METHODS AND SYSTEMS FOR SECURE NETWORK CONNECTIONS

US 20150128205A1
Filed: 11/04/2013
Published: 05/07/2015
Est. Priority Date: 11/04/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

storing on a mobile communications device a security policy to manage network connections;

collecting context information at the mobile communications device to evaluate a first network connection between the mobile communications device and a target destination;

applying the security policy using the collected context information at the mobile communication device; and

based on the application of the security policy, determining whether or not there should be a second network connection between the mobile communications device and the target destination, wherein the second network connection offers a level of security different from a level of security offered by the first network connection.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Context information associated with a mobile communications device and a network connection for the mobile communications device is collected. A security policy is applied to determine whether the security offered by the network connection is appropriate for the context. If the security offered by the network connection is not appropriate for the context, the network connection may be made more secure, less secure, or a different network connection having an appropriate level of security may be used for the data associated with the context.

199 Citations

96 Claims

1. A method comprising:
- storing on a mobile communications device a security policy to manage network connections;
  
  collecting context information at the mobile communications device to evaluate a first network connection between the mobile communications device and a target destination;
  
  applying the security policy using the collected context information at the mobile communication device; and
  
  based on the application of the security policy, determining whether or not there should be a second network connection between the mobile communications device and the target destination, wherein the second network connection offers a level of security different from a level of security offered by the first network connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 2. The method of claim 1 comprising:
    - if the step of determining whether there should be a new network connection between the mobile communication device and the target destination is that a second network connection should be established, terminating the first network connection; and
      
      establishing the second network connection between the mobile communications device and the target destination, wherein the level of security offered by the second network connection is greater than the level of security offered by the terminated first network connection.
  - 3. The method of claim 1 comprising:
    - if the step of determining whether there should be a new network connection between the mobile communication device and the target destination is that a second network connection should be established, terminating the first network connection; and
      
      establishing the second network connection between the mobile communications device and the target destination, wherein the level of security offered by the second network connection is less than the level of security offered by the terminated first network connection.
  - 4. The method of claim 1 wherein the context information includes a location of the mobile communications device.
  - 5. The method of claim 1 wherein the context information includes an identifier of the target destination.
  - 6. The method of claim 1 wherein the context information includes user activity.
  - 7. The method of claim 6 wherein the user activity comprises any combination of:
    - an identification of a specific application program on the mobile communications device, an identification of a web application, an identification of a website, a category of the specific application program, a day of week, or a time of day, and wherein the category of the specific application program comprises at least one of a financial services application, a web application, or an enterprise application.
  - 8. The method of claim 1 wherein the policy originates from any combination of a user, an administrator for the mobile device, an administrator for a physical network to which the first network connection is made, or a network destination.
  - 9. The method of claim 1 wherein the level of security offered by one of the first or second network connection includes encryption of the respective network connection, the one of the first or second network connection thereby offering a greater level of security than another of the first or second network connection.
  - 10. The method of claim 1 wherein one of the first or second network connection includes providing safe browsing by controlling a domain name system (DNS) server for resolving network addresses of all connections via whitelisting or blacklisting by specific domains or TLDs or categories of destinations, the one of the first or second network connection thereby offering a greater level of security than another of the first or second network connection.
  - 11. The method of claim 1 wherein the first network connection, second network connection, or both includes any combination of Wi-Fi, virtual private network (VPN), macro cell network, small cell network, micro cell network, Bluetooth, near field communication (NFC), Zigbee/802.15.x/wireless personal area network (WPAN), mobile ad hoc network (MANET), or mesh network.
  - 12. The method of claim 1 wherein the mobile communications device includes a sessile thing of an Internet of Things (IoT).
  - 13. The method of claim 1 wherein the security policy is selected as a user preference.
  - 14. The method of claim 1 wherein the collected context information comprises a category to which the target destination belongs.
  - 15. The method of claim 14 wherein the category comprises at least one of a cloud services provider, a financial services website, or a shopping website.
  - 16. The method of claim 1 comprising:
    - storing at the mobile communications device a list including a plurality of target destinations, and a plurality of categories, each target destination being categorized into a category of the plurality of categories;
      
