Systems and methods for network vulnerability assessment and protection of Wi-fi networks using a cloud-based security system

US 10,630,724 B2
Filed: 09/12/2017
Issued: 04/21/2020
Est. Priority Date: 09/12/2017
Status: Active Grant

First Claim

Patent Images

1. A method assessing Wi-Fi network vulnerability and enforcing policy based thereon in a cloud-based security system, the method comprising:

obtaining and storing security risk scores for a plurality of Wi-Fi networks based in part on analysis of physical properties of the plurality of Wi-Fi networks performed by user equipment in range of each of the plurality of Wi-Fi networks, the physical properties comprising at least one of Service Set Identifier (SSID), Dynamic Host Configuration Protocol (DHCP) options, geolocation, security protocol and encryption standards, and router properties;

detecting user equipment associated with the cloud-based security system either desiring to connect to or establishing a connection to a Wi-Fi network;

obtaining a security risk score of the Wi-Fi network from the user equipment associated with the cloud-based security system via one of a separate wireless network and the Wi-Fi network; and

enforcing policy for the user equipment associated with the cloud-based security system based on the obtained security risk score of the Wi-Fi network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods of assessing Wi-Fi network vulnerability and enforcing policy based thereon in a cloud-based security system include obtaining and storing security risk scores for a plurality of Wi-Fi networks based in part on analysis performed by user equipment in range of each of the plurality of Wi-Fi networks; detecting user equipment associated with the cloud-based security system either desiring to connect to or already connected to a Wi-Fi network; obtaining a security risk score of the Wi-Fi network; and enforcing policy for the user equipment based on the obtained security risk score of the Wi-Fi network.

10 Citations

View as Search Results

18 Claims

1. A method assessing Wi-Fi network vulnerability and enforcing policy based thereon in a cloud-based security system, the method comprising:
- obtaining and storing security risk scores for a plurality of Wi-Fi networks based in part on analysis of physical properties of the plurality of Wi-Fi networks performed by user equipment in range of each of the plurality of Wi-Fi networks, the physical properties comprising at least one of Service Set Identifier (SSID), Dynamic Host Configuration Protocol (DHCP) options, geolocation, security protocol and encryption standards, and router properties;
  
  detecting user equipment associated with the cloud-based security system either desiring to connect to or establishing a connection to a Wi-Fi network;
  
  obtaining a security risk score of the Wi-Fi network from the user equipment associated with the cloud-based security system via one of a separate wireless network and the Wi-Fi network; and
  
  enforcing policy for the user equipment associated with the cloud-based security system based on the obtained security risk score of the Wi-Fi network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the security risk scores are determined locally by an associated user equipment in range of each of the plurality of Wi-Fi networks based on a combination of a static analysis and a dynamic analysis of the physical properties.
  - 3. The method of claim 2, wherein the static analysis and the dynamic analysis are in part performed based on obtaining data from the cloud-based security system.
  - 4. The method of claim 2, wherein the dynamic analysis comprises a live sampling of Wi-Fi network data through one or more of:
    - pinging known malware and phishing sites to determine reachability;
      
      Secure Sockets Layer (SSL) interception checks to determine if man-in-the-middle SSL scanning is performed;
      
      Domain Name Server (DNS) redirection to determine if a DNS server is malicious;
      
      contacting known Botnet command and control servers and attempting to download benign files to determine if successful;
      
      scanning the Wi-Fi network for hosts and services that have potential for harm; and
      
      checking data loss prevention over the Wi-Fi network.
  - 5. The method of claim 1, wherein the security risk scores are determined locally by an associated user equipment in range of each of the plurality of Wi-Fi networks using an application operated on the user equipment.
  - 6. The method of claim 1, wherein the security risk scores are determined by a plurality of mobile devices spread across a geography and configured to monitor the plurality of Wi-Fi networks in range, to provide crowd sourced analysis of the plurality of Wi-Fi networks.
  - 7. The method of claim 1, wherein the policy comprises one of preventing the user equipment from associating with the Wi-Fi network or causing the user equipment to disassociate from the Wi-Fi network.
  - 8. The method of claim 1, wherein the policy comprises requiring the user equipment to utilize a secure tunnel over the Wi-Fi network to the cloud-based security system.
  - 9. The method of claim 1, wherein the policy comprises preventing the user equipment from accessing one or more sites and using one or more applications.

