Identity based behavior measurement architecture

US 10,356,116 B2
Filed: 04/06/2017
Issued: 07/16/2019
Est. Priority Date: 04/07/2016
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a memory; and

a processor executing;

instructions for a behavior measurement architecture (BMA) derived from an integrity measurement architecture (IMA), which is executed using an identity model to express a deterministic measurement value representative of behavior of an endpoint device of a group of service-providing network endpoints or a platform of the group of service-providing network endpoints hosted on the endpoint device; and

instructions for a security supervisor provided by the BMA and implemented through a daemon or an operating system program, which are executed to;

generate a unique identity for the endpoint device based on the identity model including a hash function, wherein the deterministic measurement value includes the unique identity for the endpoint device;

verify behavior of the endpoint device or the platform using the unique identity;

uphold a pre-defined behavioral state of the endpoint device or the platform and support execution of application instructions stored in memory of the endpoint device using the unique identity; and

execute a pre-determined action, via itself or a device derived from the security supervisor, when a behavior of the endpoint device or the platform is inconsistent with the pre-defined behavioral state of the endpoint device or the platform, according the unique identity of the endpoint device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An Identity Based Behavior Measurement Architecture (such as the BMA) and related technologies are described herein. In an exemplary embodiment, the BMA can be derived from an IMA and use an identity model to express a deterministic measurement value for platform behavior.

17 Citations

20 Claims

1. An apparatus, comprising:
- a memory; and
  
  a processor executing;
  
  instructions for a behavior measurement architecture (BMA) derived from an integrity measurement architecture (IMA), which is executed using an identity model to express a deterministic measurement value representative of behavior of an endpoint device of a group of service-providing network endpoints or a platform of the group of service-providing network endpoints hosted on the endpoint device; and
  
  instructions for a security supervisor provided by the BMA and implemented through a daemon or an operating system program, which are executed to;
  
  generate a unique identity for the endpoint device based on the identity model including a hash function, wherein the deterministic measurement value includes the unique identity for the endpoint device;
  
  verify behavior of the endpoint device or the platform using the unique identity;
  
  uphold a pre-defined behavioral state of the endpoint device or the platform and support execution of application instructions stored in memory of the endpoint device using the unique identity; and
  
  execute a pre-determined action, via itself or a device derived from the security supervisor, when a behavior of the endpoint device or the platform is inconsistent with the pre-defined behavioral state of the endpoint device or the platform, according the unique identity of the endpoint device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The apparatus of claim 1, wherein the BMA is based on three premises consisting of:
    - a first premise implemented by instructions stored on a non-transitory computer readable medium and executed to generate a behavior identity of an actor process that is expressed by a functional projection of identity factors of the actor process over identity factors of an acted upon a subject identity;
      
      a second premise implemented by instructions stored on the non-transitory computer readable medium and executed to generate functional projections of the first premise that represent a mutually exclusive and collectively exhaustive set of contours that represent a set of values derived from a total number of unique actors and a total number of unique subjects associated with the platform; and
      
      a third premise implemented by instructions stored on the non-transitory computer readable medium and executed to neglect inter-contour and extra-contour time dependencies and perform a single deterministic measurement of the behavior of the service-providing network endpoints that is given by the hash function on an arbitrary ordering of contour points of the set of contours generated by the second premise.
  - 3. The apparatus of claim 2, wherein the behavior identity of the actor process is given by the following equation A_M=H_M(FA₁. . . FA_N), where A_Mis an actor identity, FA is actor identity dimensions, and H_Mis the hash function with a digest size M, and wherein the subject identity is given by the following equation S_M=H_M(FS₁. . . FS_N), where S_Mis the subject identity, and FS is subject identity dimensions.
  - 4. The apparatus of claim 3, wherein each point of the contour points for a given actor identity operating on a subject identity is given by the following equation C_M=H_M(A_MS_M), where C_Mis a contour point.
  - 5. The apparatus of claim 4, wherein the contour point C_Mis projected into the unique identity for the endpoint device through the following equation P_M=H_M(DM∥
    - CM), where D_Mis an identity for the endpoint device, C_Mis the contour point, and ∥
      
      is a concatenation.
  - 6. The apparatus of claim 2, further comprising instructions for management interfaces to the BMA, which are configured to be accessible via a pseudo-filesystem, wherein the pseudo-filesystem includes a pseudodirectory having files that implement the management interfaces, and wherein the files within the pseudodirectory include a host identity file that is configured to generate the unique identity for the endpoint device that can serve as a range value for projecting contour points of the second premise.
  - 7. The apparatus of claim 6, wherein the files within the pseudodirectory further include a contours file configured to provide contour points based on an actor identity and a subject identity of respective components within the endpoint device or the platform, the contour points including a history of interactions between actor and subject components within the endpoint device or the platform.
  - 8. The apparatus of claim 7, wherein the files within the pseudodirectory further include a map file configured to extend the contour points of the contours file by an identity for the endpoint device to generate the unique identity of the endpoint device.
  - 9. The apparatus of claim 8, wherein the files within the pseudodirectory further include a measurement file to provide a measurement status of the platform derived from a hash sum of respective unique identities of the group of service-providing network endpoints.
  - 10. The apparatus of claim 7, wherein execution of the pre-determined action by the security supervisor includes disabling at least the contours file by a sealed file of the pseudodirectory such that afterwards interactions between actor and subject components within the endpoint device or the platform are recorded in a forensics file of the pseudodirectory, the forensics file being configured to provide a log of events leading to a deviation in device behavior.
  - 11. The apparatus of claim 1, wherein the instructions for the security supervisor are further executed to generate the unique identity for the endpoint device by applying the hash function over at least two components of the endpoint device or the platform, a range selector, and a credential.
  - 12. The apparatus of claim 11, wherein the instructions for the security supervisor are further executed to generate the unique identity for the endpoint device according to the following equation:
    - I_M=H_M(RM∥
      
