SYSTEMS AND METHODS FOR PROVIDING MOBILE SECURITY BASED ON DYNAMIC ATTESTATION

US 20130298242A1
Filed: 07/27/2012
Published: 11/07/2013
Est. Priority Date: 05/01/2012
Status: Active Grant

First Claim

Patent Images

1. A method for providing runtime operational integrity of a mobile device to a mobile service provider using an endpoint trust agent, and a trust orchestrator, the method comprising:

generating, by the endpoint trust agent, one or more runtime integrity alerts regarding execution anomalies for applications currently executing on the mobile device;

calculating, by the endpoint trust agent, risks based on a predetermined ruleset;

determining a calculus of risk for the mobile device based at least upon the integrity alerts and identified risks;

sending, by the endpoint trust agent, a plurality of endpoint events comprising data and content of runtime integrity warnings to the trust orchestrator; and

generating, by the trust orchestrator, an integrity profile based on the received endpoint events.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Instrumented networks, machines and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects (including mobile devices) and applications on the instrumented target platform. Methods and systems are disclosed for dynamic attestation of mobile device integrity based upon subject reputation scores. In an embodiment, a method scores trustworthiness of a mobile device based on reputation scores for users associated with the device and/or a device reputation score. The method generates runtime integrity alerts regarding execution anomalies for applications executing on the device, calculates risks based on a ruleset, and determines a calculus of risk for the device. The method sends endpoint events comprising data and content of the integrity warnings to a trust orchestrator, which generates an integrity profile based on the endpoint events.

220 Citations

28 Claims

1. A method for providing runtime operational integrity of a mobile device to a mobile service provider using an endpoint trust agent, and a trust orchestrator, the method comprising:
- generating, by the endpoint trust agent, one or more runtime integrity alerts regarding execution anomalies for applications currently executing on the mobile device;
  
  calculating, by the endpoint trust agent, risks based on a predetermined ruleset;
  
  determining a calculus of risk for the mobile device based at least upon the integrity alerts and identified risks;
  
  sending, by the endpoint trust agent, a plurality of endpoint events comprising data and content of runtime integrity warnings to the trust orchestrator; and
  
  generating, by the trust orchestrator, an integrity profile based on the received endpoint events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, further comprising sending, by the trust orchestrator, system warnings based on endpoint execution state assessments to:
    - a network trust agent;
      
      a mobile policy manager; and
      
      a mobile device manager,wherein the execution state assessments include threat postures of the one or more applications currently executing on the mobile device.
  - 3. The method of claim 1, further comprising processing and correlating, by the trust orchestrator:
    - a system integrity profile generated based on the calculus of risk;
      
      temporal events generated based on a normalization and collation of elements in endpoint assessment reports from a plurality of collaboration services; and
      
      a system infection profile received from a network analyzer.
  - 4. The method of claim 3 wherein the network analyzer is associated with a network administered by the mobile service provider.
  - 5. The method of claim 1 further comprising a network trust agent is associated with a network administered by the mobile service provider.
  - 6. The method of claim 1, further comprising sending, by the network trust agent, messages or directives to network security frameworks and/or wireless access points to apply flow controls based on the received execution state of a mobile endpoint.
  - 7. The method of claim 2, further comprising sending, by the mobile policy manager, messages or directives to the mobile device manager to apply controls based on the received execution state of a mobile endpoint.
  - 8. The method of claim 2, further comprising sending, by the mobile device manager, messages or directives to an endpoint agent to activate or deactivate specific feature controls.
  - 9. The method of claim 1, further comprising sending, by the trust orchestrator, messages or directives to the endpoint trust agent to apply specific controls on the mobile device.
  - 10. The method of claim 1, further comprising notifying a user of a state of an infected or compromised mobile device as at least one of:
    - an asynchronous push notification to the mobile device;
      
      a text alert message sent to the mobile device;
      
      an email alert message;
      
