Apparatus and method for preventing file access by nodes of a protected system

US 10,205,726 B2
Filed: 03/27/2017
Issued: 02/12/2019
Est. Priority Date: 06/03/2016
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

at least one interface configured to be coupled to a storage device; and

at least one processing device configured to;

detect the storage device;

determine whether the storage device has been checked-in for use with at least the apparatus;

grant access to the storage device in response to determining that the storage device has been checked-in for use with at least the apparatus;

block access to the storage device in response to determining that the storage device has not been checked-in for use with at least the apparatus;

after granting access to the storage device, determine whether a file on the storage device has been checked-in for use with at least the apparatus;

grant meaningful access to the file on the storage device in response to determining that the file has been checked-in for use with at least the apparatus; and

block meaningful access to the file on the storage device in response to determining that the file has not been checked-in for use with at least the apparatus;

wherein, to determine whether the storage device has been checked-in, the at least one processing device is configured to determine whether at least one component of a file system of the storage device has been modified using an encryption method and a locally-stored certificate or private key; and

wherein, when the at least one component of the file system of the storage device has been modified using the encryption method and the locally-stored certificate or private key, nodes outside of a protected system cannot recognize the file system of the storage device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes detecting a storage device at a protected node and determining whether the storage device has been checked-in for use with at least the protected node. The method also includes granting access to the storage device in response to determining that the storage device has been checked-in for use with at least the protected node. The method further includes blocking access to the storage device in response to determining that the storage device has not been checked-in for use with at least the protected node. The method may also include determining whether a file on the storage device has been checked-in for use with at least the protected node. Meaningful access to the file is granted or blocked in response to determining that the file has or has not been checked-in for use with at least the protected node.

Citations

22 Claims

1. An apparatus comprising:
- at least one interface configured to be coupled to a storage device; and
  
  at least one processing device configured to;
  
  detect the storage device;
  
  determine whether the storage device has been checked-in for use with at least the apparatus;
  
  grant access to the storage device in response to determining that the storage device has been checked-in for use with at least the apparatus;
  
  block access to the storage device in response to determining that the storage device has not been checked-in for use with at least the apparatus;
  
  after granting access to the storage device, determine whether a file on the storage device has been checked-in for use with at least the apparatus;
  
  grant meaningful access to the file on the storage device in response to determining that the file has been checked-in for use with at least the apparatus; and
  
  block meaningful access to the file on the storage device in response to determining that the file has not been checked-in for use with at least the apparatus;
  
  wherein, to determine whether the storage device has been checked-in, the at least one processing device is configured to determine whether at least one component of a file system of the storage device has been modified using an encryption method and a locally-stored certificate or private key; and
  
  wherein, when the at least one component of the file system of the storage device has been modified using the encryption method and the locally-stored certificate or private key, nodes outside of a protected system cannot recognize the file system of the storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein, to determine whether the storage device has been checked-in, the at least one processing device is further configured to determine whether the storage device has an expected digital signature.
  - 3. The apparatus of claim 1, wherein, to determine whether the file has been checked-in, the at least one processing device is configured to at least one of:
    - determine whether the file has an expected digital signature; and
      
      determine whether the file is encrypted in an expected manner.
  - 4. The apparatus of claim 3, wherein, to determine whether the file has the expected digital signature, the at least one processing device is configured to determine whether the file has a hash value that matches an expected hash value.
  - 5. The apparatus of claim 1, wherein:
    - the at least one processing device is further configured to log information identifying one or more activities involving the storage device on the storage device; and
      
      the logged information includes at least one of;
      
      information about one or more files on the storage device and information about one or more events involving the storage device.
  - 6. The apparatus of claim 1, wherein:
    - the at least one processing device is configured to execute an agent that is configured to control access to the storage device; and
      
      the agent is configured to operate as a kernel-level driver or in kernel mode and is configured to intercept attempts to connect the storage device to the apparatus.
  - 7. The apparatus of claim 1, wherein the storage device comprises a USB drive.

