System and method for managing sensor enrollment

US 10,601,863 B1
Filed: 09/30/2016
Issued: 03/24/2020
Est. Priority Date: 03/25/2016
Status: Active Grant

First Claim

Patent Images

1. A computerized method for enrollment of a sensor for communications with a selected computing node of a cluster operating within a malware detection system, comprising:

receiving advertised features and capabilities for one or more broker computing nodes within the cluster by an enrollment service operating within a management system;

sending a first message to a sensor by the management system, the first message includes address information associated with the enrollment service;

in response to the first message, receiving a second message from the sensor, the second message includes tenant credentials that includes an identifier for the sensor for use by the enrollment service in authenticating the sensor;

determining a selected computing node for communications with the sensor based on consideration of the features and capabilities for the one or more broker computing nodes within the cluster and the tenant credentials associated with the sensor; and

upon authenticating the sensor by the enrollment service, sending keying material associated with the sensor to the selected computing node operating as a first broker computing node of the one or more broker computing nodes and sending a portion of the advertised features and capabilities associated with the first broker computing node to the sensor.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Sensor enrollment management is conducted where features and capabilities for one or more broker computing nodes within the cluster are received by an enrollment service operating within a management system. The enrollment service is configured to receive advertised features and capabilities for computing nodes that are part of a cluster and provide address information associated with the enrollment service to the sensor. Based on information supplied by the sensor, the enrollment service authenticates the sensor, and upon authentication, forwards keying material associated with the sensor to a computing node selected that is selected for supporting communications to the cluster from the sensor. Also, the enrollment service provides a portion of the advertised features and capabilities associated with the computing node to the sensor to enable the sensor to establish a secure communication path with the computing node for malware analysis of suspicious objects within network traffic monitored by the sensor.

844 Citations

32 Claims

1. A computerized method for enrollment of a sensor for communications with a selected computing node of a cluster operating within a malware detection system, comprising:
- receiving advertised features and capabilities for one or more broker computing nodes within the cluster by an enrollment service operating within a management system;
  
  sending a first message to a sensor by the management system, the first message includes address information associated with the enrollment service;
  
  in response to the first message, receiving a second message from the sensor, the second message includes tenant credentials that includes an identifier for the sensor for use by the enrollment service in authenticating the sensor;
  
  determining a selected computing node for communications with the sensor based on consideration of the features and capabilities for the one or more broker computing nodes within the cluster and the tenant credentials associated with the sensor; and
  
  upon authenticating the sensor by the enrollment service, sending keying material associated with the sensor to the selected computing node operating as a first broker computing node of the one or more broker computing nodes and sending a portion of the advertised features and capabilities associated with the first broker computing node to the sensor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computerized method of claim 1, wherein the sending of the keying material associated with the sensor to the selected computing node and the sending of the portion of the advertised features and capabilities associated with the first broker computing node to the sensor enables the sensor to establish a secure communication path with the first broker computing node, wherein the secure communication path allows the sensor to operate in cooperation with the first broker computing node by conducting a preliminary evaluation of an object, being a portion of information received by the sensor over a network, to determine whether the object is suspicious and provide the object to the first broker computing node for in-depth malware analysis by the cluster.
  - 3. The computerized method of claim 1, wherein the enrollment service includes a daemon application running on the management system.
  - 4. The computerized method of claim 1 further comprising:
    - receiving a third message by the enrollment service from the sensor in response to a triggering event, the third message being used by the enrollment service to assess whether the sensor is to continue communications with the cluster via the first broker computing node; and
      
      redirecting the sensor to a second broker computing node different than the first broker computing node for subsequent communications with the cluster, the redirecting of the sensor includes transmitting a fourth message that includes advertised features and capabilities for the second broker computing node within the cluster.
  - 5. The computerized method of claim 4, wherein the triggering event includes expiration of an amount of time during which the sensor is in communication with the first broker computing node.
  - 6. The computerized method of claim 4, wherein the triggering event includes detected degradation in operability of the first broker computing node by the sensor.
  - 7. The computerized method of claim 6, wherein the degradation of operability includes a rate of communication failures between the sensor and the first broker computing node exceeding a prescribed threshold.
  - 8. The computerized method of claim 4, wherein the triggering event includes non-compliance with a subscription service level associated with the sensor.
  - 9. The computerized method of claim 1, wherein prior to sending the first message to the sensor, the method further comprisesreceiving a message from the sensor, the message requesting to join the cluster;
    - andconducting a subscription check on the sensor to determine whether a customer associated with the sensor has an active subscription to a particular service provided by the cluster.
  - 10. The computerized method of claim 1, wherein prior to sending the first message to the sensor and after receiving the message requesting to join the cluster, the method further comprisesdetermining a subscription level assigned to the sensor, the subscription level being used as a factor for selection of the selected computing node as the first broker computing node.

