Methods and systems for secure network connections

US 9,973,534 B2
Filed: 11/04/2013
Issued: 05/15/2018
Est. Priority Date: 11/04/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

storing on a mobile communications device a security policy to manage network connections, the security policy received by the mobile communications device from a network administrator or from a server associated with an ultimate destination, the security policy including a plurality of rules defining events, situations, or conditions that trigger the automatic establishment of a secure network connection by a secure connection manager on the mobile communications device;

collecting, at the secure connection manager on the mobile communications device, a first context information associated with the mobile communications device including system state data of the mobile communications device, user activity on the mobile communications device, and information related to authentication of the mobile communications device;

collecting, at the secure connection manager on the mobile communications device, a second context information associated with a first network connection including a level of security of the first network connection and a provider of the first network connection;

collecting, at the secure connection manager on the mobile communications device, a third context information associated with an ultimate destination with which the mobile communications device is attempting to connect, the ultimate destination consisting of a server or a server system comprising one or more of a website, web server, and an application server;

evaluating, by the secure connection manager, the first network connection, the evaluation using the collected first context information, the collected second context information, the collected third context information, and the security policy, the evaluating occurring before the first network connection is established, after the first network connection is established, or while the first network connection is being established; and

based on the evaluation by the secure connection manager, determining, by the secure connection manager, that a secure network connection for use in the communication between the mobile communications device and the ultimate destination should be established instead of the first network connection between the mobile communications device and the ultimate destination, the secure network connection providing a level of security different from the level of security provided by the first network connection, the establishment of the secure network connection being automatically triggered by at least one rule in the received security policy.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Context information associated with a mobile communications device and a network connection for the mobile communications device is collected. A security policy is applied to determine whether the security offered by the network connection is appropriate for the context. If the security offered by the network connection is not appropriate for the context, the network connection may be made more secure, less secure, or a different network connection having an appropriate level of security may be used for the data associated with the context.

105 Citations

View as Search Results

46 Claims

1. A method comprising:
- storing on a mobile communications device a security policy to manage network connections, the security policy received by the mobile communications device from a network administrator or from a server associated with an ultimate destination, the security policy including a plurality of rules defining events, situations, or conditions that trigger the automatic establishment of a secure network connection by a secure connection manager on the mobile communications device;
  
  collecting, at the secure connection manager on the mobile communications device, a first context information associated with the mobile communications device including system state data of the mobile communications device, user activity on the mobile communications device, and information related to authentication of the mobile communications device;
  
  collecting, at the secure connection manager on the mobile communications device, a second context information associated with a first network connection including a level of security of the first network connection and a provider of the first network connection;
  
  collecting, at the secure connection manager on the mobile communications device, a third context information associated with an ultimate destination with which the mobile communications device is attempting to connect, the ultimate destination consisting of a server or a server system comprising one or more of a website, web server, and an application server;
  
  evaluating, by the secure connection manager, the first network connection, the evaluation using the collected first context information, the collected second context information, the collected third context information, and the security policy, the evaluating occurring before the first network connection is established, after the first network connection is established, or while the first network connection is being established; and
  
  based on the evaluation by the secure connection manager, determining, by the secure connection manager, that a secure network connection for use in the communication between the mobile communications device and the ultimate destination should be established instead of the first network connection between the mobile communications device and the ultimate destination, the secure network connection providing a level of security different from the level of security provided by the first network connection, the establishment of the secure network connection being automatically triggered by at least one rule in the received security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 2. The method of claim 1, further comprising:
    - upon determining that the secure network connection for use in the communication between the mobile communications device and the ultimate destination should be established instead of the first network connection between the mobile communications device and the ultimate destination, terminating the first network connection; and
      
      establishing the secure network connection for use in the communication between the mobile communications device and the ultimate destination, wherein the level of security provided by the secure network connection is greater than the level of security provided by the terminated first network connection.
  - 3. The method of claim 1, further comprising:
    - upon determining that the secure network connection for use in the communication between the mobile communications device and the ultimate destination should be established instead of the first network connection between the mobile communications device and the ultimate destination, terminating the first network connection; and
      