      HM(C)), where I_Mis the unique identity, R_Mis a range value of size M, C is the credential, ∥
      
      is a concatenation, and H_Mis the hash function with digest size M.
  - 13. The apparatus of claim 11, wherein the endpoint device belongs to an organization provisioning devices, and wherein the instructions for the security supervisor are further executed to generate the unique identity for the endpoint device according to the following equation:
    - D_M=H_M(OM∥
      
      HM(D_C)), where D_Mis the unique identity, O_Mis an identity of an associated organization, D_Cis a credential of the endpoint device, ∥
      
      is a concatenation, and H_Mis the hash function with digest size M.
  - 14. The apparatus of claim 1, wherein the hash function includes a secure hash algorithm 2 (SHA-2) function.
  - 15. The apparatus of claim 14, wherein the hash function includes a SHA-256 or SHA-512 function.
  - 16. The apparatus of claim 1, wherein the pre-determined action includes issuing an alert indication, halting the system or resetting the system to a pre-defined state.
  - 17. The apparatus of claim 1, further comprising instructions for a dynamic root of trust, which are executed to provide a reference to a behavior-based identity state of the endpoint device or the platform.
  - 18. The apparatus of claim 1, wherein the security supervisor is implemented through a LINUX kernel and the derived IMA includes a modified version of a native IMA implemented through the LINUX kernel.

19. An apparatus, comprising:
- a memory configured to contain an operating system kernel, a security bootloader, and a security supervisor program; and
  
  a processor configured to execute;
  
  the operating system kernel to initiate a launch sequence and compile the launch sequence into a kernel image that maintains integrity of the launch sequence;
  
  the security bootloader to initialize a system identity and root filesystem after launch of the kernel; and
  
  the security supervisor program, which is launched after launch of the security bootloader, to;
  
  host applications or execution environments with documented system behavior, the applications or execution environments including a native binaries environment, a virtual machine environment, or a container environment;
  
  use an anonymous key agreement protocol that allows at least two endpoint devices to establish a shared secret over an insecure channel using a key exchange;
  
  generate a unique identity for at least one of the endpoint devices based on an identity model including a hash function;
  
  generate a key for the key exchange through key scheduling based on the generated unique identity and an epoch associated with a period of the key exchange;
  
  verify behavior of the endpoint devices or a platform running on the endpoint devices against a respective pre-defined behavioral state for each one of the endpoint devices or the platform; and
  
  execute a pre-determined action when a behavior of at least one of the endpoint devices or the platform is inconsistent with the respective pre-defined behavioral state.

20. A method, comprising:
- initiating a launch sequence and compiling the launch sequence into a kernel image that maintains integrity of the launch sequence;
  
  initializing a system identity and root filesystem; and
  
  after compiling the launch sequence and initializing the system identity and root filesystem, the method further comprising;
  
  hosting, by a security supervisor, applications or execution environments with documented system behavior, the applications or execution environments including a native binaries environment, a virtual machine environment, or a container environment;
  
  using an anonymous key agreement protocol that allows at least two endpoint devices to establish a shared secret over an insecure channel using a key exchange;
  
  generating a unique identity for at least one of the endpoint devices based on an identity model including a hash function;
  
  generating a key for the key exchange through key scheduling based on the generated unique identity and an epoch associated with a period of the key exchange;
  
  verifying behavior of the endpoint devices or a platform running on the endpoint devices against a respective pre-defined behavioral state for each one of the endpoint devices or the platform; and
  
  executing a pre-determined action when a behavior of at least one of the endpoint devices or the platform is inconsistent with the respective pre-defined behavioral state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
IDfusion, LLC
Original Assignee
IDfusion, LLC
Inventors
Wettstein, Gregory Henry, Stofferahn, Scott Byron, Engen, Richard William, Grosen, Johannes Christian
Primary Examiner(s)
Jamshidi, Ghodrat

Application Number

US15/480,985
Publication Number

US 20170295195A1
Time in Patent Office

831 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/572   Secure firmware programming...

G06F 21/575   Secure boot

G06F 21/72   in cryptographic circuits

H04L 2209/127   Trusted platform modules [TPM]

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0877   using additional device, e....

H04L 9/0897   involving additional device...

H04L 9/3234   involving additional secure...

H04L 9/3239   involving non-keyed hash fu...

H04W 12/106   Packet or message integrity

H04W 12/108   Source integrity

Identity based behavior measurement architecture

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Identity based behavior measurement architecture

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links