The present invention relates to the field of network communications on mobile devices. More particularly, the present invention relates to the combined practices of Network Security, Network Control, Network Performance Management and Mobile Device Management.
Even more particularly, the present invention provides visibility and control for all network applications to expand the set of application traffic mobility clients can act upon to include traffic sent outside the VPN tunnel, on all platforms to apply policy and publish data for non-tunneled and tunneled traffic. The present invention also provides the ability to “bridge” DNS queries with the other packets that pertain to the resolved address and control all of those connections with name-based policy rules.
The present invention also provides the ability to process information about the network traffic through machine learning algorithms and use the results to control traffic with policy rules. More particularly, the present invention relates to aggregating the collected information using statistical algorithms and processing the aggregated information through Machine Learning algorithms to automatically detect abnormal data transfers and usage that is abnormal for a device's typical user. More particularly, the present invention relates to the use of the Variational Autoencoder, Undercomplete Autoencoder, and Overcomplete Autoencoder machine learning algorithms to process aggregated network traffic information without human supervision or pre-labeled data.
Within the last several decades, mobile enterprise workers using mobile computing devices have become commonplace. With the widespread adoption, many enterprises have realized the need for greater visibility and control of the network communications taking place on the mobile devices used by their mobile workers. Many enterprises have also realized the need for greater flexibility over the way in which policy rules that govern the treatment of network flows are expressed.
Moreover, until recently, companies have turned to ever-more complex network monitoring systems in an attempt to cope. Such systems helped mitigate the problem by “scaling up” traditional methods, but still relied on statistical algorithms driven by human interpretation. As the number of computer applications relying on computer networks continued to multiply, that approach, just like the more traditional methods they were derived from, became too cumbersome for the network administrators that relied on them.
Historically, enterprises have turned to network performance management tools to help control the problems listed above. Unfortunately, most existing products in the marketplace were designed for wired networks and for wireless networks that are fully controlled by the enterprise. Also, most existing products that provide control over a network do so via centralized mechanisms—and these can represent bottlenecks or chokepoints that degrade network performance and user experience.
Recently, some VPN solutions have been used to provide the visibility and control of the mobile network communications for devices using public networks. But even here, these VPN solutions can only monitor and control network flows that are sent over the VPN tunnel and cannot do so for network flows that are configured to bypass the VPN tunnel.
Also, with the widespread adoption of mobile enterprise workers using mobile computing devices, enterprises have had to deal with scaling the administration of the rules that govern mobile network control and visibility. For example, in the case of a split tunneling rule (a rule that governs which network flows are sent over the VPN tunnel and which bypass the VPN tunnel), current industry practice is to define the rules based on network addresses, ports, or some other bit of information that is actually present in the packets of the network flow. However, it is often impractical for users of these systems to express split tunnel rules using network addresses. Often, the most natural way to express a split tunnel rule is using host names (i.e. send all xyz.com over the tunnel and send everything else outside the tunnel). And, as the size of a mobile workforce grows, the ability to easily express these types of rules or have the rules automatically created or applied by an AI engine becomes more and more important.
In the marketplace, many VPNs currently support the ability to define a set of search domains. By configuring these search domains, any name queries that match the configured search domain will be sent to the VPN and any that do not will bypass the VPN. One problem with this model is that the VPN loses visibility into any name queries that do not match the search domain. But any name queries that do match the search domain are specifically sent to the VPN's DNS servers rather than the name servers of the local network. An unfulfilled need exists to have visibility into all name queries from a mobile device while allowing, without requiring, that the name query be fulfilled by the name servers defined for the VPN itself.
The market has not yet been able to meet the needs for monitoring and controlling network communications from mobile devices when those network communications take place over public networks and which were not sent over the VPN tunnel to the protected enterprise network. Also, there is presently an unfulfilled need to support visibility into all name queries generated on a device, control to steer any name query either inside or outside the VPN tunnel, and control to apply the same policy (inside/outside VPN tunnel) to any subsequent network flow that uses the same address to which the name query resolved. Also, there is an unfulfilled need to monitor the data stream of network behavior collected on a mobile device for the purpose of automatically creating and applying customized network policy rules and alleviating the human of the burden of doing so.
In an effort to relieve overburdened network administrators some network monitoring systems have recently started incorporating “machine learning” algorithms. Machine learning (ML) algorithms, as the name implies, can “learn” patterns within a given set of data. Once “trained”, a ML algorithm can be used to identify when a pattern repeats or when a subset of data does not conform to a recognized pattern, thus relieving network administrators from having to identify recognizable or anomalous data patterns manually.
Currently there are still big challenges to applying ML algorithms, with the most significant being the data required to train them. ML algorithms require copious amounts of data and most ML algorithms require target patterns to be identified within the data in order to train properly (in ML parlance, this is called “supervised learning”).
Current network monitoring systems gather the amount of data required by collecting meta-data on a packet-by-packet basis. This means they must analyze and record information about every packet sent and received over all monitored networks. This set of meta-data, while smaller than the actual network packets, is a non-trivial amount of data to transmit and analyze.
Also, to utilize “supervised learning” ML algorithms, network monitoring systems require all target patterns to be identified within the data used for training, thus shifting burden back onto network administrators.
The market is still struggling to efficiently apply ML algorithms in a way that minimizes human interaction. The more successful network monitoring systems collect copious amounts of data and often require the “interesting” parts of the data be identified interactively by a network administrator or by utilizing third party data sets where the “interesting” parts have been manually identified.
In view of the foregoing, embodiments are directed to a system and method that combines Network Security, Network Control, Network Performance Management and Mobile Device Management.
Embodiments are directed to a system and method that provides for a data collection, control and monitoring system that has visibility to network flow data that may go over a VPN tunnel but may instead be rewritten to the local network stack in such a way that it bypasses the VPN entirely.
In other embodiments, the system and method are directed to capturing all name queries on a mobile device, steering name queries either inside or outside the VPN tunnel based on policy rules expressed using host names or partial hostnames with wildcards, tracking name queries and mapping them to the associated responses, storing the name to address associations from the queries and responses, and applying the same policy to any flows that use an address from a name resolution as the policy that was applied to the original name query.
Embodiments are directed to a method and system for capturing all network flows on a mobile device as well as a method and system for re-introducing the network flows back into the original network stack on the mobile device such that they will subsequently avoid being captured for monitoring any further. The method and system steer name query flows according to configured policy defined using full or partial host names, track responses to name queries, and apply to flows that use the resolved address of a name query the same policy that was applied to the original name query. The method and system further include processing the stream of collected data in real-time for the purpose of automatically creating and applying the most appropriate network policy rules based on actual user and device behavior on the network and the goals of the enterprise.
In further embodiments, the system and method provide for real-time monitoring of user and device network behavior data collected on the mobile device in order to automatically create and apply the most appropriate network rules for the current environment.
In still other embodiments, the method can be performed on and the system can be operable with a roaming client moving between same or dissimilar networks including, but not limited to, WiFi, cellular network technologies such as WiMax, 3G, 4G, 5G and Long Term Evolution (LTE), as well as other radio networks. By way of non-limiting example, a client may roam between two networks A and B, such that the DNS query is processed while the VPN tunnel is established over network A, but by the time the subsequent flow to the actual remote host occurs, the VPN tunnel has been established over network B. The same may apply to the sending of the network flow versus the sending of the network flow metadata to the data gateway in the VPN server pool. Additional information regarding mobile devices roaming over plural dissimilar networks and maintaining connection between the roaming mobile device and an enterprise network through a VPN tunnel can be found in, e.g., U.S. Pat. Nos. 7,778,260, 7,602,782, 7,574,208, 7,346,370, 7,136,645, 6,981,047, 6,826,405, 6,418,324, 6,347,340, 6,198,920, 6,193,152, U.S. Patent Application Publication Nos. US2010/0046436, US2009/0307522, US2009/0083835, US2007/0206591, US2006/0203804, US2006/0187956, US2006/0146825, US20060046716, US2006/0023676, US2006/0009213, US2005/0237982, US2005/0002419, US2004/0264402, US2004/0170181, US2003/0017845, US2005/0223115, US2005/0223114, US2003/0120811, and US2002/0122394, the disclosures of which are expressly incorporated by reference herein in their entireties.
In another non-limiting example, the method and system can be employed as a standalone solution or can be built on top of an existing VPN. As a standalone solution, the method and system can be configured to capture all network flows so that information about them may be collected and then the method and system could rewrite all network flows back to the local network stack. If built on top of an existing VPN, after reading network flows and collecting information, control over the network flows may be asserted, thereby causing some flows to be rewritten to the local network stack, other flows to be sent over the VPN tunnel and other flows to be blocked.
For any name queries, a policy lookup would occur for the (potentially wildcarded) hostname from a local table and then either send the name query over the tunnel, send it outside the tunnel, or block it.
Since policy may be dynamic and user configurable, it may be necessary to ensure that any name query can be sent to a DNS server either inside or outside the tunnel. One method to accomplish this may be to proxy the name queries and responses to the appropriate server. Another method to accomplish this may be to simply forward the name query packets and rely on the underlying operating system behavior to generate name query packets to the appropriate name server.
The system must track name queries and responses so that it can apply the same policy to the flow resulting from a name resolution as the policy applied to the name resolution itself. In one embodiment, this name resolution cache may be used to “short-circuit” subsequent name lookups to the same name. In another embodiment, it might be advantageous to always resolve every query to ensure the local cache is kept up to date.
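The steering, bridging and cache steps of the preceding three paragraphs, as an added illustration that is not the patent's own code: a first-match lookup of the query name against wildcard rules, a pending-query table that ties each DNS answer back to the policy chosen for its query, and a resolution cache that hands the same policy to later flows to the resolved addresses. The rule syntax, the minimal DNS wire builder and parser, and the host names and RFC 5737 addresses used here are assumptions.

```python
import struct
from fnmatch import fnmatchcase
from ipaddress import ip_address

TUNNEL, BYPASS, BLOCK = "tunnel", "bypass", "block"

def _encode_name(name):
    """Wire-encode a host name as DNS labels (helper for the constructed packets)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txn_id, qname):
    """Constructed A query: header plus one question (QTYPE A, QCLASS IN)."""
    return (struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
            + _encode_name(qname) + struct.pack("!HH", 1, 1))

def build_response(txn_id, qname, addrs, ttl=60):
    """Constructed response with one A record per address; each answer name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    msg = (struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(addrs), 0, 0)
           + _encode_name(qname) + struct.pack("!HH", 1, 1))
    for addr in addrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ip_address(addr).packed
    return msg

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if end is None:
                end = off + 2                      # parsing resumes after the pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_dns(msg):
    """Return (txn_id, qname, is_response, [IPv4 answers]) for a one-question message."""
    txn_id, flags, _qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    qname, off = _read_name(msg, 12)
    off += 4                                       # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:              # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txn_id, qname, bool(flags & 0x8000), addrs

class NamePolicyEngine:
    """Name-based rules, first match wins; patterns are shell-style ('*.xyz.com')."""
    def __init__(self, rules, default=BYPASS):
        self.rules = [(pattern.lower(), action) for pattern, action in rules]
        self.default = default
        self.pending = {}   # (txn_id, qname) -> action for in-flight queries
        self.resolved = {}  # address -> (qname, action): the name-resolution cache

    def lookup(self, hostname):
        name = hostname.rstrip(".").lower()
        for pattern, action in self.rules:
            if fnmatchcase(name, pattern):
                return action
        return self.default

    def handle_dns(self, msg):
        """Steer a query by its name; when the matching answer arrives, record
        every resolved address under the query's policy (the DNS 'bridge')."""
        txn_id, qname, is_response, addrs = parse_dns(msg)
        key = (txn_id, qname.lower())
        if not is_response:
            action = self.lookup(qname)
            if action != BLOCK:                    # a blocked query never leaves the device
                self.pending[key] = action
            return action
        # An answer with no matching query is still subject to the name policy.
        action = self.pending.pop(key, None) or self.lookup(qname)
        for addr in addrs:
            self.resolved[addr] = (qname.lower(), action)
        return action

    def handle_flow(self, dst_ip):
        """Apply the cached name policy to a later flow to a resolved address."""
        entry = self.resolved.get(str(ip_address(dst_ip)))
        if entry is None:                          # address never seen in an answer
            return self.default, None
        qname, action = entry
        return action, qname
```

A flow to an address that no tracked answer has produced falls back to the default action, which is exactly the visibility gap the bridge is meant to close.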
Moreover, embodiments are directed to a system and method to provide for a data collection and monitoring system that centralizes and aggregates the data and then uses the aggregated data to train and execute machine learning (ML) algorithms.
According to other embodiments, the system and method are directed to provide a ML algorithm that outputs the detection of possible data exfiltration by one or more computers based solely on previously gathered data, having such detections customizable by a network administrator in terms of overall sensitivity, and applying the ML algorithm to customizable groups of computers.
In still other embodiments, the system and method provide for the generation of reports, notifications, and alerts based on the output of the ML algorithm.
In further embodiments, the system and method provide conditions for accessing one or more computer networks and/or limiting the usage of said networks by one or more computers based on the output of the ML algorithm.
Embodiments are directed to a mobile management method that includes receiving from an application on a client a DNS query for a host name; retrieving reputation data associated with the host name from a local cache on the client; determining whether a policy associated with the host name and the reputation data associated with the host name exists; and, based on the determined policy for the host name, one of: sending the network flow through a VPN tunnel to a server, sending the network flow out a local proxy on the client to a private or public network, or blocking the network flow.
Further, embodiments are directed to a mobile management system that includes at least one database comprising a stored set of instructions; and at least one processor coupled to the at least one database, wherein the processor is configured to execute the stored set of instructions to: receive from an application on a client a DNS query for a host name; retrieve reputation data associated with the host name from a local cache on the client; determine whether a policy associated with the host name and the reputation data associated with the host name exists; and, based on the determined policy for the host name, one of: send the network flow through a VPN tunnel to a server, send the network flow out a local proxy on the client to a private or public network, or block the network flow.
Moreover, embodiments are directed to a mobile management method that includes sending at least network flow metadata to a collector on a client; transmitting the network flow metadata in the collector to a VPN server pool via the VPN tunnel; processing the network flow metadata to find and detect events and conditions within the network; sending the found and detected events and conditions to the client; determining whether a policy associated with the found and detected events and conditions exists; and changing at least one of network usage or device behaviors based on the determined policy.
Embodiments are directed to a mobile management system that includes a VPN server pool; and a client device connectable to the VPN server pool via a VPN tunnel. The client device includes a reputation data store, a policy rules store and a VPN policy engine coupled to perform a policy lookup based upon a policy rule stored in the policy rules store for a host name and reputation data for the host name stored in the reputation data store. Based upon the policy lookup, the VPN policy engine is configured to one of: send network flows through a VPN tunnel to a server, send them out a local proxy on the client to a private or public network, or block them.
Embodiments are directed to a mobile management method that includes receiving a DNS query for a host name from an application on a client; retrieving reputation data associated with the host name from a local cache on the client; determining a policy for the host name, which is associated with the host name and the reputation data associated with the host name; based on the determined policy for the host name, blocking attempted network flows to a host corresponding to the host name; sending at least attempted network flow metadata related to the blocked attempted network flows to a collector on the client; and transmitting the attempted network flow metadata in the collector to a VPN server pool via a VPN tunnel.
According to embodiments, the VPN server pool can include a data gateway that receives the attempted network flow metadata, and a data publisher coupled to the data gateway instructs at least one of: a reporting engine to generate at least one of reports or dashboards; or a machine learning unit to find anomalies, determine cohorts, deduce trends, determine location boundaries, detect network security issues, detect compromised clients, and/or optimize network usage. Based upon the found anomalies, determined cohorts, deduced trends, determined location boundaries, detected network security issues, detected compromised clients, and optimized network usage, the machine learning unit can send an alert to the VPN server pool; and the VPN server pool can send one of an alert to the client or an update to the client. Further, the machine learning unit may include a data storage server collecting and storing the attempted network flow metadata from the VPN server pool and an analysis server, and the method can further include aggregating in the analysis server the collected attempted network flow metadata stored on the data storage server with other collected attempted network flow metadata using statistical algorithms; and processing the aggregated metadata through machine learning algorithms to automatically detect at least one of an abnormal data transfer or usage that is abnormal for a user of the client.
In embodiments, the VPN server pool may include a machine learning unit using artificial intelligence and machine learning to determine boundaries of normal locations of at least one of individual clients or client cohorts and to detect when an individual client or client cohort is outside of the normal locations.
In accordance with embodiments, the VPN server pool can include a machine learning unit using artificial intelligence and machine learning to make findings and detections based upon at least the attempted network flow metadata, and based on the findings and detections of the artificial intelligence and machine learning, the method further comprises at least one of: switching between using different network interfaces; using multiple network interfaces; using or not using a proxy server; switching between different proxy servers; forcing compression between the client and another client; forming forward error detection between the client and the other client; causing the client to launch an application; causing the client to run diagnostics; forcing advanced authentication; enabling advanced logging; throttling network usage; limiting network destinations; quarantining the client; or forcing traffic through encrypted tunnels.
In other embodiments, the mobile management method can include updating the reputation data for the host name each time another DNS query for the host name is received by the client. The updating of the reputation data for the host name may include sending a request through the VPN tunnel to retrieve updated reputation data for the host name from the VPN server pool; and receiving the retrieved updated reputation data for the host name from the VPN server pool through the VPN tunnel.
According to other embodiments, when a DNS query for a further host name is resolved in the client, the method can further include, based on a further policy for the further host name: returning the resolved further host name to the application; receiving a request for forwarding further attempted network flows to a further host for the further resolved host name; retrieving further reputation data associated with the further host from the local cache on the client; and determining whether a further policy associated with the further host and the further reputation data associated with the further host exists.
In accordance with embodiments, when a DNS query for a further host name cannot be resolved in the client, the method may further include: sending the DNS query for the further host name to the VPN server pool through the VPN tunnel; receiving a resolved further host name through the VPN tunnel; and based on a further policy for the further host name: forwarding the resolved further host name to the application; receiving a request for forwarding further attempted network flows to a further host for the further host name; retrieving further reputation data associated with the further host from the local cache on the client; and determining whether a further policy associated with the further host and the further reputation data associated with the further host exists.
In still other embodiments, when a DNS query for a further host name cannot be resolved in the client, the method can further include sending the DNS query for the further host name to a local network; receiving a resolved further host name through the local network; and based on a further policy for the further host name: forwarding the resolved further host name to the application; receiving a request for forwarding further attempted network flows to a further host for the further resolved host name; retrieving further reputation data associated with the further host from a local cache on the client; and determining whether a further policy associated with the further host and the further reputation data associated with the further host exists.
In further embodiments, the method can include: sending at least further attempted network flow metadata associated with further attempted network flows to the collector; transmitting the further attempted network flow metadata in the collector to the VPN server pool via the VPN tunnel; processing the further attempted network flow metadata to find and detect events and conditions within a network; sending the found and detected events and conditions to the client; determining that the policy or a further policy is associated with the found and detected events and conditions; and changing at least one of network usage or client behavior based on the policy or the further policy. When the further policy blocks the further attempted network flows within the client, the further attempted network flow metadata associated with the further attempted network flows can be sent to a data gateway in the VPN server pool. Further, a data publisher coupled to the data gateway may instruct at least one of: a reporting engine to generate at least one of reports or dashboards; or a machine learning unit to find anomalies, determine cohorts, deduce trends, determine location boundaries, detect network security issues, detect compromised clients, and/or optimize network usage. Based upon the found anomalies, determined cohorts, deduced trends, determined location boundaries, detected network security issues, detected compromised clients, and optimized network usage, the machine learning unit can send an alert to the VPN server pool; and the VPN server pool may send at least one of an alert to the client or an update to the client. 
Still further, the machine learning unit can include a data storage server collecting and storing the further attempted network flow metadata from the VPN server pool and an analysis server, and the method may further include: aggregating in the analysis server the collected further attempted network flow metadata stored on the data storage server using statistical algorithms; and processing the aggregated metadata through machine learning algorithms to automatically detect at least one of an abnormal data transfer or usage that is abnormal for a user of the client. The processing of the aggregated metadata through the machine learning algorithms comprises at least one of: processing the aggregated metadata through a variational autoencoder machine learning algorithm to automatically find and detect the events and the conditions without human aid; processing the aggregated metadata through an overcomplete autoencoder machine learning algorithm to automatically find and detect the events and the conditions without human aid; or processing the aggregated metadata through an undercomplete autoencoder machine learning algorithm to automatically find and detect the events and the conditions without human aid. Further still, the VPN server pool may include a machine learning unit using artificial intelligence and machine learning to determine boundaries of normal locations of at least one of individual clients or client cohorts and to detect when an individual client or client cohort is outside of the normal locations. 
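As an added illustration, not the patent's code, of the aggregation and autoencoder stages described above (and of the administrator-tunable sensitivity mentioned earlier): per-window sums of flow metadata are standardized, a linear undercomplete autoencoder is trained on windows assumed normal with no labels, and a window whose reconstruction error exceeds a threshold derived from the training errors is flagged as an abnormal data transfer. The feature set, the synthetic traffic generator, the constructed exfiltration records and the threshold rule are all assumptions.

```python
import random
import statistics

def aggregate_flows(records):
    """Statistical aggregation: one device's per-flow metadata for a window collapsed
    into [bytes_out, bytes_in, flow count, distinct destination count]."""
    return [float(sum(r["bytes_out"] for r in records)),
            float(sum(r["bytes_in"] for r in records)),
            float(len(records)),
            float(len({r["dst"] for r in records}))]

def synthetic_normal_windows(n, seed=7):
    """Constructed 'typical user' windows: each feature grows with the flow count
    plus independent noise, so normal windows lie near a low-dimensional manifold."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        flows = 20.0 + rng.random() * 40.0
        rows.append([flows * (8000.0 + rng.random() * 400.0),      # ~8 KB up per flow
                     flows * (60000.0 + rng.random() * 24000.0),   # 60-84 KB down per flow
                     flows,
                     flows * 0.3 + rng.random() * 5.0])            # distinct destinations
    return rows

# Constructed metadata for one suspect window: few flows, one destination, huge upload.
EXFIL_RECORDS = [{"bytes_out": 9_000_000, "bytes_in": 40_000, "dst": "198.51.100.7"}
                 for _ in range(4)]

class Standardizer:
    """Per-feature z-scoring fitted on the training windows only."""
    def __init__(self, rows):
        cols = list(zip(*rows))
        self.mean = [statistics.mean(c) for c in cols]
        self.std = [statistics.pstdev(c) or 1.0 for c in cols]

    def __call__(self, row):
        return [(v - m) / s for v, m, s in zip(row, self.mean, self.std)]

class UndercompleteAutoencoder:
    """Linear encoder/decoder whose bottleneck is narrower than the input, trained
    by full-batch gradient descent on the mean squared reconstruction error."""
    def __init__(self, n_in, n_hidden, seed=0):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden)] for _ in range(n_in)]
        self.b2 = [0.0] * n_in

    @staticmethod
    def _affine(w, b, v):
        return [sum(wi * vi for wi, vi in zip(row, v)) + bi for row, bi in zip(w, b)]

    def error(self, x):
        """Mean squared reconstruction error: the anomaly score for one window."""
        xh = self._affine(self.w2, self.b2, self._affine(self.w1, self.b1, x))
        return sum((a - b) ** 2 for a, b in zip(x, xh)) / len(x)

    def fit(self, rows, epochs=600, lr=0.1):
        n_in, n_h, n = len(self.b2), len(self.b1), len(rows)
        for _ in range(epochs):
            gw1 = [[0.0] * n_in for _ in range(n_h)]
            gw2 = [[0.0] * n_h for _ in range(n_in)]
            gb1, gb2 = [0.0] * n_h, [0.0] * n_in
            for x in rows:
                h = self._affine(self.w1, self.b1, x)
                xh = self._affine(self.w2, self.b2, h)
                d_out = [2.0 * (a - b) / (n_in * n) for a, b in zip(xh, x)]   # dL/dxh
                d_h = [sum(self.w2[i][j] * d_out[i] for i in range(n_in)) for j in range(n_h)]
                for i in range(n_in):
                    gb2[i] += d_out[i]
                    for j in range(n_h):
                        gw2[i][j] += d_out[i] * h[j]
                for j in range(n_h):
                    gb1[j] += d_h[j]
                    for k in range(n_in):
                        gw1[j][k] += d_h[j] * x[k]
            for i in range(n_in):
                self.b2[i] -= lr * gb2[i]
                for j in range(n_h):
                    self.w2[i][j] -= lr * gw2[i][j]
            for j in range(n_h):
                self.b1[j] -= lr * gb1[j]
                for k in range(n_in):
                    self.w1[j][k] -= lr * gw1[j][k]

def fit_detector(normal_windows, sensitivity=1.5, seed=0):
    """Train on windows assumed normal (no labels); the alert threshold is a
    multiple of the largest training error that the administrator can tune."""
    scaler = Standardizer(normal_windows)
    ae = UndercompleteAutoencoder(len(normal_windows[0]), 2, seed)
    ae.fit([scaler(r) for r in normal_windows])
    threshold = sensitivity * max(ae.error(scaler(r)) for r in normal_windows)
    return ae, scaler, threshold

def score(detector, window):
    return detector[0].error(detector[1](window))

def is_abnormal(detector, window):
    return score(detector, window) > detector[2]
```

Lowering `sensitivity` toward 1.0 makes the detector flag more windows; a variational or overcomplete variant would swap only the encoder/decoder definition, the scoring and thresholding stay the same.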
The VPN server pool may include a machine learning unit using artificial intelligence and machine learning for processing the further attempted network flow metadata to find and detect the events and conditions within the network based upon at least the further attempted network flow metadata, and based on the events and conditions found and detected by the artificial intelligence and machine learning, the method further comprises at least one of: allowing or blocking traffic; switching between using different network interfaces; using multiple network interfaces; using or not using a proxy server; switching between different proxy servers; forcing compression between the client and another client; forming forward error detection between the client and another client; causing the client to launch an application; causing the client to run diagnostics; forcing advanced authentication; enabling advanced logging; throttling network usage; limiting network destinations; quarantining the client; or forcing traffic through encrypted tunnels.
According to still further embodiments, the method may also include receiving a DNS query for a further host name from the application; retrieving further reputation data associated with the further host name from the local cache; determining a further policy for the further host name, which is associated with the further host name and the further reputation data associated with the further host name; based on the determined further policy for the further host name, either: blocking further attempted network flows to a further host corresponding to the further host name; sending the further attempted network flows through the VPN tunnel to the VPN server; or sending the further attempted network flows out of a local proxy on the client to a private or public network.
In accordance with still further embodiments, the method can also include receiving DNS queries for further host names from the application; retrieving further reputation data associated with each of the further host names from the local cache; determining a further policy for each of the further host names, each of which is associated with the corresponding further host name and the further reputation data associated with the corresponding further host name; based on the determined further policies for the further host names: blocking further attempted network flows to one or more further hosts corresponding to the further host names; sending other further attempted network flows through the VPN tunnel to the VPN server; and sending yet other further attempted network flows out of a local proxy on the client to a private or public network. The method may further include collecting network performance metrics from the client and from other clients from which other network flows are sent; detecting a trend of increasing network connection problems experienced by a cohort of clients selected from the client and the other clients; and determining where the cohort is. Further, the network performance metrics may relate to throughput, latency, connection failure, signal to interference and noise ratio (SINR) and/or signal quality; and the method can include identifying a carrier, a cellular tower, a wireless local area network (WLAN) and/or a WLAN access point that the cohort is using. The cohort can be a geographic region and the geographic region may include a city, a state or a town.
Embodiments are directed to a mobile management system that includes a VPN server pool; and a client connectable to the VPN server pool via a VPN tunnel. The client includes a reputation data store, a policy rules store and a VPN policy engine coupled to perform a policy lookup based upon (a) a policy rule stored in the policy rules store for a host name and (b) associated reputation data for the host name stored in the reputation data store, and further includes a collector coupled to the VPN policy engine. Based upon the policy lookup, the VPN policy engine is configured to block attempted network flows to a host corresponding to the host name, the collector is arranged to receive attempted network flow metadata for the blocked attempted network flows from the VPN policy engine; and the collector is configured to transmit the attempted network flow metadata to the VPN server pool via the VPN tunnel.
According to embodiments, the VPN server pool may include a data gateway that is configured to receive the attempted network flow metadata for the blocked attempted network flows. The VPN server pool may further include a data publisher coupled to the data gateway and the data publisher can be coupled to at least one of a reporting engine or a machine learning unit. Further, the reporting engine can be configured to generate at least one of reports or dashboards, and the machine learning unit can be configured to find anomalies, determine cohorts, deduce trends, determine location boundaries, detect network security issues, detect compromised clients, and/or optimize network usage and, based on the found anomalies, determined cohorts, deduced trends, determined location boundaries, detected network security issues, detected compromised clients, and/or optimized network usage, to send at least one of an alert to the client or an update to the client. Still further, the machine learning unit may include a data storage server configured to collect and store attempted network flow metadata from the VPN server pool and an analysis server configured to aggregate the collected attempted network flow metadata stored on the data storage server with other collected attempted network flow metadata using statistical algorithms and to process the aggregated metadata through machine learning algorithms to automatically detect at least one of an abnormal data transfer or usage that is abnormal for a user of the client.
In accordance with embodiments, the VPN server pool may include a machine learning unit configured to use artificial intelligence and machine learning to determine boundaries of normal locations of at least one of individual clients or client cohorts and to detect when an individual client or client cohort is outside of the normal locations.
Embodiments are directed to a client that includes a processor; and a memory storing computer-readable instructions, which, when executed by the processor cause the processor to: receive a DNS query for a host name from an application on the client; retrieve reputation data associated with the host name from a local cache on the client; determine a policy for the host name, which is associated with the host name and the reputation data associated with the host name; based on the determined policy for the host name, block attempted network flows to a host corresponding to the host name; send at least attempted network flow metadata related to the blocked attempted network flows to a collector on the client; and transmit the attempted network flow metadata in the collector to a VPN server pool via a VPN tunnel.
In accordance with still yet other embodiments, the client may further include a reputation data store in which the associated reputation data for the host name can be stored, the reputation data store may be present in the local cache; a policy rules store; and a VPN policy engine coupled to perform a policy lookup based upon a policy rule stored in the policy rules store for the host name and the associated reputation data for the host name. The collector can be coupled to the VPN policy engine.
The particulars shown herein are by way of example and for purposes of illustrative discussion of the embodiments of the present invention only and are presented in the cause of providing what is believed to be the most useful and readily understood description of the principles and conceptual aspects of the present invention. In this regard, no attempt is made to show structural details of the present invention in more detail than is necessary for the fundamental understanding of the present invention, the description taken with the drawings making apparent to those skilled in the art how the several forms of the present invention may be embodied in practice.
A mobile cloud performance, security and cost management system according to the embodiments provides visibility and control for all network applications. The system expands the set of application traffic that mobility clients can act upon to include traffic sent outside a VPN tunnel, on all platforms, and applies policy and publishes data for both tunneled and non-tunneled traffic. Thus, regardless of mobile operating system, e.g., iOS, Android, Windows, Mac, etc., and whether the mobile user's traffic is tunneled or non-tunneled, policy can be reviewed and applied and reports can be prepared and published.
Monitoring remote network clients for technologically and legally risky behavior is difficult due to their separation from the enterprise network. Existing solutions depend on services running on a gateway network appliance, such as a router. Due in part to their scalability requirements, these routers typically remediate traffic based upon a security policy without any advanced reporting. Remote clients can also be difficult to associate with their traffic, as their source addresses can change more often than those of on-premises clients. This loose association adds to the complexity of connecting an agent/client (user or device) with its network traffic and its reputation data.
The reputation data collected from the client activity to the VPN server can be fed into a Security Information and Event Management (SIEM) system, a reporting engine (or business intelligence engine), and/or a machine learning algorithm of a machine learning engine to quickly identify suspicious network behavior. Because the reputation data is collected at the time of the client's connection, the reporting engine can quickly identify risky network activity coming from the VPN clients without any additional processing.
Each time a DNS request packet with the host name is received by VPN policy engine 22, VPN policy engine 22 can retrieve reputation data of the requested host name from reputation data store 34 and, based upon policy from policy rules store 32, perform a policy lookup for the requested (potentially wildcarded) host name. If the host name can be resolved in the client, the resolved host name is returned to application 12. If the host name cannot be resolved in client 10, the DNS query is sent through tunnel 26 to VPN server pool 100 via DNS proxy 24 to be resolved, and a DNS response with the resolved host name is returned to application 12. VPN policy engine 22 looks up the reputation of the requested host name in reputation data store 34. If reputation data for the host is not found in the local cache (reputation data store 34), VPN policy engine 22 can request reputation data for the host from VPN server pool 100, which can be located on a server on premises and/or in the cloud, and record the retrieved reputation data for the host in reputation data store 34. This reputation data can include, e.g., risk level, category, popularity, and security incidents noticed in the past. VPN policy engine 22 can also enforce policy rules based on the DNS host name and the reputation. When a policy exists, the packets can be treated according to the policy, e.g., to establish a connection through VPN tunnel 26 to the server or to establish a local connection to the host through a public or private network, thereby bypassing the VPN tunnel.
Moreover, to ensure that the local reputation data on the client is up to date, each time VPN policy engine 22 sees a DNS query, even when there is reputation data for the resolved host in the local cache and an established policy, VPN policy engine 22 can request and retrieve reputation data for that host from VPN server pool 100 and store (or update) that data in reputation data store 34 on client 10 in a table where, e.g., the key is the host name and the value is the reputation data.
Thus, in embodiments, regardless of whether policy rules pertaining to the host exist in VPN policy engine 22, reputation data can always be retrieved. This can be advantageous in that, because policy is dynamic and can change at any time, the reputation cache is up to date for all hosts for which DNS queries have been made. Therefore, even when VPN policy engine 22 does not find a policy rule for the host name, VPN policy engine 22 will retrieve reputation data for that host from VPN server pool 100 to update the reputation data in the local cache or reputation data store 34. In particular, DNS proxy 24 can resolve the packet request with the host name and send the host name through VPN tunnel 26 to a VPN server 110 of a VPN server pool 100. VPN server 110 can access a reputation data store 112, which can be a local cache in VPN server pool 100. The reputation data for the resolved host name is sent back to client 10 through VPN tunnel 26 and reputation data store 34 is updated and policy rules based upon the reputation data retrieved from VPN server pool 100 can be stored in policy rules store 32 for the host. Based on this new policy, a determination is made whether to establish a connection through VPN tunnel 26 or to establish a connection outside of VPN tunnel 26 to a private or public network or to block the flow.
When the server does not have reputation data in its local cache for the resolved host, VPN server 110 can query, e.g., an internet accessible reputation service that can resolve a hostname or URL into a reputation score. This retrieved reputation data can then be sent back through VPN tunnel 26 to VPN policy engine 28 to be stored in reputation data store 34.
Whether the DNS request is resolved locally or via the server, when the response comes back, application 12 will make a new request to the actual remote host. At this point another policy lookup can occur in the VPN policy engine, together with a check of the reputation data. The activities of the various processes can be collected or stored, preferably temporarily, on the client by collector 28. That is, after VPN policy engine 22 has processed the request packet and its associated reputation data, VPN policy engine 22 informs collector 28 of the packet and reputation. After VPN policy engine 22 has processed the packet to the actual host, its associated reputation data and a determination of how to handle the packet (i.e., connect through the local proxy, connect through VPN tunnel 26, or block) will have been made, and VPN policy engine 22 informs collector 28 of the packet, reputation and network flow metadata. Collector 28 can store cached data about client 10, e.g., the WiFi connection, data about the VPN tunnel, data about connections made through the VPN, etc., and, periodically, this collector data can be flushed to a data gateway 114 of VPN server pool 100, which is a server-side data collection point.
Moreover, in embodiments, it is possible for no policy to exist that matches a given flow or for a remote host to be unknown in terms of reputation. If no policy exists and no reputation can be retrieved, a default behavior, e.g. to tunnel the flow to the VPN server pool, can be executed.
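By way of a worked, non-limiting illustration added here (it is not code from the disclosure, nor from any product the disclosure describes), the following Python sketch models the client-side handling described above: the DNS response bridges each resolved address to its host name, the reputation cache is refreshed on every DNS query and filled on a miss, a (possibly wildcarded) name-based rule is looked up for the later flow to the resolved address, the default action is applied when nothing matches or no name was bridged, and every decision is handed to a collector that is periodically flushed as JSON. The class names, the rule format, the risk-level ordering and the stub server are assumptions of this illustration.

```python
import fnmatch
import json
from dataclasses import dataclass
from typing import Optional

# Assumed risk-level ordering, lowest to highest; the level names follow the
# five dashboard risk levels described later in the disclosure.
RISK_ORDER = ["unknown", "low_risk", "moderate_risk", "high_risk", "severe_risk"]


@dataclass
class Reputation:
    risk: str        # one of RISK_ORDER
    category: str    # e.g. "Malware sites"


@dataclass
class Rule:
    host_pattern: str               # may be wildcarded, e.g. "*.corp.test"
    action: str                     # "tunnel", "local" (bypass the tunnel) or "block"
    min_risk: Optional[str] = None  # if set, rule applies only at this risk level or worse


class ReputationServerStub:
    """Constructed stand-in for the reputation lookup done by the VPN server pool."""
    def __init__(self, table):
        self.table = table
        self.calls = 0

    def lookup(self, host):
        self.calls += 1
        return self.table.get(host, Reputation("unknown", "unknown"))


class VpnPolicyEngine:
    def __init__(self, rules, server, default_action="tunnel"):
        self.rules = rules                  # policy rules store; first matching rule wins
        self.server = server
        self.default_action = default_action
        self.reputation_store = {}          # local reputation cache: host name -> Reputation
        self.ip_to_host = {}                # DNS bridge: resolved address -> host name
        self.collector = []                 # flow metadata awaiting flush to the data gateway

    def on_dns_response(self, host, addresses):
        # Bridge every resolved address to its name and refresh the cached
        # reputation even on a cache hit, so the cache stays current.
        for addr in addresses:
            self.ip_to_host[addr] = host
        self.reputation_store[host] = self.server.lookup(host)

    def _reputation(self, host):
        # Cache miss on a bridged host: fetch from the server pool and record it.
        if host not in self.reputation_store:
            self.reputation_store[host] = self.server.lookup(host)
        return self.reputation_store[host]

    def _find_rule(self, host, rep):
        for rule in self.rules:
            if not fnmatch.fnmatchcase(host, rule.host_pattern):
                continue
            if rule.min_risk and RISK_ORDER.index(rep.risk) < RISK_ORDER.index(rule.min_risk):
                continue
            return rule
        return None

    def on_flow(self, dst_ip, dst_port, app):
        """Decide how to treat a new flow and hand its metadata to the collector."""
        host = self.ip_to_host.get(dst_ip)
        rep = self._reputation(host) if host else None   # no bridged name: no name policy
        rule = self._find_rule(host, rep) if host else None
        action = rule.action if rule else self.default_action
        self.collector.append({
            "app": app, "dst_ip": dst_ip, "dst_port": dst_port, "host": host,
            "risk": rep.risk if rep else None, "category": rep.category if rep else None,
            "matched_rule": rule.host_pattern if rule else None, "action": action,
        })
        return action

    def flush_collector(self):
        """Serialize pending metadata for the data gateway and clear the local store."""
        payload = json.dumps(self.collector)
        self.collector = []
        return payload


def demo():
    """Constructed scenario: three resolved hosts plus one never-resolved address."""
    server = ReputationServerStub({
        "bad.example.test": Reputation("severe_risk", "Malware sites"),
        "files.storage.test": Reputation("low_risk", "Personal storage"),
        "intranet.corp.test": Reputation("unknown", "Intranet sites"),
    })
    rules = [Rule("*", "block", min_risk="high_risk"),   # block anything High Risk or worse
             Rule("*.corp.test", "tunnel"),              # corporate names go over the tunnel
             Rule("*", "local")]                         # everything else bypasses the tunnel
    engine = VpnPolicyEngine(rules, server)
    engine.on_dns_response("bad.example.test", ["198.51.100.7"])
    engine.on_dns_response("files.storage.test", ["198.51.100.8"])
    engine.on_dns_response("intranet.corp.test", ["10.1.2.3"])
    actions = [engine.on_flow("198.51.100.7", 443, "browser"),
               engine.on_flow("198.51.100.8", 443, "sync-app"),
               engine.on_flow("10.1.2.3", 8080, "browser"),
               engine.on_flow("203.0.113.9", 22, "ssh-client")]   # no DNS seen: default action
    records = json.loads(engine.flush_collector())
    return {"actions": actions, "server_calls": server.calls,
            "records": records, "pending": len(engine.collector)}
```

The rule list is ordered most-restrictive first, so the reputation-driven block rule is consulted before any name-based routing rule; the fourth flow shows the default behaviour for an address that never passed through the DNS bridge.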
A non-limiting example of the cached collector data, which can be stored as textual data or JSON data is shown in
Data gateway 114 receives the network flow information and/or metadata from the downloaded collector data and unpacks or normalizes the downloaded data. Data gateway 114 can forward the data to data publisher 116, which can instruct reporting engine 118 to prepare reports or dashboards. Reporting engine 118, e.g., can use the reputation data to prioritize and filter application flow data to present an overall cybersecurity posture of the network. Data publisher 116 can also send the data to a machine learning unit 120, which can use artificial intelligence and machine learning algorithms to update information based upon what it learns. Machine learning unit 120 can be coupled to transmit alerts to VPN server 110 for alerting clients or updating clients' policies.
An exemplary flow diagram of an operation of the client 10 and VPN server pool 100 is depicted in
At 208, a determination is made whether to connect through the tunnel or through a local proxy. When connecting through the local proxy, the local proxy at 209 writes back to the local TCP/IP stack that the network flow is protected with the VPN enabled. When connecting through the tunnel, the packet is forwarded through the VPN tunnel to the server at 210.
An exemplary sequence diagram that shows the order of events when an application is opened on the client in accordance with embodiments. This sequence diagram generally corresponds to the exemplary flow diagram depicted in
The VPN server can send a DNS response to the application at 307 and can send a reputation response to the VPN policy engine at 308. At 309, the application sends a request for a network flow to the VPN policy engine. The VPN policy engine will then determine at 310 whether the network flow should be through the tunnel or through a local proxy for local connection to the public or private network or whether the network flow should be blocked. Whether the existing policy requires the network flow to be directed through the tunnel or the local proxy or to be blocked, the VPN policy engine will record the event in the collector at 312. Periodically or asynchronously, the data stored in the collector is sent to the data gateway at 313. The data gateway instructs the data publisher to publish the received data at 314 and the data publisher sends the data it receives to the reporting engine and the machine learning unit at 315.
As shown in
Thus, mobile management system 400 is provided with the ability to monitor and control remote and mobile clients outside the firewall. This is particularly advantageous in that, while known systems require all traffic to pass through a server or proxy where network activity is analyzed and policy is enforced, the mobile management system 400 will analyze and control on the mobile client 403 and on servers 401, 402, and policy enforcement is done on the client 403.
In embodiments, where data analysis is done on servers 401, 402, policy triggers can be sent to client 403 for enforcement. Moreover, mobility server 401 can be formed by one or more servers and/or proxy servers residing in the cloud, e.g., AWS or Azure clouds, and mobility server 402 can be formed by one or more servers and/or proxy servers residing on premises. The system will provide diagnostics, visibility and policy control on flows inside the VPN tunnel, which can use, e.g., strong AES encryption, DES or Twofish. Further, the system will provide diagnostics, visibility and policy control on flows outside the tunnel going directly to the cloud. This configuration frees up resources at the enterprise and improves performance by removing the need to send all data back to the enterprise or to a server in the cloud.
By way of non-limiting example, cloud based mobility server 401, which is configured to provide a secure tunnel service that provides first hop security by creating an encrypted tunnel between clients 403 and the tunnel server, includes a data gateway acting as a collection point for client application flow, performance and security data. Moreover, cloud based mobility server 401 can also provide a secure tunnel all the way back to the customer/enterprise internal network by simply setting up another tunnel between the customer's private network and the cloud. Mobility server 401 can also include a policy service that can push mobility policy to attached clients 403 and an alert service that can push mobility alerts to attached clients 403, as well as administrative alerts sent via SMS, email, syslog or SNMP. In embodiments, servers 401, 402 have the ability to identify ad servers, prevent connections to those servers for web browsers and applications, and push down policy rules to the client to prevent such connections. Moreover, a secure tunnel between the cloud server and an on-premises mobility server 402 can be established to provide cloud server configuration and client authentication. Further, the on-premises network can be connected to the cloud based mobility server 401 by using commodity technologies, e.g., an IPSec tunnel, instead of another mobility server running in the customer's on-premises network.
Mobility server 401 can be implemented to enhance security and performance of the enterprise. In embodiments, mobility server policy actions and conditions can be provided for routing specific application traffic to specific proxy servers. Moreover, the proxy servers can support TLS back to the server pool on premise for configuration and administration, and mobile clients 403 can include policy to direct traffic to specific proxy servers using TLS. Mobile clients 403 can support at a minimum encryption, compression, and roaming when routing application traffic to proxies. Mobile clients 403 operating with a proxy can support all forms of authentication and can support concurrent routing of traffic using pass-through, proxy, and VPN traffic for various applications. For example, application 1 traffic can be routed to a proxy, application 2 traffic can be routed to the Mobility pool on premise and application 3 traffic can be pass-through. In another example, flows for the same application can be routed differently based on remote host name, such that, when the application communicates with Remote Host A, it goes out the local proxy and when it communicates with Remote Host B, it goes over the tunnel.
The system provides diagnostic information regarding the state of the network, device, and application, while the system server will be able to reside on premise behind the firewall and in the cloud. The servers 401, 402 can include a VPN server, an anomaly detection data monitor, a server with dashboards, and proxy servers. The system will provide configuration such that authentication is required before permitting network traffic. The system will support multiple factors of authentication. The system analyzes applications, users, devices, networks, network devices such as access points, routers, carrier networks, location, destination servers, web sites and domains visited by users and performs a lookup of the reputation and category.
As discussed above, the network flow from the client may be established through the tunnel, such that a network flow 511 is established between client 510 and VPN server pool 531 and from VPN server pool 531 to third party server or service 520. Alternatively, based upon policy, a network flow 513 can be established outside of the tunnel to connect client 510 via a local proxy to third party server and services 520.
However, while the network flow may be through the tunnel or outside of the tunnel, network flow information 514 is sent through the tunnel between client 510 and VPN server pool 531. This network flow information can include the collector data from the client and metadata about the network flows 511, 512, 513. Further, VPN server pool 531 sends network flow information 515 to data intake server 536 and network flow information 516 to reporting engine 535. Data intake server 536 sends network flow information 517 to data storage 533 for recording, and analysis server 534 can read network flow information 518 from data storage 533. Analysis server 534 can analyze the metadata, e.g., using artificial intelligence and machine learning algorithms, and send alerts 540 to VPN server pool 531 if it finds something that warrants protecting the client or enhancing operation of the client. VPN server pool 531 can issue an alert 541 to reporting engine 535. VPN server 531 can also establish a connection for policy updates 542 through the tunnel to client 510.
The network flow information or data can be compiled in reporting engine 535 based upon various categories of interest, e.g., web site reputation, to be presented to administrators and users in dashboards. By way of non-limiting example, reputations can be characterized into five (5) risk levels for dashboards, e.g., severe risk, high_risk, moderate_risk, low_risk and unknown reputation. Further, the system can categorize each visited web site. By way of non-limiting example, there can be over 85 different categories, such as, e.g., Abortion, Abused drugs, Adult and pornography, adware Security, Alcohol and tobacco, Auctions, Bot nets—Security, Business and economy, CDNs, Cheating, Computer and internet info, Computer and internet security, Confirmed SPAM sources—Security, Cult and occult, Dating, Dead sites, Dynamically generated content, Educational institutions, Entertainment and arts, Fashion and beauty, Financial services, Food and dining, Gambling, Games, Government, Gross, Hacking, Hate and racism, Health and medicine, Home and garden, Hunting and fishing, Illegal, Image and video search, Internet communications, Internet portals, Intranet sites, Job search, Keyloggers and monitoring, Kids, Legal, Local information, Malicious URLs and paths—Security, Malware sites Security, Marijuana, Military, Motor vehicles, Music, News and media, Nudity, Online greeting cards, Open HTTP proxies—Security, Parked domains, Pay to surf, Peer to peer, Personal sites and blogs, Personal storage, Philosophy and political advocacy, Phishing and other frauds—Security, Private IP addresses, Proxy avoid and anonymizers—Security, Questionable, Real estate, Recreation and hobbies, Reference and research, Religion, SPAM URLs—Security, Search engines, Sex education, Shareware and freeware, Shopping, Social network, Society, Sports, Stock advice and tools, Streaming media, Swimsuits and intimate apparel, Training and tools, Translation, Travel, Unconfirmed SPAM sources—Security, Violence, Weapons, Web advertisements, Web hosting sites and Web-based email.
Users may configure specific dashboards with categories of interest. By way of non-limiting example,
Metadata collected on clients for visibility and control will be reported by mobile clients for, e.g., users, devices, networks, applications, destination location, destination servers, destination services, countries, location, and web sites, for traffic inside and for traffic outside the VPN tunnel. This metadata will be used to perform anomaly detection and security (entity) behavior analysis. The system can create policy triggers based on results of this analysis. Reputation of, e.g., users, devices, networks, applications, destination location, destination servers, destination services, countries, location, and web sites can also be calculated based on behavior. By way of non-limiting example, the system can detect that a user has accessed a website that is not typically used by other users in the deployment and is uploading large amounts of information, such as uploading data to Dropbox. This behavior will create an alert and a policy trigger sent down to clients that may be paired with one or more policy actions, discussed below. One such method for analyzing the data can be machine learning algorithms such as Regression, Random Forests, and neural networks.
Client policy will allow an administrator to configure policy triggers based on individual web, categories, and risk level. The policy can be configured on the server and pushed down to clients and can be enforced by clients because the clients are context aware, i.e., clients know the network, location, speed, applications, users etc. The server does not. Enforcement of policy on the client is required for highly mobile networks because the context and environment are always changing.
By way of non-limiting example, policy triggers can include Destination Web site, Destination server address and port, Application being launched, Protocol, Network SSID/BSSID, Network name (AT&T, etc.), Network speed, IP Address change, Inside geographical fence and Outside geographical fence. Further examples of policy triggers can be derived from the anomaly detection data monitor, e.g., the reputation of users, devices, networks, applications, destinations, destination services, countries, location, and web sites. When a client detects that a policy has been triggered, it will perform an associated action, e.g., to block access to the web site or to bypass the web site by sending the web site traffic outside the VPN tunnel directly to the cloud service. Non-limiting examples of actions include Sending an SMS, email or text to an administrator, Presenting a pop-up or toast message to the end user, Enabling advanced logging, Blocking the access point, Tunneling the application over the VPN, Sending the application traffic outside the VPN, Blocking the web site, Blocking the application, Hiding the network interface, Forcing the user to re-authenticate, Forcing the user to re-authenticate with additional authentication factors, Compressing, Accelerating, Enabling forward error correction, Launching an application, Launching network diagnostics and Performing a network speed test. In response to the policy trigger, it is understood that one or more actions may be taken to resolve the policy trigger.
Policy triggers and actions may be compounded. For example, if user is on a cellular network outside the firewall and accesses a social media video website, accessing the website will create a policy trigger that is resolved by blocking the website and by presenting a message to the user. However, if the user is inside the firewall and accesses the social media video website, the policy trigger is resolved by allowing the user access to the website.
By way of non-limiting example, the anomaly detection data monitor may determine that there are enough changes in user behavior to require the end user to perform a multifactor authentication. The policy trigger is sent down to the client and the multifactor authentication process is started. Network traffic may be blocked until the authentication is completed. A non-limiting exemplary listing of changes to user behavior may include location, network, device, applications, and destinations.
Policy triggers for risk level can also be supported. One such example may be to create a policy action to block any of the sites with a reputation of “High Risk” or worse.
Web sites can also be blocked by category. One such example is to create a policy action to block all Sports web sites (Sports is one of the categories).
The client system will have the ability to route traffic for web sites, applications, destinations, protocols, addresses, etc. When inside the VPN tunnel, the VPN can provide encryption. When outside the tunnel and transmitting directly to the destination, the applications may typically provide the encryption, such as when TLS/SSL is used when accessing an ecommerce site. When sending to a proxy service that may be on premise or inside the cloud, the client and the proxy can negotiate a TLS tunnel to provide encryption.
In an extreme case, policy may be configured to route all traffic outside the firewall, e.g., all application and web site traffic is configured to go directly to the cloud or destination. In this case the application is responsible for encrypting the traffic, while the VPN tunnel is used for administration purposes to collect metadata and provide policy control and configuration.
In another extreme case, policy may be configured such that all traffic is routed through the VPN tunnel.
Policy may be configured to only route traffic through the VPN tunnel when the client determines that the underlying network is not secure. One such example is when the client roams to a Wi-Fi access point that does not have encryption configured.
Policy may be configured to only route traffic through the VPN tunnel when the client determines that the underlying network is slow and compression and other optimizations are required. One such example is when the client roams onto a network that has a historical speed below some preconfigured threshold.
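By way of a worked, non-limiting illustration added here (it is not code from the disclosure or from any described product), the following Python sketch models the client-side trigger evaluation discussed from the policy trigger list through the routing cases above: the client supplies the context only it knows (network type, inside/outside the firewall, Wi-Fi encryption, measured speed), each trigger is a condition over that context and the destination's reputation category and risk level, several triggers may fire for one flow, and their actions are compounded. The trigger names, the action names, the speed threshold and the destination data are assumptions of this illustration; the cellular-versus-inside-the-firewall case, the "High Risk or worse" rule, the Sports rule, the open Wi-Fi rule and the slow-network rule follow the text.

```python
from dataclasses import dataclass
from typing import Callable, List

RISK_ORDER = ["unknown", "low_risk", "moderate_risk", "high_risk", "severe_risk"]
SLOW_LINK_KBPS = 500   # assumed preconfigured speed threshold


@dataclass
class ClientContext:
    """What the client knows about its environment (the server does not)."""
    network_type: str          # "cellular", "wifi" or "ethernet"
    inside_firewall: bool
    wifi_encrypted: bool = True
    link_speed_kbps: int = 0   # 0 = no historical measurement yet


@dataclass
class Destination:
    host: str
    category: str              # reputation category, e.g. "Sports"
    risk: str                  # one of RISK_ORDER


@dataclass
class Trigger:
    name: str
    condition: Callable[[ClientContext, Destination], bool]
    actions: List[str]


def risk_at_least(risk, threshold):
    return RISK_ORDER.index(risk) >= RISK_ORDER.index(threshold)


# Constructed trigger set; conditions read only context the client already has.
TRIGGERS = [
    Trigger("social media video on cellular outside the firewall",
            lambda ctx, d: ctx.network_type == "cellular" and not ctx.inside_firewall
            and d.category == "Streaming media",
            ["block_web_site", "show_user_message"]),
    Trigger("reputation High Risk or worse",
            lambda ctx, d: risk_at_least(d.risk, "high_risk"),
            ["block_web_site", "notify_admin"]),
    Trigger("Sports category",
            lambda ctx, d: d.category == "Sports",
            ["block_web_site"]),
    Trigger("unencrypted Wi-Fi",
            lambda ctx, d: ctx.network_type == "wifi" and not ctx.wifi_encrypted,
            ["tunnel_over_vpn"]),
    Trigger("slow network",
            lambda ctx, d: 0 < ctx.link_speed_kbps < SLOW_LINK_KBPS,
            ["tunnel_over_vpn", "compress"]),
]


def evaluate(ctx, dest, triggers=TRIGGERS):
    """Return (names of triggers that fired, de-duplicated compound action list).
    With no trigger fired the flow is simply allowed as configured."""
    fired, actions = [], []
    for t in triggers:
        if t.condition(ctx, dest):
            fired.append(t.name)
            for a in t.actions:
                if a not in actions:
                    actions.append(a)
    return fired, (actions or ["allow"])


if __name__ == "__main__":
    video = Destination("video.social.test", "Streaming media", "low_risk")
    print(evaluate(ClientContext("cellular", inside_firewall=False), video))
    print(evaluate(ClientContext("ethernet", inside_firewall=True), video))
```

Because the same destination yields a block on cellular outside the firewall and an allow on the wired network inside it, the decision cannot be taken on the server, which is the point the text makes about context-aware enforcement on the client.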
The dashboards can be created from the reports. By way of non-limiting example, the system can look up the destination by location and report location (e.g., country, town . . . ) and/or can report on the usage of a VPN, network speed, network link quality such as SINR, RSRP, RSRQ, RSSI, and/or active network by carrier or SSID/BSSID. Further, the system can report the network being used to access specific websites or server destinations, the network being used by specific applications, and/or application usage byte counts by application, device, and/or user.
The reporting engine can provide significantly improved filtering capabilities over the known art by allowing the user to drill down to “User Details” and “Device Details”. The drill-down dashboards for users and devices also link to the other dashboards, making it much easier to explore device- or user-specific data by keeping the device and date/time context. For the non-limiting example shown in
For analyzing performance and network health, the dashboard in
The Network Bandwidth dashboards provide a statistical analysis of network throughput (send, receive and latency) measured by the mobile devices running Diagnostics bandwidth tests while connected to cellular, WiFi and Ethernet networks. These dashboards can be configured to default to displaying the statistical average, but also support median, maximum, minimum, 90th percentile and 10th percentile. These dashboards can be populated by manual or automated bandwidth tests run on the mobile devices with the Diagnostics client. The Cellular Bandwidth Summary by Carrier dashboard in
The Cellular Bandwidth Summary by Cell Tower ID dashboard in
The Wi-Fi bandwidth in
The Ethernet Bandwidth Summary dashboard in
The Network Failures Summary dashboard in
The Connect Failure dashboards can help managers and administrators understand where and when mobile devices are unable to connect to a wireless network, Wi-Fi or cellular. For this dashboard, reported events can come from mobile devices running the Diagnostics client. The connect failures can be presented for cellular (
The Diagnostics Reports Summary dashboard in
The Realtime Traffic Audit dashboard in
Traffic Destination Audit in
The VPN Security Audit in
VPN Status in
The Wi-Fi Security Audit dashboard in
The Mobility Impact dashboard in
Network Usage reports are for IT and network managers who need to understand details of the mobile network usage on Carrier, Wi-Fi and Ethernet networks. Events reported in this dashboard can use data gathered from Diagnostics clients. These reports can be presented as a Network Usage Summary, Cellular Network Usage and WiFi Network Usage. The Network Usage Summary in
Cost Control dashboards for Application Usage provide IT, business, and security managers tools to understand application usage behavior over time by device, user, application, domain, and destination (FQDN or IP). These reports offer the ability to understand and analyze traffic patterns on devices that historically do not provide information about applications, including iOS iPhones and iPads. Events reported in the Application Usage dashboard use data gathered from devices running the Mobility client. Filtering to a specific device will also show network data if the device is running the Diagnostics client.
The Highest Application Usage dashboard in
The Lowest Application Usage dashboard in
The Itemized Application Usage dashboard in
For managers or support personnel, the Devices dashboard in
For managers or support personnel, the Users dashboard in
For managers and support personnel who need to know where a device is, the Device Locator dashboard in
The Cellular Adapter Status dashboard in
The User Details dashboard in
The Device Details dashboard in
The Deployment Status dashboard in
The Application Details dashboard in
The Application Version Details dashboard in
The Applications dashboard in
Traffic categorization is a feature of the Mobility Reputation service. When this service is enabled, destination host names are categorized according to site content, and assigned a risk level based on an analysis of various factors including known malicious content, and the popularity and longevity of the site. Each traffic category is assigned to a category group, configured on the Mobility server. The Approved Traffic Destinations dashboard in
The Batteries dashboard in
The Category Details dashboard in
The Cellular Adapter Firmware Audit dashboard in
The Cellular Adapters dashboard in
The Cellular and Wi-Fi Connection Map dashboard in
The Cellular Bandwidth Tests dashboard in
The Cellular Coverage Map dashboard in
The Cellular Grid Cell Details dashboard in
The Destination Details dashboard in
Use the Device Activity dashboard in
The Device Location Health dashboard in
The Diagnostic Reports List dashboard in
The Ethernet Network Usage dashboard in
The Legal Liability Traffic Audit dashboard in
The Licensing dashboard in
The Mobile IQ Status dashboard in
The Mobility Alerts dashboard in
The Mobility Connection Status dashboard in
The Mobility Disconnects dashboard in
The Other Traffic Destinations dashboard in
A Mobility client device or user that has been quarantined cannot connect to the Mobility server. Quarantines can be applied to a device, user, or group. A quarantined connection occurs when a quarantined entity (a device, user, or member of a group) attempts to make a connection to Mobility. The Quarantined Connections dashboard in
The NetMotion Reputation service, configured within the Mobility console, uses reputation categories, site history, age, rank, and location, in addition to other contextual and behavioral trends to determine risk level of a destination or application accessed by Mobility clients. Each reputation category (such as Gambling, or Violence) belongs to a larger category group (such as Legal Liability). These category groups are used by Mobile IQ dashboards (such as High Risk Traffic Audit, Legal Liability Traffic Audit, and Approved Traffic Destinations) to classify and analyze network traffic. The Reputation Category Groups dashboard in
The SIM Cards—Last Used Plans dashboard in
The SIM Cards—Low Plan Usage dashboard in
The SIM Card Details dashboard in
The Threat Status dashboard in
The Traffic Destination List dashboard in
The Wi-Fi Bandwidth Tests dashboard in
The Wi-Fi Connection Map dashboard in
The Wi-Fi Grid Cell Details dashboard in
The system and method in the presently disclosed embodiments use artificial intelligence (AI) and machine learning to improve performance, reliability, cost and security. In particular, the system and method automate performance, cost and security improvements in real time, maintain entity behavior awareness (e.g., for users, devices, applications, batteries, networks, domains and reputation) in real time, and perform cohort analysis to monitor group behavior in real time. Cohort analysis identifies entities that are not performing like their peers, while entity analysis monitors an individual entity's changing usage patterns to determine that it is acting out of the ordinary. The system and method can use any statistical or machine learning algorithms, or combinations thereof, for anomaly detection, cluster analysis, cohort discovery, pattern recognition, etc., using data from groups of users, individual users, and/or discovered cohorts. Non-limiting examples of statistical and machine learning algorithms include deep learning neural networks; variational autoencoders; overcomplete autoencoders; support vector machines; random forests; DBSCAN, k-means and other clustering algorithms; and local outlier factors.
According to embodiments, AI and machine learning can address cost by identifying increases in data usage on metered networks and alerting users to significant changes, and by identifying when users could be using Wi-Fi but are not, e.g., notifying users when they are in areas with Wi-Fi coverage and/or offloading and roaming to Wi-Fi when it is available. Further, cohort analysis can identify entities that use more or less than their peers, e.g., performing more or fewer transactions than others, consuming more or less data than others, staying on costly metered networks instead of free Wi-Fi, and/or using unusual services.
The AI and machine learning can also improve performance and productivity. To address over-use of “recreational” applications, the method and system can be configured to notify, alert, and automatically block, throttle, or restrict usage; to address under-use of mission-important applications, the AI and machine learning can notify and alert the VPN server pool, which can issue an alert and log the data to productivity dashboards. As performance and productivity change over time, the method and system can likewise notify, alert, and automatically block, throttle, or restrict usage, and can reduce network wait times by blocking unneeded traffic such as adware and advertisements. Cohort analysis can identify devices and users that are underperforming: specific users completing fewer transactions (productivity) than their peers, devices with failing batteries, devices running unusual applications or using unusual services, and unusual or changing time patterns. The AI and machine learning can also identify areas with historically poor network performance and switch to a better network when one is available, or raise an alert when none is.
With regard to security, the AI and machine learning can provide threat analysis that makes it easier for businesses to find potentially malicious activity by sifting through enormous volumes of data to surface only “interesting information”. In this regard, the AI and machine learning can: monitor and learn “normal” behavior for a given entity (user, device, application) and identify behavior changes; monitor cohorts and identify entities that differ from them, e.g., a device that becomes infected and starts exhibiting strange behavior is placed into a heightened state of monitoring; detect entities uploading or downloading data to unusual services (such as DropBox); detect entities sending to or receiving from unusual IP addresses, servers, services, locations and countries; detect security software (e.g., firewall, DLP, AV) being enabled or disabled; detect valid or invalid certificates; detect whether a key application is absent from or present on a device; detect device security controls being enabled or disabled; and track the frequency of attempts to access blocked sites. The AI and machine learning can also determine the boundaries of the “normal” locations of individual devices and/or device cohorts and detect when a device is outside its normal area.
Based on the findings and/or detections of the AI and machine learning, the method and system can block or allow traffic; switch between the use of different network interfaces; use multiple network interfaces; use or not use a proxy server; switch between different proxy servers; force encryption between two devices; force compression between two devices; force forward error detection between two devices; cause a device to launch an application; cause a device to run diagnostics; force advanced authentication; enable advanced logging; throttle network usage; limit network destinations; quarantine the device; and/or force traffic through encrypted tunnels.
Referring back to
In the view of the above, it is understood that all network flows can be captured so that metadata or information about them may be collected and then all network flows can be rewritten back to the local network stack.
Embodiments are directed to a method and system for capturing all network flows to and from a computer, recording information on all such flows, and sending all of that information to common data storage. The method and system further aggregate the collected flow data in real time and process the aggregated results through one or more machine learning (ML) algorithms. They further include a specific ML workflow which groups and aggregates flows of previous data, adds statistical metadata to produce specialized data sets, uses the specialized data sets to train a customized ML algorithm, and saves a trained ML model for each group of aggregated flows. As described herein, a machine learning workflow can be understood to refer to all processing required to complete a particular task. The method and system further group and aggregate flows of new data into the same specialized data sets and produce an anomaly score for the new data by processing the data sets through the given group's previously saved ML model. Anomaly events are produced by comparing anomaly scores to a threshold; the method and system allow the grouping of data flows to be defined and the thresholds used to produce anomaly events to be customized.
The method and system further include a specific ML workflow that generates specialized data sets by processing aggregated network traffic metadata to obtain higher dimensional input data. The aggregated network data has the following fields: date/time of transfer, received bytes, transmitted bytes, number of flows, application name, destination address, and destination port. Application names, destination addresses, and destination ports are treated as non-numeric (categorical) data. Each unique value for all categorical data is treated as a single input (feature) processed by the ML architecture. As described herein, machine learning architecture can be understood to refer to one or more machine learning algorithms that have been combined to accomplish a particular task. As a non-limiting example, if ‘explorer’ is an application name in the aggregated network traffic then all entries in the specialized data set will contain a value called ‘explorer’ which will be the number of times the aggregated network traffic contained ‘explorer’ as an application name within a 15-minute interval. The specialized data set will therefore include the set of all unique categorical values within the aggregated network data appended with the numerical values for received bytes, transmitted bytes, and number of flows. Therefore, a given entry in the specialized data set will be the count of each unique value seen in the aggregated network data over a 15-minute interval along with the numerical averages of received bytes, transmitted bytes, and number of flows reported in the aggregated network data over the same 15-minute interval. Therefore, the number of values in every entry of a given specialized data set is the number of unique application names plus the number of unique destination addresses plus the number of unique destination ports plus three (which are the average of received bytes, average of transmitted bytes, and average of number of flows).
After processing into specialized data sets, we limit subsequent processing to specialized data sets from a single computer or customized group of computers with at least 40 values (features) and at least 10 days' worth of data (approximately 1000 data points when grouped into 15-minute intervals).
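The following is an added worked example, not code from the patent or from the Mobility product, showing how the specialized data set described above can be built from aggregated records and how the 40-feature / 10-day gate is applied. The record field names (ts, rx, tx, flows, app, dst, port), the sample records and the synthesized filler are assumptions made for the example; the page only lists the seven aggregated fields and the two thresholds. Categorical values are prefixed with their field name, which the text does not require but which prevents a port and a host name with the same spelling from collapsing into one feature.

```python
"""Build the 'specialized data set' from aggregated flow records.

Each categorical value (application name, destination address, destination
port) becomes one count feature; received bytes, transmitted bytes and flow
count become three averages; everything is bucketed into 15-minute intervals.
Standard library only, so it runs offline.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

INTERVAL = timedelta(minutes=15)
MIN_FEATURES = 40   # minimum feature count before a group is modelled
MIN_DAYS = 10       # minimum history before a group is modelled

# Constructed sample of aggregated records (not real telemetry). Field names
# are assumptions; the text only lists the seven fields themselves.
SAMPLE_RECORDS = [
    {"ts": "2021-04-14T09:02:00", "rx": 1200, "tx": 300, "flows": 2,
     "app": "explorer", "dst": "10.0.0.5", "port": 443},
    {"ts": "2021-04-14T09:07:00", "rx": 800, "tx": 100, "flows": 1,
     "app": "explorer", "dst": "10.0.0.9", "port": 443},
    {"ts": "2021-04-14T09:13:00", "rx": 50, "tx": 20, "flows": 1,
     "app": "outlook", "dst": "10.0.0.5", "port": 993},
    {"ts": "2021-04-14T09:20:00", "rx": 5000, "tx": 4000, "flows": 6,
     "app": "dropbox", "dst": "203.0.113.7", "port": 443},
]


def bucket_start(ts):
    """Floor an ISO-8601 timestamp to the start of its 15-minute interval."""
    t = datetime.fromisoformat(ts)
    return t.replace(minute=(t.minute // 15) * 15, second=0, microsecond=0)


def categorical_keys(record):
    """Prefix each value with its field so a port 443 and a host named
    '443' cannot collapse into one feature."""
    return (f"app:{record['app']}", f"dst:{record['dst']}", f"port:{record['port']}")


def build_dataset(records):
    """Return (columns, rows); each row is (interval_start, feature_vector).

    Vector layout: one count per unique categorical value, then the
    per-interval averages of received bytes, transmitted bytes and flows,
    so len(vector) == unique apps + unique addresses + unique ports + 3.
    """
    vocab = sorted({k for r in records for k in categorical_keys(r)})
    index = {name: i for i, name in enumerate(vocab)}
    buckets = defaultdict(list)
    for r in records:
        buckets[bucket_start(r["ts"])].append(r)
    rows = []
    for start in sorted(buckets):
        group = buckets[start]
        counts = [0] * len(vocab)
        for r in group:
            for key in categorical_keys(r):
                counts[index[key]] += 1
        averages = [mean(r["rx"] for r in group),
                    mean(r["tx"] for r in group),
                    mean(r["flows"] for r in group)]
        rows.append((start, counts + averages))
    return vocab + ["avg_rx", "avg_tx", "avg_flows"], rows


def eligible(columns, rows):
    """Apply the gating rule: at least MIN_FEATURES features and at least
    MIN_DAYS of history (measured from first to last interval, inclusive)."""
    if len(columns) < MIN_FEATURES or not rows:
        return False
    covered = rows[-1][0] - rows[0][0] + INTERVAL
    return covered >= timedelta(days=MIN_DAYS)


def synthesize_records(days=MIN_DAYS, n_apps=MIN_FEATURES):
    """Constructed filler: one record per 15-minute interval cycling through
    n_apps invented application names, to exercise the gate without telemetry."""
    start = datetime(2021, 4, 1)
    return [{"ts": (start + i * INTERVAL).isoformat(), "rx": 100, "tx": 10,
             "flows": 1, "app": f"app{i % n_apps}", "dst": "10.0.0.1", "port": 443}
            for i in range(days * 96)]


if __name__ == "__main__":
    cols, rows = build_dataset(SAMPLE_RECORDS)
    print(len(cols), "features; eligible:", eligible(cols, rows))
    for start, vec in rows:
        print(start.isoformat(), dict(zip(cols, vec)))
```

With the four sample records the vocabulary has three applications, three addresses and two ports, so each vector has 3 + 3 + 2 + 3 = 11 values, well under the 40-feature gate; the synthesized ten-day history with 40 application names passes it. One practical consequence of this layout is that the feature count, and therefore the trained model's input width, is fixed by the vocabulary seen at training time: a destination or application first seen later has no column, so new data must be projected onto the training vocabulary rather than rebuilt from scratch.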
The present invention uses a two-stage ML architecture. The first stage applies a Variational Auto-Encoder (VAE) ML algorithm using the specialized data sets as input. The VAE outputs a “mean error” for each entry in the specialized data set by attempting to reproduce the input entry at its output and calculating the difference between the two. The second stage includes multiple statistical methods which independently process the mean error, so that each statistical method produces a score indicative of how anomalous the given mean error is compared to all previous mean errors. A “mean score” is produced by averaging the scores from the statistical methods. The mean score is compared against a customizable threshold to determine if the original input should be considered an anomaly.
The present invention's second stage implements three statistical methods: One-Class Support-Vector Machine (OC-SVM), Isolation Forest (ISF) and Local Outlier Factors (LOF).
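The following is an added example of the second stage described above, written for this page and not taken from the patent or the Mobility product. It takes a constructed series of first-stage mean errors (the autoencoder itself is not reproduced), scores each entry with three independent detectors, averages the scores, and thresholds the mean. Two of the three detectors, Local Outlier Factor and Isolation Forest, are implemented from scratch for one-dimensional input; a robust z-score (distance from the median in MAD units) stands in for the One-Class SVM, which the page names but which cannot be reproduced compactly without a library. The page does not say how the three scores are made comparable before averaging, so the min-max rescaling here is an assumption: raw LOF ratios, iForest scores in (0, 1) and z-scores live on different scales, and averaging them unscaled would let whichever detector has the largest numbers dominate the mean score.

```python
"""Second-stage score fusion over first-stage reconstruction errors.

Input: one 'mean error' per 15-minute entry, as the first-stage autoencoder
would emit. Three detectors score each error independently, each detector's
scores are rescaled to [0, 1], the three are averaged into a 'mean score',
and entries above a threshold become anomaly events. Standard library only.
"""
import math
import random

# Constructed first-stage output: 60 ordinary entries with small periodic
# jitter, then one entry whose reconstruction error is nine times larger.
SAMPLE_ERRORS = [0.10 + 0.01 * math.sin(i) for i in range(60)] + [0.90]


def robust_zscore(xs):
    """Stand-in for the one-class SVM: |x - median| / MAD."""
    s = sorted(xs)
    med = s[len(s) // 2]
    mad = sorted(abs(x - med) for x in xs)[len(xs) // 2] or 1e-12
    return [abs(x - med) / mad for x in xs]


def lof_1d(xs, k=5):
    """Local Outlier Factor (Breunig et al.) for one-dimensional inputs."""
    n = len(xs)
    neigh = [sorted((abs(xs[i] - xs[j]), j) for j in range(n) if j != i)[:k]
             for i in range(n)]
    kdist = [nb[-1][0] for nb in neigh]                 # distance to k-th neighbour
    reach = lambda i, j: max(kdist[j], abs(xs[i] - xs[j]))
    lrd = [k / max(sum(reach(i, j) for _, j in neigh[i]), 1e-12) for i in range(n)]
    return [sum(lrd[j] for _, j in neigh[i]) / (k * lrd[i]) for i in range(n)]


def _avg_path(m):
    """Average unsuccessful-search depth in a BST of m points (iForest c(m))."""
    if m <= 1:
        return 0.0
    return 2.0 * (math.log(m - 1) + 0.5772156649) - 2.0 * (m - 1) / m


def _build_tree(pool, depth, limit, rng):
    if depth >= limit or len(pool) <= 1 or min(pool) == max(pool):
        return ("leaf", len(pool))
    split = rng.uniform(min(pool), max(pool))
    return ("node", split,
            _build_tree([v for v in pool if v < split], depth + 1, limit, rng),
            _build_tree([v for v in pool if v >= split], depth + 1, limit, rng))


def _path_length(x, tree, depth=0):
    if tree[0] == "leaf":
        return depth + _avg_path(tree[1])
    _, split, left, right = tree
    return _path_length(x, left if x < split else right, depth + 1)


def isolation_forest_1d(xs, n_trees=100, sample_size=32, seed=1):
    """Isolation Forest (Liu et al.): points isolated by few random splits
    score close to 1, points buried among their neighbours score lower."""
    rng = random.Random(seed)
    sample_size = min(sample_size, len(xs))
    limit = math.ceil(math.log2(sample_size))
    depths = [0.0] * len(xs)
    for _ in range(n_trees):
        tree = _build_tree(rng.sample(xs, sample_size), 0, limit, rng)
        for i, x in enumerate(xs):
            depths[i] += _path_length(x, tree)
    norm = _avg_path(sample_size)
    return [2 ** (-(d / n_trees) / norm) for d in depths]


def minmax(scores):
    """Map one detector's raw scores onto [0, 1] so that LOF ratios,
    iForest scores and z-scores can be averaged on a common scale."""
    lo, hi = min(scores), max(scores)
    return [0.0] * len(scores) if hi == lo else [(s - lo) / (hi - lo) for s in scores]


def fuse(errors, threshold=0.5):
    """Return (mean_scores, indices flagged as anomaly events)."""
    per_detector = [minmax(f(errors)) for f in (robust_zscore, lof_1d, isolation_forest_1d)]
    mean_scores = [sum(col) / len(col) for col in zip(*per_detector)]
    return mean_scores, [i for i, s in enumerate(mean_scores) if s > threshold]


if __name__ == "__main__":
    scores, events = fuse(SAMPLE_ERRORS)
    print("anomaly events at entries:", events)
```

Running this flags only entry 60, the injected large reconstruction error. Min-max scaling has a known weakness that matters operationally: because one extreme value defines the top of each scale, a batch containing a single gross outlier compresses every other score toward zero, so a second, milder anomaly in the same batch can slip under the threshold. Scaling against a saved reference distribution of historical mean errors, rather than against the batch being scored, avoids that; the page's "compared to all previous mean errors" wording points in that direction.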
Aspects of embodiments of the present disclosure can be implemented by such special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions and/or software, as described above. In embodiments, the software elements can include firmware, resident software, microcode, etc.
As will be appreciated by those ordinarily skilled in the art, aspects of the present disclosure may be embodied as a system, a method or a computer program product. Accordingly, aspects of embodiments of the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present disclosure (e.g., the VPN service, the reporting engine, the analysis server, the VPN policy engine) may take the form of a computer program product embodied in any tangible medium of expression having computer-usable program code embodied in the medium.
Any combination of one or more computer usable or computer readable medium(s) may be utilized in the server and in the client. The computer-usable or computer-readable medium may be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CDROM), an optical storage device, a transmission media such as those supporting the Internet or an intranet, a magnetic storage device, a USB key, and/or a mobile phone.
In the context of this document, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The computer-usable medium may include a propagated data signal with the computer-usable program code embodied therewith, either in baseband or as part of a carrier wave. The computer usable program code may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc.
Computer program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the client or client device and partly on the server, whether on premises or in the cloud. The client or client device may be connected to the VPN server and/or to a destination server or service through any type of network. This may include, for example, a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). Additionally, in embodiments, the present invention may be embodied in a field programmable gate array (FPGA).
The computer system 4502 may be incorporated into one or both of the server and the client. The computer system 4502, or portions thereof, may be implemented as, or incorporated into, various devices, such as a personal computer, a tablet computer, a set-top box, a personal digital assistant, a mobile device, a palmtop computer, a laptop computer, a desktop computer, a communications device, a wireless telephone, a personal trusted device, a web appliance, or any other machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that device. Further, while a single computer system 4502 is illustrated, additional embodiments may include any collection of systems or sub-systems that individually or jointly execute instructions or perform functions.
As illustrated in
As shown in
The computer system 4502 may also include a medium reader 4512 and a network interface 4514. Furthermore, the computer system 4502 may include any additional devices, components, parts, peripherals, hardware, software or any combination thereof which are commonly known and understood as being included with or within a computer system, such as, but not limited to, an output device 4516. The output device 4516 may be, but is not limited to, a speaker, an audio out, a video out, a remote control output, or any combination thereof. As shown in
Furthermore, the aspects of the disclosure may take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system. The software and/or computer program product can be implemented in the environment of
Although the present specification describes components and functions that may be implemented in particular embodiments with reference to particular standards and protocols, the disclosure is not limited to such standards and protocols. Such standards are periodically superseded by faster or more efficient equivalents having essentially the same functions. Accordingly, replacement standards and protocols having the same or similar functions are considered equivalents thereof.
The illustrations of the embodiments described herein are intended to provide a general understanding of the various embodiments. The illustrations are not intended to serve as a complete description of all of the elements and features of apparatus and systems that utilize the structures or methods described herein. Many other embodiments may be apparent to those of skill in the art upon reviewing the disclosure. Other embodiments may be utilized and derived from the disclosure, such that structural and logical substitutions and changes may be made without departing from the scope of the disclosure. Additionally, the illustrations are merely representational and may not be drawn to scale. Certain proportions within the illustrations may be exaggerated, while other proportions may be minimized. Accordingly, the disclosure and the figures are to be regarded as illustrative rather than restrictive.
Accordingly, the present disclosure provides various systems, structures, methods, and apparatuses. Although the disclosure has been described with reference to several exemplary embodiments, it is understood that the words that have been used are words of description and illustration, rather than words of limitation. Changes may be made within the purview of the appended claims, as presently stated and as amended, without departing from the scope and spirit of the disclosure in its aspects. Although the disclosure has been described with reference to particular materials and embodiments, embodiments of the invention are not intended to be limited to the particulars disclosed; rather the invention extends to all functionally equivalent structures, methods, and uses such as are within the scope of the appended claims.
While the computer-readable medium may be described as a single medium, the term “computer-readable medium” includes a single medium or multiple media, such as a centralized or distributed database, and/or associated caches and servers that store one or more sets of instructions. The term “computer-readable medium” shall also include any medium that is capable of storing, encoding or carrying a set of instructions for execution by a processor or that cause a computer system to perform any one or more of the embodiments disclosed herein.
The computer-readable medium may comprise a non-transitory computer-readable medium or media and/or comprise a transitory computer-readable medium or media. In a particular non-limiting, exemplary embodiment, the computer-readable medium can include a solid-state memory such as a memory card or other package that houses one or more non-volatile read-only memories. Further, the computer-readable medium can be a random access memory or other volatile re-writable memory. Additionally, the computer-readable medium can include a magneto-optical or optical medium, such as a disk, tapes or other storage device to capture carrier wave signals such as a signal communicated over a transmission medium. Accordingly, the disclosure is considered to include any computer-readable medium or other equivalents and successor media, in which data or instructions may be stored.
While the specification describes particular embodiments of the present disclosure, those of ordinary skill can devise variations of the present disclosure without departing from the inventive concept.
One or more embodiments of the disclosure may be referred to herein, individually and/or collectively, by the term “invention” merely for convenience and without intending to voluntarily limit the scope of this application to any particular invention or inventive concept. Moreover, although specific embodiments have been illustrated and described herein, it should be appreciated that any subsequent arrangement designed to achieve the same or similar purpose may be substituted for the specific embodiments shown. This disclosure is intended to cover any and all subsequent adaptations or variations of various embodiments. Combinations of the above embodiments, and other embodiments not specifically described herein, will be apparent to those of skill in the art upon reviewing the description.
The above disclosed subject matter is to be considered illustrative, and not restrictive, and the appended claims are intended to cover all such modifications, enhancements, and other embodiments which fall within the true spirit and scope of the present disclosure. Thus, to the maximum extent allowed by law, the scope of the present disclosure is to be determined by the broadest permissible interpretation of the following claims and their equivalents, and shall not be restricted or limited by the foregoing detailed description.
Accordingly, the novel architecture is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims. Furthermore, to the extent that the term “includes” is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term “comprising” as “comprising” is interpreted when employed as a transitional word in a claim.
While the disclosure has been described with reference to specific embodiments, those skilled in the art will understand that various changes may be made and equivalents may be substituted for elements thereof without departing from the true spirit and scope of the disclosure. While exemplary embodiments are described above, it is not intended that these embodiments describe all possible forms of the embodiments of the disclosure. Rather, the words used in the specification are words of description rather than limitation, and it is understood that various changes may be made without departing from the spirit and scope of the disclosure. In addition, modifications may be made without departing from the essential teachings of the disclosure. Furthermore, the features of various implementing embodiments may be combined to form further embodiments of the disclosure.
Insofar as the description above and the accompanying drawing disclose any additional subject matter that is not within the scope of the claims below, the embodiments are not dedicated to the public and the right to file one or more applications to claim such additional embodiments is reserved.
This application is a Continuation of U.S. patent application Ser. No. 17/230,409 filed Apr. 14, 2021, which claims the benefit under 35 U.S.C. § 119(e) of U.S. Provisional Application No. 63/009,830 filed Apr. 14, 2020, the disclosures of which are expressly incorporated by reference herein in their entireties.
Number | Date | Country
---|---|---
63009830 | Apr 2020 | US

Relation | Number | Date | Country
---|---|---|---
Parent | 17230409 | Apr 2021 | US
Child | 18102172 | | US