SYSTEMS AND METHODS FOR THREAT IDENTIFICATION AND REMEDIATION

US 20130298244A1
Filed: 07/27/2012
Published: 11/07/2013
Est. Priority Date: 05/01/2012
Status: Active Grant

First Claim

Patent Images

1. A method of providing an attestation service for providing runtime operational integrity of a system using a computing platform comprising a network trust agent, an endpoint trust agent, and a trust orchestration server, the method comprising:

receiving, at the trust orchestration server, a dynamic context including endpoint events;

analyzing, by the trust orchestration server, the received endpoint events;

receiving network endpoint assessments;

generating temporal events based at least in part on analyzing the network endpoint assessments;

correlating the received endpoint events and the generated temporal events; and

generating an integrity profile for the system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Instrumented networks and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects and applications on the instrumented target platform. Systems and methods for threat identification and remediation for computing platforms based upon reconnaissance-based intelligence correlation and network/application monitoring are disclosed. In an embodiment, a method provides runtime operational integrity of a system by receiving: a dynamic context including endpoint events; and network endpoint assessments. The method generates temporal events based on the network endpoint assessments and correlates the endpoint events and temporal events before generating an integrity profile for the system. In another embodiment, flow level remediation is provided to isolate infected or compromised systems from a computing network fabric using a network trust agent, an endpoint trust agent, and a trust orchestrator.

408 Citations

20 Claims

1. A method of providing an attestation service for providing runtime operational integrity of a system using a computing platform comprising a network trust agent, an endpoint trust agent, and a trust orchestration server, the method comprising:
- receiving, at the trust orchestration server, a dynamic context including endpoint events;
  
  analyzing, by the trust orchestration server, the received endpoint events;
  
  receiving network endpoint assessments;
  
  generating temporal events based at least in part on analyzing the network endpoint assessments;
  
  correlating the received endpoint events and the generated temporal events; and
  
  generating an integrity profile for the system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 14, 15, 16)
- - 2. The method of claim 1, wherein the dynamic context is sent by the endpoint trust agent.
  - 3. The method of claim 1, wherein the network endpoint assessments are received from an endpoint assessment service.
  - 4. The method of claim 3, further comprising:
    - receiving integrity measurement and verification reports from the endpoint assessment service.
  - 5. The method of claim 1, wherein the network endpoint assessments are received from one or more collaboration services.
  - 6. The method of claim 5, further comprising:
    - receiving integrity measurement and verification reports from the one or more collaboration services.
  - 7. The method of claim 1, wherein the endpoint events and temporal events are received by a system event correlator from endpoint trust agents and a trust broker, respectively.
  - 14. The method of claim 1, further comprising:
    - generating, by a trust supervisor, one or more flow remediation actions to be performed on a network fabric;
      
      receiving, at a remediation controller of the trust orchestrator, the flow remediation actions; and
      
      sending, by the trust orchestrator, to the network trust agent, one or more system warnings pertaining to a network device associated with the one or more flow remediation actions.
  - 15. The method of claim 14, further comprising:
    - generating and sending, by the network trust agent, directives to formulate commands for an OpenFlow controller;
      
      sending, by the OpenFlow controller, rules to an OpenFlow enabled network element or switch of the network fabric to divert or block traffic flow to/from the network device; and
      
      enforcing, by the OpenFlow enabled network element or switch, received access restrictions or controls for the network device.
  - 16. The method of claim 15, further comprising:
    - monitoring and sending, by the trust supervisor, reputation score updates for the network device to the remediation controller;
      
      sending, by the trust orchestrator, system security posture status updates for the network device to the network trust agent; and
      
      generating and sending, by the network trust agent, to the OpenFlow security framework, directives to formulate commands for the OpenFlow controller to restore normal flows to/from the network device.

8. A method of providing flow level remediation to isolate infected or compromised systems and platforms from a computing network fabric using a network trust agent, an endpoint trust agent, and a trust orchestrator, the method comprising:
- generating, by the endpoint trust agent, runtime system integrity alerts regarding execution anomalies and risks based on rulesets and a calculus of risk;
  
  sending, by the endpoint trust agent, runtime system integrity warnings as endpoint events to the trust orchestrator;
  
  generating, by the trust orchestrator, a system integrity profile for the endpoint based on analysis of the received endpoint events;
  
  processing and correlating, by the trust orchestrator, one or more of;
  
  a system integrity profile generated based on a calculus of risk,a plurality of temporal events generated based on a normalization and collation of elements in endpoint assessment reports received from a plurality of collaboration services, anda system infection profile received from a network analyzer;
  