      scanning the list to identify a category of the target destination;
      
      if the target destination is in a first category, determining that there should be the second network connection between the mobile communications device and the target destination; and
      
      if the target destination is in a second category, different from the first category, determining that there should not be the second network connection between the mobile communications device and the target destination.
  - 17. The method of claim 1 comprising:
    - transmitting from the mobile communications device to a server a request to identify a category of the target destination;
      
      receiving from the server the category of the target destination;
      
      if the target destination is in a first category, determining that there should be the second network connection between the mobile communications device and the target destination; and
      
      if the target destination is in a second category, different from the first category, determining that there should not be the second network connection between the mobile communications device and the target destination.
  - 18. The method of claim 1 wherein the context information includes a security level of the first network connection.
  - 19. The method of claim 1 comprising:
    - determining that there should be the second network connection between the mobile communications device and the target destination because the level of security offered by the first network connection is not appropriate based on user activity included in the collected context information.
  - 20. The method of claim 1 comprising:
    - determining that there should be the second network connection between the mobile communications device and the target destination because the level of security offered by the first network connection is not appropriate based on a location of the mobile communications device included in the collected context information.
  - 21. The method of claim 1 wherein the context information includes an identity of a physical provider of the first network connection.
  - 22. The method of claim 1 comprising:
    - storing at the mobile communications device a list identifying a plurality of physical network connection providers;
      
      scanning the list to determine whether a physical network connection provider for the first network connection is listed in the list;
      
      if the physical network connection provider for the first network connection is listed in the list, allowing the mobile communications device to maintain the first network connection; and
      
      if the physical network connection provider for the first network connection is not listed in the list, not allowing the mobile communications device to maintain the first network connection.
  - 23. The method of claim 22 comprising:
    - receiving the list at the mobile communications device in response to a request to a server for the list.
  - 24. The method of claim 1 comprising:
    - storing at the mobile communications device a list identifying a plurality of physical network connection providers;
      
      scanning the list to determine whether a physical network connection provider for the first network connection is listed in the list;
      
      if the physical network connection provider for the first network connection is listed in the list, not allowing the mobile communications device to maintain the first network connection; and
      
      if the physical network connection provider for the first network connection is not listed in the list, allowing the mobile communications device to maintain the first network connection.
  - 25. The method of claim 24 comprising:
    - receiving the list at the mobile communications device in response to a request to a server for the list.
  - 26. The method of claim 1 comprising:
    - storing at the mobile communications device a list including a plurality of physical network connection providers, and a plurality of categories, each physical network connection provider being categorized into a category of the plurality of categories;
      
      scanning the list to identify a category of a physical network connection provider for the first network connection;
      
      determining that the physical network connection provider for the first network connection is in a first category; and
      
      upon the determination, allowing the mobile communications device to maintain the first network connection.
  - 27. The method of claim 26 comprising receiving the list at the mobile communications device in response to a request to a server for the list.
  - 28. The method of claim 1 comprising:
    - storing at the mobile communications device a list including a plurality of physical network connection providers, and a plurality of categories, each physical network connection provider being categorized into a category of the plurality of categories;
      
      scanning the list to identify a category of a physical network connection provider for the first network connection;
      
      determining that the physical network connection provider for the first network connection is in a first category; and
      
      upon the determination, not allowing the mobile communications device to maintain the first network connection.
  - 29. The method of claim 28 comprising receiving the list at the mobile communications device in response to a request to a server for the list.
  - 30. The method of claim 1 comprising:
    - sending a request to a server for the server to evaluate a physical network connection provider for the first network connection;
      
      receiving a result from the server in response to the request; and
      
      based on the result, allowing or not allowing the mobile communications device to maintain the first network connection.
  - 31. The method of claim 1 wherein the security policy comprises a collection of user choices or preferences.
  - 32. The method of claim 1 wherein the context information is collected while the first network connection is established between the mobile communications device and the target destination.
  - 33. The method of claim 1 wherein the context information is collected after the first network connection is established between the mobile communications device and the target destination.

