Systems and methods for implementing computer security

US 10,153,906 B2
Filed: 11/01/2016
Issued: 12/11/2018
Est. Priority Date: 08/09/2011
Status: Active Grant

First Claim

Patent Images

1. A computing device, comprising:

one or more processing units;

memory; and

a first security control module, wherein the first security control module is stored in the memory and executed by the one or more of the processing units to monitor integrity of files and directories, the first security control module including instructions for;

obtaining an Application Programming Interface (API) key;

transmitting to a remote security server the API key;

receiving from the remote security server a first cryptographic key uniquely associated with the first security control module responsive to the transmitting of the API key;

transmitting to the remote security server a policy identifier, wherein the policy identifier identifies a security policy that applies to a first operating system running on the computing device and applies to one or more applications running in the first operating system;

obtaining from the remote security server a plurality of commands to be executed according to the security policy assigned to the first security control module, wherein the plurality of commands to be executed are received through encrypted communication between the first security control module and the remote security server using the first cryptographic key, and wherein the plurality of commands to be executed includes a specification of a first set of files and directories that are being monitored according to the security policy, wherein each of the files or directories in the first set is associated with the first operating system or associated with one of the one or more applications running in the first operating system;

periodically collecting metadata for the first set of files and directories and computing a content signature for each file in the first set; and

using the first cryptographic key to securely transmit the collected metadata and computed content signatures to the remote security server for evaluation of integrity against baseline data for the first set of files and directories, wherein the baseline data is stored at the remote security server.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security server transmits a specification of a first set of files and directories to a computing device for monitoring according to a security policy. Each of the files or directories in the first set is associated with the operating system of the computing device or associated with an application running on the computing device. The server securely receiving data collected at the remote computing device, which includes metadata for the files and directories and content signatures computed for each file. The server compares the received metadata and content signatures for each file or directory against corresponding baseline metadata and baseline content signatures. The baseline metadata and baseline content signatures are stored at the security server. When there is a mismatch between the received metadata and corresponding baseline metadata or a mismatch between a received content signature and a corresponding baseline content signature, the server performs a remedial action.

Citations

34 Claims

1. A computing device, comprising:
- one or more processing units;
  
  memory; and
  
  a first security control module, wherein the first security control module is stored in the memory and executed by the one or more of the processing units to monitor integrity of files and directories, the first security control module including instructions for;
  
  obtaining an Application Programming Interface (API) key;
  
  transmitting to a remote security server the API key;
  
  receiving from the remote security server a first cryptographic key uniquely associated with the first security control module responsive to the transmitting of the API key;
  
  transmitting to the remote security server a policy identifier, wherein the policy identifier identifies a security policy that applies to a first operating system running on the computing device and applies to one or more applications running in the first operating system;
  
  obtaining from the remote security server a plurality of commands to be executed according to the security policy assigned to the first security control module, wherein the plurality of commands to be executed are received through encrypted communication between the first security control module and the remote security server using the first cryptographic key, and wherein the plurality of commands to be executed includes a specification of a first set of files and directories that are being monitored according to the security policy, wherein each of the files or directories in the first set is associated with the first operating system or associated with one of the one or more applications running in the first operating system;
  
  periodically collecting metadata for the first set of files and directories and computing a content signature for each file in the first set; and
  
  using the first cryptographic key to securely transmit the collected metadata and computed content signatures to the remote security server for evaluation of integrity against baseline data for the first set of files and directories, wherein the baseline data is stored at the remote security server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 32, 33, 34)
- - 2. The computing device of claim 1, wherein the specification of the first set of files and directories includes a schedule for performing the periodic collection, and the periodic collection is performed according to the schedule.
  - 3. The computing device of claim 1, wherein the first security control module further includes instructions for:
    - receiving an updated specification for an updated first set of files and directories that are being monitored according to the security policy;
      
      periodically collecting metadata for the updated first set of files and directories and computing a content signature for each file in the updated first set; and
      
