CA2588197A1 - Method to control access between network endpoints based on trust scores calculated from information system component analysis - Google Patents

Info

Publication number
CA2588197A1
Authority
CA
Canada
Prior art keywords
signatures
modules
database
trust score
resource
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
CA002588197A
Other languages
French (fr)
Inventor
David Maurits Bleckmann
William Wyatt Starnes
Bradley Douglas Andersen
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Publication of CA2588197A1
Legal status: Abandoned

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00 Digital computers in general; Data processing equipment in general
    • G06F15/16 Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
    • G06F11/00 Error detection; Error correction; Monitoring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Signatures are generated for modules in a computer system. The signatures can be assembled into an integrity log. The signatures are compared with signatures in a database in an integrity validator. Once signatures are either validated or invalidated, a trust score can be generated. The trust score can then be used to determine whether the computer system should be granted access to a resource using a policy.

Claims (23)

1. An apparatus, comprising:
a database arranged to store a first plurality of signatures for a first plurality of modules;
a receiver to receive a second plurality of signatures corresponding to a second plurality of modules in a machine;
a validator operative to compare at least a received one of the second plurality of signatures with one or more of the first plurality of signatures in the database, to identify a first subset of the second plurality of modules for which the corresponding signatures are found in the database, and to identify a second subset of the second plurality of modules for which the corresponding signatures are not found in the database; and
a trust score generator to generate a trust score for the machine based on the first subset of the second plurality of modules for which the corresponding signatures are found in the database and the second subset of the second plurality of modules for which the corresponding signatures are not found in the database.
2. An apparatus according to claim 1, wherein the first plurality of signatures for the first plurality of modules includes a first plurality of hashes for the plurality of modules.
3. An apparatus according to claim 1, wherein:
the apparatus further comprises a transmitter to transmit the signatures corresponding to the second subset of the second plurality of modules for which the corresponding signatures are not found in the database to a second database of signatures;
the receiver is operative to receive from the second database a second trust score; and
the trust score generator is operative to generate the trust score based on the first subset of the plurality of modules for which the corresponding signatures are found in the database and the second trust score.
4. An apparatus according to claim 1, wherein:
the database is arranged to store a first plurality of identifiers for the first plurality of modules;
the receiver is operative to receive a second plurality of identifiers for the second plurality of modules in the machine; and
the validator is operative to compare the second plurality of signatures with the plurality of signatures in the database using the second plurality of identifiers for the plurality of modules in the machine.
5. An apparatus according to claim 1, further comprising a policy to control access to a resource, the policy including a threshold score to receive full access to the resource.
6. An apparatus according to claim 5, the policy further comprising a second threshold score to receive partial access to the resource.
7. An apparatus according to claim 1, wherein the receiver is operative to receive a signature of a module to add to the database.
8. A system, comprising:
a network;
a resource connected to the network;
a computer connected to the network, including an integrity log generator to generate an integrity log including a first plurality of signatures for a first plurality of modules; and
an apparatus connected to the network, including:
a database arranged to store a second plurality of signatures for a second plurality of modules;
a receiver to receive from the computer the integrity log;
a trust score generator to generate a trust score based on a comparison of the integrity log with the first plurality of signatures; and
a policy to control access to the resource, the policy including a threshold score to receive full access to the resource;
wherein access to the resource by the computer is controlled by the policy.
9. A system according to claim 8, wherein:
the system includes a second apparatus, the second apparatus including a second database arranged to store a third plurality of signatures for a third plurality of modules; and
the apparatus includes a transmitter to transmit the signatures corresponding to a subset of the first plurality of modules for which the corresponding signatures are not found in the database to the second apparatus.
10. A system according to claim 9, further comprising a second network, the apparatus and the second apparatus connected to the second network.
11. A method, comprising:
receiving a first plurality of signatures corresponding to a plurality of modules in the machine;
comparing the first plurality of signatures for the plurality of modules with a second plurality of signatures in a database;
identifying a first subset of the plurality of modules for which the corresponding signatures are found in the database and a second subset of the plurality of modules for which the corresponding signatures are not found in the database; and
generating a trust score for the machine based on the first subset of the plurality of modules for which the corresponding signatures are found in the database and a second subset of the plurality of modules for which the corresponding signatures are not found in the database.
12. A method according to claim 11, further comprising controlling access to a resource on a network based on the trust score.
13. A method according to claim 12, wherein controlling access to a resource on a network based on the trust score includes:
accessing a policy for access to the resource on the network; and
using the policy to control access to the resource based on the trust score.
14. A method according to claim 13, wherein using the policy to control access to the resource based on the trust score includes granting full access to the resource if the trust score exceeds a threshold score according to the policy.
15. A method according to claim 13, wherein using the policy to control access to the resource based on the trust score includes granting partial access to the resource if the trust score is higher than a first threshold score but lower than a second threshold score according to the policy.
16. A method according to claim 13, wherein using the policy to control access to the resource based on the trust score includes denying access to the resource if the trust score is lower than a threshold score according to the policy.
17. A method according to claim 11, wherein generating a trust score includes weighting at least a first module more highly than at least a second module in generating the trust score.
18. A method according to claim 11, wherein receiving a first plurality of signatures includes receiving an integrity log including the first plurality of signatures corresponding to the plurality of modules.
19. A method according to claim 11, wherein:
the method further comprises:
forwarding the signatures corresponding to the second subset of the plurality of modules for which the corresponding signatures are not found in the database to a second database of signatures; and
receiving from the second database a third subset of the plurality of modules for which the corresponding signatures are found in the second database and a fourth subset of the plurality of modules for which the corresponding signatures are not found in the second database; and
generating a trust score includes generating the trust score based on the first subset of the plurality of modules for which the corresponding signatures are found in the database and the third subset of the plurality of modules for which the corresponding signatures are found in the second database.
20. A method according to claim 11, wherein:
receiving a first plurality of signatures corresponding to a plurality of modules includes receiving the first plurality of signatures and a plurality of identifiers for the plurality of modules; and
comparing the first plurality of signatures for the plurality of modules with a second plurality of signatures in a database includes comparing the first plurality of signatures for the plurality of modules with the second plurality of signatures in the database using the plurality of identifiers for the plurality of modules.
21. An apparatus according to claim 1, further comprising a transmitter to transmit said trust score to the machine.
22. A system according to claim 8, wherein the apparatus further includes a transmitter to transmit said trust score to the computer.
23. A method according to claim 11, further comprising transmitting the trust score to the machine.

