End point context and trust level determination

US 8,839,397 B2
Filed: 12/22/2010
Issued: 09/16/2014
Est. Priority Date: 08/24/2010
Status: Active Grant

First Claim

Patent Images

1. A method performed by a server device, the method comprising:

receiving, by the server device and from a proxy server, a request, by a user device, to access a network associated with the server device;

obtaining, by the server device and in response to the request, information associated with the user device, including;

obtaining, from the request, all or fewer than all of one or more identifiers associated with the user device,retrieving, from another server device, all or a portion of context information associated with the user device, andsending, to the user device, a query to obtain more of the one or more identifiers or the context information when a quantity of the one or more identifiers or the context information, obtained from the request or retrieved from the other server device, is less than a threshold;

determining, by the server device, a level of trust associated with the user device based on the one or more identifiers and the context information, where the level of trust is a measure of security risk associated with each of the one or more identifiers and the context information;

generating, by the server device, an access token based on the level of trust, where the access token identifies a level at which the user device is authorized to access the network; and

sending, by the server device and to the user device via the proxy server, the access token, where the access token enables the proxy server to authorize the user device to access the network at the level identified by the access token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server device is configured to receive, from a proxy server, a request by a user device to access a network; obtain information associated with the user device that includes an identifier associated with the user device and context information associated with the user device; determine a level of trust associated with the user device based on the identifier and the context information, where the level of trust is a measure of security risk associated with the user device; generate an access token based on the level of trust, where the access token identifies a level at which the user device is authorized to access the network; and send, to the user device via the proxy server, the access token that enables the proxy server to authorize the user device to access the network at the level identified by the access token.

Citations

22 Claims

1. A method performed by a server device, the method comprising:
- receiving, by the server device and from a proxy server, a request, by a user device, to access a network associated with the server device;
  
  obtaining, by the server device and in response to the request, information associated with the user device, including;
  
  obtaining, from the request, all or fewer than all of one or more identifiers associated with the user device,retrieving, from another server device, all or a portion of context information associated with the user device, andsending, to the user device, a query to obtain more of the one or more identifiers or the context information when a quantity of the one or more identifiers or the context information, obtained from the request or retrieved from the other server device, is less than a threshold;
  
  determining, by the server device, a level of trust associated with the user device based on the one or more identifiers and the context information, where the level of trust is a measure of security risk associated with each of the one or more identifiers and the context information;
  
  generating, by the server device, an access token based on the level of trust, where the access token identifies a level at which the user device is authorized to access the network; and
  
  sending, by the server device and to the user device via the proxy server, the access token, where the access token enables the proxy server to authorize the user device to access the network at the level identified by the access token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - storing, within one or more entries of a plurality of entries associated with a data structure, a portion of the information associated with the user device obtained from the request or from the other server device;
      
      determining that one or more other entries, of the plurality of entries, do not store any of the information associated with the user device; and
      
      storing, within the one or more other entries, the other portion of the one or more identifiers or the context information.
  - 3. The method of claim 1, where determining the level of trust associated with the user device further includes:
    - storing, within a plurality of entries associated with a data structure, a plurality of data items that correspond to the information associated with the user device;
      
      assigning a value to each of the plurality of data items that corresponds to a relative quantity of security risk associated with the each of the plurality of data items; and
      
      calculating the level of trust based on a sum of the values assigned to the plurality of data items.
  - 4. The method of claim 3, where assigning the value to the each of the plurality of data items further includes:
    - assigning a first value to one of the plurality of data items, where the first value indicates that the one of the plurality of data items increases a security risk associated with the user device;
      
      assigning a second value to another one of the plurality of data items, where the second value indicates that the other one of the plurality of data items decreases the security risk associated with the user device; and
      
      assigning a third value to a further one of the plurality of data items, where the third value indicates that the further one of the plurality of data items neither increases nor decreases the security risk associated with the user device.
  - 5. The method of claim 1, further comprising:
    - identifying that a potential security event, associated with another user device, has occurred based on a determination that a level of trust, associated with the other user device, is less than a threshold; and
      
