Systems for network risk assessment including processing of user access rights associated with a network of devices

US 9,100,430 B1
Filed: 12/29/2014
Issued: 08/04/2015
Est. Priority Date: 12/29/2014
Status: Active Grant

First Claim

Patent Images

1. A computerized method comprising:

by a computing device having one or more computer processors and a non-transitory computer readable storage device storing software instruction for execution by the one or more computer processors,accessing or actively testing for, and processing information describing network traffic between a plurality of network devices;

determining, based on the information describing network traffic, a network topology of the network, wherein the network topology comprises a plurality of nodes each connected by an edge to one or more of the plurality of nodes, and wherein each node is associated with one or more network devices and each edge represents a communication path between two nodes;

access and process user account access records indicating historical user access to network nodes;

associating identifications of user accounts with respective nodes which records indicate those users have accessed;

access and process user account access rights indicating user account access rights to specific network devices;

associating identifications of user accounts permitted to access network devices with respective nodes associated with the network devices;

integrating user access records with user access privileges in order to identify permissions issues;

generating user interface data comprising an interactive graph expressing the network topology;

overlaying other relevant data sources on the aforementioned graph (like physical access logs or privileges);

including one or more indications of user access rights/user access records to respective nodes of the network topology; and

deriving recommendations or alerts for the system administrator.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for network risk assessment. One of the methods includes accessing information describing network traffic between network devices. A network topology of the network is determined based on the information describing network traffic, where the network topology includes nodes connected by an edge to one or more other nodes, and each node is associated with a network device and each edge represents two nodes that can communicate with each other. User account access information indicating access rights and/or access records may be overlaid on the network topology and the system can provide various visualizations of the network topology to illustrate security risks associated with specific user accounts or nodes, identify compromise values/likelihoods/risks of particular user accounts and/or network accounts, and identify network segmentation issues, among others.

89 Citations

View as Search Results

20 Claims

1. A computerized method comprising:
- by a computing device having one or more computer processors and a non-transitory computer readable storage device storing software instruction for execution by the one or more computer processors,accessing or actively testing for, and processing information describing network traffic between a plurality of network devices;
  
  determining, based on the information describing network traffic, a network topology of the network, wherein the network topology comprises a plurality of nodes each connected by an edge to one or more of the plurality of nodes, and wherein each node is associated with one or more network devices and each edge represents a communication path between two nodes;
  
  access and process user account access records indicating historical user access to network nodes;
  
  associating identifications of user accounts with respective nodes which records indicate those users have accessed;
  
  access and process user account access rights indicating user account access rights to specific network devices;
  
  associating identifications of user accounts permitted to access network devices with respective nodes associated with the network devices;
  
  integrating user access records with user access privileges in order to identify permissions issues;
  
  generating user interface data comprising an interactive graph expressing the network topology;
  
  overlaying other relevant data sources on the aforementioned graph (like physical access logs or privileges);
  
  including one or more indications of user access rights/user access records to respective nodes of the network topology; and
  
  deriving recommendations or alerts for the system administrator.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the user account access rights include access rights identified in one or more access control lists associated with respective nodes or with network privilege control mechanisms.
  - 3. The method of claim 2, wherein the user account access rights further include actual access attempts to nodes in the network indicated in directory service or network node access records.
  - 4. The method of claim 1, wherein said deriving recommendations or alerts comprises determining minimum necessary user or node access privileges and/or maximum possible network segmentation.

5. A computerized method comprising:
- by a computing device having one or more computer processors and a non-transitory computer readable storage device storing software instruction for execution by the one or more computer processors,obtaining information describing network traffic between a plurality of network devices;
  
  determining, based on the information describing network traffic, a network topology of the network, wherein the network topology comprises a plurality of nodes each connected by an edge to one or more of the plurality of nodes, and wherein each node is associated with one or more network devices and each edge represents a communication path;
  
  access user account access information indicating user account access rights to specific network devices, wherein the user account access information comprises one or more access control lists;
  
  associating, from the user account access information, identifications of user accounts permitted to access network devices with respective nodes associated with the network devices; and
  
  generating user interface data comprising a graph identifying the network topology.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 6. The method of claim 5, wherein the user account access information further indicates actual access attempts to network devices in one or more periods of time.
  - 7. The method of claim 6, further comprising;
    - identifying, for a particular user account, nodes the particular user account has access to, but has not actually accessed in a particular period of time; and
      
