AU2012241073B2 - System and method for providing network security to mobile devices - Google Patents

System and method for providing network security to mobile devices Download PDF

Info

Publication number
AU2012241073B2
AU2012241073B2 AU2012241073A AU2012241073A AU2012241073B2 AU 2012241073 B2 AU2012241073 B2 AU 2012241073B2 AU 2012241073 A AU2012241073 A AU 2012241073A AU 2012241073 A AU2012241073 A AU 2012241073A AU 2012241073 B2 AU2012241073 B2 AU 2012241073B2
Authority
AU
Australia
Prior art keywords
mobile
security system
security
system
mobile security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
AU2012241073A
Other versions
AU2012241073A1 (en
Inventor
Shlomo Touboul
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cupp Computing AS
Original Assignee
Yoggie Security Systems Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to US60/750,326 priority Critical
Priority to US11/376,919 priority
Priority to AU2006324929A priority patent/AU2006324929A1/en
Application filed by Yoggie Security Systems Ltd filed Critical Yoggie Security Systems Ltd
Priority to AU2012241073A priority patent/AU2012241073B2/en
Publication of AU2012241073A1 publication Critical patent/AU2012241073A1/en
Assigned to CUPP COMPUTING AS reassignment CUPP COMPUTING AS Request for Assignment Assignors: YOGGIE SECURITY SYSTEMS LTD.
Application granted granted Critical
Publication of AU2012241073B2 publication Critical patent/AU2012241073B2/en
Application status is Active legal-status Critical
Anticipated expiration legal-status Critical

Links

Abstract

SYSTEM AND METHOD FOR PROVIDING NETWORK SECURITY TO MOBILE Abstract A small piece of hardware connects to a mobile device and fillers out attacks and malicious code. Using the piece of hardware, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. In one embodiment, a mobile security system includes a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy. 6777806_1

Description

S&F Ref: 864070D1 AUSTRALIA PATENTS ACT 1990 COMPLETE SPECIFICATION FOR A STANDARD PATENT Name and Address Yoggie Security Systems Ltd., of 42870 Beit Halevy, of Applicant: Israel Actual Inventor(s): Shlomo Touboul Address for Service: Spruson & Ferguson St Martins Tower Level 35 31 Market Street Sydney NSW 2000 (CCN 3710000177) Invention Title: System and method for providing network security to mobile devices The following statement is a full description of this invention, including the best method of performing it known to me/us: 5845c(6779239_1) SYSTEM AND METHOD FOR PROVIDINGNETVORK SECURITY TO MOBILE. :DEVICES PRIORITY CLAIM This application claims benefit of and hereby incorporates by reference provisjona patent application serial-number 60/750,326, entitled "Personal Security Appliance," filed-on December 11,1005, by inventor Shlom Touboul. TECHNICAL FIELD This~invention relates generallyto network security, and more particularly provides.a system and method for providing network securitytomdbile devices.

2 BACKGROUND The internet is an interconnection of millions of individual computer networks owned by governments, universities, nonprofit groups, companies and individuals. While the internet is a great source of valuable information and entertainment, the internethas also become a major source of system damaging and system fatal application code, such as "viruses," "spyware," "adware,""worms,"'"Trojan horses," and other malicious code. To protect users, programmers-design computer and computer-network security systems for blockingmalicious code from attacking bothindividual and network computers. !On the most part,network security-systems have been relatively successful. A-computei that connects to the internet from within an enterprise's network typically has two lines of defense. The -first line of defense includes a network security system, WMich may be part of tienetwoik gateway, that includes-firewals, anti-virus, anti-spyware and content filtering. The second line of defense includes individual security software on individual inachines, which is not typically as secure as the network security system and is thus more vulnerable to:attacks. In combination, the firsthand second lines-of defense together provide.pretty good security protection. However, when a device connects to the interniet without the intervening network security'system, the device loses its first line of defense. Thus, mobile devices (e.g., laptops, deskiops, PDAs such as RIM's Blackberry, cell phones, any Wirelessdevice tlaitconnects tothe internet, etc.) hen traveling outside the enterprise network are more vulnerable to attacks. Figure 1 illustrates an example network system-100 ofthe prior art Ntivork system 100 includes a desktop 165 and a mobile device 110, each.coupled to an-enterprise's intranet 115. The intranet 115 is coupled viainetvork security system 120 (Which may be p part of the enterprisd's:gateway) to the untrustedintemer130. Accordingly the desktop 105 and mobile device 110 access the internet 130 via the network security:system 120. A sediirity administrator 125 typically manages thenetwork security system 120 to assure that it includes the most current security.protection-and thus that the desktop 105 and mobile device 1.10 are protected from malicious code. Demarcation -135 divides the trusted enterprise 140 and the untrusted public internet '130. Because the desktop 105 and the mobile device 110 are connected to the internet 3 130 via the network security system 120, both have two lines of defense (namely, the network security system 120 and the security software resident on the device itself) against malicious code from the. internet 130. Ofcoursci although trusted, the intranet,1 15 can also be a source of maliciduscode. Figure 2 illustrates an example:networksystem 200 of the prior art,.when the mobile device-1A0 has traveled outside the trusted enterprise 140 and reconnected to the untrusted internet.130. This could occur perhaps when the user takes mobile device 110 on travel and -connectsto the internet 130:at a cybereafd, at a hotel,.or via any untrusted wired or wireless. connection.- Accordingly, as shown, the mobile device 1,10:is no longerprotectedbythe first line of defense (by thenetwork security.system 120) andthus has increased its risk of roceiVing mnligious code. Further, by physically-bringing the mobile device 110 back into the trusted enterprise-140 andireconnecting from-within, the-mobile device .110'risks transferring any malicious code received tothe intranet 115. As the number of mobile devices and the number of attacks grow, mobile security is becoming increasingly important. The problem was.emphasized in the recent Info-Security Conference in New York on December 7-8, 2005. However, no complete solutions were, presented. There is a need for personal security appliances capable of providing levels of network security as provided-by -nterprise network security systems.

