[특허]Method and apparatus for network wide policy-based analysis of configurations of devices

Method and apparatus for network wide policy-based analysis of configurations of devices 원문보기

IPC분류정보
국가/구분	United States(US) Patent 등록
국제특허분류(IPC7판)	G06F-015/16
출원번호	US-0270806 (2005-11-08)
등록번호	US-8135815 (2012-03-13)
발명자 / 주소	Mayer, Alain Jules
출원인 / 주소	Redseal Systems, Inc.
대리인 / 주소	Kilpatrick Townsend & Stockton LLP
인용정보	피인용 횟수 : 40 인용 특허 : 24

초록 ▼

A method for a computer system includes determining network devices within a network topology, wherein the network devices includes a first application server hosting a first application, receiving a policy for the network comprising requirements of a first application server including a description of a set of required network traffic, receiving a plurality of configuration files associated with the plurality of network devices, determining a network configuration model in response to the plurality of configuration files, computing network traffic on all network paths to and from the first application server to determine a plurality of computed paths, determining if the network traffic includes at least the set of required network traffic associated with the first server, and generating a report indicating whether the network traffic includes at least the set of required network traffic.

대표청구항 ▼

1. A computer implemented method performed by an analysis platform including a processor and a memory programmed to perform the method, the method comprising: determining by the analysis platform a plurality of network devices within a network arranged in a network topology, wherein the plurality of network devices includes a first application server hosting a first application; and a client computer hosting a client application;receiving by the analysis platform a policy for the network, wherein the policy comprises requirements; and wherein the requirements include a description of a first set of required network traffic associated with the first application server, the first application, the client computer and the client application;receiving by the analysis platform a plurality of configuration files associated with the plurality of network devices in the processor;building by the analysis platform an internal software configuration model of the network using the plurality of configuration files, the model comprising a plurality of network paths between at least one network gateway, the first application server and the client computer;analyzing the software network configuration model against the network policy, comprising:simulating, by the analysis platform, actions of the at least one network gateway relating to packets relating to the first set of required network traffic, comprising a request sent from the first client computer to the first application server; andsimulating, by the analysis platform, a configuration of the first application server by preparing a response to the request and simulating the actions of the at least one network gateway when the response is sent from the fist application server to the first client computerdetermining by the analysis platform when the simulated actions of the plurality of network gateways processed the set of required network traffic as required by the policy; andgenerating by the analysis platform a report indicating whether the simulated actions of the plurality of network gateways processed the set of required network traffic as required by the policy. 2. The method of claim 1wherein the first set of required network traffic comprises IP traffic. 3. The method of claim 2wherein the first set of required network traffic includes traffic between the first application server and the client computer. 4. The method of claim 3wherein the first application server is selected from a group consisting of: e-commerce server, domain name server, e-mail server, database server, financial data server, CRM server, ERP server, and data storage server; andwherein the client application is selected from a group consisting of: worm, virus, Trojan, spyware, and key logger. 5. The method of claim 2wherein the plurality of network devices also includes a second application server hosting a negative application;wherein the policy also comprises additional requirements associated with the second application server, wherein the additional requirements include a description of a second set of required network traffic and an additional targeted server associated with the second set of required network traffic;wherein the method further comprises simulating, by the analysis platform, actions of the at least one network gateway relating to packets relating to the first set of required network traffic, comprising a request sent from the first client computer to the second application server; andsimulating, by the analysis platform, a configuration of the second application server by preparing a response to the request and simulating the actions of the at least one network gateway when the response is sent from the second application server to the first client computerwherein generating the report further comprises generating by the computer system the report indicating whether the simulated actions of the second application server processed the set of required network traffic as required by the policy. 