      establishing the secure network connection for use in the communication between the mobile communications device and the ultimate destination, wherein the level of security provided by the secure network connection is less than the level of security provided by the terminated first network connection.
  - 4. The method of claim 1 wherein the first context information further includes a location of the mobile communications device.
  - 5. The method of claim 1 wherein the third context information further includes an identifier of the ultimate destination.
  - 6. The method of claim 1 wherein the user activity includes at least one of:
    - an identification of a specific application program on the mobile communications device, a category of the specific application program, a day of week, and a time of day, and further wherein the category of the specific application program includes a financial services application.
  - 7. The method of claim 1 wherein the security policy stored on the mobile communications device originates from at least one of a user, an administrator for the mobile communications device, an administrator for a physical network to which the first network connection is made, and a network destination.
  - 8. The method of claim 1 wherein one of the first or secure network connection includes encryption of the respective network connection, the one of the first or secure network connection including the encryption providing a greater level of security than another of the first or secure network connection.
  - 9. The method of claim 1 wherein one of the first or secure network connection provides safe browsing by controlling a domain name system (DNS) server for resolving network addresses of all connections via whitelisting or blacklisting by specific domains or TLDs or categories of destinations, the one of the first or secure network connection thereby providing a greater level of security than another of the first or secure network connection.
  - 10. The method of claim 1 wherein the first network connection, secure network connection, or both includes at least one of Wi-Fi, virtual private network (VPN), macro cell network, small cell network, micro cell network, Bluetooth, near field communication (NFC), Zigbee/802.15.x/wireless personal area network (WPAN), mobile ad hoc network (MANET), and mesh network.
  - 11. The method of claim 1 wherein the mobile communications device includes a sessile thing of an Internet of Things (IoT).
  - 12. The method of claim 1 wherein the security policy stored on the mobile communications device is selected as a user preference.
  - 13. The method of claim 1 wherein the collected third context information further includes a category to which the ultimate destination belongs.
  - 14. The method of claim 13 wherein the category includes at least one of a cloud services provider, a financial services website, or a shopping website.
  - 15. The method of claim 1, the collecting a third context information further comprising:
    - storing, at the mobile communications device, a list including a plurality of ultimate destinations and a plurality of categories, each of the plurality of ultimate destinations being categorized into at least one category of the plurality of categories; and
      
      the evaluating the first network connection further comprising;
      
      scanning, by the mobile communications device, the list to identify a category of the ultimate destination,wherein the determination that the secure network connection for use in the communication between the mobile communications device and the ultimate destination should be established instead of the first network connection between the mobile communications device and the ultimate destination is made based on an identification of the ultimate destination being in a first category.
  - 16. The method of claim 1, the collecting a third context information further comprising:
    - transmitting, from the mobile communications device to a server, a request to identify a category of the ultimate destination;
      
      receiving from the server the category of the ultimate destination; and
      
      identifying the category of the ultimate destination as being in a first category,wherein the evaluation of the first network connection further uses the identification of the ultimate destination being in the first category.
  - 17. The method of claim 1 wherein the evaluation of the first network connection further uses a determination that the level of security provided by the first network connection is not appropriate based on user activity included in the collected first context information, the user activity including at least one of information identifying application programs used, browsing activity, files accessed and temporal data.
  - 18. The method of claim 1 wherein the evaluation of the first network connection further uses a determination that the level of security provided by the first network connection is not appropriate based on a location of the mobile communications device included in the collected first context information.
  - 19. The method of claim 1, the collecting a second context information further comprising:
    - storing, at the mobile communications device, a list identifying a plurality of physical network connection providers;
      
      scanning, by the mobile communications device, the list to determine whether a physical network connection provider for the first network connection is listed in the list; and
      
      identifying the physical network connection provider for the first network connection not being listed in the list,wherein the evaluation of the first network connection further uses the identification of the physical network connection provider for the first network connection not being listed in the list.
  - 20. The method of claim 19, the collecting a second context information further comprising:
    - receiving the list at the mobile communications device in response to a request to a server for the list.
  - 21. The method of claim 1, the collecting a second context information further comprising:
    - storing, at the mobile communications device, a list identifying a plurality of physical network connection providers;
      
      scanning, by the mobile communications device, the list to determine whether a physical network connection provider for the first network connection is listed in the list; and
      
