Systems and methods for providing mobile security based on dynamic attestation
First Claim
1. A method for providing runtime operational integrity of a mobile device to a mobile service provider using an endpoint trust agent, and a trust orchestrator, the method comprising:
- generating, by the endpoint trust agent, one or more runtime integrity alerts regarding behavioral risks posed by actions of applications not operating with integrity currently executing on the mobile device;
- identifying, by the endpoint trust agent, risks based on a predetermined ruleset;
- determining a threat as an infected state on the mobile device by a calculus of risk based at least upon the integrity alerts and identified risks;
- sending, by the endpoint trust agent, a plurality of endpoint events comprising data and content of runtime integrity warnings to the trust orchestrator to apply flow controls based on the infected state on the mobile device; and
- generating, by the trust orchestrator, an integrity profile for applications not operating with integrity based on the received endpoint events, wherein the endpoint events are temporal events generated based on a normalization and collation of elements in endpoint assessment reports from a plurality of collaboration services.
3 Assignments
0 Petitions
Abstract
Instrumented networks, machines and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects (including mobile devices) and applications on the instrumented target platform. Methods and systems are disclosed for dynamic attestation of mobile device integrity based upon subject reputation scores. In an embodiment, a method scores trustworthiness of a mobile device based on reputation scores for users associated with the device and/or a device reputation score. The method generates runtime integrity alerts regarding execution anomalies for applications executing on the device, calculates risks based on a ruleset, and determines a calculus of risk for the device. The method sends endpoint events comprising data and content of the integrity warnings to a trust orchestrator, which generates an integrity profile based on the endpoint events.
26 Claims
1. Independent claim; its text is given in full under First Claim above. Dependent claims 2 through 19 refer to it.
20. A system for providing runtime operational integrity to a mobile service provider including execution behaviors and threats posed by an infected mobile computing device or an application not operating with integrity currently executing on the mobile computing device, the system comprising:
- a memory;
- a computing platform including a computer processor, a network trust agent, an endpoint trust agent, and a trust orchestrator, wherein the computing platform is configured to:
  - generate, by the endpoint trust agent, runtime integrity alerts regarding execution behaviors of the application and risks based on rulesets and a calculus of risk;
  - send, by the endpoint trust agent, runtime integrity warnings pertaining to data and content as endpoint events to the trust orchestrator;
  - generate, by the trust orchestrator, an integrity profile for the endpoint based on the received endpoint events pertaining to data and content;
  - process and correlate, by the trust orchestrator, one or more of: a system integrity profile generated based on a calculus of risk; a plurality of temporal events generated based on a normalization and collation of elements in endpoint assessment reports from a plurality of collaboration services; and a system infection profile received from a network analyzer;
  - send, by the trust orchestrator, system warnings based on an endpoint execution state of the mobile application or mobile computing device as a threat posture assessment to one or more of: a network trust agent, a mobile policy manager, and a mobile device manager;
  - send, by the network trust agent, messages or directives to network security frameworks and/or wireless access points to apply flow controls based on the received execution state of the infected mobile device;
  - send, by the mobile policy manager, messages or directives to the mobile device manager to apply controls based on the received execution state of the infected mobile device;
  - send, by the mobile device manager, messages or directives to an endpoint agent to activate or deactivate specific feature controls on the infected mobile device; and
  - send, by the trust orchestrator, messages or directives to the endpoint trust agent to apply specific controls on the infected mobile device.
21. An architecture instrumented to provide runtime operational integrity by identifying execution behaviors and threats posed by a mobile device and applications executing on the mobile device to a mobile service provider, the architecture comprising:
- an endpoint trust agent including: a process monitor configured to observe local execution context of the applications, a socket monitor configured to observe network activities of the applications, a resource utilization module monitor configured to observe system and platform resources consumed by the applications, and an application integrity module configured to assess operational integrity of the mobile device based on a ruleset;
- wherein native machine instrumentation for the mobile device is configured to: represent event subscriptions, callbacks, and notification mechanisms provided by an operating system (OS) on the mobile device, and generate raw events;
- extended trust instrumentation;
- a runtime monitor configured to: subscribe to and receive near real time asynchronous notifications of application events for the applications from the extended trust instrumentation, and generate and send dynamic expressions or rules as application filters linked to running instances of the applications;
- a system event correlator configured to correlate system events of the mobile device to determine a calculus of risk;
- a trust orchestrator configured to orchestrate actionable intelligence based on the calculus of risk by integrating security intelligence about the mobile device and the applications; and
- an endpoint trust sensor configured to measure runtime operational integrity of the mobile device by evaluating risk based on actions of an application executing on, or a user of, the mobile device and receiving the raw events from the native machine instrumentation, wherein the endpoint trust sensor is further configured to perform signature-less, behavior-based risk correlation using a threat life cycle model to cluster and classify malware for the identification of an infected mobile device.
Dependent claims 22 through 26 refer to this claim.
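The claims above describe a pipeline rather than an implementation: raw events from device instrumentation are matched against a predetermined ruleset to produce integrity alerts, the alerts are reduced to a per-application calculus of risk that decides an infected state, the resulting endpoint events go to a trust orchestrator, and the orchestrator normalizes and collates assessment reports from several collaboration services into temporal events before issuing an integrity profile and flow-control decision. The following Python model is an added illustration of that flow and is not code from the patent or its assignee; the raw events, the ruleset and its weights, the infection threshold, the two collaboration services, and all package names are constructed assumptions chosen to exercise each step.

```python
"""Added toy model of the claimed endpoint-trust-agent / trust-orchestrator flow.
Not the patent's code: events, rules, weights, thresholds and the two
collaboration services below are constructed for illustration."""

# Constructed raw events, as the process, socket and resource monitors of the
# native instrumentation would hand them to the endpoint trust sensor.
RAW_EVENTS = [
    {"ts": 1, "app": "com.example.bank", "kind": "socket", "dst_port": 443},
    {"ts": 2, "app": "com.example.flashlight", "kind": "socket", "dst_port": 6667},
    {"ts": 3, "app": "com.example.flashlight", "kind": "process", "action": "spawn_shell"},
    {"ts": 4, "app": "com.example.flashlight", "kind": "resource", "cpu_pct": 95},
    {"ts": 5, "app": "com.example.bank", "kind": "resource", "cpu_pct": 12},
]

# Predetermined ruleset (constructed): rule name, predicate over a raw event, risk weight.
RULESET = [
    ("irc_port_egress", lambda e: e["kind"] == "socket" and e.get("dst_port") == 6667, 40),
    ("shell_spawn", lambda e: e["kind"] == "process" and e.get("action") == "spawn_shell", 50),
    ("cpu_hog", lambda e: e["kind"] == "resource" and e.get("cpu_pct", 0) >= 90, 20),
]
INFECTED_THRESHOLD = 60  # constructed: summed weight at which an app is deemed infected


def endpoint_trust_agent(events, ruleset=RULESET, threshold=INFECTED_THRESHOLD):
    """Device side: raise integrity alerts, identify risks from the ruleset, reduce
    them to a per-app calculus of risk, and emit endpoint events for the orchestrator."""
    alerts, risk_by_app = [], {}
    for e in events:
        for name, predicate, weight in ruleset:
            if predicate(e):
                alerts.append({"ts": e["ts"], "app": e["app"], "risk": name, "weight": weight})
                risk_by_app[e["app"]] = risk_by_app.get(e["app"], 0) + weight
    endpoint_events = []
    for app in sorted(risk_by_app):  # only apps with at least one alert are reported
        score = risk_by_app[app]
        endpoint_events.append({
            "app": app,
            "risk_score": score,
            "state": "infected" if score >= threshold else "suspect",
            "warnings": [a["risk"] for a in alerts if a["app"] == app],
        })
    return alerts, endpoint_events


# Constructed endpoint assessment reports from two collaboration services; each
# uses its own field names, so the orchestrator must normalize them first.
ASSESSMENT_REPORTS = {
    "malware_scanner": [{"package": "com.example.flashlight", "verdict": "malicious", "seen": 3}],
    "reputation_service": [
        {"app_id": "com.example.flashlight", "score": 15, "at": 2},
        {"app_id": "com.example.bank", "score": 92, "at": 2},
    ],
}
FLOW_CONTROL = {"infected": "block_egress", "suspect": "restrict", "trusted": "allow"}


def normalize(service, record):
    """Map one service-specific record onto a common temporal-event shape."""
    if service == "malware_scanner":
        return {"ts": record["seen"], "app": record["package"], "source": service,
                "severity": 3 if record["verdict"] == "malicious" else 0}
    if service == "reputation_service":
        return {"ts": record["at"], "app": record["app_id"], "source": service,
                "severity": 2 if record["score"] < 30 else 0}
    raise ValueError(f"no normalizer for collaboration service {service!r}")


def trust_orchestrator(endpoint_events, reports):
    """Collate endpoint events with time-ordered temporal events from the collaboration
    services; produce an integrity profile and a flow-control directive per app."""
    temporal = sorted((normalize(s, r) for s, recs in reports.items() for r in recs),
                      key=lambda t: (t["ts"], t["app"], t["source"]))
    by_app = {ev["app"]: ev for ev in endpoint_events}
    profile = {}
    for app in sorted({t["app"] for t in temporal} | set(by_app)):
        ev = by_app.get(app)
        corroborating = sum(t["severity"] for t in temporal if t["app"] == app)
        if ev is not None and ev["state"] == "infected":
            level = "infected"          # the device-side calculus of risk is decisive
        elif ev is not None or corroborating >= 2:
            level = "suspect"           # external reports alone only raise suspicion
        else:
            level = "trusted"
        profile[app] = {
            "level": level,
            "endpoint_risk": ev["risk_score"] if ev else 0,
            "corroborating_severity": corroborating,
            "flow_control": FLOW_CONTROL[level],
        }
    return profile


def run_pipeline(events=RAW_EVENTS, reports=ASSESSMENT_REPORTS):
    """Agent followed by orchestrator; returns the integrity profile."""
    _, endpoint_events = endpoint_trust_agent(events)
    return trust_orchestrator(endpoint_events, reports)


if __name__ == "__main__":
    for app, entry in run_pipeline().items():
        print(app, entry)
```

Two design points are worth noting. The agent reports only applications that triggered at least one rule, matching the claim's "applications not operating with integrity", so the orchestrator has to take the union of endpoint events and collaboration-service events to profile clean applications at all. And the orchestrator never escalates an application to infected on third-party reports alone; it uses them to corroborate or to flag suspects, which keeps the flow-control decision anchored to what was observed on the device.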