Integrated network security access control system

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

C713S154000, C709S229000


active

06397336

ABSTRACT:

FIELD OF THE INVENTION
The present invention relates in general to data processing and communication systems, and is particularly directed to a data communication security access control mechanism, that is comprised of an integrated arrangement of security services, that are operative to control the ability of an information storage and retrieval network user to have access to and communicates with one or more information resources within the network. The security access control mechanism of the invention includes monitoring activity associated with a user's attempt to and actual conducting of data communications with respect to a system resource, and also the controllable modification of one or more security relationships of a security association that has been established among the users and resources of the system, in dependence upon one or more characteristics of the monitored activity, in such a manner that affects the ability of the system user to conduct data communications with respect to a system resource.
BACKGROUND OF THE INVENTION
The rapid expansion of the data communications industry, in particular the Internet and the World Wide Web (WWW), sometimes referred to as the superinformation highway, has provided data processing system users with what is effectively a global communication network interconnecting a vast number of databases and other network users. The local link between the network and the user is typically by way of a phone line (e.g., analog or ISDN) of a public communication service provider, with the workstation hardware including a modem or terminal adapter equipment that allows dial-up access between the user and a remote party. Since a user's workstation is coupled directly to such interface equipment, any network user ostensibly has the ability to access any information resource coupled to a network node.
As a reduced complexity, non-limiting example, FIG. 1 diagrammatically illustrates a network user workstation 10 which is coupled via a communication link 11 to a local area network (LAN) 20 by way of a LAN interface 13. LAN interface 13 also provides access to an external network, such as a public communication services (PCS) network, including the Internet 30, that provides potential access to any network information resource (e.g., processor-accessible digital database). The local area network 20 to which user 10 is connected customarily includes one or more computer-based units, such as the illustrated workstations 21 and 22, network server 23 and printer 24, which are interconnected via a hub 25. The hub 25 is connected to the LAN interface 13, so that the end user workstation 10 may access any ‘local’ information resource of the LAN 20. In order to connect to the external network 30, the network interface 13 may be coupled through an electronic mail gateway 32 and a modem 33, whereby a dial-up connection may be provided to an Internet connection or other global resource provider 34, through which access to any node in the overall network is achieved.
Because the network provides a potential window into any information resource linked to any of its nodes, it is customary to both wrap or embed all communications in a ‘security blanket’ (some form of encryption) at the communication sourcing end, and to employ one or more permission (authorization and authentication) layers that must be passed to gain access to another system resource (e.g., another computer). Once installed, such schemes operate as micro security systems, primarily as binary permission filters (the user is either permitted or denied access to a destination information resource), and are customarily limited to a relatively small (and often fixed) set of access permission criteria. Now, while such schemes provide some measure of access control, they do not provide a macro perspective or control of all of the resources for which a given network security system may be configured.
SUMMARY OF THE INVENTION
In accordance with the present invention, this problem is effectively remedied by a new and improved network resource security access control mechanism that includes protection control, access control, event management and pro-active security agent routines integrated within the communications control software resident in a data communications network control processor, for controlling the ability of a network user to have access to and communicate with one or more information resources of the network.
The protection control routine comprises cryptography algorithms and authentication mechanisms for protecting data transported over the network. The access control routine is used in conjunction with the protection control routine and includes right-to-access control factors, such as time of day and length of session, against which a user's request for access and continued activity are compared to derive inputs to the event manager. The event manager is a principal control routine that monitors activity among users and resources of the network. As it monitors these events, the event manager may take action that controllably intervenes in the current network activity of a user of interest, in response to one or more relationships associated with that activity being satisfied.
For this purpose, each network resource object has a security association with respect to every other resource object in the network, that defines the ability and permission of a respective resource object to communicate with and gain access to that other resource object. These security associations may include one or more of the users' authorization and authentication codes, lists of other objects with whom the users may or may not communicate, access time limitations, what cryptography mechanisms may be or must be used, etc. As will be described, controlled intervention by the event manager includes the ability to affect or modify this security association and thereby a user's ability to gain access to or continue to be granted access to another resource object in the network.
The event manager may employ a separate set of policy rules that are not known to the user and serve as an additional layer of access control for enhancing the security of the network. Such policy rules are established external to the network and may include a prescribed activity intensity level associated with the number of times or total length of time a resource object may communicate with another resource. In the event a policy rule is violated, the event manager may take relatively limited action, such as sourcing a query to the user to provide further authentication or other information, or a request to the protection control routine to employ an increased level of cryptography complexity associated with a higher network usage level. On the other hand, if the security rule set employed by the event manager classifies excessive user activity as a substantial network security ‘threat’, it may call up the pro-active security agent routine, so as to impair the user's ability to use the network. The security rules themselves, as objects of the overall security access control system, may be modified or updated, as required to accommodate event changes, without necessarily terminating access to the network.
The pro-active security agent routine is a data communications impairment routine, which may be selectively called up by the event manager to perform one or more data communication interference exercises with respect to a data path or user data resource object of interest. As will be described, this routine is invoked in extreme cases where the event manager has determined that a user's further use of the network would constitute a substantial security threat.
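The graded intervention described in the summary (access-control factors drawn from a security association, hidden policy rules, and escalation from re-authentication and stronger cryptography up to invoking the pro-active security agent) can be sketched as a small event manager. This is an added illustration, not code from the patent; the field names, thresholds and the peer, hour and request-count inputs are assumptions chosen to mirror the text.

```python
from dataclasses import dataclass

# Hypothetical model of the patent's security association: what a user
# object may reach, when, for how long, and under what protection level.
@dataclass
class SecurityAssociation:
    allowed_peers: set          # objects the user may communicate with
    access_hours: tuple         # (start_hour, end_hour) permitted window
    max_session_secs: int       # length-of-session limit
    crypto_level: int = 1       # protection control strength
    authenticated: bool = True  # cleared when re-authentication is demanded

# External policy rules the user does not see (assumed thresholds).
@dataclass
class PolicyRules:
    max_requests: int     # activity intensity above which to re-check the user
    threat_requests: int  # activity classed as a substantial threat

@dataclass
class Session:
    requests: int = 0
    elapsed_secs: int = 0
    impaired: bool = False  # set once the pro-active agent is invoked

def reauthenticate(sa: SecurityAssociation) -> None:
    """User answered the event manager's further-authentication query."""
    sa.authenticated = True

def evaluate(sa, rules, sess, peer, hour) -> str:
    """Event manager decision for one access attempt: allow/deny/reauth/impair."""
    if sess.impaired:
        return "impair"                      # agent already active for this path
    # Access control factors compared against the security association.
    start, end = sa.access_hours
    if peer not in sa.allowed_peers or not (start <= hour < end):
        return "deny"
    if sess.elapsed_secs > sa.max_session_secs or not sa.authenticated:
        return "deny"
    sess.requests += 1
    # Policy rules: graded response to activity intensity.
    if sess.requests > rules.threat_requests:
        sess.impaired = True                 # call up the pro-active agent
        return "impair"
    if sess.requests == rules.max_requests + 1:
        sa.crypto_level += 1                 # ask protection control for more
        sa.authenticated = False             # and query the user to re-prove identity
        return "reauth"
    return "allow"
```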