4 SUMMARY One aspect of the present disclosure uses a small piece of hardware that connects to a mobile device and filters out attacks and malicious code. The piece of hardware may be referred to as a "mobile security system" or "personal security appliance." Using the mobile security system, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. In an aspect, a mobile security system includes a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy. The connection mechanism may include at least one of a USB connector, a PCMCIA connector, an Ethernet connector, and a BlueTooth communication module. The network connection module may include a network interface card that implements WiFi, WiMAX, GPRS, GSM, UMTS, CDMA, Generation 3, other cell phone internet connection protocols, etc. The security engine may include at least one of an antivirus engine, an antispyware engine, a firewall engine, an IPS/IDS engine, a content filtering engine, a multilayered security monitor, a bytecode monitor, and a URL monitor. The security policy may performs weighted risk analysis based on content type, content source, content category, or historical actions of the user. The remote management module may be capable of receiving security policy updates, security engine updates, and security data updates (including malicious content signatures). The mobile security system may include a distribution module capable of forwarding updates to other mobile security systems, and/or a backup module capable of storing at least a portion of the boot sector of the mobile device should the boot sector of the mobile device become compromised. The mobile security system may include a remote configuration module capable of communicating with a wizard, the wizard being in communication with an enterprise network security system, the wizard capable of substantially automatic generation of policies and data based on the policies and data on the enterprise network security system, the remote configuration module capable of installing the policies and data generated by the wizard. The mobile security system may include a preboot memory that is not accessible during runtime, the preboot memory storing a copy of at least a portion of the operating system of the mobile security system, the mobile security system being configured to load the operating system portion every time the mobile security system is rebooted. 9096410_1 5 In another aspect, a method comprises receiving a network connection request from a mobile device outside of a trusted network; acting as a gateway to a network on behalf of the mobile device; receiving information intended for the mobile device from the network; and determining whether to forward the information to the mobile device in accordance with a security policy. In another aspect, a mobile security system comprises means for acting as a gateway to a network on behalf of a mobile device outside of a trusted network; receiving information intended for the mobile device from the network; and determining whether to forward the information to the mobile device in accordance with a security policy. In yet another aspect, a method comprises receiving internet traffic on a mobile device via a wireless connection; redirecting the internet traffic at the kernel level to a mobile security system; scanning the internet traffic for violations of a security policy; cleaning the internet traffic of any violations of the security policy to generate cleaned internet traffic; and sending the cleaned internet traffic to the mobile device for execution. In still another aspect, a system comprises a wireless network interface card on a mobile device for receiving internet traffic; a kernel-level redirector on the mobile device for redirecting the internet traffic at the kernel level to a mobile security, system; a security engine for scanning the internet traffic for violations of a security policy and for cleaning the internet traffic of any violations of the security policy to generate cleaned internet traffic; and a connection mechanism for receiving the redirected internet traffic from the kernel-level redirector and for sending the cleaned internet traffic to the mobile device for execution. A yet further aspect of the present disclosure provides a mobile security system a mobile security system, comprising: a runtime memory; a preboot memory for storing at least a portion of the operating system, wherein the preboot memory is configured to copy and load the at least a portion of the operating system into the runtime memory when the mobile security system is rebooted; a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device, the mobile device having a mobile device processor; a network connection module for receiving content intended for the mobile device; security policies for defining unacceptable malicious content; security engines for examining the content received by the network connection module for the unacceptable malicious content as defined by the security policies, the security engines operating at different layers of the OSI stack; and a mobile security system processor executing the security engines in the runtime memory using the operating system, the mobile security system processor being different than the mobile device processor. 9096410_1 5a A further aspect of the present disclosure provides, in a mobile security system having a mobile security system processor, a method comprising: storing at least a portion of an operating system of the mobile security system in a preboot memory of the mobile security system; copying and loading the at least a portion of the operating system into a runtime memory of the mobile security system when the mobile security system is rebooted; receiving information intended for the mobile device from the network, the mobile device having a mobile device processor different than the mobile security system processor; and examining by the mobile security system processor the information for unacceptable malicious content as defined by security policies involving different layers of the OSI stack, wherein the mobile security system processor uses the operating system to examine the information for the unacceptable malicious content. A further aspect of the present disclosure provides a mobile security system comprising: means for storing at least a portion of an operating system of the mobile security system in a preboot memory of the mobile security system; means for copying and loading the at least a portion of the operating system into a runtime memory of the mobile security system when the mobile security system is rebooted; means for receiving information intended for the mobile device from the network, the mobile device having a mobile device processor; and a mobile security system processor, the mobile security system processor being different than the mobile device processor, the mobile security system processor for examining the information for unacceptable malicious content as defined by security policies involving different layers of the OSI stack, wherein the mobile security system processor uses the operating system to examine the information for the unacceptable malicious content. 9096410_1 6 BRIEF DESCRIPTION OF THE DRAWINGS Figure I is a block diagram of a-prior art network system in a first-state. Figure 2,is a block diagram of a prior art network system in a second state. Figure 3 is a block diagram of a network system in accordsmce.with an embodiment of the presentinvention. Figure 4 is a block diagram illustrating details of a computer system in accordance with aneinbodiment of the present invention. Figure 5 is a block diagram illustrating details of-the mobile security system in accordance with an embodiment of the present invention. Figure 6 is ablock diagram illustiating.details of the rnobile security systemrin accordance with a Microsoft Window's embodiment. Figures 7 is a block diagram illustrating details of a smart policy updating system in accordance with an embodiment of the present invention. Figure 8 is- block diagram illustrating details-of network security measures-relative to the OSI layers. Figure 9 is ablock diagram illustrating details of the communication-iedinique for spreadirigsedirrity code:to the mobile security systems. Figures iOA-10C are block diagrams illustrating various architectures for connecting a mobile device to a mobile security system, in accordance with various embodiments of the present invention.