      using the first cryptographic key to securely transmit the collected metadata for the updated first set of files and directories and computed content signatures for each file in the updated first set, to the remote security server for evaluation of integrity against baseline data for the updated first set of files and directories.
  - 4. The computing device of claim 1, wherein each content signature for a respective file in the first set is computed as a hash of content of the respective file.
  - 5. The computing device of claim 1, wherein the collected metadata for a respective file or directory includes owner, access permissions, creation datetime, and last modification datetime.
  - 6. The computing device of claim 1, wherein baseline data for a respective file or directory includes one or more corresponding baseline samples, each baseline sample having an associated time span specifying when the respective baseline sample is active.
  - 7. The computing device of claim 6, wherein baseline data for a first file includes a plurality of baseline samples, and wherein two or more of the baseline samples for the first file have associated time spans that overlap.
  - 8. The computing device of claim 1, wherein securely transmitting the collected metadata and computed content signatures includes using the first cryptographic key and data shared with the remote security server to digitally sign and encrypt the collected metadata and computed content signatures prior to transmission to the remote security server.
  - 9. The computing device of claim 1, wherein the specification of the first set of files and directories includes a list of individual files and directories.
  - 10. The computing device of claim 1, wherein the specification of the first set of files and directories includes a name of a first directory and a designation for recursive selection of files in the first directory and files in nested subdirectories of the first directory.
  - 11. The computing device of claim 1, wherein the specification of the first set of files and directories includes one or more pattern expressions that identify the files and directories for inclusion in the first set.
  - 12. The computing device of claim 1, wherein the plurality of commands to be executed includes a command to collect information regarding one or more processes running in the memory.
  - 13. The computing device of claim 1, wherein the first operating system is the sole operating system running on the computing device.
  - 14. The computing device of claim 13, wherein the computing device is an embedded component of an automobile or an embedded component of an electrical appliance.
  - 15. The computing device of claim 1, further comprising a hypervisor module, wherein the hypervisor module instantiates virtual machines on the computing device, and the first operating system is executed within a first virtual machine instantiated in the memory by the hypervisor module.
  - 16. The computing device of claim 15, wherein the memory stores a second virtual machine instantiated by the hypervisor module, the second virtual machine includes a second operating system and a second security control module, the second security control module is executed by the one or more of the processing units to monitor integrity of files and directories associated with the second operating system, and memory allocated to the first virtual machine is distinct from memory allocated to the second virtual machine.
  - 17. The computing device of claim 1, wherein the first security control module initiates all communication with the remote security server, the remote security server cannot initiate communication with the first security control module, and the remote security server identifies for the first security control module the plurality of commands to be executed by placing them in a command queue associated with the first control security module.
  - 32. The security server of claim 13, wherein the specification of the first set of files and directories includes a list of individual files and directories.
  - 33. The security server of claim 13, wherein the specification of the first set of files and directories includes a name of a first directory and a designation for recursive selection of files in the first directory and files in nested subdirectories of the first directory.
  - 34. The security server of claim 13, wherein the specification of the first set of files and directories includes one or more pattern expressions that identify files and directories for inclusion in the first set.

18. A security server, comprising:
- one or more processing units;
  
  memory;
  
  a token generation module, wherein the token generation module is stored in the memory and executed by the one or more processing units, the token generation module including instructions for;
  
  receiving a request from a security control module running within a first operating system on a remote computing device distinct from the security server, wherein the request includes an Application Programming Interface (API) key and a policy identifier that identifies a security policy;
  
  in accordance with a determination that the API key is valid, generating a unique agent identity token, which includes a cryptographic key; and
  
  transmitting the agent identity token to the security control module responsive to the receiving and the generating; and
  
  an integrity validation module, wherein the integrity validation module is stored in the memory and executed by the one or more of the processing units, the integrity validation module including instructions for;
  