11. A computerized method for enrollment of a sensor for communications with a selected computing node of a cluster operating within a malware detection system, comprising:
- authenticating the sensor by an enrollment service;
  
  upon authenticating the sensor by the enrollment service, selecting a computing node to operate as a first broker computing node for communications between the cluster and the sensor based on consideration of features and capabilities for one or more broker computing nodes including the first broker computing node within the cluster and information provided by the sensor for authenticating the sensor; and
  
  sending keying material associated with the sensor to the selected computing node operating as the first broker computing node and sending a portion of advertised features and capabilities associated with the first broker computing node to the sensor for use an establishment of a secure communication path between the sensor and the first broker computing node.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The computerized method of claim 11 further comprising:
    - establishing of the secure communication path between the sensor and the first broker computing node; and
      
      conduct, by the sensor, a preliminary evaluation of an object that includes a portion of information received by the sensor over a network, the preliminary evaluation to determine whether the object is suspicious and provide the suspicious object to the first broker computing node for in-depth malware analysis by the cluster.
  - 13. The computerized method of claim 11, wherein the enrollment service that authenticates the sensor is deployed in a web server separate from the cluster that includes the first broker computing node.
  - 14. The computerized method of claim 11, wherein the portion of features and capabilities associated with the first broker computing node includes (i) an IP address for the first broker computing node, or (ii) a name of the first broker computing node, or (iii) authentication information associated with the first broker computing node of the cluster.
  - 15. The computerized method of claim 11, wherein the keying material includes a public key of the sensor.
  - 16. The computerized method of claim 11, wherein prior selecting the computing node, the method further comprisesreceiving a message from the sensor, the message requesting to join the cluster;
    - andconducting a subscription check of the sensor to determine whether a customer associated with the sensor has an active subscription to a particular service provided by the cluster.
  - 17. The computerized method of claim 16, wherein after conducting the subscription check and prior to sending the keying material associated with the sensor to the selected computing node and sending the portion of the advertised features and capabilities associated with the first broker computing node to the sensor, the method further comprisingdetermining the selected computing node for communications with the sensor based on consideration of the features and capabilities for the one or more broker computing nodes within the cluster and the tenant credentials of the sensor.
  - 18. The computerized method of claim 16, wherein prior selecting the computing node, the method further comprisesdetermining a subscription level assigned to the sensor, the subscription level being used as a factor for selection of the selected computing node as the first broker computing node.

19. A system comprising:
- a sensor to (i) receive information over a network, the sensor to conduct a preliminary evaluation of one or more objects each including a portion of the information received by the sensor and (ii) determine whether any of the one or more objects is suspicious;
  
  a first computing node; and
  
  a management system communicatively coupled to the sensor and the first computing node, the management system includes an enrollment service that (i) receives advertised features and capabilities for the first computing node and tenant credentials from the sensor, (ii) provides address information associated with the enrollment service to the sensor, (iii) determines the first computing node for communications with the sensor based on consideration of the features and capabilities for one or more computing nodes within a cluster including the first computing node and the tenant credentials associated with the sensor, (iv) receives and forwards keying material associated with the sensor to the first computing node upon authentication of the sensor, and (v) provides a portion of the advertised features and capabilities associated with the first computing node to the sensor to enable the sensor to establish a secure communication path with the first computing node.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 20. The system of claim 19, wherein the first computing node is one of a plurality of computing nodes forming the cluster operating within a malware detection system to perform malware analysis on a suspicious object provided by the sensor, at least the first computing node operating as a broker computing node for the cluster.
  - 21. The system of claim 19, wherein the enrollment service includes a daemon application running on the management system.
  - 22. The system of claim 19, wherein the enrollment service is operating within a public or private cloud.
  - 23. The system of claim 19, wherein the portion of the advertised features and capabilities associated with the first computing node includes a public key of the first computing node and a number of sensors supported by the first computing node operating as a broker computing node.
  - 24. The system of claim 19, wherein the portion of the advertised features and capabilities associated with the first computing node includes a geographical location of the cluster including the first computing node.
  - 25. The system of claim 19, wherein the portion of the advertised features and capabilities associated with the first computing node includes a capacity of the cluster including the first computing node.
  - 26. The system of claim 19, wherein the portion of the advertised features and capabilities associated with the first computing node identifies sensor types supported by the enrollment service.
  - 27. The system of claim 19, wherein the enrollment service of the management system to provide the address information associated with the enrollment service that includes an Internet Protocol address or a Domain Name System name of the management system.
  - 28. The system of claim 19, wherein the enrollment service further (i) receives a first message from the sensor in response to a triggering event for use in determining whether the sensor is to continue communications with the cluster via the first computing node operating as a broker computing node, and (ii) redirects the sensor to a second computing node operating as a broker computing node that is different than the first computing node for subsequent communications with the cluster, the fourth message includes advertised features and capabilities for the second computing node.
  - 29. The system of claim 28, wherein the triggering event includes expiration of an amount of time during which the sensor is in communication with the first computing node.

30. A computerized method for enrollment of a sensor for communications with a selected computing node of a cluster operating within a malware detection system, comprising:
- receiving a request for join the cluster from a sensor;
  
  analyzing information associated with a subscription for the sensor for services provided by the cluster; and
  
  upon determining (i) that the subscription for the sensor is active by the enrollment service and (ii) a selected computing node for communications with the sensor based on consideration of features and capabilities for one or more broker computing nodes within the cluster and tenant credentials associated with the sensor, sending information associated with the sensor to the selected computing node operating as a first broker computing node of the one or more broker computing nodes and sending a portion of the advertised features and capabilities associated with the first broker computing node to the sensor.
- View Dependent Claims (31, 32)
- - 31. The computerized method of claim 30, wherein the analyzing of the information associated with the subscription for the sensor includes analysis of a level of subscription assigned to the sensor, the level of subscription may be used as a factor by the enrollment service in selecting the selected computing node.
  - 32. The computerized method of claim 30, wherein the sending of the portion of the advertised features and capabilities from the enrollment service to the sensor comprises sending one or more of (i) an address of the selected computing node, (ii) a name of the selected computing node, or (iii) information for authenticating the sensor to the selected computing node of the cluster.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Siddiqui, Mumtaz
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gundry, Stephen T

Application Number

US15/283,209
Time in Patent Office

1,271 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/0876   based on the identity of th...

H04L 63/145   the attack involving the pr...

System and method for managing sensor enrollment

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

844 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for managing sensor enrollment

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

844 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links