      sending, to the proxy server and as a response to the identified potential security event, a containment notification that causes the proxy server to erase, purge, or overwrite information associated with the other user device that is stored in a memory associated with the proxy server.
  - 6. The method of claim 5, further comprising:
    - receiving, from the proxy server, a notification that the potential security event has been contained as a result of the erasing, purging, or overwriting of the information associated with the other user device; and
      
      sending, in response to the notification that the potential security event has been contained, information that restores the proxy server to a configuration that includes information that was stored in the memory prior to receiving an access request from the other user device.
  - 7. The method of claim 1, further comprising:
    - receiving, from the proxy server, a request for services to be provided to another user device based on another access token, received by the proxy server and from the other user device, that indicates that the other user device is authorized to access the network and to receive the services; and
      
      sending, to the proxy server, the services in response to the request for the services.
  - 8. The method of claim 1, further comprising:
    - receiving, from the proxy server and at a later point in time relative to when the access token was sent to the user device via the proxy server, another request, by the user device, to access the network based on a determination, by the proxy server, that the access token has expired;
      
      obtaining, in response to the other request, updated information associated with the user device in order to determine another level of trust associated with the user device; and
      
      sending, to the user device via the proxy server, another access token that was generated based on the other level of trust.

9. A server device comprising:
- a memory to store one or more data items corresponding to information associated with a user device; and
  
  a processor to;
  
  receive, from a proxy server, a request, associated with the user device, to access a network associated with the server device,retrieve, from the memory and in response to the request, the one or more data items,assign a respective value to each of the one or more data items and to each of at least one data item obtained from the request, where the value assigned to the each of the one or more data items and the each of at least one data item corresponds to a relative quantity of security risk associated with the user device; and
  
  determine a level of trust, associated with the user device, based on a sum of the values assigned to the one or more data items and the at least one data item,identify a level at which the user device is authorized to access the network based on the level of trust associated with the user device; and
  
  send, to the proxy server, a notification that instructs the proxy server to permit the user device to access the network at the level at which the user device is authorized to access the network.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The server device of claim 9, where the processor is further to:
    - receive or generate a notification that a security event, associated with another user device, has been detected, where the notification indicates that a virus has been detected, andsend, to the proxy server and in response to the notification, an instruction for the proxy server to perform a containment operation, where the containment operation does not permit information, received from the other user device, to be sent to the server device.
  - 11. The server device of claim 9, where the processor is further to:
    - receive, from the proxy server, a notification that a security event, associated with the another user device, has been detected, where the notification indicates that a virus has been detected, andsend, to the proxy server and in response to the notification, an instruction for the proxy server to delete, erase or overwrite information stored in a memory associated with the proxy server.
  - 12. The server device of claim 11, where the processor is further to:
    - receive, from the proxy server, another notification that the potential security event has been contained as a result of the deleting, erasing, or overwriting of the information stored in the memory; and
      
      send, to the proxy server and in response to the other notification, configuration information that enables the proxy server to restore the memory to a state that corresponds to a time before a communication with the other user device was received.
  - 13. The server device of claim 9, further comprising:
    - a first application programming interface (API) that enables information, associated with the user device, to be processed or to be sent to or received from the user device or the proxy server; and
      
      a second API that enables information or services, associated with the network, to be sent to or received from the user device or the proxy server.
  - 14. The server device of claim 9, where, when assigning the respective value to the each of the one or more data items and the each of at least one data item, the processor is to:
    - assign a first value that increases the level of trust when a data item corresponds to a level of security risk, associated with the user device, that is less than a risk threshold, andassign a second value that decreases the level of trust when another data item corresponds to another level of security risk, associated with the user device, that is not less than the risk threshold.