6. The method of claim 5wherein generating the report further comprises determining a first plurality of threat metrics associated with the first application server and a second plurality of threat metrics associated with the second application server by the analysis platform. 7. The method of claim 6wherein the report includes a prioritization of the first application server over the second application server;wherein the prioritization is based upon threat metrics from the first plurality of threat metrics and the second plurality of threat metrics; andwherein threat metrics are selected from a group consisting of: probability of threats, potential harm of threats, ease of remediation of threats, commonality of servers in both the first plurality of computed paths and the second plurality of computed paths. 8. The method of claim 2wherein first application server also hosts a business application;wherein the requirements include a description of a second set of required network traffic and a second server associated with the second set of required network traffic;wherein the report also indicates whether the second network traffic includes at least the second set of required network traffic. 9. The method of claim 8wherein the report indicates that the business application was successful when the second network traffic includes at least the second set of required network traffic. 10. The method of claim of claim 9wherein a specific type of network traffic belongs to both the first set of required network traffic and the second set of required network traffic; andwherein the report also indicates the specific type of network traffic. 11. The method of claim 10 wherein the report also indicates that inhibiting the specific type of network traffic would violate the policy. 12. The method of claim of claim 10 wherein the report also suggests an action selected from a group consisting of: upgrade to a different software version of the business application, install a software patch to the business application, upgrade to a different software version of an operating system of the first application server, install a software patch to the operating system. 13. An analysis platform comprising: a memory storing a network topology of a network including a plurality of network devices, wherein the plurality of network devices includes a first application on a first application host, a client application on a client computer and wherein the memory stores a policy associated with the network, wherein the policy comprises requirements, wherein the requirements include a description of a first required set of network traffic associated with the first application, the first application server, the client application and the client computer and wherein the memory stores a plurality of configuration data for at least some of the plurality of network devices; anda processor coupled to the memory, wherein the processor is configured to: build an internal software configuration model of the network using the plurality of configuration data, the model comprising a plurality of network paths between at least one network gateway, the first application server and the client computer;analyze the software network configuration model against the network policy, comprising: simulating actions of the at least one network gateway relating to packets relating to the first set of required network traffic, comprising a request sent from the first client computer to the first application server; and simulating a configuration of the first application server by preparing a response to the request and simulating the actions of the at least one network gateway when the response is sent from the fist application server to the first client computerdetermine when the simulated actions of the plurality of network gateways processed the set of required network traffic as required by the policy; andgenerate a report indicating whether the simulated actions of the plurality of network gateways processed the set of required network traffic as required by the policy. 14. The analysis platform of claim 13wherein the packets relating to the first set of required network traffic comprise IP packets. 15. The analysis platform of claim 14 wherein the report indicates that the first set of required network traffic was processed as required by the policy. 16. The analysis platform of claim 15 wherein the report includes the plurality of network paths. 17. The analysis platform of claim 14wherein the requirements associated with the first set of network traffic comprise data selected from a group consisting of: a specific application running on the first targeted application host, a specific version number for the application running on the first targeted application host, a specific patch level for the application running on the first targeted application host, a specific operating system running on the first targeted application host, and a specific operating system patch level running on the first targeted application host. 18. The analysis platform of claim 14wherein the first application host is selected from a group consisting of: e-commerce application host, domain name application host, e-mail application host, database application host, financial data application host, ERP application host, CRM application host, and data storage application host; andwherein the client application is selected from a group consisting of: worm, virus, Trojan, spyware, key logger. 