7 DETAILED DESCRIPTION The following description is provided to enable any-person -skilled in the art to make and. use the invention, and is provided in the context of a particular application and its requirements. Various modifications to the embodiments may be possible-to those skilled in the art, and the generic-principles defined herein may be applied to these and other embodiments and applications without departing from the spirit-and scope of the invention. Thus, the present invention is not intended to be-limited to'the embodiments shown, but.is to be accorded the widmst scope consistent with the principles, features and teachings disclosed herein. An embodiment of the present invention uses a small piece of hardware that connects to a mobile device and filters out attacks and malicious code. The piece of hardwaie may be-referred to'as a "mobile security system" or "personal security appliance." Using the mobile security system, a mobile device- can-be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. Figure 3,illustrates a network system 300 in accordance with an pmbodimentof the present invention. Network:system 300 includes a desktop 305, a first mobile device:310a, and a second niobie device-310b. The first mobile device 3 1 0a is illustrated as within the enterprise, network340 at thislime and is coupled via a mobile sectirity system 345a to the enterprise's intranet 315. The desktop305 and'second mobile device31 Ob are also within the enterprise network 340,but in this embodiment are coupled-to the intranet 315 without an intervening mobile security system 345'such as mobile security system.345b. The intranet 345 is coupled via a-network security system 320 (which may be part of the enterprise's gateway) to the untrusted internet 330. Adcordingly, the first'mobile device.310A, the second inobiledevice -31 Ob and the desktop 305 access the untrusted internet 330 via the network security system 320. Each may also be-protected by a personal security system resident thereon (not shown). A third mobile.device 310c is currently outside the enterprise-network 340 and.is coupled visa mobile security system 345b.to the untrusted internet 330. The third mobile device 3-10 may be in use by an employee-of the trusted enterprise 340 who is currently on travel. A security administrator 325 manages-the mobile security system 345a, the mobile security system 345b, and the network 8 security system 320 to assure that they include the most current security protection. One skilled in the atu will recognize that the same security administrator need not manage the various devices. Further, the security administrator could-be the user and need not be within the trusted enterprise 340. Demarcation 335 divides tie trusted enterprise 340 and the untrusted publicly accessible internet 330. Each of mobile device 3 10a, 31 Ob and 31 Oc may be referred to generically as mobile device 310, although they need not be identical. Each mobile security system 345a and 345b may be referred to generically as mobile security system 345, although they need not be identical. As shown, although the mobile device 31 Oc has traveled outside the trusted enterprise 340; the mobile device 310c connects to the untrusted internet 330 via the mobile security system .345b and thus retains two lines of defense (namely, the mobile security system 345b and the security software resident on the device itself). In this embodiment, the mobile security system 345 effectively acts as a rMobile internet-gateway on behalf of the mobile device 10c. Inan embodiment, the mobile security system 345 may be a device dedicated to network security. In an embodiment, each mobile-secuiity system 345 may support multiple mobile devices 10, and possibly only registered mobile devices 310, e.g., those belonging-to ditefprise 340. Each-mobile security sysferi 345 (e.g., 3 4 5a;345b) may be a miniature server, based on commercial.hardware (with Intel's Xscale as the core),.Linux OS and network services, and 6pen-sourcc firewall, IDS/IPS and tivirusprotection. The mobile security system 345 may be based on a hardened embedded Linux 2.6. In this embodiment, because the security administrator'325 is capable of remotely communicating-with the mobile security system 345b, IT can monitor and/or update the security policies/data/engines implemented on the mobile security system 345b. The security administrator 325 can centrally.manage all enterprise devices, remotely-or directly. Further, the security administrator 325 and mobile security systems 345 can interact to automatically translate enterprise security policies into mobile security policies and configurd mobile security 9 systems 345 accordingly. Because the mobile security system 345 may be generated from the relevant security policies-of the enterprise 340, the mobile-device 310c currently traveling may. have the same level.of protection as the devices 305/310 within thetrusted enterprise 340. The mobile security system 345 may be designed as an add-on to. existing software security or to replace all security hardware and software on a traveling mobile device. These security applications will preferably operate on different OSI layers to provide maximum security and malicious code-detection, as shown in the. example system illustrated in Figure 8. Operating on the.lower OSI layers and.doing TCP/IP packets analysis only (by screening firewall or routerpackets) would miss:virus and/or worm behavior. Also, manymodernviruses use mobile code implemented on a "higher"l evel-than the 7 ' OSI layer (Application -- HTP, FTP, etc.) and therefore cannot be interpreted at the packet layer nor at the application layer. For example, applying antivirus analysis only at the session or transport layer on.a malicious Java Scipt (that is included in An HTML page),trying to match the signature with packets and without understanding the content type (Java Script), willnot detect the malicious nature of the Java Script To offer greater protection, the mobile security system 345 may act as corporate class security appliance and engage different security applications based'on the content type and the appropriate OS11ayers, (or even a "higher" level if content is encapsulated inthe.application laye-).. The mobile security systei345 maybe configured topeform ontent analysis at different 0S1 layers, e.g., from the packet level to'the application level. It will be appreciated that performing deep inspection at the application levelis critical to detect malicious content behavior andimprove detection of viruses,.wonmsspyware, Trojan horses, etc. The following, software packages may be impleimentedion the mobile security system 345:. Firewall and VPN- including stateful and stateless firewalls, NAT, packet filtering and manipulation, DOS/DDOS, netfilter, isolate user mobile devices frord the intemet and run VPN program on.the deviceetc. . Optional web accelerator and bandwidth/cache management based on Squid. * D)S/IPS - Intrusion -detection and prevention system based on Snort Snort is:an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol- and anomaly-based inspections.

10 - Antivirus and antispywarc based on ClamAV; additional AV and AS engines, e.g., McAfee, Kaspersky, Pandamay, may be offered for additional subscription fees. - Malicious Content Dctcction- on the fly heuristics that perfoun content analysis to detect malicious content before having signatures. This-will be based on a rule base and updated rules and will be content dependent scanning. *. URL Categorization Filtering- based on a commercial engine, such as Surfcontrol, Smart Filters or Websense. May provide-around 70 categories of URLs such as:gambling, adult content, news, webmail, etc. The mobile device 345 may apply different security policies based on.the URL category, e.g., higher restriction and heuristics for*Gaimnbling or Adult content web sites, etc. FIG. 4 is a block diagram illustrating details of an example. computer system 400, of which each desktop-305,.mobile.device 310, network security system 320, mobile security system 345, and security administrator 325 may-be an instance. Computer system 400 includes a processor 405, such as an Intel'Pentiumo microprocessor or a Motorola 'Power PC microprocessor, coupledto a communications channel 410. The computer system 400 further includes an input device 415 such asa keyboard or mousc,-an.output device.420*such'as a cathode ray tube display, a communications device 425, a data storage device 430 such as a magnetic disk, and.memory 435 suahas Random-Access Memory (RAn), each coupled to the communications channel 410. The communications interface 425 may be coupled directly or via a mobile security 'system 345 to a network such'as theiinternet. One skilled.in the art will recognize that,.although the data storage.device 430 and memory 435 are illustrated as different units, the data'storage device 430 and memory 43 can be parts of-the same-unit, distributed units, virtual memory, etc. The data storage device 430. and/or memory 435 may store an operating system 440 such as the Microsoft Windows XP, the BM OS/2 operating system, the MAC OS, UNIX OS, LINUX OS and/or other programs 445. It will be appreciated that a preferred embodiment may also be implemented on platforms and operating systems other than those mentioned. An embodiment may be written using JAVA, C, and/or C++ language, or other programming languages, possibly using object oriented programming methodology.

