CA2588197A1 - Method to control access between network endpoints based on trust scores calculated from information system component analysis - Google Patents


Info

Publication number
CA2588197A1
Authority
CA
Canada
Prior art keywords
signatures
modules
database
trust score
resource
Prior art date
Legal status
Abandoned
Application number
CA002588197A
Other languages
French (fr)
Inventor
David Maurits Bleckmann
William Wyatt Starnes
Bradley Douglas Andersen
Current Assignee
SignaCert Inc
Original Assignee
David Maurits Bleckmann
William Wyatt Starnes
Bradley Douglas Andersen
Harris Corporation
Signacert, Inc.
Priority date
2004-11-29
Filing date
2005-11-28
Publication date
2006-06-01
Application filed by David Maurits Bleckmann, William Wyatt Starnes, Bradley Douglas Andersen, Harris Corporation, Signacert, Inc.
Publication of CA2588197A1
Legal status: Abandoned


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00 Digital computers in general; Data processing equipment in general
    • G06F15/16 Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Abstract

Signatures are generated for modules in a computer system. The signatures can be assembled into an integrity log. The signatures are compared with signatures in a database in an integrity validator. Once signatures are either validated or invalidated, a trust score can be generated. The trust score can then be used to determine whether the computer system should be granted access to a resource using a policy.

Claims (23)

1. An apparatus, comprising:
a database arranged to store a first plurality of signatures for a first plurality of modules;
a receiver to receive a second plurality of signatures corresponding to a second plurality of modules in a machine;
a validator operative to compare at least a received one of the second plurality of signatures with one or more of the plurality of signatures in the database, to identify a first subset of the second plurality of modules for which the corresponding signatures are found in the database, and to identify a second subset of the second plurality of modules for which the corresponding signatures are not found in the database; and
a trust score generator to generate a trust score for the machine based on the first subset of the second plurality of modules for which the corresponding signatures are found in the database and the second subset of the second plurality of modules for which the corresponding signatures are not found in the database.
2. An apparatus according to claim 1, wherein the first plurality of signatures for the first plurality of modules includes a first plurality of hashes for the plurality of modules.
3. An apparatus according to claim 1, wherein:
the apparatus further comprises a transmitter to transmit the signatures corresponding to the second subset of the second plurality of modules for which the corresponding signatures are not found in the database to a second database of signatures;
the receiver is operative to receive from the second database a second trust score; and
the trust score generator is operative to generate the trust score based on the first subset of the plurality of modules for which the corresponding signatures are found in the database and the second trust score.
4. An apparatus according to claim 1, wherein:
the database is arranged to store a first plurality of identifiers for the first plurality of modules;
the receiver is operative to receive a second plurality of identifiers for the second plurality of modules in the machine; and
the validator is operative to compare the second plurality of signatures with the plurality of signatures in the database using the second plurality of identifiers for the plurality of modules in the machine.
5. An apparatus according to claim 1, further comprising a policy to control access to a resource, the policy including a threshold score to receive full access to the resource.
6. An apparatus according to claim 5, the policy further comprising a second threshold score to receive partial access to the resource.
7. An apparatus according to claim 1, wherein the receiver is operative to receive a signature of a module to add to the database.
8. A system, comprising:
a network;
a resource connected to the network;
a computer connected to the network, including an integrity log generator to generate an integrity log including a first plurality of signatures for a first plurality of modules; and
an apparatus connected to the network, including:
a database arranged to store a second plurality of signatures for a second plurality of modules;
a receiver to receive from the computer the integrity log;
a trust score generator to generate a trust score based on a comparison of the integrity log with the first plurality of signatures; and
a policy to control access to the resource, the policy including a threshold score to receive full access to the resource;
wherein access to the resource by the computer is controlled by the policy.
9. A system according to claim 8, wherein:
the system includes a second apparatus, the second apparatus including a second database arranged to store a third plurality of signatures for a third plurality of modules; and
the apparatus includes a transmitter to transmit the signatures corresponding to a subset of the first plurality of modules for which the corresponding signatures are not found in the database to the second apparatus.
10. A system according to claim 9, further comprising a second network, the apparatus and the second apparatus connected to the second network.
11. A method, comprising:
receiving a first plurality of signatures corresponding to a plurality of modules in the machine;
comparing the first plurality of signatures for the plurality of modules with a second plurality of signatures in a database;
identifying a first subset of the plurality of modules for which the corresponding signatures are found in the database and a second subset of the plurality of modules for which the corresponding signatures are not found in the database; and
generating a trust score for the machine based on the first subset of the plurality of modules for which the corresponding signatures are found in the database and a second subset of the plurality of modules for which the corresponding signatures are not found in the database.
12. A method according to claim 11, further comprising controlling access to a resource on a network based on the trust score.
13. A method according to claim 12, wherein controlling access to a resource on a network based on the trust score includes:
accessing a policy for access to the resource on the network; and
using the policy to control access to the resource based on the trust score.
14. A method according to claim 13, wherein using the policy to control access to the resource based on the trust score includes granting full access to the resource if the trust score exceeds a threshold score according to the policy.
15. A method according to claim 13, wherein using the policy to control access to the resource based on the trust score includes granting partial access to the resource if the trust score is higher than a first threshold score but lower than a second threshold score according to the policy.
16. A method according to claim 13, wherein using the policy to control access to the resource based on the trust score includes denying access to the resource if the trust score is lower than a threshold score according to the policy.
17. A method according to claim 11, wherein generating a trust score includes weighting at least a first module more highly than at least a second module in generating the trust score.
18. A method according to claim 11, wherein receiving a first plurality of signatures includes receiving an integrity log including the first plurality of signatures corresponding to the plurality of modules.
19. A method according to claim 11, wherein:
the method further comprises:
forwarding the signatures corresponding to the second subset of the plurality of modules for which the corresponding signatures are not found in the database to a second database of signatures; and
receiving from the second database a third subset of the plurality of modules for which the corresponding signatures are found in the second database and a fourth subset of the plurality of modules for which the corresponding signatures are not found in the second database; and
generating a trust score includes generating the trust score based on the first subset of the plurality of modules for which the corresponding signatures are found in the database and the third subset of the plurality of modules for which the corresponding signatures are found in the third database.
20. A method according to claim 11, wherein:
receiving a first plurality of signatures corresponding to a plurality of modules includes receiving the first plurality of signatures and a plurality of identifiers for the plurality of modules; and
comparing the first plurality of signatures for the plurality of modules with a second plurality of signatures in a database includes comparing the first plurality of signatures for the plurality of modules with the second plurality of signatures in the database using the plurality of identifiers for the plurality of modules.
21. An apparatus according to claim 1, further comprising a transmitter to transmit said trust score to the machine.
22. A system according to claim 8, wherein the apparatus further includes a transmitter to transmit said trust score to the computer.
23. A method according to claim 11, further comprising transmitting the trust score to the machine.
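Claims 11 to 19 describe one procedure: receive an integrity log of module signatures, split it into modules found and not found in the database, forward the unknown ones to a second database, weight modules unequally, and apply a policy with two thresholds. The following Python is an added illustration of that procedure, not code from the patent or from SignaCert; the module names, the SHA-256 reference values, the weights and the threshold numbers are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass


def _sig(content: bytes) -> str:
    """Signature of a module: here a SHA-256 hex digest of its content (claim 2: hashes)."""
    return hashlib.sha256(content).hexdigest()


# Constructed known-good signatures (module identifier -> hash). A real validator would
# load these from vendor-published reference data rather than hashing literal strings.
PRIMARY_DB = {
    "kernel": _sig(b"kernel v1 (constructed)"),
    "libcrypto": _sig(b"libcrypto v1 (constructed)"),
    "sshd": _sig(b"sshd v1 (constructed)"),
}
# Second database consulted only for signatures the primary one lacks (claims 3 and 19).
SECONDARY_DB = {"vpn-agent": _sig(b"vpn-agent v1 (constructed)")}
# Per-module weights: a kernel mismatch costs more than an agent mismatch (claim 17).
WEIGHTS = {"kernel": 5, "libcrypto": 3, "sshd": 2, "vpn-agent": 1}


@dataclass
class Policy:
    full_threshold: float     # score that must be exceeded for full access (claim 14)
    partial_threshold: float  # score that must be exceeded for partial access (claim 15)


def validate(integrity_log: dict, db: dict):
    """Split the log into modules whose signature is found in db and those whose is not.
    A module that is absent from db, or present with a different hash, counts as not found."""
    found, not_found = {}, {}
    for module, signature in integrity_log.items():
        (found if db.get(module) == signature else not_found)[module] = signature
    return found, not_found


def trust_score(integrity_log: dict, primary_db: dict, secondary_db: dict, weights: dict):
    """Return (score 0..100, modules still unknown after both databases were consulted).
    The score is the weighted share of validated modules; unlisted modules weigh 1."""
    found, not_found = validate(integrity_log, primary_db)
    also_found, still_unknown = validate(not_found, secondary_db)   # forward unknowns
    validated = set(found) | set(also_found)
    total = sum(weights.get(m, 1) for m in integrity_log)
    score = 100.0 * sum(weights.get(m, 1) for m in validated) / total
    return score, sorted(still_unknown)


def decide(score: float, policy: Policy) -> str:
    """Map a score to full / partial / deny. Equality is treated as not exceeding a threshold."""
    if score > policy.full_threshold:
        return "full"
    if score > policy.partial_threshold:
        return "partial"
    return "deny"
```

With the policy `Policy(90, 75)`, a log whose four modules all match scores 100 and gets full access; a tampered sshd drops the score to 9/11 of the weight (about 81.8, partial), and a tampered kernel to 6/11 (about 54.5, deny).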

Applications Claiming Priority (7)

Application Number Priority Date Filing Date Title
US63144904P 2004-11-29 2004-11-29
US63145004P 2004-11-29 2004-11-29
US60/631,450 2004-11-29
US60/631,449 2004-11-29
US63706604P 2004-12-17 2004-12-17
US60/637,066 2004-12-17
PCT/US2005/043035 WO2006058313A2 (en) 2004-11-29 2005-11-28 Method to control access between network endpoints based on trust scores calculated from information system component analysis

Publications (1)

Publication Number Publication Date
CA2588197A1 true CA2588197A1 (en) 2006-06-01

Family

ID=36498616

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002588197A Abandoned CA2588197A1 (en) 2004-11-29 2005-11-28 Method to control access between network endpoints based on trust scores calculated from information system component analysis

Country Status (5)

Country Link
EP (1) EP1817862A4 (en)
JP (1) JP4934860B2 (en)
KR (1) KR20070098835A (en)
CA (1) CA2588197A1 (en)
WO (1) WO2006058313A2 (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8327131B1 (en) 2004-11-29 2012-12-04 Harris Corporation Method and system to issue trust score certificates for networked devices using a trust scoring service
US7733804B2 (en) 2004-11-29 2010-06-08 Signacert, Inc. Method and apparatus to establish routes based on the trust scores of routers within an IP routing domain
US8266676B2 (en) 2004-11-29 2012-09-11 Harris Corporation Method to verify the integrity of components on a trusted platform using integrity database services
US9450966B2 (en) 2004-11-29 2016-09-20 Kip Sign P1 Lp Method and apparatus for lifecycle integrity verification of virtual machines
US7487358B2 (en) 2004-11-29 2009-02-03 Signacert, Inc. Method to control access between network endpoints based on trust scores calculated from information system component analysis
US7272719B2 (en) * 2004-11-29 2007-09-18 Signacert, Inc. Method to control access between network endpoints based on trust scores calculated from information system component analysis
CN1703004B (en) 2005-02-28 2010-08-25 联想(北京)有限公司 Method for implementing network access authentication
CN100358303C (en) * 2005-02-28 2007-12-26 联想(北京)有限公司 A method for monitoring apparatus being managed
US20070169204A1 (en) * 2006-01-17 2007-07-19 International Business Machines Corporation System and method for dynamic security access
JP4822544B2 (en) * 2006-04-26 2011-11-24 株式会社リコー Image forming apparatus capable of managing a plurality of module configuration information
WO2023112140A1 (en) * 2021-12-14 2023-06-22 日本電気株式会社 Access control device, access control method, and program

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5919257A (en) * 1997-08-08 1999-07-06 Novell, Inc. Networked workstation intrusion detection system
US6327652B1 (en) * 1998-10-26 2001-12-04 Microsoft Corporation Loading and identifying a digital rights management operating system
US6330670B1 (en) * 1998-10-26 2001-12-11 Microsoft Corporation Digital rights management operating system
US7085925B2 (en) * 2001-04-03 2006-08-01 Sun Microsystems, Inc. Trust ratings in group credentials
US6944772B2 (en) * 2001-12-26 2005-09-13 D'mitri Dozortsev System and method of enforcing executable code identity verification over the network
AR043588A1 (en) * 2003-03-12 2005-08-03 Nationwide Mutual Insurance Co METHOD FOR IMPLEMENTING A RISK ADMINISTRATION PROGRAM
US20040107363A1 (en) * 2003-08-22 2004-06-03 Emergency 24, Inc. System and method for anticipating the trustworthiness of an internet site
US20050138417A1 (en) * 2003-12-19 2005-06-23 Mcnerney Shaun C. Trusted network access control system and method

Also Published As

Publication number Publication date
EP1817862A2 (en) 2007-08-15
EP1817862A4 (en) 2014-03-19
WO2006058313A3 (en) 2007-01-18
JP2008522292A (en) 2008-06-26
KR20070098835A (en) 2007-10-05
WO2006058313A2 (en) 2006-06-01
JP4934860B2 (en) 2012-05-23


Legal Events

Date Code Title Description
EEER Examination request
FZDE Discontinued

Effective date: 20141014