TECHNOLOGIES FOR DISTRIBUTED DETECTION OF SECURITY ANOMALIES

US 20160094573A1
Filed: 10/13/2014
Published: 03/31/2016
Est. Priority Date: 09/30/2014
Status: Active Grant

First Claim

Patent Images

1. A computing device for distributed detection of security anomalies, the computing device comprising:

a trusted execution environment module to (i) establish a trusted relationship with a security server, (ii) read one or more packets of at least one of an inter-virtual network function network or an inter-virtual network function component network in response to establishment of the trusted relationship, and (iii) perform a security threat assessment of the one or more packets; and

a communication module to transmit the security threat assessment to the security server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies for distributed detection of security anomalies include a computing device to establish a trusted relationship with a security server. The computing device reads one or more packets of at least one of an inter-virtual network function network or an inter-virtual network function component network in response to establishing the trusted relationship and performs a security threat assessment of the one or more packets. The computing device transmits the security threat assessment to the security server.

Citations

25 Claims

1. A computing device for distributed detection of security anomalies, the computing device comprising:
- a trusted execution environment module to (i) establish a trusted relationship with a security server, (ii) read one or more packets of at least one of an inter-virtual network function network or an inter-virtual network function component network in response to establishment of the trusted relationship, and (iii) perform a security threat assessment of the one or more packets; and
  
  a communication module to transmit the security threat assessment to the security server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computing device of claim 1, wherein to establish the trusted relationship comprises to establish the trusted relationship with a corresponding trusted execution environment module of the security server.
  - 3. The computing device of claim 2, wherein to transmit the security threat assessment comprises to transmit the security threat assessment to the corresponding trusted execution environment module of the security server over an out-of-band communication channel established between the trusted execution environment module of the computing device and the corresponding trusted execution environment module of the security server.
  - 4. The computing device of claim 1, wherein to establish the trusted relationship comprises to exchange cryptographic keys with the security server.
  - 5. The computing device of claim 1, wherein to establish the trusted relationship comprises to utilize at least one of a root of trust or a fuse key of the computing device.
  - 6. The computing device of claim 1, wherein the trusted execution environment module is further to establish a trusted tunnel with the security server based on the trusted relationship.
  - 7. The computing device of claim 6, wherein to establish the trusted tunnel further comprises to transmit a security policy of the computing device to the security server.
  - 8. The computing device of claim 6, wherein to establish the trusted tunnel further comprises to transmit heuristic code of the computing device to the security server.
  - 9. The computing device of claim 6, wherein to establish the trusted tunnel further comprises to receive heuristic code from the security server.
  - 10. The computing device of claim 1, wherein the trusted execution environment module is further to boot the computing device in response to establishment of the trusted relationship.
  - 11. The computing device of claim 10, wherein to boot the computing device comprises to retrieve a configuration policy of the computing device.
  - 12. The computing device of claim 1, wherein the trusted execution environment module is further to determine a runtime posture of the computing device;
    - andwherein to perform the security threat assessment comprises to perform the security threat assessment of the one or more packets based on the runtime posture.
  - 13. The computing device of claim 12, wherein to determine the runtime posture of the computing device comprises to determine a runtime posture of a virtual network function of the computing device.
  - 14. The computing device of claim 1, wherein the communication module is further to receive a remediation action instruction for the one or more packets from the security server.
  - 15. The computing device of claim 14, wherein the trusted execution environment module is further to enforce a remediation action corresponding with the remediation action instruction.

16. A method for distributed detection of security anomalies by a computing device, the method comprising:
- establishing, by the computing device, a trusted relationship with a security server;
  
  reading, by the computing device, one or more packets of at least one of an inter-virtual network function network or an inter-virtual network function component network in response to establishing the trusted relationship;
  
  performing, by the computing device, a security threat assessment of the one or more packets; and
  
  transmitting, by the computing device, the security threat assessment to the security server.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein establishing the trusted relationship comprises establishing the trusted relationship with a corresponding trusted execution environment module of the security server.
  - 18. The method of claim 17, wherein transmitting the security threat assessment comprises transmitting the security threat assessment to the corresponding trusted execution environment module of the security server over an out-of-band communication channel established between the trusted execution environment module of the computing device and the corresponding trusted execution environment module of the security server.
  - 19. The method of claim 16, further comprising determining, by the computing device, a runtime posture of a virtual network function of the computing device;
    - andwherein performing the security threat assessment comprises performing the security threat assessment of the one or more packets based on the runtime posture.
  - 20. The method of claim 16, further comprising:
    - receiving, by the computing device, a remediation action instruction for the one or more packets from the security server; and
      
      enforcing, by the computing device, a remediation action corresponding with the remediation action instruction.

21. A security server for distributed detection of security anomalies, the security server comprising:
- a trusted execution environment module to establish a trusted relationship with a computing device; and
  
  a communication module to receive, from the computing device, a security threat assessment of one or more packets of at least one of an inter-virtual network function network or an inter-virtual network function component network of the computing device;
  
  wherein the trusted execution environment module is further to correlate the security threat assessment with a security threat database of the security server to determine whether the one or more packets pose a security threat.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The security server of claim 21, wherein to establish the trusted relationship comprises to establish the trusted relationship with a corresponding trusted execution environment module of the computing device;
    - andwherein to receive the security threat assessment comprises to receive the security threat assessment from the corresponding trusted execution environment module of the computing device over an out-of-band communication channel established between the trusted execution environment module of the security server and the corresponding trusted execution environment module of the computing device.
  - 23. The security server of claim 21, wherein the trusted execution environment module is further to establish a trusted tunnel with the computing device based on the trusted relationship.
  - 24. The security server of claim 21, wherein the trusted execution environment module is further to determine a remediation action in response to identification of a security threat based on correlation of the security threat assessment with the security threat database.
  - 25. The security server of claim 24, wherein to determine the remediation action comprises to:
    - request a remediation determination from a remediation server; and
      
      receive a remediation instruction associated with the remediation determination from the remediation server; and
      
      wherein the communication module is further to transmit the remediation instruction to the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Shinae Woo
Inventors
Sood, Kapil, Ergin, Mesut A., Skerry, Brian J., Fastabend, John R., Woo, Shinae, Shaw, Jeffrey B.

Granted Patent

US 9,705,849 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

TECHNOLOGIES FOR DISTRIBUTED DETECTION OF SECURITY ANOMALIES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNOLOGIES FOR DISTRIBUTED DETECTION OF SECURITY ANOMALIES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links