Offloaded security as a service

US10231120B2 · US · B2

Patent metadata

Publication number: US-10231120-B2
Application number: US-201213652825-A
Country: US
Kind code: B2
Filing date: Oct 16, 2012
Priority date: Oct 16, 2012
Publication date: Mar 12, 2019
Grant date: Mar 12, 2019

Abstract

Official abstract text for this publication.

In one implementation, traffic in a mobile network is offloaded to a security as a service server or a cloud server. A mobile access gateway (MAG) in the mobile network identifies one or more mobile nodes that are configured for communication on the mobile network. The MAG receives a message that includes an address of a mobile node and sends a request based on the message to the security as a service server. The MAG forwards traffic flows to the security as a service server according to the message, which is configured to detect an indication of malicious software in the traffic flows and/or filter content of the traffic flows according to a user profile.

First claim

Opening claim text (preview).

We claim:

1. A method comprising: identifying a mobile node, wherein the mobile node is configured for communication on a cellular network; receiving an identification message including a security policy for the mobile node; based on the identification message, generating a request that identifies the security policy, wherein the request includes a token that permits access to a security as a service server configured to enforce the security policy on a traffic flow in route to an internet; sending the request to the security as a service server; and forwarding the traffic flow directly from the mobile node to the security as a service server over another network different from the cellular network, wherein the security as a service server enforces the security policy for the traffic flow.

2. The method of claim 1, wherein the security policy in the identification message originates from a home authentication, authorization, and accounting server.

3. The method of claim 1, further comprising: sending a proxy binding update to a local mobility anchor; wherein receiving the identification message includes receiving, from the local mobility anchor, the identification message in response to the proxy binding update.

4. The method of claim 1, further comprising: subscribing as an extensible messaging and presence protocol client to a local mobility anchor; and wherein receiving the identification message includes receiving the identification message from the local mobility anchor.

5. The method of claim 1, wherein the security as a service server enforces the security policy for the traffic flow by detecting an indication of malicious software in the traffic flow, and/or by filtering content of the traffic flow according to a user profile.

6. The method of claim 1, wherein the identification message includes a network access identifier.

7. The method of claim 1, wherein the security policy for the mobile node corresponds to a service level agreement indicating one or more security services to apply to the traffic flow.

8. A network device comprising: a communication interface configured to communicate with a mobile node and a security as a service server; a memory; and a controller coupled to the memory, wherein the controller is configured to: identify the mobile node, wherein the mobile node is configured for communication on a cellular network; receive an identification message including a security policy for the mobile node; based on the identification message, generate a request that identifies the security policy, wherein the request includes a token that permits access to the security as a service server configured to enforce the security policy on a traffic flow in route to an internet; send the request to the security as a service server; and forward the traffic flow directly from the mobile node to the security as a service server over another network different from the cellular network, wherein the security as a service server enforces the security policy for the traffic flow.

9. The network device of claim 8, wherein the security policy in the identification message originates from a home authentication, authorization, and accounting server.

10. The network device of claim 8, wherein the controller is further configured to: send a proxy binding update to a local mobility anchor; wherein the controller is configured to receive the identification message by receiving, from the local mobility anchor, the identification message in response to the proxy binding update.

11. The network device of claim 8, wherein the controller is further configured to: subscribe as an extensible messaging and presence protocol client to a local mobility anchor; wherein the controller is configured to receive the identification message by receiving the identification message from the local mobility anchor.

12. The network device of claim 8, wherein the security as a service server enforces the security policy for the traffic flow by detecting an indication of malicious software in the traffic flow, and/or by filtering content of the traffic flow according to a user profile.

13. The network device of claim 8, wherein the security policy for the mobile node corresponds to a service level agreement indicating one or more security services to apply to the traffic flow.

14. The network device of claim 8, wherein the identification message includes a network access identifier.

15. One or more non-transitory computer readable storage media encoded with instructions that, when executed by a processor, are configured to: identify a mobile node, wherein the mobile node is configured for communication on a cellular network; receive an identification message including a security policy for the mobile node; based on the identification message, generate a request that identifies the security policy, wherein the request includes a token that permits access to a security as a service server configured to enforce the security policy on a traffic flow in route to an internet; send the request to the security as a service server; and forward the traffic flow directly from the mobile node to the security as a service server over another network different from the cellular network, wherein the security as a service server enforces the security policy for the traffic flow.

16. The non-transitory computer readable media of claim 15, wherein the instructions further cause the processor to: send a proxy binding update to a local mobility anchor; wherein the instructions that cause the processor to receive the identification message include instructions that cause the processor to receive, from the local mobility anchor, the identification message in response to the proxy binding update.

17. The non-transitory computer readable media of claim 15, wherein the instructions further cause the processor to: subscribe as an extensible messaging and presence protocol client to a local mobility anchor; and wherein the instructions that cause the processor to receive the identification message include instructions that cause the processor to receive the identification information from the local mobility anchor.

18. The non-transitory computer readable media of claim 15, wherein the security policy for the mobile node corresponds to a service level agreement indicating one or more security services to apply to the traffic flow.

19. The non-transitory computer readable media of claim 15, wherein the security policy in the identification message originates from a home authentication, authorization, and accounting server.

20. The non-transitory computer readable media of claim 15, wherein the security as a service server enforces the security policy for the traffic flow by detecting an indication of malicious software in the traffic flow, and/or by filtering content of the traffic flow according to a user profile.

Assignees

Cisco Tech Inc

Classifications

  • By monitoring network traffic (monitoring network traffic per se: H04L43/00) · CPC title

  • Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services · CPC title

  • H04W12/02 (Primary): Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII] · CPC title

  • Protecting confidentiality, e.g. by encryption · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10231120B2 cover?
See the abstract above: traffic in a mobile network is offloaded from the mobile access gateway (MAG) to a security as a service server or cloud server, which detects indications of malicious software and/or filters content according to a user profile.
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1408. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Mar 12, 2019 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).