11 One skilled in the art will recognize that the computer system 400 may also include additional information, such as network connections, additional memory, additional processors, LANs, input/output lines for transferring information across a hardware channel, the intemet or an intranet, etc. One skilled in the art will also recognize that the programs and data may be received by and stored in.the systeinin alternative ways. For example, a computer-readable storage medium (CRSM) reader 450 such-as a magnetic disk drive, hard disk drive, magneto optical reader, CPU, etc. may be coupled toithe communications bus 410 for reading'a computer readable storage medium (CRSM) 455 such as a magnetic disk, a hard disk, a magneto-optical disk, RAM, etc. Accordingly, the computer system 400 may receive-programns and/or data via. the ONSM reader 450. Further, it-will be appreciated that the term "memory":herein is intended tooverall data storage media whether permanent or temporary. Figure-5,is-a block diagrim illistrating details of the mobile security'system 345 in accordance with an embodinent ofthe present inVention. Mobile security system 345 includes adapters/ports/drivers:505, memory 510, aprocessor 515, a preboot flash/ROM memory module 520 storing a secure version of the mobile security system's operating'systemiand other applications, network connection module 525, security engines 530, secWity policies 535, security-data 540, remote management module 550, distribution module 555jand backup module 560. Although these modules are illustrated as within thd mobile sechirity system 345,.one skilled in the art-will recognize that:many of them could be located cisewhere, e:g., op the security administrator 325 or on third-party-systems iii communidation with the-mobile security system 345. The mobile security system:345 may be in a pocket-size, handheld-size or key chainisize housing, or possibly smaller. Further, the mobile security system 345 may be incorporated within the mobile device3 10. The adapters/ports/dvers 505.inbludesconnection mechanisms (including software, e.g., drivers) for USB, Ethemnet, WiFi, WiMAX, GSM, CDMA, BlueTooth, PCMCIA and/or other connection data ports on the inobile security.system 345. In one embodiment, the adapters/ports/drivers 505-may be capable of connection to multiple devices:3-10 to provide network security to the multiple devices 310.