19. The analysis platform of claim 14wherein the plurality of network devices also includes a second application server hosting a threat;wherein the policy also comprises additional requirements associated with the second application, wherein the additional requirements includes a second set of required network traffic. 20. The analysis platform of claim 19wherein the report includes a prioritization of the first set of required network traffic over the second set of required network traffic in response to a metric selected from a group consisting of: threat probability, potential threat damage, ease of threat remediation, commonality of application hosts in both the first plurality of predicted computed paths and the second plurality of predicted computed paths. 21. A computer program product embodied in a non-transitory medium for a computer system including a memory comprising: code that directs a processor to determine a network topology in response to a network topology and in response to user input;code that directs the processor to determine a plurality of network devices within a network arranged in the network topology, wherein the plurality of network devices includes a first application on a first application server, and a client computer hosting a client application;code that directs the processor to receive a policy for the network, wherein the policy comprises requirements associated with the first application server, wherein the requirements include a description of a first set of required network traffic;code that directs the processor to receive a plurality of configuration data associated with the plurality of network devices;code that directs the processor to build an internal software configuration model of the network using the plurality of configuration data, the model comprising a plurality of network paths between at least one network gateway, the first application server and the client computer;code that directs the processor to analyze the software network configuration model against the network policy, comprising: simulating, by the analysis platform, actions of the at least one network gateway relating to packets relating to the first set of required network traffic, comprising a request sent from the first client computer to the first application server; and simulating, by the analysis platform, a configuration of the first application server by preparing a response to the request and simulating the actions of the at least one network gateway when the response is sent from the fist application server to the first client computer;code that directs the processor to determine when the simulated actions of the plurality of network gateways processed the set of required network traffic as required by the policy; andcode that directs the processor to generate a report indicating whether the simulated actions of the plurality of network gateways processed the set of required network traffic as required by the policy. 22. The computer program product of claim 21wherein the packets relating to the first set of required network traffic comprises IP packets. 23. The computer program product of claim 22wherein the network topology includes changes to the network topology selected from a group consisting of: a new network device, a new application server, and moving an application from one application server to another application server. 24. The computer program product of claim 22wherein the first application server is determined based upon criteria selected from a group consisting of: a specific application running on the first application server, a specific version number for the application running on the first application server, a specific patch level for the application running on the first application server, a specific operating system running on the first application server, and a specific patch level of a specific operating system running on the first application server. 25. The computer program product of claim 24 wherein the first application server is selected from a group consisting of: e-commerce server, domain name server, e-mail server, database server, financial data server, ERP server, CRM server, and data storage server. 26. The computer program product of claim 22 wherein the first client application is selected from a group consisting of: worm, virus, Trojan, spyware, key logger. 27. The computer program product of claim 22wherein the plurality of network devices also includes a second server hosting a second application;wherein the policy also comprises additional requirements associated with the second application server, wherein the additional requirements includes a description of a second set of required network traffic. 28. The computer program product of claim 27wherein code that directs the processor to generate the report further comprises code that directs the processor to prioritize the first set of required network traffic over the second set of required network traffic in response to a plurality of metrics. 29. The computer program product of claim 28wherein a metric from the plurality of metrics is selected from a group consisting of: probability of threats, potential harm of threats, ease of remediation of threats, commonality of servers in both a first plurality of traffic paths between the first server and the second server and a second plurality of traffic paths between the second server and the client computer.