34. A method comprising:
- storing on a mobile communications device a security policy to manage network connections;
  
  on the mobile communications device, intercepting an attempt by the mobile communications device to establish a first network connection between the mobile communications device and a target destination; and
  
  applying the security policy on the mobile communications device according to context information associated with the mobile communications device to determine whether or not a second network connection should be established between the mobile communications device and the target destination, wherein a level of security offered by the first network connection is different from a level of security offered by the second network connection.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42, 44, 45, 46, 47)
- - 35. The method of claim 34 wherein the context information was collected prior to the attempt by the mobile communications device to establish the first network connection.
  - 36. The method of claim 34 wherein the context information was collected in response to the attempt by the mobile communications device to establish the first network connection.
  - 37. The method of claim 34 wherein the context information comprises information collected prior to the attempt by the mobile communications device to establish the first network connection, and information collected in response to the attempt by the mobile communications device to establish the first network connection.
  - 38. The method of claim 34 wherein the step of intercepting is an operating system event, a network driver event, a baseband processor event, a security application event, or an Android intent filtering event.
  - 39. The method of claim 34 further comprising:
    - in the applying step, determining that the second network connection need not be established, and allowing the first network connection to be established between the mobile communications device and the target destination;
      
      while the first network connection is established between the mobile communications device and the target destination, collecting new context information associated with the mobile communications device on the mobile communication device; and
      
      based on the newly collected context information, applying the security policy on the mobile communications device to determine whether or not the second network connection should be established between the mobile communications device and the target destination, wherein the level of security offered by the second network connection is greater than the level of security offered by the first network connection.
  - 40. The method of claim 34 further comprising:
    - in the applying step, determining that the second network connection need not be established and allowing the first network connection to be established between the mobile communications device and the target destination;
      
      while the first network connection is established between the mobile communications device and the target destination, collecting new context information associated with the mobile communications device on the mobile communication device; and
      
      based on the newly collected context information, applying the security policy on the mobile communications device to determine whether or not the second network connection should be established between the mobile communications device and the target destination, wherein the level of security offered by the second network connection is less than the level of security offered by the first network connection.
  - 41. The method of claim 34 further comprising:
    - in the applying step, determining that the second network connection need not be established and allowing the first network connection to be established between the mobile communications device and the target destination;
      
      while the first network connection is established between the mobile communications device and the target destination, collecting new context information associated with the mobile communications device on the mobile communication device; and
      
      based on the newly collected context information, applying the security policy on the mobile communications device to determine whether or not the first network connection should remain established between the mobile communications device and the target destination, wherein the level of security offered by the first network connection is greater than the level of security offered by the second network connection.
  - 42. The method of claim 34 further comprising:
    - in the applying step, determining that the first network connection should be established between the mobile communications device and the target destination;
      
      while the first network connection is established between the mobile communications device and the target destination, collecting new context information associated with the mobile communications device on the mobile communications device; and
      
      based on the newly collected context information, applying the security policy on the mobile device to determine whether or not the first network connection should remain established between the mobile communications device and the target destination, wherein the level of security offered by the first network connection is less than the level of security offered by the second network connection.
  - 44. The method of claim 34 further comprising:
    - if the type of network connection established between the mobile communications device and the target destination does not match the particular type of network connection specified in the security policy, terminating the first network connection and establishing a second network connection between the mobile communications device and the target destination, wherein the second network connection is of the particular type specified in the policy, and wherein a level of security offered by the second network connection is greater than a level of security offered by the terminated first network connection.
  - 45. The method of claim 34 further comprising:
    - if the type of network connection established between the mobile communications device and the target destination does not match the particular type of network connection specified in the security policy, terminating the first network connection and establishing a second network connection between the mobile communications device and the target destination, wherein the second network connection is of the particular type specified in the policy, and wherein a level of security offered by the second network connection is less than a level of security offered by the terminated first network connection.
  - 46. The method of claim 34 wherein the security policy is received while the first network connection is established between the mobile communications device and the target destination.
  - 47. The method of claim 34 wherein the security policy is received after the first network connection is established between the mobile communications device and the target destination.

