METHOD AND DEVICE FOR MANAGING SECURITY EVENTS

US 20110161848A1
Filed: 12/26/2009
Published: 06/30/2011
Est. Priority Date: 12/26/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing a security event manager on a mobile computing device;

retrieving security policy data with the security event manager, the security policy data defining a set of security event rules for determining the occurrence of a security event;

receiving security event data with the security event manager, the security event data being generated from at least one security event source of the mobile computing device;

determining an occurrence of a security event with the security event manager based on the security event data and the security policy data; and

responding to the security event with the security event manager.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and device for managing security events includes establishing a security event manager on a mobile computing device. The security event manager may be embodied as software and/or hardware components. The security event manager receives security event data from a plurality of security event sources of the mobile computing device and correlates the security event data based on a security policy to determine whether a security event has occurred. The security event manager responds to the security event based on the security policy.

53 Citations

View as Search Results

24 Claims

1. A method comprising:
- establishing a security event manager on a mobile computing device;
  
  retrieving security policy data with the security event manager, the security policy data defining a set of security event rules for determining the occurrence of a security event;
  
  receiving security event data with the security event manager, the security event data being generated from at least one security event source of the mobile computing device;
  
  determining an occurrence of a security event with the security event manager based on the security event data and the security policy data; and
  
  responding to the security event with the security event manager.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein establishing the security event manager comprises establishing the security event manager in a secured boot environment.
  - 3. The method of claim 1, wherein receiving security event data comprises receiving security event data generated from a plurality of security event sources of the mobile computing device.
  - 4. The method of claim 1, wherein receiving the security event data comprises receiving security event data generated from at least one of a firmware of the mobile computing device, an operating system of the mobile computing device, and a software application executed on the mobile computing device.
  - 5. The method of claim 1, wherein determining the occurrence of the security event comprises normalizing the security event data into a predetermined data format.
  - 6. The method of claim 1, wherein determining the occurrence of the security event comprises aggregating the security event data to summarize the security event data.
  - 7. The method of claim 1, wherein determining the occurrence of the security event comprises correlating the security event data to determine an occurrence of a security event based on the security policy data.
  - 8. The method of claim 7, wherein determining the occurrence of the security event comprises correlating the security event data to determine an occurrence of a security event based on the security policy and on context data associated with the mobile computing device.
  - 9. The method of claim 8, wherein the context data comprises data indicative of at least one of a location of a user of the mobile computing device, an activity of the user, an aspect of the environment in which the user is located, and biometric data related to the user.
  - 10. The method of claim 1, wherein determining the occurrence of the security event comprises:
    - normalizing the security event data to generate normalized security event data, the normalized security event data having a predetermined data format;
      
      aggregating the normalized security event data to generate aggregated security event data, the aggregated security event data summarizing the normalized security event data; and
      
      correlating the aggregated security event data to determine an occurrence of a security event based on the security policy data.
  - 11. The method of claim 1, further comprising:
    - retrieving context data with the security event manager from a context database stored on the mobile computing device,wherein determining the occurrence of the security event comprises determining an occurrence of a security event based on the security event data and the context data.
  - 12. The method of claim 1, wherein responding to the security event comprises performing at least one of the following actions on the mobile computing device:
    - changing a connectivity state of the mobile computing device, modifying access to a software application on the mobile computing device, modifying an event data filter of the security event manager, denying access to data, rebooting the mobile computing device, modifying a power state of the mobile computing device, and quarantining a software application or service executed on the mobile computing device.
  - 13. The method of claim 1, further comprising:
    - receiving sensor data generated from a sensor of the mobile computing device; and
      
      updating a context database stored on the mobile computing device with the sensor data.
  - 14. The method of claim 1, further comprising:
    - displaying a user interface on the mobile computing device to receive user input data; and
      
      updating the security policy data based on the user input data.
  - 15. The method of claim 1, further comprising:
    - establishing a network communication connection with an enterprise security event manager server; and
      
      transmitting the security event data from the mobile computing device to the enterprise security event manager server.

16. A mobile computing device comprising:
- a security event manager;
  
  a processor; and
  
  a memory device having stored therein a plurality of instructions, which when executed by the processor, cause the security event manager to;
  
  receive security event data generated from a plurality of security event sources of the mobile computing device;
  
  correlate the security event data based on a security policy to determine an occurrence of a security event, the security policy being stored on the mobile computing device and defining a set of security event rules for determining the occurrence of a security event; and
  
  respond to the security event based on the security policy.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The mobile computing device of claim 16, wherein to correlate the security event data comprises to determine an occurrence of a security event in response to the security event data having a predetermined relationship with at least one security event rule of the security policy.
  - 18. The mobile computing device of claim 16, wherein the plurality of instructions further cause the security event manager to:
    - normalize the security event data into a predetermined data format; and
      
      aggregate the security event data to summarize the security event data.
  - 19. The mobile computing device of claim 16, wherein the plurality of instructions further cause the security event manager to:
    - retrieve context data related to a user of the mobile computing device from a context database stored on the mobile computing device,wherein to correlate the security event data comprises to correlate the security event data based on security policy and the context data.
  - 20. The mobile computing device of claim 16, further comprising a sensor and wherein the plurality of instructions further cause the security event manager to:
    - receive sensor data generated from the sensor, andupdate a context database stored on the mobile computing device with the sensor data.
  - 21. The mobile computing device of claim 16, wherein the plurality of instructions further cause the security event manager to:
    - establish a network communication connection with an enterprise security event manager server; and
      
      transmit the security event data from the mobile computing device to the enterprise security event manager server.

22. A tangible, machine readable medium comprising a plurality of instructions, that in response to being executed, result in a computing device:
- establishing a security event manager;
  
  receiving security event data with the security event manager, the security event data being generated from a plurality of security event sources of the computing device;
  
  normalizing the security event data, using the security event manager, to generate normalized security event data, the normalized security event data having a predetermined data format;
  
  aggregating the normalized security event data, using the security event manager, to generate aggregated security event data, the aggregated security event data summarizing the normalized security event data; and
  
  correlating the aggregated security event data based on a predetermined security policy, using the security event manager, to determine whether a security event has occurred.
- View Dependent Claims (23, 24)
- - 23. The tangible, machine readable medium of claim 22, wherein correlating the aggregated security event data comprises determining whether the security event data has a predetermined relationship with at least one security event rule defined by the predetermined security policy.
  - 24. The tangible, machine readable medium of claim 22, wherein the plurality of instructions further result in the computing device responding to a security event based on the predetermined security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Purcell, Stacy P., Morgan, Dennis M., Baca, Jim S., Aissi, Selim, Ross, Alan D., Kohlenberg, Tobias M.

Granted Patent

US 8,806,620 B2
Time in Patent Office

Days
Field of Search
US Class Current

715/764
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/04   specially adapted for termi...

METHOD AND DEVICE FOR MANAGING SECURITY EVENTS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND DEVICE FOR MANAGING SECURITY EVENTS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links