이 특허에 인용된 특허 (24)

Takahashi,Eiichi; Yokoyama,Ken; Tamura,Naohiro, Apparatus and method of generating network simulation model, and storage medium storing program for realizing the method.
상세보기
Davis Michael L. ; McCollum Raymond W., Automatic software installation on heterogeneous networked computer systems.
상세보기
Kim R. Toll, Computer processable interconnect topology.
상세보기
Shostack Adam ; Allouch David,ILX, Computer security.
상세보기
Chase ; Jr. Robert P. (Newton MA) Spilke Howard (Shrewsbury MA), Device for managing software configurations in parallel in a network.
상세보기
David Zager ; Robert Kostes, Dynamic modeling of complex networks and prediction of impacts of faults therein.
상세보기
Galis Alexandru (London GBX) Richardson Malcolm (Herts GBX) Page Stuart (Herts GBX) Devani Shailen (Middlesex GBX), Expert and data base system and method for communications network.
상세보기
Scott L. Wiegel, Graphical network security policy management.
상세보기
Maloney,Michael P.; Suit,John M.; Scott,Christopher J.; Woodus,Francis M.; Rubel,Rich; Karolchik,Joseph; Dontas,Holly D., Information security analysis system.
상세보기
James E. Kracht, Mechanism for determining actual physical topology of network based on gathered configuration information representing true neighboring devices.
상세보기
Mayer,Alain; Wool,Avishai; Ziskind,Elisha, Method and apparatus for analyzing one or more firewalls.
상세보기
Fudge Bob, Method and apparatus for checking security vulnerability of networked devices.
상세보기
Antur Anand K. ; Sawhney Sanjay ; Puri Hemant ; Bisht Naveen S., Method and apparatus for configuring and managing firewalls and security devices.
상세보기
Lewis Lundy ; Malik Rajiv ; Sycamore Steve ; Thebaut Suzanne ; Scott Walter ; Rustici Eric ; Kaikini Prasan, Method and apparatus for defining and enforcing policies for configuration management in communications networks.
상세보기
Mayer,Alain Jules, Method and apparatus for network wide policy-based analysis of configurations of devices.
상세보기
Liron Moshe (Palo Alto CA), Method and apparatus for optimizing computer networks.
상세보기
Abraham Dalen M. ; Barnes Todd A. ; Grieve Mark G., Method and apparatus for resolving network users to network computers.
상세보기
Gleichauf Robert E. ; Randall William A. ; Teal Daniel M. ; Waddell Scott V. ; Ziese Kevin J., Method and system for adaptive network security using network vulnerability assessment.
상세보기
Rappaport, Theodore; Skidmore, Roger; Reifsneider, Eric, Method and system, with component kits, for designing or deploying a communications network which considers frequency dependent effects.
상세보기
Hanes Charles F. (San Jose CA) Mick Colin K. (Palo Alto CA), Method simulating data traffic on network in accordance with a client/sewer paradigm.
상세보기
Cohen, Alain; Cathey, George; Malloy, Patrick J., Mixed mode network simulator.
상세보기
Kingsford, Bryan; McQueen, Stan; Thrower, Woody, System for penetrating computer or computer network.
상세보기
Chen,Eva; Sun,Jimmy; Chou,Terrence; Deutsch,Steven; Havran,Mark, Tracking and reporting of computer virus information.
상세보기
Love Simon (Bristol GB3) Boswell Elizabeth M. C. (Chippenham GB3) Quy Roger J. (Bristol GB3), User interface simulation and management for program-controlled apparatus.
상세보기

이 특허를 인용한 특허 (40)