Memory 510 and processor 515 execute the operating~ system and applications on the mobile securi.ty system 345. In this example, the preboot flash 520 stores the operating system and applications. At boot time, the operating system and applications are loaded from the preboot flash 520 into-memory 510 for execution. Since theoperating system and applications are stored in the preboot flash 520, which cannot be accessed during runtime by the user, the operating system and applications in the preboot flash 520 are not corruptible. Should the copy of the operating system-and applications in.memory 510 be corrupted, e,g., by malicious code, the operating system and applications may be reloaded into the memory 510 from the reboot flash 520, e.g., upon restart. Although described as stored within the preboot flash 520, the OS and applications can be securely stored within other read-only memory devices, such as ROM, PROM, EEPROM, etc. Memory (including memory 510 and preboot flash 520) on the mobile security system 345 may be divided into zones as shown in Fig. 11. Upon each "hard" restart, the boot loader(resident at area 1) of the mobile security system 345 copies the kernel and security applications (a fresh unchanged copy) from area I to 2. This causes a clean version of the OS and applications to be loaded into area 2 each time. That way, if a special mobile security system 345 attack is developed, the attack 'will be unable to infect the 12 13 system, since the OS and applications are precluded from accessing memory area I during runtime. Further, any attack that does reach memory 510 will be able to nm only once and will disappear upon a hard restart. A triggering mechanism may be available to restart the mobile security system 345 automatically upon infection detection. The network connection module 525 enables network connection, e.g., to the internet 330 :oi.the intranet 31 5,via network communication hardware/software including WiFi, WiMAX CDMA, GSM, GPRS, Ethernet, modem, etc. .For example, if the mobile device 310 wishes to connect to the internet 330 via a WiFi connection, the adapters/ports/drivers:505 may be connected o the PCLport, USB port or PCMCIA port of the mobile-device"310, and the network connection module 525 of the mobile security system 345 may include a Wifi network interface card for connecting-to wireless access points. Using the network connection module 425, the mobile security system 345 may communicate with the network as a secure gateway for the mobile device 310. Other connection architectures are described in Figures 10A-10C. The-security engines 530 execute security programs based on.the security policies 535 and on security data540, both of which may be-developed by IT managers Secuiity engines 530 may include firewalls, VPN, IPS/IDS,;anti-virus, anti-spyware, malicious content filtering, multilayered security monitors, Java and bytecode-nonitors, etc. Each security engine 530 may haverdedicated security policies 535 and security data 540 to-indicate which prodedures, content, URLs,;system calls, etc. the:engines 530 may or may not allow. The security engines 50r, security policies 535 and security data 540 may be the same as,-a subset of,,and/dr developed from the engines, policies and data on the network security system 320. To provide-a higher security iovel provided by antivirus and antispywwe software, the -security engines 530.on each mobile'security system 345 may implement content analysis and risk assessment-algorithms. Operating for. example at OSI Layer 7 and above (mobile code encapsulated within Liyer 7), tiese'algorithms may be executed by dedicated High Risk Content Filtering (HRCF) that can be controlled by a rules engine and rule updates. The HRCF Will be based on a powerful detection library that can perform deep.content analysis to verify'real content types. This is because many attacks are hidden within wrong mime typesand/or may use 14 sophisticated tricks to present a text file type to a dangerous active script-or Activ6X content type. The HRCF may integrate with a URL categorization security enginc530 for automatic rule adjustment based on- the URL category. In one embodiment, when the risk level increases (using the described mechanism) thermobile security system 345 may automatically adjust and increase filtcring to remove more active content from the traffic. For example, if greater risk is determined, every piece of mobile code, e.g.,.Java script, VB script, etc. may be stripped out. Three aspects for integration With corporate policy server legacy systems include rules, LDAP and active directory, and logging and reporting as discussed below. In one embodiment, a policy airport agent running on-the security administrator 325 will access the rule base-of Checkpoint FirewallIand Cisco PDC Firewalls and import them into a local copy. Arule analysis module will process the important rules and will offer out-of-the-box rules and policies for mobile security systems.345 This proposed policy will 6ffer all mobile security systems 345 a best fit of rules that conform the firewall policy of the enterprise 340. The agent will run periodibally to reflect any changes and generate.updates for mobile security system 345 policies .535. TheLDAP and Active Directory may be integrated with the directory service tonaintain mobile-security system 345 security policies 535 that respond to the enterprise's directory definitions. For example, a.corporate policy for LDAP user Group "G"-may automatically propagate to all mobile security:systems 345 in "G" group.' M6bile security system 345 local logs-im&udit trails maybe sentin accordance to a logging and reporting policy to a central log stored at-the security kdministrator 325. Using a web interface, IT may b'e abl' todnerate Reports and audit views related to all.mobile device 310 users, their internetexperiences, and attempts to bring infected devices back to the enterprise 340. IT will be able:toforwrdevents and log records. into legacy management-systems via SYSLOG and SNMP Traps. . The security engines 530 may perform weighted risk analysis. For exanile, the security engine 530 may analyze .HTTP, FTP, SMTP, POP3, IM, P2P, etc. including any traffic arriving from theintemet 330. The security engine 530 may assign-a weight and rank'forievery object, based on its type, complexity, richness in-abilities, source of the object, etc. The security engine. 530 may assign Weight based on the source'using a list of known dangerous or known safe sources. The security engine 530 may assign weight to objects based on the category of the 15 source, e.g., a gambling source, an adult content source, a news source, a reputable company source, a banking source, etc. The security engine 530 may calculate the weight, and based on the result determine whether to allow or disallow access to the content, the script-to run, the system modification to occur,. etc. The security engine 530 may "learn" user content (by analyzing for a predetermined period of time the general content that the user accesses) and accordingly may create personal contdnt profiles. The personal content profile may be used to calibrate the weight assigned to content during runtime analysis.to improve accuracy and tailor weighted risk analysis for specific user-characteristics. In soie embodiments, the security engines 530, security policies 535 and security data 540 may enable bypassing the mobile security system 345. The security policy 535, set by the security administrator 325, may include a special: attribute to force network connection through the mobile security system 325 when outside the- trusted enterprise 340. Thus, if this attribute is set "on," when a mobile device.310 attempts to connect to -the internet 330 without the mobile security-system 345 and not from within the trusted enterprise 340, all data transfer connections including LAN connection, USB-net, modem, Bluetooth, WIFi, etc.-may be closed. The mobile device 3i0 may be totally isolated and unable toconnect to any network,.including the internet 330. In one embodiment, to enable this, when.first connecting the mobile security system 345 to the mobile device.3i0Ausing forexample the USB cable.(for both.power and USB connection creation), the USB plug & play device driver will be sent into the mobile device 310. The installed driver may be "Linuxinf" which allows-a USB-aet connection for themobile security system 345. This connection allows the mobile security system 345 to access the internet 330 via the USB port-and using themobile dcvice.310 -network connection plus additional code ("the connection client"). In a Windows example, the connection client may be installed at the NDIS level of the mobile device 310 above all the network interface cards of every network connection as-shownin Figure 6. The implementation will be as an NDIS Intermediate (IM) Driver or 'NDIS-Hfooking Filter Driver. Both implementations may be at the kernel level, soithat an end user cannot stop or remove it. When starting the mobile device 310, the connectioil client may attempt to connect to the.security administrator 325 or the network security system320 locally 16 within the trusted enterprise 340. If the-node is not found (finding via VPN is considered as not found in local LAN),-the connection client will assure iis working from outside the trusted enterprisee 340 and expects to find the mobile security system 345 connected, e.g., via USB-net or other connection mechanism. If the mobile security system 345 is not found, the connection client may:avoid any communication to any network connection. By a policy definition, this behaviorican be modified to allow communication to-the enterprise .340 via VPN.instaled.in the mobile device 310' Similarly, in case'ofa mobile device system 345 failure, all traffic'may be disabled, except for the VPN connection into the enterprise.340. It will be appreciated that NDIS-is ond possible.implementation of intercepting traffic at the kemel leyel. For example; in another embodiment, the system may'h obk Winsock or apply, otherways that may be infuture Windows versions. In an embodiment where them6bilesecurity system345 supports multiple mobile devices 310,the security-engines 530, security policies 535 and security data 540 may be different for each mobile device 31 0.(e.g., based on for example user preferences or IT decision). Alternatively, it'can apply the same engines 530 policies 535 and data 540 for alt connected devices31 0. The remote 'management module 550'enables communication with security administrator 325 (and/or other security-administrators), andenables local.updating of security erigines 530, security policies 535, security data 540 including signatures and other applications. In one: embodiment, modification to the security policies 535 and data 540:can be done by the security administrator 325 only. The remote management module 550 of the mobile security system 345 may -receive updates from an update authoities device (UAD), e.g., on-the security 'administrator 325 via a secured connection. A UAD may operate on an update server at a customer IT center located on the internet.330 to forward updates to mobile security systems 345 thatpossibly do not belong to an enterprise 540 in-charge of managing updates. A UAD may operate on a mobile security system 345. Security engine 530 updates may modify the antivirus engine DLL, etc. OS and security application updates may be-implemented only from.within the enterprise 540 17 while connecting to the security administrator 325 and via an encrypted and authenticated connection. The security administrator 325 can modify URL black and white lists for remote-support to traveling users. [n case of false positives, the security administrator 325 may. allow access to certain URLs, by bypassing the proactive heuristics security but still monitoring by firewall, antivirus, IPS/IDS, etc. Additionaltremote device-management features may enable the security administrator 325 to perform.remote diagnostics, access local logs, change configuration parameters, etc. on the mobile security system 345. The security administrator 325 may delegate tasks to a helpdesk for support. The remote management module 550 may commlinicate-with a wizard(e.g., wizard 745), which may he on the security administrator 325,.as illustrated'ih Figure .7 or on another system. Details ofthe wizard 745 and details of the communication schemes between the remote management module 550 and the wizard 745 are described below withireference to Figure 7. The distribution module 555 enables'distribution of updates, e.g., security-policy 535 updates including role updates,.security data 540 updates includingsignature updates, security engine 530 updates, applidationOS updates, etc. by the mobile security system 345 to N other mobile security: systems 3q45. A routing table identifying-the N other mobile security systems. 345 to whom to forwardthe updates may be provided to the distribution module 555 to enable system 345 to system.345 communication. Updates-may be implemented according to policies set by the.seciirity administrator 325. When forwarding updates, the distribution module 555 acts as.a UAD. - Each mobile security system 345 may obtain its routingtable.with securty information updates, periodically, at predetermined times, upon login, etc. The routing tables may be maintained on aserver, e.g., thersecurity-administrator325 or another.mobile security system 345. In oneembodimentthe mobile security systems 345 may contact the server to retrievethe routing tables. Alternatively, the server may push the routing tables-to the mobile security systems 345.