      a warning message during initiation of a transaction with a service from the mobile device.
  - 11. The method of claim 1, wherein the calculus of risk is based on:
    - an endpoint assessment of correlated mobile network activity, system configuration, resource utilization and mobile application integrity for the mobile device using a plurality of sensory inputs from network and endpoint sensors, wherein the endpoint assessment is based on one or more of;
      
      a network security scan report for the mobile network;
      
      parsing a plurality of received reports for categorization by a network address or a geo-location of the mobile device;
      
      evaluating application contexts for the applications currently executing on the mobile device;
      
      evaluating user contexts for users currently logged into or associated with the mobile device; and
      
      classifying threats identified for the mobile device, the applications, and/or the users,wherein the ruleset is stored in a rules repository of object attributes and wherein the attributes include constraints, a sample rate, a recurrence, a score, and a weight for integrity assessments of the mobile device, the applications, and/or the users.
  - 12. The method of claim 11, further comprising generating subject reputation scores for the mobile device, the applications, and/or the users based on the calculus of risk;
    - andgenerating trustworthiness scores for the mobile device, the applications, and/or the users based on the subject reputation scores, applications installed on the mobile device, and a patch level of an operating system (OS) running on the mobile device.
  - 13. The method of claim 12, wherein the trustworthiness scores are further based upon execution anomalies and a threat posture of the applications.
  - 14. The method of claim 12, wherein one or more features or capabilities of the mobile device are altered as a remediation action in response to determining that a trustworthiness score of the mobile device, the applications, or the users is below a predetermined threshold.
  - 15. The method of claim 14, wherein the remediation actions comprise de-activating or activating one or more features or capabilities of the mobile device.
  - 16. The method of claim 14, wherein the one or more features or capabilities of the mobile device include networking capabilities, service access privileges, resource access privileges, application execution privileges, and communications capabilities.
  - 17. The method of claim 14, wherein the remediation action is based on a geo-location of the mobile device.
  - 18. The method of claim 1, wherein the network trust agent, the endpoint trust agent and the trust orchestrator are configured to execute on a computing platform accessible by the mobile service provider.
  - 19. The method of claim 1, wherein the mobile device is one of a personal digital assistant (PDA), a device running a mobile operating system, a smart phone, a mobile phone, a hand held computer, a tablet computer, an electronic reading device, a netbook computer, a palmtop computer, a laptop computer, or an ultra-mobile PC.

20. A system for providing runtime operational integrity including execution anomalies and a threat posture of a mobile computing device or an application executing on the mobile computing device to a mobile service provider, the system comprising:
- a computing platform including a network trust agent, an endpoint trust agent, and a trust orchestrator, wherein the computing platform is configured to;
  
  generate, by the endpoint trust agent, runtime integrity alerts regarding execution anomalies of the application and risks based on rulesets and a calculus of risk;
  
  send, by the endpoint trust agent, runtime integrity warnings pertaining to data and content as endpoint events to the trust orchestrator;
  
  generate, by the trust orchestrator, an integrity profile for the endpoint based on the received endpoint events pertaining to data and content;
  
  process and correlate, by the trust orchestrator one or more of;
  
  a system integrity profile generated based on a calculus of risk;
  
  a plurality of temporal events generated based on a normalization and collation of elements in endpoint assessment reports from a plurality of collaboration services; and
  
  a system infection profile received from a network analyzer;
  
  send, by the trust orchestrator, system warnings based on an endpoint execution state of the mobile application or mobile computing device as a threat posture assessment to one or more of;
  
  a network trust agent,a mobile policy manager, anda mobile device manager;
  
  send, by the network trust agent, messages or directives to network security frameworks and/or wireless access points to apply flow controls based on the received execution state of a mobile endpoint;
  
  send, by the mobile policy manager, messages or directives to the mobile device manager to apply controls based on the received execution state of a mobile endpoint;
  
  send, by the mobile device manager, messages or directives to an endpoint agent to activate or deactivate specific feature controls; and
  
  send, by the trust orchestrator, messages or directives to the endpoint trust agent to apply specific controls on the mobile computing device.