Applications Claiming Priority (7)

Application Number Priority Date Filing Date Title
US63145004P 2004-11-29 2004-11-29
US63144904P 2004-11-29 2004-11-29
US60/631,450 2004-11-29
US60/631,449 2004-11-29
US63706604P 2004-12-17 2004-12-17
US60/637,066 2004-12-17
PCT/US2005/043035 WO2006058313A2 (en) 2004-11-29 2005-11-28 Method to control access between network endpoints based on trust scores calculated from information system component analysis

Publications (1)

Publication Number Publication Date
CA2588197A1 (en) 2006-06-01

Family

ID=36498616

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002588197A Abandoned CA2588197A1 (en) 2004-11-29 2005-11-28 Method to control access between network endpoints based on trust scores calculated from information system component analysis

Country Status (5)

Country Link
EP (1) EP1817862A4 (en)
JP (1) JP4934860B2 (en)
KR (1) KR20070098835A (en)
CA (1) CA2588197A1 (en)
WO (1) WO2006058313A2 (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9450966B2 (en) 2004-11-29 2016-09-20 Kip Sign P1 Lp Method and apparatus for lifecycle integrity verification of virtual machines
US7272719B2 (en) * 2004-11-29 2007-09-18 Signacert, Inc. Method to control access between network endpoints based on trust scores calculated from information system component analysis
US8266676B2 (en) 2004-11-29 2012-09-11 Harris Corporation Method to verify the integrity of components on a trusted platform using integrity database services
US7487358B2 (en) 2004-11-29 2009-02-03 Signacert, Inc. Method to control access between network endpoints based on trust scores calculated from information system component analysis
US8327131B1 (en) 2004-11-29 2012-12-04 Harris Corporation Method and system to issue trust score certificates for networked devices using a trust scoring service
US7733804B2 (en) 2004-11-29 2010-06-08 Signacert, Inc. Method and apparatus to establish routes based on the trust scores of routers within an IP routing domain
CN100358303C (en) 2005-02-28 2007-12-26 联想(北京)有限公司 A method for monitoring apparatus being managed
CN1703004B (en) 2005-02-28 2010-08-25 联想(北京)有限公司 Method for implementing network access authentication
US20070169204A1 (en) * 2006-01-17 2007-07-19 International Business Machines Corporation System and method for dynamic security access
JP4822544B2 (en) * 2006-04-26 2011-11-24 株式会社リコー Image forming apparatus capable of managing a plurality of module configuration information
US20250045440A1 (en) * 2021-12-14 2025-02-06 Nec Corporation Access control apparatus, access control method, and program