18 The dist-ibution.inodule 555 may enable rapid updates as shown in Figure 9. Currently, all commercial antivirus products available do not update devices faster than viruses spread. To assure that a new virus attack does not spread. faster than for example signature updates, each mobile security system 345 may be an active UAD. In one embodiment,.as-shown in Figure 9, each mobile security system 345 is responsible for forwarding the-signature updates to four other devices.345. As ae skilled in the art will recognize, all devices 345 need to:forward-to the same number of other devices 345. Multiple devices 345 may be responsible for forwarding to the same device-345. When necessary, offline devices 345,being-activatedmay-poll the server, e.g., the security administrator 325, for routing table.updates. Many other updating techniques are also.possible. The backup module 560 may constantly backup image and changes of the boot sector and system files of the mobile device 310-into-the flash memory 520,or into another.persistent memory device.' That way, in case of majorfailure, including a loss of the system or boot sector of the mobile device 310, the-mobile'secwity system 345 may be identified as a CD-ROM during reboot and may launch the backup module (or separate program) to restore the.boot sector and system files on the mobile.device 310, thereby recovering the imobiledevice 310 without the need for IT support. In an embodiment where the network security system 345 suppbrtsmiultiple mobile devices 310, the backup-module 560 may contain separate boot sector and, ystemfiles for each of the mobile devices 310, if different. Figure 7 is a block diagram illustrating details of asrart policy 'pdating.system.700 in accordance With an embodiment of the present invention. System 70 includes the security administrator 325 coupledito the network security system 320 ando the mobile-securityisystem 345. The-network security system 320 includes:secuiity engines 705, including antivirus engine 715, an IPSIIDS engine 720, a firewall engine 725, and other security engines. The network- security system 320 also includes security joficies- and data 710, including antivirus policies and~data-730, IPS/IDS policies and data 735, fiiewall policies and data 740, and'other policies and data. Similarly, the mobile security system 345 includes an antivirus engine 755, an IPS/IDS engine 760, a firewall engine.765, and other engines. The mobile security system,345 19 alsoincludes security policies and data 535/540, including antivirus security policies and data .170 IPS/IDS security policies and data 775, firewall security policies and data 780, and other security policies and data. The security administrator 325 includes a wizard 745 for-enabling substantially automatic initial and possibly dynamic.setup of the security engines 530, security policies 535 and security data 540 on the mobile security system 345. In one embodimentthe wizard 745 may .automatically-load -all security engines 705 and policies and data 710 of the network security system 320 as the security engines 530 and policies and data 535/540 on the mobile security systeni 345. -In.andther embodiment, the wizard 745 may includeall security engines 705 and policies and data 710:except those known to be irrelevant,- e.g:, those-related to billing software used by accounting, those relating to web software running only on the web serversetc. In another embodiment, the engines 530 would need to be.loaded-by anIT manager, and wouldn't berloaded automatically by the wizard 745. In one embodiment, the wizard 745 may determine whether the mobile security system 345 requkes a particular security engine:530, e.g., an antivirus engine 755, IPS/IDS engine .760, firewall engine 765, etc. If so determined, then the wizard 745 would loaa the engine 530 onto the mobile security system 345. The wizard 745 would then determine which policies and data sets, e.g., sdme for antivius engine 755,some for the IPS/IDS engine 760, some for the firewall engine.765, etc. are important to-the mobile security system 345. The wizard 745 will then determine which of the antivirus policies and data 730:dn the network security system 320 are relevant to the antivirus policies and data 770 on the mobile security system 345, which of the. IPS/IDS policies and data 735 on-the network security system 320 are relevant to the IPS/IDS policies and data 775 on the mobile security system 3:45, which of the firewall.policies and data 740 on the network security system 320 are relevant to the firewall policies anddata 750 on the mobile security system 345: and which of the other-policies and data on the network security system 320 are teleyant to the policies and data on the mobile security system 345. As stated above, the wizard 745 may determine that all security engines 705 or just a subset are: needed on the mobile security system 345. The.wizard 745 may determine:that all policies and data 710 for a given engine type o just a subset should be forwarded. The wizard 745 rriay determine which 20 relevant policies and data 710 should be forwarded to the mobile security system 345 based on rules developed by an IT manager, based on item-by-item selection during the setup proccdure, etc.. Alternative to the wizard 745, an.IT manager can setup the engines 530 and policies and data 535/540 on the mobile security system 345 without the wizard 745. The security administrator 325 may also include an update authorities device 750. The update authorities device 750 may obtain security system updates (e.g.,. signature updates) and may send the updates to the network security-system 320 and to the mobile security system 345. One skilled in the art will recognize that the updates to the network security system 320 and the updates. to the mobile-security system 345 need not be the same. Further, the update authorities device 750 may obtain the updates.from security managers, security engine developers, antivirus specialists, ctc. The update authorities device 750 may forward the updates: to all network. security. systems 320 and all mobile security systems 345;. or may forwardrouting tables to all mobile security systems 345 and the updates only to an initial set-of mobile security systems 345. Theinitial set of mobile security systems 345 may forward the updates to the mobile security systems 345 identified in the routing tables in a P2P manner, similar to the process illustrated in Figure 9. As stated above, each mobile security system 345 operating to forward-updates is itself acting as an update authorities device 750. Other applications may be included on the mobile security system 345. For example, add-on:applications for recurring revenue from existing customers may-include general email, anti-spam, direct and secured email delivery, information vaults, safe skype and other instant messaging services, etc. - Email Security and Anti-spam - implementation of mail relay on mobile security systems 345 (including the web security engine above) and a local spam-quarantine-(based on SendMail or similar process) may implement a complete mail security suite (SMTP and POP3) including anti-spam with real time indexing (via online web span quarries). Users may have access to-the quarantine to review spain messages, releasemessages, modify and custom spam rules,.etc., via a web interface. - Direct and Secured Email Delivery based on mail relay will allow-the mobile:sectirity system 345 .to send.user e-mail directly from one mobile security system 345 to another 21 mobile security system 345 without using in route mail shivers. This allows corporate users to send emails-thatneed not travel in the intent, thus leaving race and duplicates on different unknown mail servers in route. This combined with the ability to use a secured pipe between two mobile security systems is valuable to corporations. Without such methodology, people could trace emails exchange without accessingsto the enterprise's mail server,-by trackirig down copies in ihtermediate-mail servers that were used to deliver the messages. * Information Vault - Application.to encrypt and store end usei information on the mobile security system 345 may be available only to authorized users via a web interfaed and'a web server implemented on every-mobile security system 345 (e.g., BOA, Apache, etc.) * Safe.Skype. and Other IM- implementing an instant messagingclient on the mobile security system 345 can guarantee that the instant messagirig system or P2P application has no access to data on: the mobile device 310. Adding a chipset of AC/97-to provide a. sound interface oithe mobile security -system 325 could allow users to'talk and receive callstdirectly~from/to the mobile security system 325. Although not shown, a small battery may be included with the mobile security system 345. This battery may be charged by the USB connection during runtime or-using the power adapter at any time.. The battery may guarantee proper shutdown, e.g., when user disconnects the USB cable from:the:mobile security system 345. It will be signaled by the system which will. launch applications:and system shutd6wi This will ensure a proper state:of the file system and flashing open files buffers. A multi-layered defense and detection abilities is required. This may be done by a speciiLcode that is constantly monitoring the scanning result by different systeni S(antivirus, -IDS/IPS, fiewall, antisfyware, URL category, etc.) and at different levels to build a puzzle and idcntif y an attack even if its not recognized by each of the individual subsystems. By doing this, theimobile security system-345 will maintAin and in some cases even.improvsthe security level provided within the enterprise 540.

