CA2588197A1 - Method to control access between network endpoints based on trust scores calculated from information system component analysis - Google Patents
- Publication number: CA2588197A1
- Authority: CA (Canada)
- Prior art keywords: signatures, modules, database, trust score, resource
- Prior art date
- Legal status: Abandoned (status as listed by Google Patents; not a legal conclusion)
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F15/00—Digital computers in general; Data processing equipment in general
        - G06F15/16—Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F11/00—Error detection; Error correction; Monitoring
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Abstract
Signatures are generated for modules in a computer system. The signatures can be assembled into an integrity log. The signatures are compared with signatures in a database in an integrity validator. Once signatures are either validated or invalidated, a trust score can be generated. The trust score can then be used to determine whether the computer system should be granted access to a resource using a policy.
Claims (23)
1. An apparatus, comprising:
a database arranged to store a first plurality of signatures for a first plurality of modules;
a receiver to receive a second plurality of signatures corresponding to a second plurality of modules in a machine;
a validator operative to compare at least a received one of the second plurality of signatures with one or more of the first plurality of signatures in the database, to identify a first subset of the second plurality of modules for which the corresponding signatures are found in the database, and to identify a second subset of the second plurality of modules for which the corresponding signatures are not found in the database; and
a trust score generator to generate a trust score for the machine based on the first subset of the second plurality of modules for which the corresponding signatures are found in the database and the second subset of the second plurality of modules for which the corresponding signatures are not found in the database.
2. An apparatus according to claim 1, wherein the first plurality of signatures for the first plurality of modules includes a first plurality of hashes for the plurality of modules.
3. An apparatus according to claim 1, wherein:
the apparatus further comprises a transmitter to transmit the signatures corresponding to the second subset of the second plurality of modules for which the corresponding signatures are not found in the database to a second database of signatures;
the receiver is operative to receive from the second database a second trust score; and
the trust score generator is operative to generate the trust score based on the first subset of the plurality of modules for which the corresponding signatures are found in the database and the second trust score.
4. An apparatus according to claim 1, wherein:
the database is arranged to store a first plurality of identifiers for the first plurality of modules;
the receiver is operative to receive a second plurality of identifiers for the second plurality of modules in the machine; and
the validator is operative to compare the second plurality of signatures with the plurality of signatures in the database using the second plurality of identifiers for the plurality of modules in the machine.
5. An apparatus according to claim 1, further comprising a policy to control access to a resource, the policy including a threshold score to receive full access to the resource.
6. An apparatus according to claim 5, the policy further comprising a second threshold score to receive partial access to the resource.
7. An apparatus according to claim 1, wherein the receiver is operative to receive a signature of a module to add to the database.
8. A system, comprising:
a network;
a resource connected to the network;
a computer connected to the network, including an integrity log generator to generate an integrity log including a first plurality of signatures for a first plurality of modules; and
an apparatus connected to the network, including:
a database arranged to store a second plurality of signatures for a second plurality of modules;
a receiver to receive from the computer the integrity log;
a trust score generator to generate a trust score based on a comparison of the integrity log with the first plurality of signatures; and
a policy to control access to the resource, the policy including a threshold score to receive full access to the resource;
wherein access to the resource by the computer is controlled by the policy.
9. A system according to claim 8, wherein:
the system includes a second apparatus, the second apparatus including a second database arranged to store a third plurality of signatures for a third plurality of modules; and
the apparatus includes a transmitter to transmit the signatures corresponding to a subset of the first plurality of modules for which the corresponding signatures are not found in the database to the second apparatus.
10. A system according to claim 9, further comprising a second network, the apparatus and the second apparatus connected to the second network.
11. A method, comprising:
receiving a first plurality of signatures corresponding to a plurality of modules in the machine;
comparing the first plurality of signatures for the plurality of modules with a second plurality of signatures in a database;
identifying a first subset of the plurality of modules for which the corresponding signatures are found in the database and a second subset of the plurality of modules for which the corresponding signatures are not found in the database; and
generating a trust score for the machine based on the first subset of the plurality of modules for which the corresponding signatures are found in the database and a second subset of the plurality of modules for which the corresponding signatures are not found in the database.
12. A method according to claim 11, further comprising controlling access to a resource on a network based on the trust score.
13. A method according to claim 12, wherein controlling access to a resource on a network based on the trust score includes:
accessing a policy for access to the resource on the network; and
using the policy to control access to the resource based on the trust score.
14. A method according to claim 13, wherein using the policy to control access to the resource based on the trust score includes granting full access to the resource if the trust score exceeds a threshold score according to the policy.
15. A method according to claim 13, wherein using the policy to control access to the resource based on the trust score includes granting partial access to the resource if the trust score is higher than a first threshold score but lower than a second threshold score according to the policy.
16. A method according to claim 13, wherein using the policy to control access to the resource based on the trust score includes denying access to the resource if the trust score is lower than a threshold score according to the policy.
17. A method according to claim 11, wherein generating a trust score includes weighting at least a first module more highly than at least a second module in generating the trust score.
18. A method according to claim 11, wherein receiving a first plurality of signatures includes receiving an integrity log including the first plurality of signatures corresponding to the plurality of modules.
19. A method according to claim 11, wherein:
the method further comprises:
forwarding the signatures corresponding to the second subset of the plurality of modules for which the corresponding signatures are not found in the database to a second database of signatures; and
receiving from the second database a third subset of the plurality of modules for which the corresponding signatures are found in the second database and a fourth subset of the plurality of modules for which the corresponding signatures are not found in the second database; and
generating a trust score includes generating the trust score based on the first subset of the plurality of modules for which the corresponding signatures are found in the database and the third subset of the plurality of modules for which the corresponding signatures are found in the third database.
20. A method according to claim 11, wherein:
receiving a first plurality of signatures corresponding to a plurality of modules includes receiving the first plurality of signatures and a plurality of identifiers for the plurality of modules; and
comparing the first plurality of signatures for the plurality of modules with a second plurality of signatures in a database includes comparing the first plurality of signatures for the plurality of modules with the second plurality of signatures in the database using the plurality of identifiers for the plurality of modules.
21. An apparatus according to claim 1, further comprising a transmitter to transmit said trust score to the machine.
22. A system according to claim 8, wherein the apparatus further includes a transmitter to transmit said trust score to the computer.
23. A method according to claim 11, further comprising transmitting the trust score to the machine.
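The validator and policy described in claims 1 to 6, 11 to 19 as an added worked example in Python; this is editor-written illustration code, not the patent's or Signacert's implementation, and the module contents, database entries, weights and thresholds are all constructed. It hashes each module (claim 2), splits the integrity log into found and not-found subsets against a primary database, forwards only the unknown signatures to a second database (claims 3 and 19), weights modules unequally (claim 17) and maps the resulting score to full, partial or denied access through two thresholds (claims 5, 6, 14 to 16).

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for the modules on an endpoint (identifier -> file contents).
MODULES = {
    "kernel.bin": b"known-good kernel build 1.0",
    "net_driver.ko": b"known-good network driver 2.3",
    "shell.bin": b"known-good shell 5.1",
    "helper.so": b"vendor helper library, not yet catalogued",
}

def sha256_hex(data: bytes) -> str:
    """Signature for a module: a SHA-256 hash of its contents (claim 2)."""
    return hashlib.sha256(data).hexdigest()

def build_integrity_log(modules: dict) -> dict:
    """Integrity log (claim 18): module identifier -> signature, sent to the validator."""
    return {name: sha256_hex(data) for name, data in modules.items()}

# Primary signature database: identifier -> acceptable signatures; the identifier
# selects which catalogued signatures to compare against (claim 4). Constructed.
PRIMARY_DB = {
    "kernel.bin": {sha256_hex(b"known-good kernel build 1.0")},
    "net_driver.ko": {sha256_hex(b"known-good network driver 2.3")},
}
# Second database, consulted only for signatures the primary one lacks (claims 3, 19).
SECONDARY_DB = {
    "shell.bin": {sha256_hex(b"known-good shell 5.1")},
}
# Claim 17: an unverified kernel costs far more trust than an unverified library.
WEIGHTS = {"kernel.bin": 5.0, "net_driver.ko": 3.0, "shell.bin": 2.0, "helper.so": 1.0}

def validate(log: dict, db: dict):
    """Split the log into the subset found in db and the subset not found (claims 1, 11).
    A tampered module and an uncatalogued one look identical here: both are 'not found'."""
    found, missing = {}, {}
    for ident, sig in log.items():
        (found if sig in db.get(ident, set()) else missing)[ident] = sig
    return found, missing

def trust_score(log: dict, primary_db: dict, secondary_db=None, weights=WEIGHTS):
    """Weighted percentage of the endpoint's modules with a validated signature.
    Returns (score rounded to 0.1, sorted identifiers that remain unverified)."""
    found, missing = validate(log, primary_db)
    if secondary_db is not None and missing:
        # Forward only the unknown signatures, never the already-validated ones.
        found_second, missing = validate(missing, secondary_db)
        found.update(found_second)
    total = sum(weights.get(i, 1.0) for i in log)
    trusted = sum(weights.get(i, 1.0) for i in found)
    score = round(100.0 * trusted / total, 1) if total else 0.0
    return score, sorted(missing)

@dataclass(frozen=True)
class Policy:
    """Two thresholds (claims 5, 6, 14-16): exceed the upper one for full access,
    the lower one for partial access, otherwise deny. A tie falls to the lower tier."""
    full_threshold: float
    partial_threshold: float

    def decide(self, score: float) -> str:
        if score > self.full_threshold:
            return "full"
        if score > self.partial_threshold:
            return "partial"
        return "deny"

if __name__ == "__main__":
    policy = Policy(full_threshold=85.0, partial_threshold=60.0)
    log = build_integrity_log(MODULES)
    for dbs in ((PRIMARY_DB,), (PRIMARY_DB, SECONDARY_DB)):
        score, unverified = trust_score(log, *dbs)
        print(f"{len(dbs)} database(s): score={score} unverified={unverified} -> {policy.decide(score)}")
```

With the primary database alone the sample endpoint lands in the partial tier; consulting the second database lifts it to full access, while a modified kernel drops it below the deny threshold even though every other module validates.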
Applications Claiming Priority (7)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US63144904P | 2004-11-29 | 2004-11-29 | |
US63145004P | 2004-11-29 | 2004-11-29 | |
US60/631,450 | 2004-11-29 | | |
US60/631,449 | 2004-11-29 | | |
US63706604P | 2004-12-17 | 2004-12-17 | |
US60/637,066 | 2004-12-17 | | |
PCT/US2005/043035 WO2006058313A2 (en) | 2004-11-29 | 2005-11-28 | Method to control access between network endpoints based on trust scores calculated from information system component analysis |
Publications (1)
Publication Number | Publication Date |
---|---|
CA2588197A1 (en) | 2006-06-01 |
Family
ID=36498616
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002588197A (published as CA2588197A1, abandoned) | Method to control access between network endpoints based on trust scores calculated from information system component analysis | 2004-11-29 | 2005-11-28 |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP1817862A4 (en) |
JP (1) | JP4934860B2 (en) |
KR (1) | KR20070098835A (en) |
CA (1) | CA2588197A1 (en) |
WO (1) | WO2006058313A2 (en) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8327131B1 (en) | 2004-11-29 | 2012-12-04 | Harris Corporation | Method and system to issue trust score certificates for networked devices using a trust scoring service |
US7733804B2 (en) | 2004-11-29 | 2010-06-08 | Signacert, Inc. | Method and apparatus to establish routes based on the trust scores of routers within an IP routing domain |
US8266676B2 (en) | 2004-11-29 | 2012-09-11 | Harris Corporation | Method to verify the integrity of components on a trusted platform using integrity database services |
US9450966B2 (en) | 2004-11-29 | 2016-09-20 | Kip Sign P1 Lp | Method and apparatus for lifecycle integrity verification of virtual machines |
US7487358B2 (en) | 2004-11-29 | 2009-02-03 | Signacert, Inc. | Method to control access between network endpoints based on trust scores calculated from information system component analysis |
US7272719B2 (en) * | 2004-11-29 | 2007-09-18 | Signacert, Inc. | Method to control access between network endpoints based on trust scores calculated from information system component analysis |
CN1703004B (en) | 2005-02-28 | 2010-08-25 | 联想(北京)有限公司 | Method for implementing network access authentication |
CN100358303C (en) * | 2005-02-28 | 2007-12-26 | 联想(北京)有限公司 | A method for monitoring apparatus being managed |
US20070169204A1 (en) * | 2006-01-17 | 2007-07-19 | International Business Machines Corporation | System and method for dynamic security access |
JP4822544B2 (en) * | 2006-04-26 | 2011-11-24 | 株式会社リコー | Image forming apparatus capable of managing a plurality of module configuration information |
WO2023112140A1 (en) * | 2021-12-14 | 2023-06-22 | 日本電気株式会社 | Access control device, access control method, and program |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5919257A (en) * | 1997-08-08 | 1999-07-06 | Novell, Inc. | Networked workstation intrusion detection system |
US6327652B1 (en) * | 1998-10-26 | 2001-12-04 | Microsoft Corporation | Loading and identifying a digital rights management operating system |
US6330670B1 (en) * | 1998-10-26 | 2001-12-11 | Microsoft Corporation | Digital rights management operating system |
US7085925B2 (en) * | 2001-04-03 | 2006-08-01 | Sun Microsystems, Inc. | Trust ratings in group credentials |
US6944772B2 (en) * | 2001-12-26 | 2005-09-13 | D'mitri Dozortsev | System and method of enforcing executable code identity verification over the network |
AR043588A1 (en) * | 2003-03-12 | 2005-08-03 | Nationwide Mutual Insurance Co | METHOD FOR IMPLEMENTING A RISK ADMINISTRATION PROGRAM |
US20040107363A1 (en) * | 2003-08-22 | 2004-06-03 | Emergency 24, Inc. | System and method for anticipating the trustworthiness of an internet site |
US20050138417A1 (en) * | 2003-12-19 | 2005-06-23 | Mcnerney Shaun C. | Trusted network access control system and method |
2005
- 2005-11-28 EP EP05847593.0A patent/EP1817862A4/en not_active Withdrawn
- 2005-11-28 CA CA002588197A patent/CA2588197A1/en not_active Abandoned
- 2005-11-28 WO PCT/US2005/043035 patent/WO2006058313A2/en active Search and Examination
- 2005-11-28 JP JP2007543583A patent/JP4934860B2/en not_active Expired - Fee Related
- 2005-11-28 KR KR1020077014877A patent/KR20070098835A/en not_active Application Discontinuation
Also Published As
Publication number | Publication date |
---|---|
EP1817862A2 (en) | 2007-08-15 |
EP1817862A4 (en) | 2014-03-19 |
WO2006058313A3 (en) | 2007-01-18 |
JP2008522292A (en) | 2008-06-26 |
KR20070098835A (en) | 2007-10-05 |
WO2006058313A2 (en) | 2006-06-01 |
JP4934860B2 (en) | 2012-05-23 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
CA2588197A1 (en) | Method to control access between network endpoints based on trust scores calculated from information system component analysis | |
JP2008522292A5 (en) | | |
CN109325351B (en) | Security hole automatic verification system based on public testing platform | |
US8583574B2 (en) | Method of and apparatus for combining artificial intelligence (AI) concepts with event-driven security architectures and ideas | |
CN103841108B (en) | The authentication method and system of user biological feature | |
US8955133B2 (en) | Applying antimalware logic without revealing the antimalware logic to adversaries | |
CN108712426B (en) | Crawler identification method and system based on user behavior buried points | |
CN103842985A (en) | Security-enhanced cloud system and security management method thereby | |
KR20140033145A (en) | System and method for non-signature based detection of malicious processes | |
CN103428196A (en) | URL white list-based WEB application intrusion detecting method and apparatus | |
WO2007115209A3 (en) | Identity and access management framework | |
AU2213800A (en) | System penetrating a computer or computer network | |
CN109190380A (en) | The method and system that batch website loophole quickly detects are realized based on web fingerprint | |
CN111092910B (en) | Database security access method, device, equipment, system and readable storage medium | |
KR101964148B1 (en) | Wire and wireless access point for analyzing abnormal action based on machine learning and method thereof | |
US10193904B2 (en) | Data-driven semi-global alignment technique for masquerade detection in stand-alone and cloud computing systems | |
CN113949577A (en) | Data attack analysis method applied to cloud service and server | |
Saleh et al. | A method for web application vulnerabilities detection by using Boyer-Moore string matching algorithm | |
JP2008539482A5 (en) | | |
CN108737094A (en) | A kind of method and relevant device of the detection of domain cipher safety | |
CN102014131B (en) | Device safety check method combining off-line check and central summary | |
CN106101086A (en) | The cloud detection method of optic of program file and system, client, cloud server | |
EP4293551A1 (en) | User account risk measurement method and related apparatus | |
CN114935923A (en) | New energy edge industrial control system vulnerability detection method based on raspberry group | |
Huang et al. | A hybrid decision approach to detect profile injection attacks in collaborative recommender systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| EEER | Examination request | |
| FZDE | Discontinued | Effective date: 20141014 |