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5919257A (en) * 1997-08-08 1999-07-06 Novell, Inc. Networked workstation intrusion detection system
US6330670B1 (en) 1998-10-26 2001-12-11 Microsoft Corporation Digital rights management operating system
US6327652B1 (en) * 1998-10-26 2001-12-04 Microsoft Corporation Loading and identifying a digital rights management operating system
US7085925B2 (en) * 2001-04-03 2006-08-01 Sun Microsystems, Inc. Trust ratings in group credentials
US6944772B2 (en) * 2001-12-26 2005-09-13 D'mitri Dozortsev System and method of enforcing executable code identity verification over the network
WO2004081756A2 (en) * 2003-03-12 2004-09-23 Nationwide Mutual Insurance Co Trust governance framework
US20040107363A1 (en) * 2003-08-22 2004-06-03 Emergency 24, Inc. System and method for anticipating the trustworthiness of an internet site
US20050138417A1 (en) * 2003-12-19 2005-06-23 Mcnerney Shaun C. Trusted network access control system and method

Also Published As

Publication number Publication date
EP1817862A2 (en) 2007-08-15
EP1817862A4 (en) 2014-03-19
JP2008522292A (en) 2008-06-26
WO2006058313A2 (en) 2006-06-01
WO2006058313A3 (en) 2007-01-18
JP4934860B2 (en) 2012-05-23
KR20070098835A (en) 2007-10-05

Similar Documents

Publication Publication Date Title
CN109325351B (en) Security hole automatic verification system based on public testing platform
CN103842985A (en) Security-enhanced cloud system and security management method thereby
KR20140033145A (en) System and method for non-signature based detection of malicious processes
CA2588197A1 (en) Method to control access between network endpoints based on trust scores calculated from information system component analysis
CN111212049B (en) A Threat Intelligence IOC Reputation Analysis Method
CN103428196A (en) URL white list-based WEB application intrusion detecting method and apparatus
WO2007115209A3 (en) Identity and access management framework
AU2213800A (en) System penetrating a computer or computer network
KR101964148B1 (en) Wire and wireless access point for analyzing abnormal action based on machine learning and method thereof
CN102647421A (en) Web backdoor detection method and device based on behavioral characteristics
CN102799834A (en) System-asset-based software security requirement analysis method
Saleh et al. A method for web application vulnerabilities detection by using Boyer-Moore string matching algorithm
CN113949577A (en) Data attack analysis method applied to cloud service and server
US10193904B2 (en) Data-driven semi-global alignment technique for masquerade detection in stand-alone and cloud computing systems
CN111092910A (en) Database security access method, device, equipment, system and readable storage medium
US20230412636A1 (en) Risk measurement method for user account and related apparatus
CN108737094A (en) A kind of method and relevant device of the detection of domain cipher safety
JP2008522292A5 (en)
JP2008539482A5 (en)
CN102014131B (en) Device safety check method combining off-line check and central summary
CN113239333A (en) Browser user identity authentication method and system based on cross-domain resource access
CN118018274A (en) Internet access method and system
CN116846610A (en) Network security threat detection method, device, equipment and medium
US9172719B2 (en) Intermediate trust state
Lu et al. The evaluation model for network security

Legal Events

Date Code Title Description
EEER Examination request
FZDE Discontinued

Effective date: 20141014