US2019020689A1PendingUtilityA1

Network privilege manager for a dynamically programmable computer network

53
Assignee: STANFORD RES INST INTPriority: May 22, 2012Filed: Sep 7, 2018Published: Jan 17, 2019
Est. expiryMay 22, 2032(~5.9 yrs left)· nominal 20-yr term from priority
H04L 63/20H04L 63/126
53
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A network security policy may be implemented at network switches as a set of active packet disposition directives. In a dynamically programmable network, the network switches can be dynamically reprogrammed with new packet disposition directives. An event auditor passively monitors network traffic and provides network activity data indicative of network flows to a network privilege manager. The network privilege manager determines a current network context based on the network activity data. In response to the current network context, the network privilege manager selects a security policy and generates one or more flow policy directives in accordance with the selected policy.

Claims

exact text as granted — not AI-modified
1 . A method comprising:
 obtaining data that (i) corresponds to real-time activity on a network and (ii) comprises at least one of data that corresponds to a state of a network flow, data that identifies an acceptable network flow, data that identifies an unacceptable network flow, or data that is associated with an endpoint of a network flow;   determining a current network context using at least some of the data;   matching a first portion of the current network context to a criterion of a security policy;   adjusting a value of an attribute of the security policy based on the data, wherein the value of the attribute identifies a number of network flows or a duration of a network flow; and   in response to a second portion of the current network context matching the adjusted value of the attribute, causing execution of the security policy to control traffic over the network,   wherein the method is performed by one or more computing devices.   
     
     
         2 . The method of  claim 1 , wherein the data identifies a host or port associated with a vulnerability, and causing execution of the security policy includes redirecting at least some of the network traffic away from the host or port associated with the vulnerability. 
     
     
         3 . The method of  claim 1 , wherein the security policy is selected from a set of candidate security policies when the criterion matches the current network context more than a particular number of times within a particular time period. 
     
     
         4 . The method of  claim 1 , further comprising:
 selecting the security policy from one or more contextual security policies when the criterion matches an event count within an update interval.   
     
     
         5 . The method of  claim 1 , wherein the current network context is determined at least partly based on role data that is associated with an endpoint of a network flow within the network. 
     
     
         6 . The method of  claim 1 , wherein the current network context is determined at least partly based on reputation data that is associated with an endpoint of a network flow within the network. 
     
     
         7 . The method of  claim 1 , further comprising:
 updating the current network context after causing execution of the security policy.   
     
     
         8 . A computing device, comprising:
 one or more processors; and   a non-transitory computer-readable medium including instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising:   obtaining data that (i) corresponds to real-time activity on a network and (ii) comprises at least one of data that corresponds to a state of a network flow, data that identifies an acceptable network flow, data that identifies an unacceptable network flow, or data that is associated with an endpoint of a network flow;   determining a current network context using at least some of the data;   matching a first portion of the current network context to a criterion of a security policy;   adjusting a value of an attribute of the security policy based on the data, wherein the value of the attribute identifies a number of network flows or a duration of a network flow; and   in response to a second portion of the current network context matching the adjusted value of the attribute, causing execution of the security policy to control traffic over the network.   
     
     
         9 . The computing device of  claim 8 , wherein the data identifies a host or port associated with a vulnerability, and causing execution of the security policy includes redirecting at least some of the network traffic away from the host or port associated with the vulnerability. 
     
     
         10 . The computing device of  claim 8 , wherein the security policy is selected from a set of candidate security policies when the criterion matches the current network context more than a particular number of times within a particular time period. 
     
     
         11 . The computing device of  claim 8 , wherein the instructions, when
 executed by the one or more processors, cause the one or more processors to perform operations comprising:   selecting the security policy from one or more contextual security policies when the criterion matches an event count within an update interval.   
     
     
         12 . The computing device of  claim 8 , wherein the current network context is determined at least partly based on role data that is associated with an endpoint of a network flow within the network. 
     
     
         13 . The computing device of  claim 8 , wherein the current network context is determined at least partly based on reputation data that is associated with an endpoint of a network flow within the network. 
     
     
         14 . The computing device of  claim 8 , wherein the instructions, when
 executed by the one or more processors, cause the one or more processors to perform operations comprising:   updating the current network context after causing execution of the security policy.   
     
     
         15 . A computer-program product embodied in a non-transitory machine-readable storage medium of a computing device, including instructions configured to cause one or more data processors to perform operations comprising:
 obtaining data that (i) corresponds to real-time activity on a network and (ii) comprises at least one of data that corresponds to a state of a network flow, data that identifies an acceptable network flow, data that identifies an unacceptable network flow, or data that is associated with an endpoint of a network flow;   determining a current network context using at least some of the data;   matching a first portion of the current network context to a criterion of a security policy;   adjusting a value of an attribute of the security policy based on the data, wherein the value of the attribute identifies a number of network flows or a duration of a network flow; and   in response to a second portion of the current network context matching the adjusted value of the attribute, causing execution of the security policy to control traffic over the network.   
     
     
         16 . The computer-program product of  claim 15 , wherein the data identifies a host or port associated with a vulnerability, and causing execution of the security policy includes redirecting at least some of the network traffic away from the host or port associated with the vulnerability. 
     
     
         17 . The computer-program product of  claim 15 , wherein the security policy is selected from a set of candidate security policies when the criterion matches the current network context more than a particular number of times within a particular time period. 
     
     
         18 . The computer-program product of  claim 15 , wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform operations comprising:
 selecting the security policy from one or more contextual security policies when the criterion matches an event count within an update interval.   
     
     
         19 . The computer-program product of  claim 15 , wherein the current network context is determined at least partly based on a combination of role data and reputation data that is associated with an endpoint of a network flow within the network. 
     
     
         20 . The computer-program product of  claim 15 , wherein the instructions, when
 executed by the one or more processors, cause the one or more processors to perform operations comprising:   updating the current network context after causing execution of the security policy.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.