On device policy enforcement to secure open platform via network and open network

US 9,467,858 B2
Filed: 02/07/2011
Issued: 10/11/2016
Est. Priority Date: 02/05/2010
Status: Active Grant

First Claim

Patent Images

1. A method of using policy enforcement for securing open devices and networks, the method comprising:

monitoring, by a policy enforcer executing on a mobile device, an integrity of the policy enforcer;

determining, by the policy enforcer executing on the mobile device, if the policy enforcer has been compromised;

in response to determining that the policy enforcer has not been compromised, allowing, by the policy enforcer executing on the mobile device, the mobile device to access a network;

accessing, by the policy enforcer executing on the mobile device, a policy database storing a plurality of policies configured to enforce network integrity on the network providing a plurality of services, the plurality of services including at least a cellular communication service, and an Internet service;

retrieving, by the policy enforcer executing on the mobile device, the plurality of policies from the policy database;

monitoring, at random intervals by the policy enforcer executing on the mobile device, programs, services, O/S, firmware, drivers, hardware, and peripherals running on the mobile device;

based on at least one of the plurality of policies, comparing, by the policy enforcer executing on the mobile device, the programs, the services, the O/S, the firmware, the drivers, the hardware, and the peripherals running on the mobile device against programs, services, O/S, firmware, drivers, hardware, and peripherals allowed by the at least one of the plurality of policies; and

based on the comparison and in response to determining, by the policy enforcer executing on the mobile device, that the mobile device is running one or more programs, services, O/S, firmware, drivers, hardware, and peripherals not allowed by the at least one of the plurality of policies, prohibiting, by the policy enforcer executing on the mobile device, access of the mobile device to one or more services of the plurality of services provided by the network based on the at least one of the plurality of policies; and

implementing a mitigation process while continuing to allow the mobile device to access the network and one or more other services of the plurality of services provided by the network based on the at least one of the plurality of policies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention provide methods and systems for using policy enforcement for securing open devices and networks. The method includes accessing, by a policy enforcer, a plurality of policies configured to enforce network integrity and monitoring programs and/or services running on a device. The method further includes based on at least one of the plurality of policies, comparing the programs and/or services running on the device against the programs and/or services allowed by the at least one of the plurality of policies, and based on the comparison, determining that the device is running at least one program and/or service disallowed by the at least one policy. Further, the method includes in response, prohibiting access of the device to the network.

Citations

17 Claims

1. A method of using policy enforcement for securing open devices and networks, the method comprising:
- monitoring, by a policy enforcer executing on a mobile device, an integrity of the policy enforcer;
  
  determining, by the policy enforcer executing on the mobile device, if the policy enforcer has been compromised;
  
  in response to determining that the policy enforcer has not been compromised, allowing, by the policy enforcer executing on the mobile device, the mobile device to access a network;
  
  accessing, by the policy enforcer executing on the mobile device, a policy database storing a plurality of policies configured to enforce network integrity on the network providing a plurality of services, the plurality of services including at least a cellular communication service, and an Internet service;
  
  retrieving, by the policy enforcer executing on the mobile device, the plurality of policies from the policy database;
  
  monitoring, at random intervals by the policy enforcer executing on the mobile device, programs, services, O/S, firmware, drivers, hardware, and peripherals running on the mobile device;
  
  based on at least one of the plurality of policies, comparing, by the policy enforcer executing on the mobile device, the programs, the services, the O/S, the firmware, the drivers, the hardware, and the peripherals running on the mobile device against programs, services, O/S, firmware, drivers, hardware, and peripherals allowed by the at least one of the plurality of policies; and
  
  based on the comparison and in response to determining, by the policy enforcer executing on the mobile device, that the mobile device is running one or more programs, services, O/S, firmware, drivers, hardware, and peripherals not allowed by the at least one of the plurality of policies, prohibiting, by the policy enforcer executing on the mobile device, access of the mobile device to one or more services of the plurality of services provided by the network based on the at least one of the plurality of policies; and
  
  implementing a mitigation process while continuing to allow the mobile device to access the network and one or more other services of the plurality of services provided by the network based on the at least one of the plurality of policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the mobile device periodically syncs with a server or with a server from which the plurality of policies are obtained.
  - 3. The method of claim 1, further comprising:
    - determining, by the policy enforcer executing on the mobile device, that the policy enforcer has been compromised; and
      
      in response, prohibiting, by the policy enforcer executing on the mobile device, the mobile device from accessing to the network.
  - 4. The method of claim 1, wherein the policy enforcer is compromised based in part on one or more of the following situations:
    - hardware associated with the policy enforcer has been modified, software of the policy enforcer has been modified and/or deleted, files associated with the policy enforcer have been modified and/or deleted, and software and/or hardware has been added to the mobile device to circumvent operation of the policy enforcer.
  - 5. The method of claim 1, wherein the mitigation process comprises:
    - gathering, by the policy enforcer executing on the mobile device, information about the one or more programs, services, O/S, firmware, drivers, hardware, and peripherals not allowed by the at least one of the plurality of policies;
      
      implementing, by the policy enforcer executing on the mobile device, a corrective strategy; and
      
      propagating, by the policy enforcer executing on the mobile device, the corrective strategy to the network.
  - 6. The method of claim 1, wherein the mitigation process further comprises:
    - determining, by the policy enforcer executing on the mobile device, if invalid files and/or software are present on the mobile device; and
      