10. A cloud node in a cloud-based security system configured to assess Wi-Fi network vulnerability and enforce policy based thereon, the cloud node comprising:
- a network interface;
  
  a processor communicatively coupled to the network interface; and
  
  memory storing instructions that, when executed, cause the processor to;
  
  obtain and store security risk scores for a plurality of Wi-Fi networks based in part on analysis of physical properties of each of the plurality of Wi-Fi networks performed by user equipment in range of each of the plurality of Wi-Fi networks, the physical properties comprising at least one of Service Set Identifier (SSID), Dynamic Host Configuration Protocol (DHCP) options, geolocation, security protocol and encryption standards, and router properties;
  
  detect user equipment associated with the cloud-based security system either desiring to connect to or establishing a connection to a Wi-Fi network;
  
  obtain a security risk score of the Wi-Fi network from the user equipment associated with the cloud-based security system via one of a separate wireless network and the Wi-Fi network; and
  
  enforce policy for the user equipment associated with the cloud-based security system based on the obtained security risk score of the Wi-Fi network.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The cloud node of claim 10, wherein the security risk scores are determined locally by an associated user equipment in range of each of the plurality of Wi-Fi networks based on a combination of a static analysis and a dynamic analysis of the physical properties.
  - 12. The cloud node of claim 11, wherein the static analysis and the dynamic analysis are in part performed based on obtaining data from the cloud-based security system.
  - 13. The cloud node of claim 11, wherein the dynamic analysis comprises a live sampling of Wi-Fi network data through one or more of:
    - pinging known malware and phishing sites to determine reachability;
      
      Secure Sockets Layer (SSL) interception checks to determine if man-in-the-middle SSL scanning is performed;
      
      Domain Name Server (DNS) redirection to determine if a DNS server is malicious;
      
      contacting known Botnet command and control servers and attempting to download benign files to determine if successful;
      
      scanning the Wi-Fi network for hosts and services that have potential for harm; and
      
      checking data loss prevention over the Wi-Fi network.
  - 14. The cloud node of claim 10, wherein the security risk scores are determined locally by an associated user equipment in range of each of the plurality of Wi-Fi networks using an application operated on the user equipment.
  - 15. The cloud node of claim 10, wherein the policy comprises one of preventing the user equipment from associating with the Wi-Fi network or causing the user equipment to disassociate from the Wi-Fi network.
  - 16. The cloud node of claim 10, wherein the policy comprises requiring the user equipment to utilize a secure tunnel over the Wi-Fi network to the cloud-based security system.
  - 17. The cloud node of claim 10, wherein the policy comprises preventing the user equipment from accessing one or more sites and using one or more applications.

18. A cloud-based security system configured to assess Wi-Fi network vulnerability and enforce policy based thereon, the cloud-based security system comprising:
- one or more cloud nodes; and
  
  a central authority communicatively coupled to the one or more cloud nodes, wherein the one or more cloud nodes are configured to obtain security risk scores for a plurality of Wi-Fi networks based in part on analysis of physical properties of each of the plurality of Wi-Fi networks performed by user equipment in range of each of the plurality of Wi-Fi networks and provide to the central authority, the physical properties comprising at least one of Service Set Identifier (SSID), Dynamic Host Configuration Protocol (DHCP) options, geolocation, security protocol and encryption standards, and router properties;
  
  detect user equipment associated with the cloud-based security system either desiring to connect to or establishing a connection to a Wi-Fi network;
  
  obtain a security risk score of the Wi-Fi network from the user equipment associated with the cloud-based security system via one of a separate wireless network and the Wi-Fi network; and
  
  enforce policy for the user equipment associated with the cloud-based security system based on the obtained security risk score of the Wi-Fi network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Bansal, Abhinav
Primary Examiner(s)
Hoffman, Brandon S

Application Number

US15/701,904
Publication Number

US 20190081981A1
Time in Patent Office

952 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/0421   Anonymous communication, i....

H04L 63/10   for controlling access to d...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04W 12/03   Protecting confidentiality,...

H04W 12/122   Counter-measures against at...

H04W 12/128   Anti-malware arrangements, ...

H04W 12/67   Risk-dependent, e.g. select...

H04W 84/12   WLAN [Wireless Local Area N...

Systems and methods for network vulnerability assessment and protection of Wi-fi networks using a cloud-based security system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for network vulnerability assessment and protection of Wi-fi networks using a cloud-based security system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links