8. A method comprising:
- detecting a storage device at a protected node;
  
  determining whether the storage device has been checked-in for use with at least the protected node;
  
  granting access to the storage device in response to determining that the storage device has been checked-in for use with at least the protected node;
  
  blocking access to the storage device in response to determining that the storage device has not been checked-in for use with at least the protected node;
  
  after granting access to the storage device, determining whether a file on the storage device has been checked-in for use with at least the protected node;
  
  granting meaningful access to the file on the storage device in response to determining that the file has been checked-in for use with at least the protected node; and
  
  blocking meaningful access to the file on the storage device in response to determining that the file has not been checked-in for use with at least the protected node;
  
  wherein determining whether the storage device has been checked-in comprises determining whether at least one component of a file system of the storage device has been modified using an encryption method and a locally-stored certificate or private key; and
  
  wherein, when the at least one component of the file system of the storage device has been modified using the encryption method and the locally-stored certificate or private key, nodes outside of a protected system cannot recognize the file system of the storage device.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The method of claim 8, wherein determining whether the storage device has been checked-in further comprises determining whether the storage device has an expected digital signature.
  - 10. The method of claim 8, wherein determining whether the file has been checked-in comprises at least one of:
    - determining whether the file has an expected digital signature; and
      
      determining whether the file is encrypted in an expected manner.
  - 11. The method of claim 8, further comprising:
    - logging information identifying one or more activities involving the storage device on the storage device;
      
      wherein the logged information includes at least one of;
      
      information about one or more files on the storage device and information about one or more events involving the storage device.
  - 12. The method of claim 8, wherein:
    - the detecting, determining, granting, and blocking are performed by an agent executed by the protected node, the agent configured to control access to the storage device; and
      
      the agent is configured to operate as a kernel-level driver or in kernel mode and is configured to intercept attempts to connect the storage device to the protected node.
  - 13. The method of claim 8, further comprising:
    - storing, by the protected node, one or more new files on the storage device; and
      
      logging information identifying file activity associated with the one or more new files on the storage device.
  - 14. The method of claim 8, wherein, when the file system of the storage device has not been modified in an expected manner, nodes within the protected system including the protected node cannot recognize the file system of the storage device.
  - 15. The method of claim 8, wherein the protected node is configured to perform functions related to industrial process control in an industrial process control and automation system.
  - 16. The method of claim 8, wherein the storage device comprises a USB drive.

17. A non-transitory computer readable medium containing instructions that, when executed by at least one processing device, cause the at least one processing device to:
- detect a storage device at a protected node;
  
  determine whether the storage device has been checked-in for use with at least the protected node;
  
  grant access to the storage device in response to determining that the storage device has been checked-in for use with at least the protected node;
  
  block access to the storage device in response to determining that the storage device has not been checked-in for use with at least the protected node;
  
  after granting access to the storage device, determine whether a file on the storage device has been checked-in for use with at least the protected node;
  
  grant meaningful access to the file on the storage device in response to determining that the file has been checked-in for use with at least the protected node; and
  
  block meaningful access to the file on the storage device in response to determining that the file has not been checked-in for use with at least the protected node;
  
  wherein the instructions that when executed cause the at least one processing device to determine whether the storage device has been checked-in comprise;
  
  instructions that when executed cause the at least one processing device to determine whether at least one component of a file system of the storage device has been modified using an encryption method and a locally-stored certificate or private key; and
  
  wherein, when the at least one component of the file system of the storage device has been modified using the encryption method and the locally-stored certificate or private key, nodes outside of a protected system cannot recognize the file system of the storage device.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The non-transitory computer readable medium of claim 17, wherein the instructions that when executed cause the at least one processing device to determine whether the storage device has been checked-in further comprise:
    - instructions that when executed cause the at least one processing device to determine whether the storage device has an expected digital signature.
  - 19. The non-transitory computer readable medium of claim 17, wherein the instructions that when executed cause the at least one processing device to determine whether the file has been checked-in comprise:
    - instructions that when executed cause the at least one processing device to at least one of;
      
      determine whether the file has an expected digital signature; and
      
      determine whether the file is encrypted in an expected manner.
  - 20. The non-transitory computer readable medium of claim 17, further containing instructions that when executed cause the at least one processing device to:
    - log information identifying one or more activities involving the storage device on the storage device;
      
      wherein the logged information includes at least one of;
      
      information about one or more files on the storage device and information about one or more events involving the storage device.
  - 21. The non-transitory computer readable medium of claim 17, wherein the instructions implement an agent that is configured to control access to the storage device;
    - andwherein the agent is configured to operate as a kernel-level driver or in kernel mode and is configured to intercept attempts to connect the storage device to the protected node.
  - 22. The non-transitory computer readable medium of claim 17, wherein the storage device comprises a USB drive.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Honeywell International Inc.
Original Assignee
Honeywell International Inc.
Inventors
Knapp, Eric D., Boice, Eric T.
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/469,714
Publication Number

US 20170353460A1
Time in Patent Office

687 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/602   Providing cryptographic fac...

G06F 21/6209   to a single file or object,...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/10   for controlling access to d...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

Apparatus and method for preventing file access by nodes of a protected system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for preventing file access by nodes of a protected system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links