Systems and methods for threat identification and remediation
Abstract
Instrumented networks and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects and applications on the instrumented target platform. Systems and methods for threat identification and remediation for computing platforms based upon reconnaissance-based intelligence correlation and network/application monitoring are disclosed. In an embodiment, a method provides runtime operational integrity of a system by receiving: a dynamic context including endpoint events; and network endpoint assessments. The method generates temporal events based on the network endpoint assessments and correlates the endpoint events and temporal events before generating an integrity profile for the system. In another embodiment, flow level remediation is provided to isolate infected or compromised systems from a computing network fabric using a network trust agent, an endpoint trust agent, and a trust orchestrator.
20 Claims
1. A method of providing an attestation service for providing runtime operational integrity of a system using a computing platform comprising a network trust agent, an endpoint trust agent, and a trust orchestration server, the method comprising:
- sending, by the endpoint trust agent on a monitored device, a dynamic context including endpoint events and actions of the monitored device and applications executing on the monitored device at runtime;
- receiving, at the trust orchestration server, the dynamic context including the endpoint events of the monitored device and the applications executing on the monitored device at runtime;
- analyzing, by the trust orchestration server, the received endpoint events;
- receiving, by the trust orchestration server, third party network endpoint assessments;
- generating, by the trust orchestration server, temporal events based at least in part on analyzing the third party network endpoint assessments;
- correlating, by the trust orchestration server, the received endpoint events and the generated temporal events; and
- generating, by the trust orchestration server, an integrity profile for the system.

Dependent claims: 2, 3, 4, 5, 6, 7, 14, 15, 16
8. A method of providing flow level remediation to isolate infected or compromised systems and platforms from a computing network fabric using a network trust agent, an endpoint trust agent, and a trust orchestrator, the method comprising:
- generating, by the endpoint trust agent on an endpoint device, runtime system integrity alerts regarding execution anomalies and risks based on rulesets and a calculus of risk hypothesized by runtime actions and activities of monitored applications executing on the endpoint device;
- sending, by the endpoint trust agent, runtime system integrity warnings as endpoint events of the endpoint device to the trust orchestrator;
- generating, by the trust orchestrator, a system integrity profile for the endpoint device based on analysis of the received endpoint events;
- processing and correlating, by the trust orchestrator, one or more of: a system integrity profile generated based on a calculus of risk, a plurality of temporal events generated based on a normalization and collation of elements in endpoint assessment reports received from a plurality of collaboration services, and a system infection profile received from a network analyzer;
- sending, by the trust orchestrator to the network trust agent, system warnings based on endpoint execution state assessments; and
- sending, by the network trust agent, messages or directives to computer network protocol security frameworks and/or controllers to apply flow controls based on the received execution state as a threat posture of a connection endpoint.

Dependent claims: 9, 10, 11, 12, 13, 17, 18, 19
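As an added illustration (not code from the patent or from any assignee's product), the following Python model walks through the pipeline that claims 1 and 8 describe: endpoint events from the endpoint trust agent, normalization of third party assessments into temporal events, time-window correlation on the trust orchestrator, an integrity profile with a posture, and the flow-control directives the network trust agent would hand to a controller. The event schema, risk weights, window size and quarantine threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample input (hypothetical schema): endpoint events sent by the
# endpoint trust agent, each already tagged with a local risk score by its ruleset.
ENDPOINT_EVENTS = [
    {"device": "host-a", "ts": "2024-01-01T10:00:05", "event": "unsigned_binary_exec", "risk": 3},
    {"device": "host-a", "ts": "2024-01-01T10:00:40", "event": "outbound_conn", "risk": 2},
    {"device": "host-b", "ts": "2024-01-01T10:02:00", "event": "outbound_conn", "risk": 2},
]
# Constructed third party network endpoint assessments (e.g. from a scanner or
# network analyzer); note host-b's finding is hours old.
ASSESSMENTS = [
    {"device": "host-a", "ts": "2024-01-01T09:59:50", "source": "net-analyzer", "finding": "c2_beacon", "severity": 4},
    {"device": "host-b", "ts": "2024-01-01T08:00:00", "source": "scanner", "finding": "outdated_agent", "severity": 1},
]

def to_temporal_events(assessments):
    """Normalize heterogeneous assessment reports into temporal events keyed by device and time."""
    return [{"device": a["device"], "ts": datetime.fromisoformat(a["ts"]),
             "kind": a["finding"], "weight": a["severity"]} for a in assessments]

def correlate(endpoint_events, temporal_events, window=timedelta(minutes=1)):
    """Return temporal events corroborated by at least one endpoint event on the same
    device within the time window; each temporal event counts at most once."""
    matched = []
    for t in temporal_events:
        for e in endpoint_events:
            if e["device"] == t["device"] and abs(datetime.fromisoformat(e["ts"]) - t["ts"]) <= window:
                matched.append(t)
                break
    return matched

def integrity_profile(endpoint_events, assessments, quarantine_threshold=8):
    """Assumed calculus of risk: sum of per-device endpoint risk, plus the severity of
    any temporal event that the endpoint events corroborate in time."""
    scores = {}
    for e in endpoint_events:
        scores[e["device"]] = scores.get(e["device"], 0) + e["risk"]
    for t in correlate(endpoint_events, to_temporal_events(assessments)):
        scores[t["device"]] += t["weight"]  # corroboration raises the device's score
    return {d: {"score": s, "posture": "quarantine" if s >= quarantine_threshold else "allow"}
            for d, s in scores.items()}

def flow_directives(profile):
    """Network trust agent: translate a quarantine posture into an isolate directive
    for the network controller; devices with an allow posture get no directive."""
    return [{"device": d, "action": "isolate"} for d, p in profile.items() if p["posture"] == "quarantine"]
```

Here host-a's stale-free beacon finding lands inside the window of its endpoint events and pushes it over the threshold, while host-b's old scanner finding is not corroborated and it stays allowed.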
20. A system for providing runtime operational integrity by determining execution anomalies and a threat posture of applications executing on computing platforms including mobile devices and client-server systems, the system comprising:
- (i) an endpoint trust agent including: a process monitor configured to observe the runtime execution context of applications executing on the computer platforms and transient operating states, a socket monitor configured to observe runtime network activities of the applications for transient states, and a resource utilization module monitor configured to observe the types and extent of system and platform resources consumed by the applications that may provide evidence of infected systems; and an application integrity module configured to assess runtime operational integrity of a monitored application instance running on an instrumented device based on a ruleset to deem local actions and activities of the application to be at risk; wherein native machine instrumentation for the computing platform is configured to (a) represent event subscriptions, callbacks, notification mechanisms provided by an operating system (OS) on the computing platforms, and (b) generate raw events;
- (ii) extended trust instrumentation;
- (iii) a runtime monitor configured to: subscribe to and receive near real time asynchronous notifications of runtime operation invocations by applications executing on the computer platforms from the extended trust instrumentation, and generate and send dynamic expressions or rules as application activity filters linked to runtime operation invocations of running instances of the applications;
- (iv) a system event correlator configured to correlate system events of the computing platforms to determine a calculus of risk;
- (v) a trust orchestrator configured to orchestrate actionable intelligence based on the calculus of risk by integrating security intelligence about the computing platforms and the applications; and
- (vi) an endpoint trust sensor configured to measure runtime operational integrity of the computing platforms by evaluating risk based on actions of an application executing on, or a user of, the computing platforms and receiving the raw events from the native machine instrumentation.
Specification