      identifying the physical network connection provider for the first network connection being listed in the list,wherein the evaluation of the first network connection further uses the identification of the physical network connection provider for the first network connection being listed in the list.
  - 22. The method of claim 21, the collecting a second context information further comprising:
    - receiving the list at the mobile communications device in response to a request to a server for the list.
  - 23. The method of claim 1, the collecting a second context information further comprising:
    - storing, at the mobile communications device, a list including a plurality of physical network connection providers and a plurality of categories, each of the plurality of physical network connection providers being categorized into at least one category of the plurality of categories;
      
      scanning, by the mobile communications device, the list to identify a category of a physical network connection provider for the first network connection; and
      
      determining that the physical network connection provider for the first network connection is not in a first category,wherein the evaluation of the first network connection further uses the determination that the physical network connection provider for the first network connection is not in a first category.
  - 24. The method of claim 23, the collecting a second context information further comprising receiving the list at the mobile communications device in response to a request to a server for the list.
  - 25. The method of claim 1, the collecting a second context information further comprising:
    - storing, at the mobile communications device, a list including a plurality of physical network connection providers and a plurality of categories, each of the plurality of physical network connection providers being categorized into at least one category of the plurality of categories;
      
      scanning, by the mobile communications device, the list to identify a category of a physical network connection provider for the first network connection; and
      
      determining that the physical network connection provider for the first network connection is in a first category,wherein the evaluation of the first network connection further uses the determination that the physical network connection provider for the first network connection is in a first category.
  - 26. The method of claim 25, the collecting a second context information further comprising receiving the list at the mobile communications device in response to a request to a server for the list.
  - 27. The method of claim 1, the collecting a second context information further comprising:
    - sending a request to a server for the server to evaluate a physical network connection provider for the first network connection; and
      
      receiving a result from the server in response to the request,wherein the evaluation of the first network connection and further uses the received result.
  - 28. The method of claim 1 wherein the security policy comprises a collection of user choices or preferences.
  - 29. The method of claim 1 wherein the second context information is collected while the first network connection is established between the mobile communications device and the ultimate destination.

30. A method comprising:
- at a secure connection manager on a mobile communications device connected to an ultimate destination via a first network connection, receiving, from a server associated with the ultimate destination, a security policy specifying a particular type of network connection to be used during a particular situational context, and the particular situational context triggering the automatic establishment of a secure network connection by the secure connection manager on the mobile communications device;
  
  at the secure connection manager on the mobile communications device, collecting a first context information associated with the mobile communications device including system state data of the mobile communications device, user activity on the mobile communications device, and information related to authentication of the mobile communications device;
  
  at the secure connection manager on the mobile communications device, collecting a second context information associated with the first network connection including a level of security of the first network connection and a provider of the first network connection;
  
  at the secure connection manager on the mobile communications device, collecting a third context information associated with the ultimate destination with which the mobile communications device is attempting to connect, the ultimate destination consisting of a server or a server system comprising one or more of a website, web server, and an application server;
  
  evaluating, by the secure connection manager on the mobile communications device, the first network connection, the evaluation using the collected first context information, the collected second context information, the collected third context information, and the received security policy, the evaluating occurring after the first network connection is established; and
  
  upon making a determination that the collected first and second and third context information correspond to the particular situational context specified in the received security policy, determining, based on the evaluation by the secure connection manager, that a type of network connection established for use in a communication between the mobile communications device and the ultimate destination does not match the particular type of network connection specified in the received security policy, the establishment of the secure network connection being automatically triggered by the determining that the type of network connection established does not match the particular type of network connection specified in the received security policy.
- View Dependent Claims (31, 32)
- - 31. The method of claim 30 further comprising:
    - upon determining that the type of network connection established for use in the communication between the mobile communications device and the ultimate destination does not match the particular type of network connection specified in the security policy, terminating the first network connection and establishing the secure network connection for use in the communication between the mobile communications device and the ultimate destination, wherein a level of security provided by the secure network connection is greater than a level of security provided by the terminated first network connection.
  - 32. The method of claim 30 further comprising:
    - upon determining that the type of network connection established for use in the communication between the mobile communications device and the ultimate destination does not match the particular type of network connection specified in the security policy, terminating the first network connection and establishing the secure network connection for use in the communication between the mobile communications device and the ultimate destination, wherein a level of security provided by the secure network connection is less than a level of security provided by the terminated first network connection.