22 One available benefit of the mobile security system 345 is its ability to enforce the policy of the enterprise 540 on the end user while they arc traveling or working from home. Since the mobile securitysystem 345 uses similar security engines and policy as when connected from within the enterprise 540 and since the end user-cannot access the internet 330 without it (except via VPN connection-into the enterprise 540), IT may be capable of enforcing its-security policy beyond the boundaries of the enterprise 540. The OS may be under the entire supervision of IT, while t.he.m6bile security system 345 OS acts as an end user OS under his control. This resolves the problems of who controls what and how security and productivity face minimal compromise. A standalone version of the mobile security system 345 may offer the-same-functionality, and may provide a local management interface via web browser. Attractive to home users and small offices that lack an IT department, the mobile security system:345 enables the end user to launch abrowser, connect to.the'mobile security system 345, set the different policies (update policy, security rules, etc.).including modifying the white and black URL lists, etc. There is also an opportunity to provide end users with a service of remote management of the mobile security systems 345 by subscription. Figures IOA,. 1OB and 1 0Cillustrate three example architectures'of connecting a mobile security 'system 345 to~a mobile device 3-10, in accordance with various embodiments of the. present invention.- In Figure 10A, the mobile device 310 is coupled to the mobile security system 345 via USB connections 1015 and 1020 and is coupled to the internet 330 via a NIC:card 1005. The mobile device 310 .receives intemet traffic:from the-internet 330 via its NIC card 1005. A kemel-level redirector 10 10 (e.g., via NDIS, Winsock, etc.) on the mobile device 310 automatically redirects the internet traffic via the USB connections 1015 and 1020 to the mobile security system 345, which, scans, cleans and returns the cleaned internet traffic.to the mobile device 310 via the USB connections 1015 and 1020. In:Figure 1 0B,the mobile device 310 is coupled to the mobile security system-345 via USB connections 1025 and 1030. The mobile security system 345 includes aNIC card 1035 forreceiving internet traffic from theintemet 330. The mobile security.system 345 scans, cleans and forwards the. internet traffic via the USB connections 1025 and 1030 to the mobile device 310. In Figure 1OC, the mobile device 310 is coupled to the mobile security system,345 via NIC cards 1040 and 1045. The mobile security 23 system 345 receives internet traffic from the internet 330 via its NIC card 1045. The mobile security system 345 scans, cleans and forwards the internet traffic wirelessly via the NIC cards 1040 and 1045. to the mobile device 310. Other connection architectures are also possible. The foregoing description of the preferred embodiments of the present invention is by way ofexumple only, and other.variations and. modifications of the above-described enibodiments and methods are possible in light of the foregoing teaching.. Although the network si tes are being.described as separate and distinct sites, one skilled in the art will recognize that these sites may be a part of an integral site, may each include-portions of multiple sites, or may include combinations:of single and multiple sites. The various embodiments set.forth herein may be implemented utilizing hardware, software, or any.desiredcombination thereof. Forthat matter, any type of logic may be utilized which is capable of implementing the various -functionality set forth herein. Components may be implemented using a programmed general purpose digital computer,:using application specific integrated circuits; or using a networkof interconnected conventional:components and circuits. Connections.may be wired, wireless, -modem,:etc. The embodiments described herein are not intended to be:exhaustive or limiting. The present invention is-limited.only by the following claims.

Claims (21)