  transmitting to the security control module a specification of a first set of files and directories at the remote computing device that are being monitored according to the security policy, wherein each of the files or directories in the first set is associated with the first operating system or associated with one or more applications running in the first operating system;
  
  securely receiving from the security control module data collected at the remote computing device, wherein the received data includes metadata for the first set of files and directories and content signatures computed for each file in the first set;
  
  comparing the received metadata and content signatures for each file or directory in the first set against corresponding baseline metadata and baseline content signatures for the first set of files and directories, wherein the baseline metadata and baseline content signatures are stored at the security server; and
  
  when there is a mismatch between the received metadata and corresponding baseline metadata or a mismatch between a received content signature and a corresponding baseline content signature, performing a remedial action, and whereinthe security control module initiates all communication with the security server and the security server cannot initiate communication with the security control module.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 19. The security server of claim 18, wherein the remedial action is transmitting an alert message to appropriate security personnel.
  - 20. The security server of claim 18, wherein the remedial action comprises inserting a command into the command queue, and wherein the command is subsequently retrieved by the security control module and executed at the remote computing device.
  - 21. The security system of claim 20, wherein executing the command at the remote computing device terminates execution of at least one of the one or more applications.
  - 22. The security system of claim 20, wherein executing the command at the remote computing device restarts the first operating system or reinitializes the security control module.
  - 23. The security server of claim 18, wherein the specification of the first set of files and directories includes a schedule for periodically collecting metadata for the files and directories in the first set and computing content signatures for each file in the first set.
  - 24. The security server of claim 18, wherein the security control module further includes instructions for:
    - updating the specification based on input from a user, wherein the updated specification identifies an updated first set of files and directories that are being monitored according to the security policy;
      
      transmitting the updated specification to the security control module;
      
      securely receiving updated data collected at the remote computing device, wherein the updated data includes metadata for the updated first set of files and directories and content signatures for each file in the updated first set; and
      
      comparing the received updated data for each file or directory in the updated first set against corresponding baseline data for the updated first set of files and directories; and
      
      when there is a mismatch between the received updated data and corresponding baseline data, performing a remedial action.
  - 25. The security server of claim 18, wherein each content signature for a respective file in the first set is computed as a hash of content of the respective file, and each baseline content signature is computed as a hash of content of a corresponding baseline file.
  - 26. The security server of claim 18, wherein comparing metadata for a respective file or directory includes comparing owner, access permissions, creation datetime, and last modification datetime.
  - 27. The security server of claim 18, wherein baseline data for a respective file or directory includes one or more corresponding baseline samples, each baseline sample having an associated time span specifying when the respective baseline sample is active.
  - 28. The security server of claim 27, wherein baseline data for a first file includes a plurality of baseline samples, and wherein two or more of the baseline samples for the first file have associated time spans that overlap.
  - 29. The security server of claim 27, wherein the received data has an associated timestamp indicating when the received data was collected at the remote computing device, and the received data is compared against baseline samples whose active time spans include the timestamp.
  - 30. The security server of claim 29, wherein, when there are multiple active baseline samples for a respective file or directory, determining that there is a match for the respective file when the received data for the respective file matches any one of the active baseline samples for the respective file.
  - 31. The security server of claim 18, wherein securely receiving the data collected includes using the cryptographic key and data shared with the remote computing device to decrypt the received data and verify a digital signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Runway Growth Finance Corporation
Original Assignee
CloudPassage Inc.
Inventors
Sweet, Carson, Geraymovych, Vitaliy
Primary Examiner(s)
Lwin, Maung T

Application Number

US15/340,833
Publication Number

US 20170230183A1
Time in Patent Office

770 Days
Field of Search

709203, 709220, 709223
US Class Current
CPC Class Codes

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0428   wherein the data content is...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/126   the source of the received ...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/53   using third party service p...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/0819   Key transport or distributi...

H04L 9/0861   Generation of secret inform...

H04L 9/3247   involving digital signatures

Systems and methods for implementing computer security

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for implementing computer security

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links