Method and system for verification of an endpoint security scan

US 8,312,261 B2
Filed: 08/12/2011
Issued: 11/13/2012
Est. Priority Date: 01/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method of granting a node access to resources based on information about the node, comprising:

(a) receiving, by a receiver of a gateway, a request from a node operated by a user to access a resource;

(b) selecting, by an agent constructor of the gateway, a subset of scan routines from a plurality of available scan routines to include in a scanning agent, the subset of scan routines identifying information about the node to gather;

(c) embedding, by an encryption function generator of the gateway, at least one encryption module in the scanning agent, the at least one encryption module comprising at least one encryption key;

(d) transmitting, by a transmitter of the gateway, the scanning agent to the node;

(e) receiving, by the receiver of the gateway, information gathered about the node by the subset of scan routines executing on the node, the gathered information encrypted by the at least one encryption module in the scanning agent;

(f) decrypting, by a decryptor of the gateway, the received information; and

(g) granting, by a policy engine of the gateway, one of a plurality of levels of access to the node based on the decrypted information.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of granting access to resources includes the step of receiving a request from a node to access a resource. A scanning agent is generated to gather information about the node. A key is generated and embedded in the scanning agent. The scanning agent is transmitted to the node and gathers information regarding the node. The scanning agent encrypts the gathered information using the at least one generated key. The encrypted gathered information is received from the scanning agent and decrypted.

418 Citations

20 Claims

1. A method of granting a node access to resources based on information about the node, comprising:
- (a) receiving, by a receiver of a gateway, a request from a node operated by a user to access a resource;
  
  (b) selecting, by an agent constructor of the gateway, a subset of scan routines from a plurality of available scan routines to include in a scanning agent, the subset of scan routines identifying information about the node to gather;
  
  (c) embedding, by an encryption function generator of the gateway, at least one encryption module in the scanning agent, the at least one encryption module comprising at least one encryption key;
  
  (d) transmitting, by a transmitter of the gateway, the scanning agent to the node;
  
  (e) receiving, by the receiver of the gateway, information gathered about the node by the subset of scan routines executing on the node, the gathered information encrypted by the at least one encryption module in the scanning agent;
  
  (f) decrypting, by a decryptor of the gateway, the received information; and
  
  (g) granting, by a policy engine of the gateway, one of a plurality of levels of access to the node based on the decrypted information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein step (b) comprises selecting, in response to the request, the subset of scan routines from a plurality of available scan routines to include in the scanning agent.
  - 3. The method of claim 1, wherein step (b) comprises determining one or more types of information to gather from the node, and selecting, based on the determination, the subset of scan routines from the plurality of available scan routines to include in the scanning agent.
  - 4. The method of claim 1, wherein step (c) further comprises obfuscating at least a portion of the scanning agent.
  - 5. The method of claim 1, wherein step (c) further comprises configuring access to the at least one encryption key to require execution of the scanning agent.
  - 6. The method of claim 1, wherein step (c) further comprises storing the at least one encryption key in a code section of the scanning agent.
  - 7. The method of claim 1, further comprising transmitting the scanning agent to gather information about the node including at least one of:
    - operating system type, device type, machine identification number, installed software, Active Directory membership, network connection information, Media Access Control address of an installed network card, operating system patch, software patch, digital watermark, virus scanner and firewall.
  - 8. The method of claim 1, further comprising verifying that the received information is from the scanning agent.
  - 9. The method of claim 1, wherein decrypting the received information further comprises decrypting a first portion of the received information encrypted by a first key and decrypting a second portion of the received information encrypted by a second key, the first and second keys from the at least one encryption key in the scanning agent.
  - 10. The method of claim 1, wherein step (g) comprises:
    - generating a dataset comprising a plurality of identifiers, each of the plurality of identifiers identifying a respective condition satisfied by the gathered information; and
      
      granting the one of a plurality of levels of access to the node to access the resource responsive to application of a policy to the generated dataset.

11. A gateway for granting a node access to resources based on information about the node, comprising:
- a receiver, receiving a request from a node operated by a user to access a resource;
  
  an agent constructor, executing on a processor of the gateway, selecting a subset of scan routines from a plurality of available scan routines to include in a scanning agent, the subset of scan routines identifying information about the node to gather;
  
  an encryption function generator embedding at least one encryption module in the scanning agent, the at least one encryption module comprising at least one encryption key;
  
  a transmitter transmitting the scanning agent to the node;
  
  a decryptor decrypting information gathered about the node by the subset of scan routines executing on the node, the gathered information encrypted by the at least one encryption module in the scanning agent; and
  
  a policy engine granting one of a plurality of levels of access to the node based on the decrypted information.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the agent constructor selects, in response to the request, the subset of scan routines from a plurality of available scan routines to include in the scanning agent.
  - 13. The system of claim 11, wherein the agent constructor determines one or more types of information to gather from the node, and selects, based on the determination, the subset of scan routines from the plurality of available scan routines to include in the scanning agent.
  - 14. The system of claim 11, wherein the agent constructor obfuscates at least a portion of the scanning agent.
  - 15. The system of claim 11, wherein the agent constructor configures access to the at least one encryption key to require execution of the scanning agent.
  - 16. The system of claim 11, wherein the at least one encryption key is stored in a code section of the scanning agent.
  - 17. The system of claim 11, wherein the gathered information about the node comprises at least one of:
    - operating system type, device type, machine identification number, installed software, Active Directory membership, network connection information, Media Access Control address of an installed network card, operating system patch, software patch, digital watermark, virus scanner and firewall.
  - 18. The system of claim 11, wherein the decryptor verifies that the received information is from the scanning agent.
  - 19. The system of claim 11, wherein a first portion of the received information is encrypted by a first key and a second portion of the received information is encrypted by a second key, the first and second keys from the at least one encryption key in the scanning agent.
  - 20. The system of claim 11, wherein the policy engine comprises:
    - a first component generating a dataset comprising a plurality of identifiers, each of the plurality of identifiers identifying a respective condition satisfied by the gathered information; and
      
      a second component granting the one of a plurality of levels of access to the node to access the resource responsive to application of a policy to the generated dataset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Rao, Goutham, McCarthy, Lewis, Simmons, Timothy Ernest
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US13/208,970
Publication Number

US 20110302409A1
Time in Patent Office

459 Days
Field of Search

None
US Class Current

713/153
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

G06F 2221/2115   Third party

G06F 2221/2129   Authenticate client device ...

Method and system for verification of an endpoint security scan

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

418 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for verification of an endpoint security scan

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

418 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links