33. A method comprising:
- storing on a mobile communications device a security policy to manage different types of network connections, the security policy received by the mobile communications device from a network administrator or from a server associated with an ultimate destination, the security policy including a plurality of rules defining events, situations, or conditions that trigger the automatic establishment of a second type of network connection by a secure connection manager on the mobile communications device;
  
  collecting, at the secure connection manager on the mobile communications device, a first context information associated with the mobile communications device including system state data of the mobile communications device, user activity on the mobile communications device, and information related to authentication of the mobile communications device;
  
  collecting, at the secure connection manager on the mobile communications device, a second context information associated with a first network connection including a level of security of the first network connection and a provider of the first network connection;
  
  collecting, at the secure connection manager on the mobile communications device, a third context information associated with the ultimate destination with which the mobile communications device is attempting to connect, the ultimate destination consisting of a server or a server system comprising one or more of a website, web server, and an application server;
  
  evaluating, by the secure connection manager, a first type of network connection, the evaluation using the collected first context information, the collected second context information, the collected third context information, and the security policy, the evaluating occurring before the first network connection is established, after the first network connection is established, or while the first network connection is being established; and
  
  based on the evaluation by the secure connection manager, determining, by the secure connection manager, that the second type of network connection for use in the communication between the mobile communications device and the ultimate destination should be established instead of the first type of network connection between the mobile communications device and the ultimate destination, the establishment of the second type of network connection being automatically triggered by at least one rule in the received security policy.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 34. The method of claim 33 wherein the first and second types of network connections include different types of physical network connections.
  - 35. The method of claim 33 wherein the first and second types of network connections include a same type of physical network connection, one of the first or second types of network connections includes an overlay connection, and another of the first or second types of network connection does not include the overlay connection.
  - 36. The method of claim 33 wherein the first and second types of network connections include physical network connections, andwherein the first type of network connection includes at least one of a cellular network connection, a Wi-Fi network connection, or a Bluetooth network connection, and the second type network connection includes one of at least another of the cellular network connection, the Wi-Fi network connection, and the Bluetooth network connection.
  - 37. The method of claim 33 wherein the first and second types of network connections include physical network connections, andwherein the first type of network connection includes an overlay connection, and the second type of network connection does not include the overlay connection.
  - 38. The method of claim 33 wherein the first and second types of network connections include physical network connections, andwherein the first type of network connection does not include an overlay connection, and the second type of network connection includes the overlay connection.
  - 39. The method of claim 33 wherein the first and second types of network connections include a same type of physical network connection, andwherein the first type of network connection includes an overlay connection, and the second type of network connection does not include the overlay connection.
  - 40. The method of claim 33 wherein the first and second types of network connections include a same type of physical network connection, andwherein the first type of network connection does not include an overlay connection, and the second type of network connection includes the overlay connection.
  - 41. The method of claim 33 wherein the first and second types of network connections include different types of physical network connections, andwherein the first type of network connection includes an overlay connection, and the second type of network connection does not include the overlay connection.
  - 42. The method of claim 33 wherein the first and second types of network connections include different types of physical network connections, andwherein the first type of network connection does not include an overlay connection, and the second type of network connection includes the overlay connection.
  - 43. The method of claim 33,wherein the first type of network connection includes a physical network connection, and the second type of network connection includes an overlay connection established over the first type of physical connection.
  - 44. The method of claim 33,wherein the first type of network connection includes a physical network connection, and the second type of network connection includes a new overlay connection established over the first type of physical connection.
  - 45. The method of claim 33,wherein the first type of network connection includes a physical network connection, and the second type of network connection includes an existing overlay connection established over the first type of physical connection.
  - 46. The method of claim 33,wherein the second type of network connection includes a new physical network connection, and an overlay connection over the new physical network connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Mahaffey, Kevin Patrick, Strazzere, Timothy, Buck, Brian James
Primary Examiner(s)
Leung, Robert
Assistant Examiner(s)
Alata, Ayoub

Application Number

US14/071,366
Publication Number

US 20150128205A1
Time in Patent Office

1,653 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/14   for detecting or protecting...

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

H04W 12/086   using security domains

Methods and systems for secure network connections

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

105 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for secure network connections

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

105 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links