Method and system to protect software-based network-connected devices from advanced persistent threat

US 10,333,955 B2
Filed: 04/20/2018
Issued: 06/25/2019
Est. Priority Date: 05/06/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

authenticating executable program instructions of a network-connected device using routines installed at a low level of the network device and being correlated to memory instructions holding executable program instructions;

detecting the presence of rogue software in the memory instructions of the network-connected device by running the routines prior to the device running the executable program instructions; and

in response to detecting the presence of rogue software, locking down communications of the network-connected device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of protecting a network-connected device from an advanced persistent threat cyber-attack is provided. A network-connected device having an operating system, a memory, memory instructions holding executable program instructions, and being communication enabled, is protected from an advanced persistent threat by steps of detecting the advanced persistent threat due to the presence of rogue software in the memory instructions of the network-connected device and locking-down the communications of the network-connected device. The network-connected device may be provided with low-level routines that are correlated to the memory instructions. Detecting the advanced persistent threat may be comprised of authenticating the memory instructions of the network-connected device by using the installed low-level routines.

604 Citations

20 Claims

1. A method comprising:
- authenticating executable program instructions of a network-connected device using routines installed at a low level of the network device and being correlated to memory instructions holding executable program instructions;
  
  detecting the presence of rogue software in the memory instructions of the network-connected device by running the routines prior to the device running the executable program instructions; and
  
  in response to detecting the presence of rogue software, locking down communications of the network-connected device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the network-connected device has an operating system.
  - 3. The method of claim 1, wherein:
    - the routines are computing checksum blocks routines; and
      
      authenticating executable program instructions comprises;
      
      generating checksums for the memory instructions before the network-connected device is deployed for the first time; and
      
      comparing the checksum block routines to the checksums for the memory instructions.
  - 4. The method of claim 3, wherein generating checksums for the memory instructions is performed when the memory instructions are loaded into the memory.
  - 5. The method of claim 3, wherein generating checksums for the memory instructions is performed prior to executing the instructions for the first time.
  - 6. The method of claim 3, wherein the low level of the network-connected device is part of an operating system.
  - 7. The method of claim 3, wherein locking down communications is initiated if the checksums for the memory instructions are not authenticated by the checksum block routines by comparing the checksum block routines to the checksums for the memory instructions.
  - 8. The method of claim 6, comprising installing the checksum block routines when the operating system is installed.
  - 9. The method of claim 6, comprising installing the checksum block routines into the operating system before the network-connected device is deployed for the first time.
  - 10. The method of claim 3, comprising protecting the checksum block routines from unauthorized changes.

11. A network-connected device, comprising:
- an operating system;
  
  a central processing unit;
  
  a memory;
  
  executable program instructions loaded into the memory; and
  
  routines installed in a low-level of the network-connected device, the routines being correlated to the executable program instructions before the network-connected device is deployed for the first time;
  
  wherein the central processing unit is configured to allow the routines to authenticate the executable program instructions before the central processing unit executes the program instructions; and
  
  wherein the routines are configured to lock down communications between the network-connected device and other devices if the routines find instructions in the memory which do not correlate to the executable program instructions in the memory.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The network-connected device of claim 11, comprising checksums generated for the executable programs in the memory, wherein the routines are computing checksum block routines, the checksum block routines being configured to authenticate the checksums in the executable programs.
  - 13. The network-connected device of claim 11, wherein the central processing unit is configured to allow the routines to authenticate all the executable program instructions in the memory before the central processing unit executes the program instructions.
  - 14. The network-connected device of claim 12, comprising a security scheme to protect the checksum block routines.
  - 15. The network-connected device of claim 14, wherein the security scheme is a public key and private key cryptography.
  - 16. The network-connected device of claim 14, wherein the security scheme is a two-factor authentication, the two-factor authentication requiring that a notification be sent to a party responsible for the network-connected device before any changes in the memory instructions or the checksums can be made.
  - 17. The network-connected device of claim 11, comprising diagnostic routines configured to run on the network-connected device when communications are locked down, the diagnostic routines being configured to identify details of a threat when the routines find instructions in the memory which do not correlate to the executable program instructions in the memory.
  - 18. The network-connected device of claim 11, comprising updating routines configured to run on the network-connected device when communications are locked down, the updating routines being configured to update the executable program instructions to a pre-defined state.
  - 19. The network-connected device of claim 11, comprising an alert indicator communicatively linked to the routines, wherein the alert indicator is initialized when the routines lock down communications.
  - 20. The network-connected device of claim 19, wherein the alert indicator is selected from an audio alarm and a visual indicator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hand Held Products Incorporated (Honeywell International Inc.)
Original Assignee
Hand Held Products Incorporated (Honeywell International Inc.)
Inventors
Hussey, Robert Michael, Figwer, Kai J.
Primary Examiner(s)
Song, Hosuk

Application Number

US15/957,996
Publication Number

US 20180248897A1
Time in Patent Office

431 Days
Field of Search

726 22- 24, 726 26- 30, 713187-188, 709224
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Method and system to protect software-based network-connected devices from advanced persistent threat

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

604 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system to protect software-based network-connected devices from advanced persistent threat

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

604 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links