43. A method comprising:
- at a mobile communications device connected to a target destination via a first network connection, receiving a security policy specifying a particular type of network connection to be used during a particular context;
  
  on the mobile communication device, collecting context information associated with the mobile communications device;
  
  on the mobile communication device, analyzing the collected context information and determining whether or not the context information corresponds to the particular context specified in the security policy; and
  
  upon a determination that the collected context information corresponds to the particular context specified in the security policy, determining whether or not the type of network connection established between the mobile communications device and the target destination matches the particular type of network connection specified in the security policy.

48. A method comprising:
- receiving, at a server, context information associated with a mobile communications device;
  
  at the server, analyzing the context information to determine whether a first existing network connection from the mobile communications device for a first application program executing on the mobile communications device offers a level of security appropriate for the first application program;
  
  if the first existing network connection does not offer the appropriate level of security, sending instructions to the mobile communications device to terminate the first existing network connection; and
  
  if the first existing network connection does offer the appropriate level of security, then allowing the first existing network connection to be maintained on the mobile communications device.
- View Dependent Claims (49, 50, 51, 52, 53)
- - 49. The method of claim 48 further comprising:
    - after the step of sending instructions to the mobile communication device to terminate the first existing network connection, at the server, sending instructions to the mobile communications device to establish a second network connection for the first application program executing on the mobile communications device, wherein a level of security offered by the second network connection is greater than a level of security offered by the terminated first existing network connection.
  - 50. The method of claim 48 further comprising:
    - after the step of sending instructions to the mobile communications device to terminate the first existing network connection, at the server sending instructions to the mobile communications device to establish a second network connection for the first application program executing on the mobile communications device, wherein a level of security offered by the second network connection is less than a level of security offered by the terminated first existing network connection.
  - 51. The method of claim 48 further comprising:
    - at the server, allowing the mobile communications device to maintain a second existing network connection for a second application program executing on the mobile communications device, wherein a level of security offered by the first existing network connection for the first application program is greater than a level of security offered by the second existing network connection.
  - 52. The method of claim 48 further comprising:
    - at the server, allowing the mobile communications device to maintain a second existing network connection for a second application program executing on the mobile communications device, wherein a level of security offered by the first existing network connection for the first application program is less than a level of security offered by the second existing network connection.
  - 53. The method of claim 48 comprising:
    - receiving, at the server, a security policy from the mobile communications device for the step of analyzing the context information.

54. A method comprising:
- storing on a mobile communications device a security policy to manage types of network connections;
  
  collecting context information at the mobile communications device to evaluate a first type of network connection between the mobile communications device and a target destination;
  
  applying the security policy using the collected context information at the mobile communications device; and
  