Osterhout, Ralph F.; Haddick, John D.; Lohse, Robert Michael; Cella, Charles; Nortrup, Robert J.; Nortrup, Edward H., AR glasses with event and sensor triggered AR eyepiece interface to external devices.
상세보기
Osterhout, Ralph F.; Haddick, John D.; Lohse, Robert Michael; Cella, Charles; Nortrup, Robert J.; Nortrup, Edward H., AR glasses with event and sensor triggered control of AR eyepiece applications.
상세보기
Osterhout, Ralph F.; Haddick, John D.; Lohse, Robert Michael; Cella, Charles; Nortrup, Robert J.; Nortrup, Edward H., AR glasses with event and user action control of external applications.
상세보기
Haddick, John D.; Osterhout, Ralph F.; Lohse, Robert Michael, Adjustable extension for temple arm.
상세보기
Dalal, Anupam; Lai, Min-Ken; Bhardwaj, Aastha, Automated network configuration of virtual machines in a virtual lab environment.
상세보기
Dalal, Anupam; Lai, Min-Ken; Bhardwaj, Aastha, Automated network configuration of virtual machines in a virtual lab environment.
상세보기
Burchfield, Nancy; Hang, Nathaniel; Hosn, Rafah A.; Murray, James; Ramasamy, Harigovind V., Automatic completeness checks of network device infrastructure configurations during enterprise information technology transformation.
상세보기
Hill, Duncan Christopher, Cloud computing gateway, cloud computing hypervisor, and methods for implementing same.
상세보기
Hill, Duncan Christopher, Cloud computing gateway, cloud computing hypervisor, and methods for implementing same.
상세보기
Hill, Duncan Christopher, Cloud computing gateway, cloud computing hypervisor, and methods for implementing same.
상세보기
Osterhout, Ralph F.; Haddick, John D.; Lohse, Robert Michael; Border, John N.; Miller, Gregory D.; Stovall, Ross W., Eyepiece with uniformly illuminated reflective display.
상세보기
Miller, Gregory D.; Border, John N.; Osterhout, Ralph F., Grating in a light transmissive illumination system for see-through near-eye display glasses.
상세보기
Border, John N.; Bietry, Joseph; Haddick, John D.; Lohse, Robert Michael, Light control in head mounted displays.
상세보기
Malloy, Patrick J.; Strohm, John Wilson; Ryan, Gehl; Dunn, Antoine, Mapping virtual internet protocol addresses.
상세보기
Osterhout, Ralph F.; Lohse, Robert Michael, Method and apparatus for biometric data capture.
상세보기
Sethi, Manish; Kannan, Kalapriya; Gupta, Manish, Method, system and computer program product for solution replication.
상세보기
Miller, Gregory D.; Border, John N.; Osterhout, Ralph F., Optical imperfections in a light transmissive illumination system for see-through near-eye display glasses.
상세보기
Dalal, Anupam, Private ethernet overlay networks over a shared ethernet in a virtual environment.
상세보기
Border, John N.; Haddick, John D.; Lohse, Robert Michael; Osterhout, Ralph F., See-through near-eye display glasses including a modular image source.
상세보기
Border, John N.; Osterhout, Ralph F., See-through near-eye display glasses including an auto-brightness control for the display brightness based on the brightness in the environment.
상세보기
Border, John N.; Osterhout, Ralph F., See-through near-eye display glasses with a fast response photochromic film system for quick transition from dark to clear.
상세보기
Border, John N.; Haddick, John D.; Osterhout, Ralph F., See-through near-eye display glasses with a light transmissive wedge shaped illumination system.
상세보기
Border, John N.; Haddick, John D.; Osterhout, Ralph F., See-through near-eye display glasses with a small scale image source.
상세보기
Border, John N.; Haddick, John D.; Lohse, Robert Michael; Osterhout, Ralph F., See-through near-eye display glasses with the optical assembly including absorptive polarizers or anti-reflective coatings to reduce stray light.
상세보기
Martinez, Frank R.; Pulier, Eric, System and method for a cloud computing abstraction layer with security zone facilities.
상세보기
Martinez, Frank; Pulier, Eric, System and method for a cloud computing abstraction with self-service portal for publishing resources.
상세보기
Gula, Ron; Ranum, Marcus; Deraison, Renaud, System and method for correlating log data to discover network vulnerabilities and assets.
상세보기
Nappier, Jason; Gula, Ron, System and method for correlating network identities and addresses.
상세보기
Nappier, Jason; Gula, Ron, System and method for correlating network identities and addresses.
상세보기
Haddick, John D.; Osterhout, Ralph F., System and method for delivering content to a group of see-through near eye display eyepieces.
상세보기
Deraison, Renaud, System and method for enabling remote registry service security audits.
상세보기
Gula, Ron; Ranum, Marcus, System and method for facilitating data leakage and/or propagation tracking.
상세보기
Gula, Ron; Deraison, Renaud, System and method for identifying exploitable weak points in a network.
상세보기
Gula, Ron; Deraison, Renaud, System and method for identifying exploitable weak points in a network.
상세보기
Gula, Ron; Deraison, Renaud; Hayton, Matthew T., System and method for passively identifying encrypted and interactive network sessions.
상세보기
Haddick, John D.; Osterhout, Ralph F.; Lohse, Robert Michael, System and method for social networking gaming with an augmented reality.
상세보기
Ranum, Marcus J.; Gula, Ron, System and method for strategic anti-malware monitoring.
상세보기
Ranum, Marcus J.; Gula, Ron, System and method for strategic anti-malware monitoring.
상세보기
Hanson, Jim, System and method for three-dimensional visualization of vulnerability and asset data.
상세보기
Gula, Ron; Ranum, Marcus, System and method for using file hashes to track data leakage and document propagation in a network.
상세보기

