
Method and Apparatus for Determination of Degree of Compromise of a Computing System

IP.com Disclosure Number: IPCOM000247260D
Publication Date: 2016-Aug-18
Document File: 3 page(s) / 831K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a method and apparatus for determining a computing system’s degree of compromise by providing and analyzing netflow data for a device.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.


Problem: Determining security issues and a sensitivity rank is essential for determining the security state of a device. The security state of a device determines how "compromised" or "safe" the device is.

Solution approach:

In the following sections, we describe methods for (1) protection measures for a computing device/system based on its degrees of compromise and sensitivity, (2) determination of the degree of compromise, and (3) determination of the degree of sensitivity.

The input to the system we describe is netflow data for a device. Figure 1 shows the types of network communication, and the content of such communication, that each device carries out.

The novel contribution is a method and apparatus for determining a computing system's degree of compromise. The novel approach comprises methods for:

• Protection measures for a computing device/system based on degrees of compromise and sensitivity
• Determination of degree of compromise
• Determination of degree of sensitivity

Figure 1: Netflow Data of a Device

What can be inferred from analyzing such data is discussed next. There are four levels of inference: inference 2 is based on inference 1 and the netflow data, inference 3 is based on inferences 2 and 1 and the netflow data, and inference 4 is based on inference 3 and the netflow data.

The following types of information are inferred from netflow data.

We can infer the device type and software versions by looking at the traffic headers. Encrypted traffic still provides information through DHCP and the type of URL contacted (m.google.com, the app store, and the standard IP addresses/URLs used by iPhone/Android devices). Plaintext traffic, if any, is used to determine information embedded in the network packets. The location(s) of the device can be known from IP addresses (HTTPS) and HTTP headers. The communication network of the device and its apps can be reconstructed from the services/IP addresses in the TCP/IP headers. Which apps are on the device can be known from the communication itself:

• several apps communicate via HTTP, not HTTPS, and advertisements may give away the type of app (gaming, …);
• which apps send what data: from plaintext traffic;
• usage frequency and duration: from session duration and ads.

The types of apps (work, games, utility, phone, media, social networks) can be known from the above information, the services they connect with and their communication pattern; the way they communicate (push type, pull type) and whether apps are syncing with a third-party server can be known from the service address. We can also know the app vendor and version info:...
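The inferences above can be made concrete with a small per-device summary over netflow-style records. The following is an added example and not code from the disclosure: the record layout, the sample flows, the `host` enrichment column (standing in for DNS/SNI data a collector may attach, since plain netflow carries no hostnames) and the host-to-category table are all constructed assumptions. It derives, for one device, the plaintext versus encrypted share of its traffic, the services it contacts, per-service session time, app categories hinted at by ad and vendor hosts, whether DHCP traffic was seen, and which services it appears to sync with.

```python
"""Added example: per-device inference from netflow-style records.

Not the disclosure's own code. Field names, sample records and the
host-to-category table are constructed assumptions for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample records for two devices over a short window.
# Columns: src_ip,dst_ip,dst_port,proto,bytes,start_s,end_s,host
# 'host' is an assumed enrichment (DNS/SNI); it is empty where none exists.
SAMPLE_FLOWS = """\
10.0.0.5,142.250.0.1,443,tcp,5120,0,12,m.google.com
10.0.0.5,142.250.0.1,443,tcp,2048,60,62,m.google.com
10.0.0.5,203.0.113.9,80,tcp,900,100,101,ads.example-adnet.test
10.0.0.5,203.0.113.9,80,tcp,700,300,301,ads.example-adnet.test
10.0.0.5,198.51.100.4,443,tcp,40000,120,900,sync.example-cloud.test
10.0.0.5,192.168.1.1,67,udp,300,0,0,
10.0.0.7,198.51.100.4,443,tcp,100,0,1,sync.example-cloud.test
"""

# Constructed hint table: destination service -> app category.
HOST_CATEGORY = {
    "m.google.com": "platform/vendor services",
    "ads.example-adnet.test": "ad network (app with ads, e.g. game)",
    "sync.example-cloud.test": "third-party sync service",
}
PLAINTEXT_PORTS = {80, 8080}   # HTTP: packet contents are readable
ENCRYPTED_PORTS = {443}        # HTTPS: only headers/endpoints are visible
SYNC_MIN_SECONDS = 300         # constructed threshold for "syncing" sessions


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int
    start: int
    end: int
    host: str


def parse_flows(text):
    """Parse the CSV-style records above into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto, nbytes, start, end, host = line.split(",")
        flows.append(Flow(src, dst, int(dport), proto, int(nbytes),
                          int(start), int(end), host))
    return flows


def summarize_device(flows, device_ip):
    """Derive the inference inputs the disclosure lists for one device."""
    own = [f for f in flows if f.src == device_ip]
    plaintext = [f for f in own if f.dport in PLAINTEXT_PORTS]
    encrypted = [f for f in own if f.dport in ENCRYPTED_PORTS]
    # Service identity: the enriched host if present, else the raw IP.
    services = Counter(f.host or f.dst for f in own)
    duration = defaultdict(int)
    for f in own:
        duration[f.host or f.dst] += f.end - f.start
    categories = sorted({HOST_CATEGORY[h] for h in services if h in HOST_CATEGORY})
    # Long sessions to a known sync service suggest a syncing app (constructed rule).
    syncing = sorted(h for h in services
                     if "sync" in HOST_CATEGORY.get(h, "")
                     and duration[h] >= SYNC_MIN_SECONDS)
    dhcp_seen = any(f.dport == 67 and f.proto == "udp" for f in own)
    return {
        "flows": len(own),
        "plaintext_flows": len(plaintext),
        "encrypted_flows": len(encrypted),
        "plaintext_share": round(len(plaintext) / len(own), 2) if own else 0.0,
        "services": dict(services),
        "session_seconds": dict(duration),
        "app_categories": categories,
        "syncing_with_third_party": syncing,
        "dhcp_seen": dhcp_seen,
    }


if __name__ == "__main__":
    summary = summarize_device(parse_flows(SAMPLE_FLOWS), "10.0.0.5")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The summary is only the evidence layer; mapping it to a degree of compromise or sensitivity is the disclosure's next step and is not implemented here. A real deployment would replace the constructed category table with the organisation's own service inventory and would read the enrichment column from a passive DNS or TLS SNI source.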