  based on the application of the security policy, determining whether or not there should be a second type of network connection between the mobile communications device and the target destination.
- View Dependent Claims (55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67)
- - 55. The method of claim 54 wherein the first and second types of network connections include different types of physical network connections.
  - 56. The method of claim 54 wherein the first and second types of network connections include the same type of physical network connection, one of the first or second types of network connections includes an overlay connection, and another of the first or second types of network connection does not include the overlay connection.
  - 57. The method of claim 54 wherein the first and second types of network connections include physical network connections, andwherein the first type of network connection includes at least one of a cellular network connection, a Wi-Fi network connection, or a Bluetooth network connection, and the second type network connection includes one of at least another of the cellular network connection, the Wi-Fi network connection, or the Bluetooth network connection.
  - 58. The method of claim 54 wherein the first and second types of network connections include physical network connections, andwherein the first type of network connection comprises an overlay connection, and the second type of network connection does not comprise the overlay connection.
  - 59. The method of claim 54 wherein the first and second types of network connections include physical network connections, andwherein the first type of network connection does not include an overlay connection, and the second type of network connection includes the overlay connection.
  - 60. The method of claim 54 wherein the first and second types of network connections include the same type of physical network connection, andwherein the first type of network connection includes an overlay connection, and the second type of network connection does not include the overlay connection.
  - 61. The method of claim 54 wherein the first and second types of network connections include the same type of physical network connection, andwherein the first type of network connection does not include an overlay connection, and the second type of network connection includes the overlay connection.
  - 62. The method of claim 54 wherein the first and second types of network connections include different types of physical network connections, andwherein the first type of network connection includes an overlay connection, and the second type of network connection does not include the overlay connection.
  - 63. The method of claim 54 wherein the first and second types of network connections include different types of physical network connections, andwherein the first type of network connection does not include an overlay connection, and the second type of network connection includes the overlay connection.
  - 64. The method of claim 54 comprising:
    - if there should be the second type of network connection, establishing the second type of network connection over the first type of network connection, wherein the first type of network connection includes a physical network connection, and the second type of network connection includes an overlay connection.
  - 65. The method of claim 54 comprising:
    - if there should be the second type of network connection, establishing the second type of network connection over the first type of network connection, wherein the first type of network connection includes a physical network connection, and the second type of network connection includes a new overlay connection.
  - 66. The method of claim 54 comprising:
    - if there should be the second type of network connection, establishing the second type of network connection over the first type of network connection, wherein the first type of network connection includes a physical network connection, and the second type of network connection includes an existing overlay connection.
  - 67. The method of claim 54 comprising:
    - if there should be the second type of network connection, establishing the second type of network connection, wherein the second type of network connection includes a new physical network connection, and an overlay connection over the new physical network connection.

68. A method comprising:
- storing on a mobile communications device a security policy;
  
  collecting context information at the mobile communications device to evaluate a request by an application program to establish an application connection over an existing physical network connection;
  
  applying the security policy using the collected context information at the mobile communications device; and
  
  based on the application of the security policy, allowing or not allowing the request.
- View Dependent Claims (69, 70, 71, 72, 73, 74, 75, 76)
- - 69. The method of claim 68 wherein the allowing the request comprises:
    - establishing an overlay connection over the existing physical network connection for the application program.
  - 70. The method of claim 68 wherein the allowing the request comprises:
    - not establishing an overlay connection over the existing physical network connection for the application program.
  - 71. The method of claim 68 wherein the allowing the request comprises:
    - reusing an existing overlay connection over the existing physical network connection for the application program.
  - 72. The method of claim 68 wherein the not allowing the request comprises:
    - terminating the existing physical network connection; and
      
      establishing a new physical network connection for the request, wherein the new and existing physical network connections comprise different types of physical network connections.
  - 73. The method of claim 68 wherein the not allowing the request comprises:
    - maintaining the existing physical network connection; and
      
      establishing a new physical network connection for the request, wherein the existing physical network connection is maintained for a different application program.
  - 74. The method of claim 73 comprising:
    - establishing an overlay connection over the new physical network connection.
  - 75. The method of claim 68 wherein the allowing the request comprises:
    - routing the application connection over the existing physical network connection because the existing physical network connection includes an overlay connection.
  - 76. The method of claim 68 wherein the allowing the request comprises:
    - routing the application connection over the existing physical network connection because the existing physical network connection does not include an overlay connection.