15. A non-transitory computer-readable medium containing instructions executable by at least one processor, the computer-readable medium comprising:
- one or more instructions to receive, from a proxy server, a request by a user device to receive services from a network;
  
  one or more instructions to obtain, in response to the request, information associated with the user device;
  
  one or more instructions to assign a respective value to each of a plurality of data items that correspond to the information associated with the user device, where the assigned values correspond to a relative quantity of security risk associated with the each of the plurality of data items;
  
  one or more instructions to determine a level of trust associated with the user device based on the assigned values, where the level of trust is a measure of security risk associated with the user device;
  
  one or more instructions to generate a notification that directs the proxy server not to authorize the user device to access the network when the level of trust is less than a threshold;
  
  one or more instructions to generate an access token that indicates a level to which the user device is authorized to access the network when the level of trust is not less than the threshold, where the level to which the user device is authorized to access the network corresponds to the level of trust; and
  
  one or more instructions to send the notification or the access token to the proxy server.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The non-transitory computer-readable medium of claim 15, further comprising:
    - one or more instructions to determine whether another level of trust, associated with another user device, is greater than a maximum threshold;
      
      one or more instructions to generate a first access token when the other level of trust is greater than the maximum threshold where the first access token indicates that the other user device is to be granted full access to the network; and
      
      one or more instructions to generate a second access token when the other level of trust is not greater than the maximum threshold, where the second access token indicates that the user device is not to be granted full access to the network.
  - 17. The non-transitory computer-readable medium of claim 15, further comprising:
    - one or more instructions to receive another access token from another user device; and
      
      one or more instructions to identify another level of access to which the other user device is to be authorized to access the network based on the other access token.
  - 18. The non-transitory computer-readable medium of claim 15, further comprising:
    - one or more instructions to receive another access token from another user device;
      
      one or more instructions to determine that the other access token has expired; and
      
      one or more instructions to generate another notification that directs the proxy server not to authorize the user device to access the network based on the determination that the other access token has expired.
  - 19. The non-transitory computer-readable medium of claim 18, further comprising:
    - one or more instructions to retrieve information associated with the other user device based on the determination that the other access token has expired;
      
      one or more instructions to determine another level of trust associated with the other user device based on the retrieved information associated with the other user device; and
      
      one or more instructions to send a further access token to the user device via the proxy server, where the further access token indicates a level of access that corresponds to the other level of trust.
  - 20. The non-transitory computer-readable medium of claim 15, where the one or more instructions to obtain the information associated with the user device include:
    - one or more instructions to send, to a server device, a request for the information associated with the user device; and
      
      one or more instructions to receive, from the server device, the information associated with the user device.
  - 21. The non-transitory computer-readable medium of claim 15, further comprising:
    - one or more instructions to detect a potential security event, associated with another user device, based on a determination that a level of trust, associated with the other user device, is less than a minimum threshold;
      
      one or more instructions to cause, as a result of the detection of the potential security event, information associated with the other user device, not to be received or processed; and
      
      one or more instructions to send, to the proxy server and as the result of the detection of the potential security event, an instruction for the proxy server to contain the information associated with the other user device, where containing the information associated with the other user device does not permit the information associated with the other user device to be sent to the network.
  - 22. The non-transitory computer-readable medium of claim 21, further comprising:
    - one or more instructions to receive, from the proxy server, a notification that the potential security event has been contained; and
      
      one or more instructions to send, in response to the notification that the potential security event has been contained, information that restores the proxy server to a state that existed prior to receiving an access request from the other user device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Schultz, Paul T., Hahn, Mark J., Robbins, David C, Sartini, Robert A.
Primary Examiner(s)
McNally, Michael S

Application Number

US12/975,764
Publication Number

US 20120054847A1
Time in Patent Office

1,364 Days
Field of Search

726/9
US Class Current

726/9
CPC Class Codes

G06F 21/33   using certificates

G06F 2221/2111   Location-sensitive, e.g. ge...

G06F 2221/2137   Time limited access, e.g. t...

H04L 9/3213   using tickets or tokens, e....

End point context and trust level determination

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

End point context and trust level determination

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links