US 7,478,422 B2
Declarative language for specifying a security policy
Luis Filipe Pereira Valente, Palo Alto, Calif. (US); Geoffrey Howard Cooper, Palo Alto, Calif. (US); Robert Allen Shaw, Los Altos, Calif. (US); and Kieran Gerard Sherlock, Palo Alto, Calif. (US)
Assigned to Securify, Inc., Cupertino, Calif. (US)
Filed on Jun. 15, 2004, as Appl. No. 10/869,172.
Application 10/869,172 is a continuation of application No. 09/479,781, filed on Jan. 7, 2000, granted, now Pat. No. 6,779,120.
Prior Publication US 2004/0250112 A1, Dec. 09, 2004
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/00 (2006.01)
U.S. Cl. 726/4; 5 Claims
(OG exemplary drawing not reproduced)
 
1. A declarative language system for specifying in an annotated policy specification a security policy of a network event, wherein said network event comprises a stack having a plurality of protocol events, wherein each of said plurality of protocol events is associated with a predefined protocol layer, and wherein said network event is an interaction between an active principal and a passive principal, said declarative language system comprising:
a declarative language comprising a plurality of objects, such that each object of said plurality of objects comprises at least one list having a first element;
a declarative language editor for providing means for specifying in a first policy specification said security policy using said declarative language;
a declarative language compiler for providing means for compiling said first policy specification and generating said annotated policy specification;
means for loading said annotated policy specification into a policy engine;
means for said policy engine to receive said network event from an agent;
means for said policy engine to evaluate said security policy against said network event and to generate a disposition for said network event;
means for said policy engine to communicate agent directives to said agent; and
means for said policy engine to output said network event and said disposition to a datastore;
wherein each said object is a first-class object, and wherein said first-class object comprises any of:
a policy;
a group;
a credential, said credential having a specificity;
a condition;
a disposition; and
a rule, said rule having an outcome;
wherein said rule for evaluating said event comprises:
a protocol field associated with said event;
a plurality of actions associated with said event;
an initiator for representing said active principal of said event;
a target for representing said passive principal of said event; and
means for said outcome to generate a disposition by specifying constraints upon said event, said outcome comprising:
at least one of a plurality of conditional statements and a default statement, wherein each of said plurality of conditional statements comprises a keyword and a disposition, and wherein said plurality of conditional statements are evaluated in chronological order; and further comprising:
a prerequisite having a plurality of rules, such that said prerequisite is satisfied when at least one of said plurality of rules is applied to a prior event.
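The claim above names the first-class objects of the language (policy, group, credential with a specificity, condition, disposition, rule) and the order in which a rule's outcome is evaluated. The following is an added Python illustration of that structure; it is not the Securify language and not code from the patent. The class and rule names, the sample policy, and the sample events are constructed assumptions, and the claim's agent directives are not modelled. It shows credential specificity selecting between overlapping rules, the outcome's conditional statements tried in order before the default statement, a prerequisite that only holds when a named rule was already applied to an earlier protocol event of the same network event (one reading of "prior event", assumed here), and the event plus its disposition being written to a datastore.

```python
"""Toy policy engine shaped like claim 1: credentials with a specificity, conditions,
dispositions, and rules whose ordered outcome and prerequisite are evaluated against the
protocol-event stack of one network event.  Added illustration, not Securify's language."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional

SEVERITY = {"ok": 0, "warning": 1, "critical": 2}

@dataclass
class Principal:
    ip: str
    user: Optional[str] = None          # None = unauthenticated
@dataclass
class ProtocolEvent:
    layer: str                          # protocol layer, e.g. "tcp", "http"
    action: str                         # e.g. "connect", "GET"
    fields: dict = field(default_factory=dict)
@dataclass
class NetworkEvent:
    initiator: Principal                # active principal
    target: Principal                   # passive principal
    stack: list                         # ProtocolEvents, lowest layer first
@dataclass
class Credential:
    name: str
    matches: Callable[[Principal], bool]
    specificity: int                    # higher wins when several rules match
@dataclass
class Disposition:
    name: str
    severity: str                       # key into SEVERITY
@dataclass
class Rule:
    name: str
    protocol: str
    actions: set
    initiator: Credential
    target: Credential
    conditionals: list                  # ordered [(cond(ev, pe) -> bool, Disposition)]
    default: Disposition
    prerequisite: list = field(default_factory=list)  # names of rules applied to an earlier event

class PolicyEngine:
    def __init__(self, rules):
        self.rules = rules
        self.datastore = []             # (event, disposition, applied rule names)

    def _select(self, ev, pe, applied):
        # candidates must match protocol, action, both credentials and the prerequisite;
        # the most specific credential pair (initiator first, then target) wins
        cands = [r for r in self.rules
                 if r.protocol == pe.layer and pe.action in r.actions
                 and r.initiator.matches(ev.initiator) and r.target.matches(ev.target)
                 and (not r.prerequisite or any(p in applied for p in r.prerequisite))]
        return max(cands, key=lambda r: (r.initiator.specificity, r.target.specificity), default=None)

    def evaluate(self, ev):
        applied, dispositions = [], []
        for pe in ev.stack:             # walk the stack in protocol-layer order
            rule = self._select(ev, pe, applied)
            if rule is None:
                continue
            applied.append(rule.name)
            disp = rule.default
            for cond, d in rule.conditionals:   # first conditional that holds decides
                if cond(ev, pe):
                    disp = d
                    break
            dispositions.append(disp)
        # the event's disposition is the most severe one any layer produced
        final = max(dispositions, key=lambda d: SEVERITY[d.severity],
                    default=Disposition("no-applicable-rule", "warning"))
        self.datastore.append((ev, final, applied))
        return final

def build_engine():
    """Constructed sample policy (assumption): TCP allowed anywhere; intranet HTTP to one
    server is fine unless an unauthenticated client touches /admin; other HTTP is flagged."""
    net = ipaddress.ip_network("10.0.0.0/8")
    anyone = Credential("any", lambda p: True, 0)
    intranet = Credential("net:10.0.0.0/8", lambda p: ipaddress.ip_address(p.ip) in net, 1)
    server = Credential("host:10.1.1.5", lambda p: p.ip == "10.1.1.5", 2)
    return PolicyEngine([
        Rule("tcp_allowed", "tcp", {"connect"}, anyone, anyone, [],
             Disposition("tcp-ok", "ok")),
        Rule("http_admin", "http", {"GET", "POST"}, intranet, server,
             [(lambda ev, pe: pe.fields.get("path", "").startswith("/admin")
               and ev.initiator.user is None,
               Disposition("unauthenticated-admin-access", "critical"))],
             Disposition("http-ok", "ok"), prerequisite=["tcp_allowed"]),
        Rule("http_any", "http", {"GET", "POST"}, anyone, anyone, [],
             Disposition("unexpected-http", "warning")),
    ])

def make_event(src, user, dst, layers, path="/"):
    """Constructed sample event; `layers` picks which protocol events are in the stack."""
    proto = {"tcp": ProtocolEvent("tcp", "connect", {"dport": 80}),
             "http": ProtocolEvent("http", "GET", {"path": path})}
    return NetworkEvent(Principal(src, user), Principal(dst), [proto[l] for l in layers])
```

Two behaviours are worth noting. An HTTP event that arrives without a TCP protocol event in its stack never satisfies `http_admin`'s prerequisite, so it falls through to the less specific `http_any` rule and is flagged rather than silently accepted; and an event matched by no rule at all still gets a disposition, so the datastore never has a gap for it.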