computer network.
  - 12. The system of claim 10, wherein the security service provider server computer is to determine whether one or more of the second group of reports are one of absent, late, or not transmitted at a prescheduled time.
  - 13. The system of claim 10, wherein the security service provider server computer is further configured to determine whether the monitoring module has not been running continuously since a most recent boot up of the network component.
  - 14. The system of claim 10, wherein the security service provider server computer is further configured to determine whether the reason for the reset is one of a termination and a reset by a user of the network component.
  - 15. The system of claim 10, wherein the access control module is to disconnect the network component from the computer network, to disable a user virtual private network (VPN) service of the network component, to shut down the network component, and to deny an access of the network component to the computer network.

16. A system comprising:
- a security service provider server computer coupled to a computer network, and including a detecting means and an acting means;
  
  the detecting means for detecting violations within a monitoring module running on a network component included in the network, the monitoring module being utilized to transmit a report to the security service provider server computer, the report including information regarding operation of the network component, the detecting means further for detecting security policy violations based on the report and on absence of the report, the security policy including a security rule identifying security provisions that must be operational for the network component, the detecting means further for determining a reason for a reset of the monitoring module, the detecting means further for determining, based on the reason, that the security policy has been one of violated, modified, or circumvented; and
  
  the acting means for selectively acting on the network component, based on the detection, in a manner in which the network operates at a level appropriate to the degree of the violation of the monitoring module.

17. A machine-readable device comprising instructions executable by a machine, the instructions comprising:
- instructions for receiving reports from an enforcement provision monitoring module residing in a network component to a security service provider server, wherein the reports include information about security provisions associated with the network component, and wherein the network component and the security service provider server are connected to the computer network;
  
  instructions for detecting that the network component has violated a security policy, wherein the detecting including comparing the information about the network component to rules indicating a group of security provisions which must be operational for the network component;
  
  instructions for determining that the enforcement provision monitoring module failed to transmit other reports at designated times;
  
  instructions for determining, based on the enforcement provision monitoring module'"'"'s failure to transmit the other reports and based on pings sent to the enforcement provision monitoring module, that the enforcement provision monitoring module is not operational;
  
  instructions for, after the determining that the enforcement provision monitoring module is not operational and failed to transmit the other reports, preventing the network component from performing certain communications over the network;
  
  instructions for transmitting notifications indicating one or more of the enforcement provision monitoring module is not operational and the network component has violated the security policyinstructions for determining a reason for a reset of the monitoring module; and
  
  instructions for evaluating whether the reason indicates that the monitoring module has been one of violated, modified, or circumvented.
- View Dependent Claims (18)
- - 18. The machine-readable device of claim 17, wherein the network component is a workstation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Channel IP BV
Original Assignee
Ipass Incorporated (Pareteum Corp.)
Inventors
Heintz, Robert Gordon, Christy, Jeffrey A.
Primary Examiner(s)
Pearson; David J

Application Number

US10/170,088
Publication Number

US 20030229808A1
Time in Patent Office

3,354 Days
Field of Search

726/22, 726/23
US Class Current

726/22
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/102   Entity profiles

H04L 63/14   for detecting or protecting...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

Monitoring computer network security enforcement

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

111 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Monitoring computer network security enforcement

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

111 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links