Systems and methods for threat identification and remediation

DC CAFC

US 9,092,616 B2
Filed: 07/27/2012
Issued: 07/28/2015
Est. Priority Date: 05/01/2012
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method of providing an attestation service for providing runtime operational integrity of a system using a computing platform comprising a network trust agent, an endpoint trust agent, and a trust orchestration server, the method comprising:

sending, by the endpoint trust agent on a monitored device, a dynamic context including endpoint events and actions of the monitored device and applications executing on the monitored device at runtime;

receiving, at the trust orchestration server, the dynamic context including the endpoint events of the monitored device and the applications executing on the monitored device at runtime;

analyzing, by the trust orchestration server, the received endpoint events;

receiving, by the trust orchestration server, third party network endpoint assessments;

generating, by the trust orchestration server, temporal events based at least in part on analyzing the third party network endpoint assessments;

correlating, by the trust orchestration server, the received endpoint events and the generated temporal events; and

generating, by the trust orchestration server, an integrity profile for the system.

View all claims

3 Assignments

Timeline View

Assignment View

Litigations

3 Petitions

Accused Products

Abstract

Instrumented networks and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects and applications on the instrumented target platform. Systems and methods for threat identification and remediation for computing platforms based upon reconnaissance-based intelligence correlation and network/application monitoring are disclosed. In an embodiment, a method provides runtime operational integrity of a system by receiving: a dynamic context including endpoint events; and network endpoint assessments. The method generates temporal events based on the network endpoint assessments and correlates the endpoint events and temporal events before generating an integrity profile for the system. In another embodiment, flow level remediation is provided to isolate infected or compromised systems from a computing network fabric using a network trust agent, an endpoint trust agent, and a trust orchestrator.

Citations

20 Claims

1. A method of providing an attestation service for providing runtime operational integrity of a system using a computing platform comprising a network trust agent, an endpoint trust agent, and a trust orchestration server, the method comprising:
- sending, by the endpoint trust agent on a monitored device, a dynamic context including endpoint events and actions of the monitored device and applications executing on the monitored device at runtime;
  
  receiving, at the trust orchestration server, the dynamic context including the endpoint events of the monitored device and the applications executing on the monitored device at runtime;
  
  analyzing, by the trust orchestration server, the received endpoint events;
  
  receiving, by the trust orchestration server, third party network endpoint assessments;
  
  generating, by the trust orchestration server, temporal events based at least in part on analyzing the third party network endpoint assessments;
  
  correlating, by the trust orchestration server, the received endpoint events and the generated temporal events; and
  
  generating, by the trust orchestration server, an integrity profile for the system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 14, 15, 16)
- - 2. The method of claim 1, wherein the third party network endpoint assessments are received from an endpoint assessment service.
  - 3. The method of claim 2, further comprising:
    - receiving, by the trust orchestration server, integrity measurement and verification reports from the endpoint assessment service.
  - 4. The method of claim 1, wherein the third party network endpoint assessments are received from one or more collaboration services.
  - 5. The method of claim 4, further comprising:
    - receiving, by the trust orchestration server, integrity measurement and verification reports from the one or more collaboration services.
  - 6. The method of claim 1, whereinthe endpoint events of the monitored device are received by a system event correlator of the trust orchestration server from endpoint trust agents, andthe temporal events are generated by a trust broker of the trust orchestration server and are received by the system event correlator from the trust broker.
  - 7. The method of claim 1, further comprising:
    - performing, by a malware analyzer, detection of code obfuscation and evasion techniques in reverse engineered code of the applications, the code obfuscation and evasion techniques including at least one of;
      
      multiple packing, anti-debug, anti-trace, anti-memory, and anti-emulation.
  - 14. The method of claim 1, further comprising:
    - generating, by a trust supervisor, one or more tiered remediation actions based on real time warning associated with the operational runtime integrity of applications executing on an infected system;
      
      receiving, at a remediation controller of the trust orchestrator, the tiered remediation actions; and
      
      sending, by the trust orchestrator, to the network trust agent, one or more system warnings pertaining to a network device associated with the one or more tiered remediation actions.
  - 15. The method of claim 14, further comprising:
    - generating and sending, by the network trust agent, directives to formulate commands for a computer network protocol controller;
      
      sending, by the computer network protocol controller, rules to a computer network protocol enabled network element or switch of the network fabric to divert or block traffic flow to/from the network device; and
      
      enforcing, by the computer network protocol enabled network element or switch, received access restrictions or controls for the network device.
  - 16. The method of claim 15, further comprising:
    - monitoring and sending, by the trust supervisor, reputation score updates for the network device to the remediation controller;
      
      sending, by the trust orchestrator, system security posture status updates for the network device to the network trust agent; and
      
      generating and sending, by the network trust agent, to the computer network protocol security framework, directives to formulate commands for the computer network protocol controller to restore normal flows to/from the network device.