      in response to invalid files and/or software being present, identifying, by the policy enforcer executing on the mobile device, and reporting information about the invalid files and/or software and formatting a memory of the mobile device.
  - 7. The method of claim 1, wherein the mitigation process further comprises:
    - determining, by the policy enforcer executing on the mobile device, if required files and/or software has been removed or modified within the mobile device; and
      
      in response to required files and/or software being removed or modified, identifying and reporting, by the policy enforcer executing on the mobile device, which required files and/or software have been removed and/or how the required files and/or software have been modified and formatting a memory of the mobile device.
  - 8. The method of claim 1, wherein the mitigation process comprises:
    - checking, by the policy enforcer executing on the mobile device, a validity of a operating system (O/S) present on the mobile device; and
      
      in response to the O/S present on the mobile device being invalid, denying, by the policy enforcer executing on the mobile device, the mobile device access to the network and formatting a memory of the mobile device.
  - 9. The method of claim 1, wherein prohibiting access of the mobile device to one or more services of the network comprises blocking access to the Internet service.
  - 10. The method of claim 1, wherein prohibiting access of the mobile device to one or more services of the network comprises blocking access to the cellular communication service.

11. A system for policy enforcement for securing open devices and networks, the system comprising:
- a network providing a plurality of services, the plurality of services including at least a cellular communication service, and an Internet service;
  
  a mobile device communicatively coupled with the network and configured to execute programs and access files;
  
  a policy enforcer executing on the mobile device, the policy enforcer configured to;
  
  monitor an integrity of the policy enforcer;
  
  determine if the policy enforcer has been compromised;
  
  in response to determining that the policy enforcer has not been compromised, allow the mobile device to access the network;
  
  access a policy database storing a plurality of policies configured to enforce network integrity;
  
  retrieve the plurality of policies from the policy database;
  
  monitor at random intervals programs, services, O/S, firmware, drivers, hardware, and peripherals running on the mobile device;
  
  based on at least one of the plurality of policies, compare the programs, services, O/S, firmware, drivers, hardware, and peripherals running on the mobile device against programs, services, O/S, firmware, drivers, hardware, and peripherals allowed by the at least one of the plurality of policies;
  
  based on the comparison and in response to determining that the mobile device is running one or more programs, services, O/S, firmware, drivers, hardware, and peripherals not allowed by the at least one of the plurality of policies, prohibiting, by the policy enforcer executing on the mobile device, access of the mobile device to one or more services of the plurality of services provided by the network based on the at least one of the plurality of policies; and
  
  implementing a mitigation process while continuing to allow the mobile device to access to the network and one or more other services of the plurality of services provided by the network based on the at least one of the plurality of policies; and
  
  a network provider in connection with the policy enforcer, the network provider configured to receive from the policy enforcer a request to deny access to the one or more services of the network, and implement denial of access to the one or more services of the network to the mobile device.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The system of claim 11, further comprising the mobile device including the policy enforcer.
  - 13. The system of claim 11, wherein the mobile device is a closed device.
  - 14. The system of claim 11, wherein the mobile device is an open device.
  - 15. The system of claim 11, wherein the network is an open network.
  - 16. The system of claim 11, wherein the network is a closed network.

17. A non-transitory machine-readable medium including sets of instructions stored thereon for using policy enforcement for securing open devices and networks which, when executed by a machine, causes the machine to:
- monitor, by a policy enforcer executing on a mobile device, an integrity of the policy enforcer;
  
  determine, by the policy enforcer executing on the mobile device, if the policy enforcer has been compromised;
  
  in response to determining that the policy enforcer has not been compromised, allow, by the policy enforcer executing on the mobile device, the mobile device to access a network;
  
  access, by the policy enforcer executing on the mobile device, a policy database storing a plurality of policies configured to enforce network integrity on the network providing a plurality of services, the plurality of services including at least a cellular communication service, and an Internet service;
  
  retrieve, by the policy enforcer executing on the mobile device, the plurality of policies from the policy database;
  
  monitor, at random intervals by the policy enforcer executing on the mobile device, programs, services, O/S, firmware, drivers, hardware, and peripherals running on the mobile device;
  
  based on at least one of the plurality of policies, compare, by the policy enforcer executing on the mobile device, the programs, the services, the O/S, the firmware, the drivers, the hardware, and the peripherals running on the mobile device against programs, services, O/S, firmware, drivers, hardware, and peripherals allowed by the at least one of the plurality of policies;
  
  based on the comparison and in response to determining, by the policy enforcer executing on the mobile device, that the mobile device is running one or more programs, services, O/S, firmware, drivers, hardware, and peripherals not allowed by the at least one of the plurality of policies prohibiting, by the policy enforcer executing on the mobile device, access of the mobile device to one or more services of the plurality of services provided by the network based on the at least one of the plurality of policies; and
  
  implementing a mitigation process while continuing to allow the mobile device to access to the network and one or more other services of the plurality of services provided by the network based on the at least one of the plurality of policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Maes, Stephane H.
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US13/022,377
Publication Number

US 20110197257A1
Time in Patent Office

2,073 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04W 12/08 Access security

On device policy enforcement to secure open platform via network and open network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

On device policy enforcement to secure open platform via network and open network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links