IPC	Description
A	생활필수품
A62	인명구조; 소방(사다리 E06C)
A62B	인명구조용의 기구, 장치 또는 방법(특히 의료용에 사용되는 밸브 A61M 39/00; 특히 물에서 쓰이는 인명구조 장치 또는 방법 B63C 9/00; 잠수장비 B63C 11/00; 특히 항공기에 쓰는 것, 예. 낙하산, 투출좌석 B64D; 특히 광산에서 쓰이는 구조장치 E21F 11/00)
A62B-1/08	.. 윈치 또는 풀리에 제동기구가 있는 것

내보내기 구분	파일저장 인쇄 메일전송
구성항목	기본정보 상세정보 관리번호, 국가코드, 자료구분, 상태, 출원번호, 출원일자, 공개번호, 공개일자, 등록번호, 등록일자, 발명명칭(한글), 발명명칭(영문), 출원인(한글), 출원인(영문), 출원인코드, 대표IPC 관리번호, 국가코드, 자료구분, 상태, 출원번호, 출원일자, 공개번호, 공개일자, 공고번호, 공고일자, 등록번호, 등록일자, 발명명칭(한글), 발명명칭(영문), 출원인(한글), 출원인(영문), 출원인코드, 대표출원인, 출원인국적, 출원인주소, 발명자, 발명자E, 발명자코드, 발명자주소, 발명자 우편번호, 발명자국적, 대표IPC, IPC코드, 요약, 미국특허분류, 대리인주소, 대리인코드, 대리인(한글), 대리인(영문), 국제공개일자, 국제공개번호, 국제출원일자, 국제출원번호, 우선권, 우선권주장일, 우선권국가, 우선권출원번호, 원출원일자, 원출원번호, 지정국, Citing Patents, Cited Patents
저장형식	Text(ASCII format) Excel format PIAS분석(.xls)
메일정보	받는사람 (필수) @ 보내는사람 (선택) @ 제목 내용 KISTI 검색결과 이메일 서비스
안내	총 건의 자료가 검색되었습니다. 다운받으실 자료의 인덱스를 입력하세요. (1-10,000) 검색결과의 순서대로 최대 10,000건 까지 다운로드가 가능합니다. 데이타가 많을 경우 속도가 느려질 수 있습니다.(최대 2~3분 소요) 다운로드 파일은 UTF-8 형태로 저장됩니다. 파일의 내용이 제대로 보이지 않을실 때는 웹브라우저 상단의 보기 -> 인코딩 -> 자동선택 여부를 확인하십시오. ~ Text(ASCII format) Excel format

연합인증

Method and apparatus for network wide policy-based analysis of configurations of devices 원문보기

초록 ▼

대표청구항 ▼

연구과제 타임라인

이 특허에 인용된 특허 (24)

이 특허를 인용한 특허 (40)

관련 콘텐츠

특허 원문 보기

IPC 상위 출원인

AI-Helper ※ AI-Helper는 오픈소스 모델을 사용합니다.

선택된 텍스트

연합인증

Method and apparatus for network wide policy-based analysis of configurations of devices 원문보기

초록 ▼

대표청구항 ▼

연구과제 타임라인

전체(0) 논문(0) 특허(0) 보고서(0)

전체(0) 논문(0) 특허(0) 보고서(0)

이 특허에 인용된 특허 (24)

이 특허를 인용한 특허 (40)

관련 콘텐츠

특허 원문 보기

IPC 상위 출원인

AI-Helper ※ AI-Helper는 오픈소스 모델을 사용합니다.

선택된 텍스트