Title: AUTOMATED GENERATION OF ACCESS CONTROL RULES FOR USE IN A DISTRIBUTED NETWORK MANAGEMENT SYSTEM THAT USES A LABEL-BASED POLICY MODEL
Abstract: An access control rule authorizing communication between a plurality of managed servers within an administrative domain is determined. Communication information describing past communication between the plurality of managed servers is obtained. A subset of managed servers from the plurality of managed servers is identified by grouping the plurality of managed servers based on the obtained communication information. A group-level label set is determined to associate with the subset of managed servers. Role labels are determined for managed servers in the subset of managed servers. A managed server is associated with one role label. Based on the group-level label set and the role labels, an access control rule is generated authorizing communication between a first managed server of the subset of managed servers and a second managed server. The access control rule is stored as part of an administrative domain-wide management policy.
Publication number: US2017026418(A1)    Publication date: 2017.01.26
Application number: US201615283590    Filing date: 2016.10.03
Applicant: Illumio, Inc.    Inventors: Kirner Paul J.; Glenn Matthew K.; Gupta Mukesh; Nakashima Roy N.; Verghese Thukalan V.
Classification: H04L29/06    Main classification: H04L29/06
Agency / Agent: not listed
Main claim:
1. A method for processing alerts from managed servers implementing one or more access control rules, the method comprising:
    obtaining an alert from a first managed server configured to generate the alert in response to past communication with a second managed server and responsive to the first managed server determining that the one or more access control rules do not authorize the past communication between the first managed server and the second managed server;
    obtaining contextual information including communication information describing the past communication between the first managed server and the second managed server;
    classifying the past communication as being legitimate or malicious based on the communication information;
    responsive to classifying the past communication as legitimate, generating an access control rule configured to authorize the past communication between the first managed server and the second managed server; and
    storing the access control rule as part of an administrative domain-wide management policy.
Address: Sunnyvale, CA, US
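The following Python sketch is an added illustration of the workflow described in the abstract and in claim 1 (group servers by observed communication, attach a group-level label and one role label per server, generate label-based allow rules, then process an alert for unauthorized communication by classifying it and, if legitimate, adding a rule). It is not Illumio's code and is not the patent's own method; the flow records, the port-to-role mapping, the label dimensions and the classification heuristic (sustained flow count to a port that the provider's role is known to serve) are all assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow rule in a label-based policy: any server carrying the consumer
    labels may reach any server carrying the provider labels on port/proto."""
    consumer: frozenset  # frozenset of (dimension, value) labels
    provider: frozenset
    port: int
    proto: str


# Constructed sample of past communication: (src, dst, port, proto, flow_count)
FLOWS = [
    ("web1", "app1", 8080, "tcp", 120),
    ("web2", "app1", 8080, "tcp", 95),
    ("app1", "db1", 3306, "tcp", 300),
    ("job1", "db2", 5432, "tcp", 40),  # a second, disconnected group
]

# Assumed mapping from the port a server serves to its role label
ROLE_BY_PORT = {8080: "app", 3306: "db", 5432: "db"}


def group_servers(flows):
    """Step 1: cluster servers into subsets as connected components of the
    communication graph (union-find over observed flows)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for src, dst, *_ in flows:
        parent[find(src)] = find(dst)
    groups = defaultdict(set)
    for server in list(parent):
        groups[find(server)].add(server)
    return [frozenset(g) for g in groups.values()]


def assign_labels(groups, flows):
    """Steps 2 and 3: one group-level label per subset and exactly one role
    label per server. A server's role comes from the port it provides; servers
    that only consume get the assumed role 'client'."""
    served = {}
    for _, dst, port, _, _ in flows:
        served.setdefault(dst, port)
    labels = {}
    for i, group in enumerate(sorted(groups, key=min), start=1):
        for server in group:
            role = ROLE_BY_PORT.get(served.get(server), "client")
            labels[server] = frozenset({("group", f"group{i}"), ("role", role)})
    return labels


def generate_rules(flows, labels):
    """Step 4: one allow rule per (consumer labels, provider labels, port, proto)
    seen in past communication; flows between identically labelled servers
    collapse into a single label-based rule."""
    return {Rule(labels[src], labels[dst], port, proto)
            for src, dst, port, proto, _ in flows}


def is_authorized(policy, labels, src, dst, port, proto):
    """The check a managed server performs: labels, not addresses, decide."""
    s, d = labels.get(src, frozenset()), labels.get(dst, frozenset())
    return any(r.consumer <= s and r.provider <= d
               and r.port == port and r.proto == proto for r in policy)


def process_alert(policy, labels, alert, min_flows=10):
    """Claim 1: an alert reports communication the policy did not authorize.
    Classify it from the communication information; a legitimate flow yields a
    new stored rule, a malicious one yields none. The heuristic used here is an
    assumption for this example: the flow must be sustained (flow_count at or
    above min_flows) and target a port the provider's role is known to serve."""
    src, dst, port, proto, count = alert
    if is_authorized(policy, labels, src, dst, port, proto):
        return "already-authorized", None
    provider_role = dict(labels.get(dst, ())).get("role")
    if count < min_flows or ROLE_BY_PORT.get(port) != provider_role:
        return "malicious", None
    rule = Rule(labels[src], labels[dst], port, proto)
    policy.add(rule)  # stored as part of the domain-wide policy
    return "legitimate", rule


if __name__ == "__main__":
    grp = group_servers(FLOWS)
    lbl = assign_labels(grp, FLOWS)
    pol = generate_rules(FLOWS, lbl)
    print(len(pol), "rules generated from", len(FLOWS), "flows")
    print(process_alert(pol, lbl, ("web1", "db1", 22, "tcp", 3)))
    print(process_alert(pol, lbl, ("app1", "db2", 5432, "tcp", 40)))
```

The union-find grouping and the port-to-role mapping stand in for whatever clustering and role inference the patent's system would use; the point the example makes is that rules are expressed over labels, so two web servers with the same labels produce one rule rather than two, and an alert only becomes a rule after it has been classified.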