77. A method for providing a secure network connection to a mobile communications device, the method comprising:
- receiving, at a first server, a request for a secure network account, the request being generated by the mobile communications device in response to a trigger;
  
  generating, at the first server, the secure network account, wherein the secure network account includes credentials for the secure network connection;
  
  transmitting the credentials to the mobile communications device; and
  
  establishing the secure network connection between the first server and the mobile communications device in response to receiving the credentials from the mobile communications device.
- View Dependent Claims (78, 79, 80, 81, 82, 83, 84, 85, 86, 87)
- - 78. The method of claim 77, wherein the secure network connection is a virtual private network (VPN) connection.
  - 79. The method of claim 77, wherein the trigger is an event or condition is defined by a secure network connection policy, the secure network connection policy including one or more rules identifying triggering events or conditions that cause the mobile communications device to automatically generate the request for the secure network account.
  - 80. The method of claim 79, wherein prior to the receiving, the first server provides a user of the mobile communications device with a recommendation for a secure network connection policy and receives a selection of a secure network connection policy from the mobile communications device.
  - 81. The method of claim 80, wherein the secure network connection policy is recommended by the first server based on contextual information retrieved from the mobile communications device.
  - 82. The method of claim 77, wherein the trigger is an action performed by a malware application on the mobile communications device or is an attempt by the mobile communications device to access a website.
  - 83. The method of claim 77, wherein the trigger is an application program on the mobile communications device identifying the mobile communications device as being lost or misplaced.
  - 84. The method of claim 77 further comprising providing, by the first server, a notification to the mobile communications device, the notification identifying a secure network connection status.
  - 85. The method of claim 77 further comprising deleting, by the first server, the credentials and the secure network account in response to the secure network connection being terminated.
  - 86. The method of claim 77, wherein the request for a secure network account is redirected by a second server to the first server based on a domain name system (DNS) address included in the request.
  - 87. The method of claim 77, wherein the request for a secure network account is redirected by a second server to the first server based on a latency between the mobile communications device and the first server.

88. A method for providing a secure network connection to a mobile communications device, the method comprising:
- generating, at a server, a secure network account that includes credentials for the secure network connection;
  
  transmitting the credentials to the mobile communications device;
  
  establishing the secure network connection between the server and the mobile communications device in response to receiving the credentials from the mobile communications device;
  
  identifying a trigger based on an analysis of network traffic in the secure network connection; and
  
  modifying the secure network connection in response to identifying the triggering event or condition.
- View Dependent Claims (89, 90, 91, 92)
- - 89. The method of claim 88, wherein the trigger is defined by a secure network connection policy, the secure network connection policy including one or more rules identifying triggering events or conditions that cause the server to perform one or more actions on the secure network connection.
  - 90. The method of claim 88, wherein the trigger is an action performed by a malware application on the mobile communications device or is an attempt by the mobile communications device to access a website.
  - 91. The method of claim 90, wherein the trigger is identified based on a domain name system (DNS) address retrieved from the network traffic.
  - 92. The method of claim 88 further comprising deleting, by the first server, the credentials and the secure network account in response to the secure network connection being terminated.

93. A method for establishing a secure network connection at a mobile communications device, the method comprising:
- identifying, at the mobile communications device, a trigger;
  
  automatically generating, at the mobile communications device, a request for a secure network account in response to identifying the trigger;
  
  transmitting the request for the secure network account to a server;
  
  receiving, from the server, credentials associated with the secure network account;
  
  automatically, at the mobile communications device, configuring a plurality of secure network connection settings on the mobile communications device based on the received credentials; and
  
  automatically establishing the secure network connection with the server.
- View Dependent Claims (94, 95, 96)
- - 94. The method of claim 93, wherein the trigger is defined by a secure network connection policy, the secure network connection policy including one or more rules identifying triggering events or conditions that cause the mobile communications device to automatically generate the request for the secure network account.
  - 95. The method of claim 94 further comprising providing, by the mobile communications device, a recommendation for a secure network connection policy to a user of the mobile communications device.
  - 96. The method of claim 95, wherein the secure network connection policy is recommended by the mobile communications device based on contextual information retrieved by the mobile communications device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Mahaffey, Kevin Patrick, Buck, Brian James, Strazzere, Timothy

Granted Patent

US 9,973,534 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/14   for detecting or protecting...

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

H04W 12/086   using security domains

METHODS AND SYSTEMS FOR SECURE NETWORK CONNECTIONS

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

199 Citations

96 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR SECURE NETWORK CONNECTIONS

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

199 Citations

96 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links