      including identifications of the nodes in the graph.
  - 8. The method of claim 6, further comprising:
    - receiving an identifier of a user account;
      
      determining, from the user account access information, one or more network devices that the user account has accessed in a particular period of time; and
      
      for each of the determined network devices, including information with the respective associated node included in the graph identifying that the user account has accessed the node.
  - 9. The method of claim 5, further comprising:
    - determining compromise values associated with one or more nodes, wherein each compromise value identifies a cost associated with the node being compromised;
      
      determining compromise likelihoods associated with the one or more nodes, wherein each compromise likelihood identifies a probability of the node being compromised; and
      
      determining, for each of the one or more nodes, a compromise risk value associated with the node from the respective compromise value and respective compromise likelihood.
  - 10. The method of claim 9, further comprising:
    - receiving information identifying one or more critical nodes, wherein the critical nodes are associated with high compromise values or high compromise risk values;
      
      identifying a number of nodes not identified as critical nodes that are connected by an edge to a critical node; and
      
      including information identifying the number in the user interface data.
  - 11. The method of claim 9, further comprising:
    - obtaining information identifying a high compromise value, or high compromise risk value;
      
      identifying nodes associated with at least the high compromise value, or at least the high compromise risk value; and
      
      determining a maximum network segmentation of the network topology, wherein the maximum network segmentation identifies network components to include between nodes to reduce edges between nodes associated with high compromise values, or high compromise risk values, and remaining nodes.
  - 12. The method of claim 11, wherein the network components include firewalls and/or proxy servers.
  - 13. The method of claim 5, further comprising:
    - receiving an identifier of a user account;
      
      determining, from the user account access information, one or more network devices that the user account is permitted to access; and
      
      for each of the determined network devices, including information with the respective associated node included in the graph identifying that the user account is permitted to access the node.
  - 14. The method of claim 13, wherein including information with the respective node comprises:
    - including the information as an overlay on the graph.
  - 15. The method of claim 13, further comprising:
    - obtaining information identifying compromise values associated with one or more nodes included in the graph, wherein each compromise value identifies a cost associated with the node being compromised;
      
      computing a total compromise value associated with nodes the user account is permitted to access; and
      
      including the total compromise value in the user interface data.
  - 16. The method of claim 5, wherein the information describing network traffic comprises information included in router logs, firewall logs, network flow logs, and/or proxy logs.
  - 17. The method of claim 5, wherein obtaining information describing network traffic between a plurality of network devices comprises:
    - providing requests to network devices; and
      
      receiving information included in responses to the requests identifying communication paths between network devices.

18. A computer program product, encoded on one or more non-transitory computer storage media, comprising instructions that when executed by one or more computers cause the one or more computers to perform operations comprising:
- obtaining information describing network traffic between a plurality of network devices;
  
  determining, based on the information describing network traffic, a network topology of the network, wherein the network topology comprises a plurality of nodes each connected by an edge to one or more of the plurality of nodes, and wherein each node is associated with one or more network devices and each edge represents a communication path;
  
  accessing user account access information indicating user account access rights to specific network devices, wherein the user account access information at least indicates actual access attempts to network devices in one or more periods of time;
  
  associating, from the user account access information, identifications of user accounts permitted to access network devices with respective nodes associated with the network devices; and
  
  generating user interface data comprising a graph identifying the network topology.
- View Dependent Claims (19, 20)
- - 19. The computer program product of claim 18, wherein the operations further comprise:
    - receiving an identifier of a user account;
      
      determining, from the user account access information, one or more network devices that the user account has accessed in a particular period of time; and
      
      for each of the determined network devices, including information with the respective associated node included in the graph identifying that the user account has accessed the node.
  - 20. The computer program product of claim 19, wherein the operations further comprise:
    - obtaining information identifying compromise values associated with one or more nodes included in the graph, wherein each compromise value identifies a cost associated with the node being compromised;
      
      computing a total compromise value associated with nodes the user account has accessed in the particular period of time; and
      
      including the total compromise value in the user interface data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Seiver, Miles, Rosenblum, Charles
Primary Examiner(s)
McNally, Michael S.

Application Number

US14/585,043
Time in Patent Office

218 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/101   Access control lists [ACL]

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04W 12/67   Risk-dependent, e.g. select...

Systems for network risk assessment including processing of user access rights associated with a network of devices

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

89 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems for network risk assessment including processing of user access rights associated with a network of devices

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links