  sending, by the trust orchestrator to the network trust agent, system warnings based on endpoint execution state assessments; and
  
  sending, by the network trust agent, messages or directives to OpenFlow security frameworks and/or controllers to apply flow controls based on the received execution state as a threat posture of a connection endpoint.
- View Dependent Claims (9, 10, 11, 12, 13, 17, 18, 19)
- - 9. The method of claim 8, wherein the integrity warnings comprise warnings regarding data events and content events;
    - and wherein the endpoint events comprise data events and content events.
  - 10. The method of claim 8, wherein the remediation of an infected system is achieved without adversely reducing the total operating capacity or availability of the computing platform through on-demand instantiation and scaling of workloads.
  - 11. The method of claim 10, further comprising forwarding a notification conveying an infected or compromised state of a mobile computing device to a user associated with the mobile computing device, wherein the notification is one or more of:
    - an asynchronous push notification to an account associated with the user;
      
      a short messaging service (SMS) text alert message forwarded to a phone number associated with the mobile computing device;
      
      an email alert message forwarded to an email address associated with the user; and
      
      a warning message displayed by a service on a display of the mobile computing device during initiation of a transaction with a service from the mobile computing device.
  - 12. The method of claim 11, wherein one or more features or capabilities of a mobile device are de-activated or activated as a remediation action.
  - 13. The method of claim 12, wherein the remediation action is based on the geo-location.
  - 17. The method of claim 8, further comprising:
    - determining, by the network analyzer, anomalies based on network activity correlation and malware detection; and
      
      dispatching, by the trust orchestrator, the image files and attributes of an application for binary analysis, wherein the image files comprise compiled, intermediate, or interpreted code or scripts;
      
      receiving a result of the binary analysis result identifying malicious activity as a set of threats identified based on the analysis; and
      
      caching, by the trust broker, the results of the analysis indexed by a unique identifier for the image; and
      
      generating and returning an image profile to the endpoint trust agent comprising assertions of malicious capabilities of the image to be monitored at runtime for subsequent generation of endpoint events by the endpoint trust agent.
  - 18. The method of claim 17, wherein the binary analysis is performed by one or more third party malware analyzers, and wherein the dispatch mechanism uses trigger filter expressions that specify a set of criteria that warrant initiation of image analysis such as frequency and volume of requests for analysis associated with the application image across deployed endpoint trust agents.
  - 19. The method of claim 18, wherein the third party malware analyzers are configured to perform static and dynamic analysis of application images based on policies specified by the trust broker.

20. A system for providing runtime operational integrity by determining execution anomalies and a threat posture of applications executing on computing platforms including mobile devices and client-server systems, the system comprising:
- an endpoint trust agent including;
  
  a process monitor configured to observe local execution context of the applications,a socket monitor configured to observe network activities of the applications, anda resource utilization module monitor configured to observe system and platform resources consumed by the applications; and
  
  an application integrity module configured to assess operational integrities of the computing platforms based on a ruleset;
  
  wherein native machine instrumentation for the computing platform is configured to;
  
  represent event subscriptions, callbacks, notification mechanisms provided by an operating system (OS) on the computing platforms, andgenerate raw events;
  
  extended trust instrumentation;
  
  a runtime monitor configured to;
  
  subscribe to and receive near real time asynchronous notifications of application events for the applications from the extended trust instrumentation, andgenerate and send dynamic expressions or rules as application filters linked to running instances of the applications;
  
  a system event correlator configured to correlate system events of the computing platforms to determine a calculus of risk;
  
  a trust orchestrator configured to orchestrate actionable intelligence based on the calculus of risk by integrating security intelligence about the computing platforms and the applications; and
  
  an endpoint trust sensor configured to measure runtime operational integrity of the computing platforms by evaluating risk based on actions of an application executing on, or a user of, the computing platforms and receiving the raw events from the native machine instrumentation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Taasera Licensing LLC (Quest Patent Research Corporation)
Original Assignee
Taasera, Inc. (Full Circle Investments, Inc.)
Inventors
KUMAR, Srinivas, Pollutro, Dennis

Granted Patent

US 9,092,616 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/564   by virus signature recognition

H04L 63/0209   Architectural arrangements,...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 67/10   in which an application is ...

SYSTEMS AND METHODS FOR THREAT IDENTIFICATION AND REMEDIATION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

408 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR THREAT IDENTIFICATION AND REMEDIATION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

408 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links