1. A mobile security system, comprising: a runtime memory; a preboot memory for storing at least a portion of the operating system, wherein the preboot memory is configured to copy and load the at least a portion of the operating system into the runtime memory when the mobile security system is rebooted; a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device, the mobile device having a mobile device processor; a network connection module for receiving content intended for the mobile device; security policies for defining unacceptable malicious content; security engines for examining the content received by the network connection module for the unacceptable malicious content as defined by the security policies, the security engines operating at different layers of an OSI stack; and a mobile security system processor executing the security engines in the runtime memory using the operating system, the mobile security system processor being different than the mobile device processor.
2. The mobile security system of claim 1, wherein the connection mechanism includes at least one of a USB connector, a PCMCIA connector, an Ethernet connector, and a wireless communication module.
3. The mobile security system of claim 1, wherein the network connection module includes a wireless network interface card.
4. The mobile security system of claim 1, wherein the security engines include at least one of an antivirus engine, an antispyware engine, a firewall engine, an IPS/IDS engine, a content filtering engine, a multilayered security monitor, a bytecode monitor, and a URL monitor.
5. The mobile security system of claim 1, wherein the security engines perform weighted risk analysis.
6. The mobile security system of claim 5, wherein the weighted risk analysis weighs risk based on content type.
7. The mobile security system of claim 5, wherein the weighted risk analysis weighs risk based on content source. 9096339_1 25
8. The mobile security system of claim 5, wherein the weighted risk analysis weighs risk based on content source category.
9. The mobile security system of claim 5, wherein the weighted risk analysis weighs risk based on historical actions of the user.
10. The mobile security system of claim 1, further comprising a remote management module capable of receiving security policy updates.
11. The mobile security system of claim 1, further comprising a remote management module capable of receiving security engine updates.
12. The mobile security system of claim 1, further comprising security data and a remote management module capable of receiving security data updates.
13. The mobile security system of claim 1, wherein the security data includes malicious content signatures.
14. The mobile security system of claim 1, further comprising a distribution module capable of forwarding updates to other mobile security systems.
15. The mobile security system of claim 1, further comprising a backup module capable of storing at least a portion of the boot sector of the mobile device should the boot sector of the mobile device become compromised.
16. The mobile security system of claim 1, further comprising a remote configuration module capable of communicating with a wizard, the wizard being in communication with an enterprise network security system, the wizard capable of substantially automatic generation of policies and data based on the policies and data on the enterprise network security system, the remote configuration module capable of installing the policies and data generated by the wizard.
17. The mobile security system of claim 1, wherein the preboot memory is not accessible during runtime.
18. In a mobile security system having a mobile security system processor, a method comprising: storing at least a portion of an operating system of the mobile security system in a 9091849_1 26 preboot memory of the mobile security system; copying and loading the at least a portion of the operating system into a runtime memory of the mobile security system when the mobile security system is rebooted; receiving information intended for the mobile device from the network, the mobile device having a mobile device processor different than the mobile security system processor; and examining by the mobile security system processor the information for unacceptable malicious content as defined by security policies involving different layers of the OSI stack, wherein the mobile security system processor uses the operating system to examine the information for the unacceptable malicious content.
19. A mobile security system comprising: means for storing at least a portion of an operating system of the mobile security system in a preboot memory of the mobile security system; means for copying and loading the at least a portion of the operating system into a runtime memory of the mobile security system when the mobile security system is rebooted; means for receiving information intended for the mobile device from the network, the mobile device having a mobile device processor; and a mobile security system processor, the mobile security system processor being different than the mobile device processor, the mobile security system processor for examining the information for unacceptable malicious content as defined by security policies involving different layers of the OSI stack, wherein the mobile security system processor uses the operating system to examine the information for the unacceptable malicious content.
20. The mobile security system of claim 1, wherein the preboot memory comprises a read only memory (ROM) or a flash memory.
21. The method of claim 18, wherein the preboot memory comprises a read only memory (ROM) or a flash memory. CUPP Computing AS Patent Attorneys for the Applicant SPRUSON & FERGUSON 9091849_1
AU2012241073A 2005-12-13 2012-10-12 System and method for providing network security to mobile devices Active AU2012241073B2 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
US60/750,326 2005-12-13
US11/376,919 2006-03-15
AU2006324929A AU2006324929A1 (en) 2005-12-13 2006-12-12 System and method for providing network security to mobile devices
AU2012241073A AU2012241073B2 (en) 2005-12-13 2012-10-12 System and method for providing network security to mobile devices

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
AU2012241073A AU2012241073B2 (en) 2005-12-13 2012-10-12 System and method for providing network security to mobile devices

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
AU2006324929A Division AU2006324929A1 (en) 2005-12-13 2006-12-12 System and method for providing network security to mobile devices

Publications (2)

Publication Number Publication Date
AU2012241073A1 AU2012241073A1 (en) 2012-11-01
AU2012241073B2 true AU2012241073B2 (en) 2014-10-09

Family

ID=47079564

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2012241073A Active AU2012241073B2 (en) 2005-12-13 2012-10-12 System and method for providing network security to mobile devices

Country Status (1)

Country Link
AU (1) AU2012241073B2 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040123153A1 (en) * 2002-12-18 2004-06-24 Michael Wright Administration of protection of data accessible by a mobile device

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040123153A1 (en) * 2002-12-18 2004-06-24 Michael Wright Administration of protection of data accessible by a mobile device

Also Published As

Publication number Publication date
AU2012241073A1 (en) 2012-11-01

Similar Documents

Publication Publication Date Title
Schnackengerg et al. Cooperative intrusion traceback and response architecture (CITRA)
US8635695B2 (en) Multi-method gateway-based network security systems and methods
US7409714B2 (en) Virtual intrusion detection system and method of using same
US8935742B2 (en) Authentication in a globally distributed infrastructure for secure content management
US8763071B2 (en) Systems and methods for mobile application security classification and enforcement
US10469514B2 (en) Collaborative and adaptive threat intelligence for computer security
US9258308B1 (en) Point to multi-point connections
US9065800B2 (en) Dynamic user identification and policy enforcement in cloud-based secure web gateways
US8539570B2 (en) Method for managing a virtual machine
US9800608B2 (en) Processing data flows with a data flow processor
US10284574B1 (en) System and method for threat detection and identification
US7979368B2 (en) Systems and methods for processing data flows
US8566946B1 (en) Malware containment on connection
EP1591868B1 (en) Method and apparatus for providing network security based on device security status
US9525696B2 (en) Systems and methods for processing data flows
US8402540B2 (en) Systems and methods for processing data flows
US8010469B2 (en) Systems and methods for processing data flows
US7735116B1 (en) System and method for unified threat management with a relational rules methodology
AU2012259113B2 (en) Malware analysis system
US8195833B2 (en) Systems and methods for managing messages in an enterprise network
US10348771B2 (en) Learned behavior based security
US7664822B2 (en) Systems and methods for authentication of target protocol screen names
US8220050B2 (en) Method and system for detecting restricted content associated with retrieved content
Jakobsson et al. Crimeware: understanding new attacks and defenses
US9306960B1 (en) Systems and methods for unauthorized activity defense

Legal Events

Date Code Title Description
PC1 Assignment before grant (sect. 113)

Owner name: CUPP COMPUTING AS

Free format text: FORMER APPLICANT(S): YOGGIE SECURITY SYSTEMS LTD.

FGA Letters patent sealed or granted (standard patent)