8. A method of providing flow level remediation to isolate infected or compromised systems and platforms from a computing network fabric using a network trust agent, an endpoint trust agent, and a trust orchestrator, the method comprising:
- generating, by the endpoint trust agent on an endpoint device, runtime system integrity alerts regarding execution anomalies and risks based on rulesets and a calculus of risk hypothesized by runtime actions and activities of monitored applications executing on the endpoint device;
  
  sending, by the endpoint trust agent, runtime system integrity warnings as endpoint events of the endpoint device to the trust orchestrator;
  
  generating, by the trust orchestrator, a system integrity profile for the endpoint device based on analysis of the received endpoint events;
  
  processing and correlating, by the trust orchestrator, one or more of;
  
  a system integrity profile generated based on a calculus of risk,a plurality of temporal events generated based on a normalization and collation of elements in endpoint assessment reports received from a plurality of collaboration services, anda system infection profile received from a network analyzer;
  
  sending, by the trust orchestrator to the network trust agent, system warnings based on endpoint execution state assessments; and
  
  sending, by the network trust agent, messages or directives to computer network protocol security frameworks and/or controllers to apply flow controls based on the received execution state as a threat posture of a connection endpoint.
- View Dependent Claims (9, 10, 11, 12, 13, 17, 18, 19)
- - 9. The method of claim 8, wherein the integrity warnings comprise warnings regarding data events and content events;
    - and wherein the endpoint events comprise data events and content events.
  - 10. The method of claim 8, wherein the remediation of an infected system is achieved without adversely reducing the total operating capacity or availability of the computing platform through on-demand instantiation and scaling of workloads.
  - 11. The method of claim 10, further comprising forwarding a notification conveying by a service accessed by a user from a mobile computing device an infected or compromised state of a mobile computing application on the mobile computing device associated with the user, wherein the notification is one or more of:
    - an asynchronous push notification to an account associated with the user;
      
      a short messaging service (SMS) text alert message forwarded to a phone number associated with the mobile computing device;
      
      an email alert message forwarded to an email address associated with the user; and
      
      a warning message displayed by a service on a display of the mobile computing device during initiation of a transaction with a service from the mobile computing device.
  - 12. The method of claim 11, wherein one or more services accessed by the mobile computing device are configured to be denied or restricted as a remediation action by a service provider.
  - 13. The method of claim 12, wherein the remediation action is based on the geo-location of the device, user and associated service accessed by the user.
  - 17. The method of claim 8, further comprising:
    - determining, by the network analyzer, threat behaviors based on network activity correlation and malware detection based on a threat life cycle model; and
      
      dispatching, by the trust orchestrator, the image files and attributes of an application for binary analysis, wherein the image files comprise compiled, intermediate, or interpreted code or scripts;
      
      receiving a result of the binary analysis result identifying malicious activity as a set of threats identified based on the analysis; and
      
      caching, by the trust broker, the results of the analysis indexed by a unique identifier for the image; and
      
      generating and returning an image profile to the endpoint trust agent comprising assertions of malicious capabilities of the image to be monitored at runtime for subsequent generation of endpoint events by the endpoint trust agent.
  - 18. The method of claim 17, wherein the binary analysis is performed by one or more third party malware analyzers, and wherein the dispatch mechanism uses trigger filter expressions that specify a set of criteria that warrant initiation of image analysis such as frequency and volume of requests for analysis associated with the application image across deployed endpoint trust agents.
  - 19. The method of claim 18, wherein the third party malware analyzers are configured to perform static and dynamic analysis of application images based on policies specified by the trust broker.

20. A system for providing runtime operational integrity by determining execution anomalies and a threat posture of applications executing on computing platforms including mobile devices and client-server systems, the system comprising:
- (i) an endpoint trust agent including;
  
  a process monitor configured to observe the runtime execution context of applications executing on the computer platforms and transient operating states,a socket monitor configured to observe runtime network activities of the applications for transient states, anda resource utilization module monitor configured to observe the types and extent of system and platform resources consumed by the applications that may provide evidence of infected systems; and
  
  an application integrity module configured to assess runtime operational integrity of a monitored application instance running on an instrumented device based on a ruleset to deem local actions and activities of the application to be at risk;
  
  wherein native machine instrumentation for the computing platform is configured to (a) represent event subscriptions, callbacks, notification mechanisms provided by an operating system (OS) on the computing platforms, and (b) generate raw events;
  
  (ii) extended trust instrumentation;
  
  (iii) a runtime monitor configured to;
  
  subscribe to and receive near real time asynchronous notifications of runtime operation invocations by applications executing on the computer platforms from the extended trust instrumentation, andgenerate and send dynamic expressions or rules as application activity filters linked to runtime operation invocations of running instances of the applications;
  
  (iv) a system event correlator configured to correlate system events of the computing platforms to determine a calculus of risk;
  
  (v) a trust orchestrator configured to orchestrate actionable intelligence based on the calculus of risk by integrating security intelligence about the computing platforms and the applications; and
  
  (vi) an endpoint trust sensor configured to measure runtime operational integrity of the computing platforms by evaluating risk based on actions of an application executing on, or a user of, the computing platforms and receiving the raw events from the native machine instrumentation.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Taasera Licensing LLC (Quest Patent Research Corporation)
Original Assignee
Taasera, Inc. (Full Circle Investments, Inc.)
Inventors
Kumar, Srinivas, Pollutro, Dennis
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Savenkov, Vadim

Application Number

US13/559,766
Publication Number

US 20130298244A1
Time in Patent Office

1,096 Days
Field of Search

726/25, 726/22, 726/24
US Class Current

1/1
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/564   by virus signature recognition

H04L 63/0209   Architectural arrangements,...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 67/10   in which an application is ...

Systems and methods for threat identification and remediation

First Claim

3 Assignments

Litigations

3 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for threat identification and remediation

First Claim

3 Assignments

Subscription Required

Subscription Required

Litigations

3 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links