SYSTEMS AND METHODS FOR PROVIDING MOBILE SECURITY BASED ON DYNAMIC ATTESTATION
First Claim
1. A method for providing runtime operational integrity of a mobile device to a mobile service provider using an endpoint trust agent, and a trust orchestrator, the method comprising:
generating, by the endpoint trust agent, one or more runtime integrity alerts regarding execution anomalies for applications currently executing on the mobile device;
calculating, by the endpoint trust agent, risks based on a predetermined ruleset;
determining a calculus of risk for the mobile device based at least upon the integrity alerts and identified risks;
sending, by the endpoint trust agent, a plurality of endpoint events comprising data and content of runtime integrity warnings to the trust orchestrator; and
generating, by the trust orchestrator, an integrity profile based on the received endpoint events.
3 Assignments
0 Petitions
Abstract
Instrumented networks, machines and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, in near real time, of subjects (including mobile devices) and applications on the instrumented target platform. Methods and systems are disclosed for dynamic attestation of mobile device integrity based upon subject reputation scores. In an embodiment, a method scores trustworthiness of a mobile device based on reputation scores for users associated with the device and/or a device reputation score. The method generates runtime integrity alerts regarding execution anomalies for applications executing on the device, calculates risks based on a ruleset, and determines a calculus of risk for the device. The method sends endpoint events comprising data and content of the integrity warnings to a trust orchestrator, which generates an integrity profile based on the endpoint events.
220 Citations
28 Claims
1. A method for providing runtime operational integrity of a mobile device to a mobile service provider using an endpoint trust agent, and a trust orchestrator, the method comprising:
generating, by the endpoint trust agent, one or more runtime integrity alerts regarding execution anomalies for applications currently executing on the mobile device;
calculating, by the endpoint trust agent, risks based on a predetermined ruleset;
determining a calculus of risk for the mobile device based at least upon the integrity alerts and identified risks;
sending, by the endpoint trust agent, a plurality of endpoint events comprising data and content of runtime integrity warnings to the trust orchestrator; and
generating, by the trust orchestrator, an integrity profile based on the received endpoint events.
Dependent claims: 2 to 19.
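The agent-to-orchestrator flow of claim 1 carried through on constructed events, as an added illustration that is not code from the patent or from any product it covers. The claim names only the roles (endpoint trust agent, predetermined ruleset, calculus of risk, endpoint events, integrity profile); the rule predicates, the 1-10 severity scale, the risk formula, the event fields, the approved-host list and the profile thresholds below are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class RawEvent:
    """One observation from the device's native instrumentation (constructed sample data)."""
    app: str
    kind: str      # "process", "socket" or "resource"
    attrs: dict


@dataclass(frozen=True)
class Rule:
    """One entry of the predetermined ruleset; thresholds and severities are assumptions."""
    name: str
    severity: int  # 1 (low) .. 10 (high), an assumed scale
    predicate: Callable[[RawEvent], bool]


@dataclass(frozen=True)
class IntegrityAlert:
    app: str
    rule: str
    severity: int


# Hosts this example treats as approved peers for the device (assumption).
APPROVED_HOSTS = {"api.example.test", "mdm.example.test"}

RULESET: List[Rule] = [
    Rule("unsigned_code_load", 8,
         lambda e: e.kind == "process" and e.attrs.get("signed") is False),
    Rule("unexpected_root", 10,
         lambda e: e.kind == "process" and e.attrs.get("uid") == 0),
    Rule("socket_to_unapproved_host", 6,
         lambda e: e.kind == "socket" and e.attrs.get("dst") not in APPROVED_HOSTS),
    Rule("cpu_burst", 3,
         lambda e: e.kind == "resource" and e.attrs.get("cpu_pct", 0) > 90),
]


def generate_integrity_alerts(events, ruleset=RULESET):
    """Endpoint trust agent: one runtime integrity alert per (event, rule) pair that fires."""
    return [IntegrityAlert(e.app, r.name, r.severity)
            for e in events for r in ruleset if r.predicate(e)]


def calculus_of_risk(alerts):
    """Device risk on a 0..100 scale: summed severities times 5, capped (assumed formula)."""
    return min(100, 5 * sum(a.severity for a in alerts))


def to_endpoint_events(device_id, alerts, risk):
    """Endpoint events carrying the data and content of each warning to the orchestrator."""
    return [{"device": device_id, "app": a.app, "warning": a.rule,
             "severity": a.severity, "device_risk": risk} for a in alerts]


def generate_integrity_profile(endpoint_events):
    """Trust orchestrator: fold endpoint events into one integrity profile per device."""
    profiles: Dict[str, dict] = {}
    for ev in endpoint_events:
        p = profiles.setdefault(ev["device"], {"risk": 0, "apps": {}})
        p["risk"] = max(p["risk"], ev["device_risk"])
        p["apps"].setdefault(ev["app"], []).append(ev["warning"])
    for p in profiles.values():   # level thresholds are assumptions
        p["level"] = "high" if p["risk"] >= 50 else "medium" if p["risk"] >= 20 else "low"
    return profiles


# Constructed raw events: a well-behaved banking app and a misbehaving game.
SAMPLE_EVENTS = [
    RawEvent("com.bank.app", "process", {"signed": True, "uid": 10042}),
    RawEvent("com.bank.app", "socket", {"dst": "api.example.test", "dst_port": 443}),
    RawEvent("com.game.free", "process", {"signed": False, "uid": 10077}),
    RawEvent("com.game.free", "socket", {"dst": "203.0.113.9", "dst_port": 4444}),
    RawEvent("com.game.free", "resource", {"cpu_pct": 97}),
]


def run_pipeline(device_id="device-01", events=SAMPLE_EVENTS):
    """Agent side (alerts, risk, endpoint events) followed by orchestrator side (profile)."""
    alerts = generate_integrity_alerts(events)
    risk = calculus_of_risk(alerts)
    return generate_integrity_profile(to_endpoint_events(device_id, alerts, risk))


if __name__ == "__main__":
    print(run_pipeline())
```

Note the failure mode this exposes: a device on which no rule fires sends no endpoint events and therefore gets no profile, so the orchestrator cannot distinguish a clean device from one whose agent has been silenced. A deployment of this pattern needs a periodic heartbeat event from the agent, and the orchestrator should treat a missing heartbeat as a warning in its own right.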
20. A system for providing runtime operational integrity including execution anomalies and a threat posture of a mobile computing device or an application executing on the mobile computing device to a mobile service provider, the system comprising:
a computing platform including a network trust agent, an endpoint trust agent, and a trust orchestrator, wherein the computing platform is configured to:
generate, by the endpoint trust agent, runtime integrity alerts regarding execution anomalies of the application and risks based on rulesets and a calculus of risk;
send, by the endpoint trust agent, runtime integrity warnings pertaining to data and content as endpoint events to the trust orchestrator;
generate, by the trust orchestrator, an integrity profile for the endpoint based on the received endpoint events pertaining to data and content;
process and correlate, by the trust orchestrator, one or more of: a system integrity profile generated based on a calculus of risk; a plurality of temporal events generated based on a normalization and collation of elements in endpoint assessment reports from a plurality of collaboration services; and a system infection profile received from a network analyzer;
send, by the trust orchestrator, system warnings based on an endpoint execution state of the mobile application or mobile computing device as a threat posture assessment to one or more of: a network trust agent, a mobile policy manager, and a mobile device manager;
send, by the network trust agent, messages or directives to network security frameworks and/or wireless access points to apply flow controls based on the received execution state of a mobile endpoint;
send, by the mobile policy manager, messages or directives to the mobile device manager to apply controls based on the received execution state of a mobile endpoint;
send, by the mobile device manager, messages or directives to an endpoint agent to activate or deactivate specific feature controls; and
send, by the trust orchestrator, messages or directives to the endpoint trust agent to apply specific controls on the mobile computing device.
21. A non-transitory computer readable medium having instructions stored thereon that, if executed by a computing device hosting an attestation server, cause the computing device to perform operations for providing dynamic attestation of a client mobile device or a client application executing on the mobile device carrying out client-server or peer-to-peer transactions, the operations comprising:
correlating temporal and endpoint events based on a plurality of predicate scores;
determining a predicate score based upon a deviation from a prescribed attribute constraint or metric;
calculating a score that is inversely proportional to the deviation;
determining a sample rate needed to achieve a required measurement frequency;
determining a recurrence of successive deviations;
identifying a weight for the attribute constraint;
determining an integrity confidence for the application or device as a weighted average of predicate scores; and
identifying outlying integrity confidence scores as exceptions across a plurality of client applications or client mobile devices.
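The scoring steps of claim 21 carried through numerically on a constructed five-device fleet, as an added example that is not the patent's own code. The claim fixes only the shape of the computation (a score inversely proportional to deviation, a recurrence of successive deviations, a sample rate for a required frequency, per-constraint weights, a weighted average, outliers flagged as exceptions); the concrete 1/(1 + dev/tol) formula, the n/(n + run) recurrence discount, the 1.5-sigma exception rule, the constraint names, tolerances, weights and the per-device samples are all assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from math import ceil
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Constraint:
    """A prescribed attribute constraint (expected value, tolerance, weight); shape is assumed."""
    attribute: str
    expected: float
    tolerance: float   # deviation beyond which a sample counts as deviating
    weight: float      # weight of this predicate in the integrity confidence


def samples_needed(required_hz: float, window_s: float) -> int:
    """Samples a window must hold to meet the required measurement frequency."""
    return ceil(required_hz * window_s)


def predicate_score(samples: List[float], c: Constraint) -> float:
    """Score in (0, 1]: mean of per-sample 1/(1 + dev/tol), discounted by the longest
    run of successive deviations via n / (n + run). Both formulas are assumptions."""
    per_sample = [1.0 / (1.0 + abs(x - c.expected) / c.tolerance) for x in samples]
    run = longest = 0
    for x in samples:
        run = run + 1 if abs(x - c.expected) > c.tolerance else 0
        longest = max(longest, run)
    n = len(samples)
    return mean(per_sample) * n / (n + longest)


def integrity_confidence(observations: Dict[str, List[float]], constraints: List[Constraint],
                         required_hz: float, window_s: float) -> Optional[float]:
    """Weighted average of predicate scores over the constraints sampled often enough;
    an under-sampled attribute is skipped rather than scored from too little data."""
    need = max(1, samples_needed(required_hz, window_s))
    weighted = total = 0.0
    for c in constraints:
        samples = observations.get(c.attribute, [])
        if len(samples) < need:
            continue
        weighted += c.weight * predicate_score(samples, c)
        total += c.weight
    return None if total == 0 else weighted / total


def find_exceptions(confidences: Dict[str, Optional[float]], k: float = 1.5) -> List[str]:
    """Devices whose confidence lies more than k standard deviations below the fleet mean."""
    scored = {d: v for d, v in confidences.items() if v is not None}
    if len(scored) < 2:
        return []
    vals = list(scored.values())
    mu, sigma = mean(vals), pstdev(vals)
    return sorted(d for d, v in scored.items() if v < mu - k * sigma)


# Assumed constraints: expected value, tolerance, weight.
CONSTRAINTS = [
    Constraint("syscall_rate", 200.0, 100.0, 2.0),
    Constraint("net_bytes_per_s", 5000.0, 5000.0, 1.0),
    Constraint("cpu_pct", 20.0, 30.0, 1.0),
]

# Constructed 4-second windows sampled at 1 Hz: dev-d is the outlier, dev-e under-samples cpu.
FLEET = {
    "dev-a": {"syscall_rate": [200, 210, 190, 205], "net_bytes_per_s": [4000, 5000, 6000, 4500],
              "cpu_pct": [15, 20, 25, 18]},
    "dev-b": {"syscall_rate": [220, 180, 210, 190], "net_bytes_per_s": [5500, 4500, 5000, 6000],
              "cpu_pct": [25, 18, 22, 20]},
    "dev-c": {"syscall_rate": [230, 215, 205, 225], "net_bytes_per_s": [7000, 6500, 6000, 5500],
              "cpu_pct": [30, 28, 26, 24]},
    "dev-d": {"syscall_rate": [800, 900, 850, 950], "net_bytes_per_s": [60000, 70000, 65000, 80000],
              "cpu_pct": [95, 97, 99, 96]},
    "dev-e": {"syscall_rate": [195, 205, 200, 198], "net_bytes_per_s": [5000, 5500, 4500, 5000],
              "cpu_pct": [20, 22]},
}


def score_fleet(fleet=FLEET, constraints=CONSTRAINTS, required_hz=1.0, window_s=4.0):
    """Integrity confidence per device, ready for find_exceptions()."""
    return {d: integrity_confidence(obs, constraints, required_hz, window_s)
            for d, obs in fleet.items()}


if __name__ == "__main__":
    scores = score_fleet()
    for d, v in scores.items():
        print(f"{d}: {v:.3f}")
    print("exceptions:", find_exceptions(scores))
```

Two design points matter when this is used for attestation rather than monitoring. First, the recurrence discount is what separates a sustained compromise from a single noisy sample: four samples all out of tolerance score far lower than the same four deviations interleaved with in-tolerance ones. Second, the exception rule is relative to the fleet, so if most devices are compromised the mean shifts and the outlier test stops firing; a fixed absolute floor on the confidence is the usual complement.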
22. An architecture instrumented to provide runtime operational integrity by identifying execution anomalies and a threat posture of a mobile device and applications executing on the mobile device to a mobile service provider, the architecture comprising:
an endpoint trust agent including: a process monitor configured to observe local execution context of the applications, a socket monitor configured to observe network activities of the applications, a resource utilization module monitor configured to observe system and platform resources consumed by the applications, and an application integrity module configured to assess operational integrity of the mobile device based on a ruleset;
wherein native machine instrumentation for the mobile device is configured to: represent event subscriptions, callbacks, and notification mechanisms provided by an operating system (OS) on the mobile device, and generate raw events;
extended trust instrumentation;
a runtime monitor configured to: subscribe to and receive near real time asynchronous notifications of application events for the applications from the extended trust instrumentation, and generate and send dynamic expressions or rules as application filters linked to running instances of the applications;
a system event correlator configured to correlate system events of the mobile device to determine a calculus of risk;
a trust orchestrator configured to orchestrate actionable intelligence based on the calculus of risk by integrating security intelligence about the mobile device and the applications; and
an endpoint trust sensor configured to measure runtime operational integrity of the mobile device by evaluating risk based on actions of an application executing on, or a user of, the mobile device and receiving the raw events from the native machine instrumentation.
Dependent claims: 23 to 28.
Specification