21. A non-transitory computer readable medium having instructions stored thereon that, if executed by a computing device hosting an attestation server, cause the computing device to perform operations for providing dynamic attestation of a client mobile device or a client application executing on the mobile device carrying out client-server or peer-to-peer transactions, the operations comprising:
- correlating temporal and endpoint events based on a plurality of predicate scores;
  
  determining a predicate score based upon a deviation from a prescribed attribute constraint or metric;
  
  calculating a score that is inversely proportional to the deviation;
  
  determining a sample rate needed to achieve a required measurement frequency;
  
  determining a recurrence of successive deviations;
  
  identifying a weight for the attribute constraint;
  
  determining an integrity confidence for the application or device as a weighted average of predicate scores; and
  
  identifying outlying integrity confidence scores as exceptions across a plurality of client applications or client mobile devices.

22. An architecture instrumented to provide runtime operational integrity by identifying execution anomalies and a threat posture of a mobile device and applications executing on the mobile device to a mobile service provider, the architecture comprising:
- an endpoint trust agent including;
  
  a process monitor configured to observe local execution context of the applications,a socket monitor configured to observe network activities of the applications,a resource utilization module monitor configured to observe system and platform resources consumed by the applications, andan application integrity module configured to assess operational integrity of the mobile device based on a ruleset;
  
  wherein native machine instrumentation for the mobile device is configured to;
  
  represent event subscriptions, callbacks, notification mechanisms provided by an operating system (OS) on the mobile device, andgenerate raw events;
  
  extended trust instrumentation;
  
  a runtime monitor configured to;
  
  subscribe to and receive near real time asynchronous notifications of application events for the applications from the extended trust instrumentation, andgenerate and send dynamic expressions or rules as application filters linked to running instances of the applications;
  
  a system event correlator configured to correlate system events of the mobile device to determine a calculus of risk;
  
  a trust orchestrator configured to orchestrate actionable intelligence based on the calculus of risk by integrating security intelligence about the mobile device and the applications; and
  
  an endpoint trust sensor configured to measure runtime operational integrity of the mobile device by evaluating risk based on actions of an application executing on, or a user of, the mobile device and receiving the raw events from the native machine instrumentation.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The architecture of claim 22, wherein the trust orchestrator is configured to use an application programming interface (API) collaboration bus to integrate the security intelligence.
  - 24. The architecture of claim 22, wherein the application events include one or more of registry, file system, network, storage, input, output, memory, process operation events, and resource events stemming from usage of a system resource by the applications.
  - 25. The architecture of claim 22, wherein the extended trust instrumentation is comprised of layered extensions to the native machine instrumentation.
  - 26. The architecture of claim 22, wherein the application filters are expressed using standards based schema definitions.
  - 27. The architecture of claim 23, wherein the runtime monitor is configured to use application programming interfaces (APIs) to subscribe to the asynchronous application events.
  - 28. The architecture of claim 22, wherein the endpoint trust sensor configured to:
    - identify security patches for a browser on the mobile device, updates for one or more of the applications, updated device drivers, and/or updates for one or more operating systems; and
      
      perform signature-less network activity correlation using a threat life cycle model for clustering and classification of malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Taasera Licensing LLC (Quest Patent Research Corporation)
Original Assignee
Taasera, Inc. (Full Circle Investments, Inc.)
Inventors
KUMAR, Srinivas, Pollutro, Dennis

Granted Patent

US 8,850,588 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/564   by virus signature recognition

H04L 63/0209   Architectural arrangements,...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 67/10   in which an application is ...

SYSTEMS AND METHODS FOR PROVIDING MOBILE SECURITY BASED ON DYNAMIC ATTESTATION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

220 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

SYSTEMS AND METHODS FOR PROVIDING MOBILE SECURITY BASED ON DYNAMIC ATTESTATION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

220 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others