Preventing unauthorized outgoing communications

US 10,616,231 B2
Filed: 03/21/2017
Issued: 04/07/2020
Est. Priority Date: 03/21/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

in response to an attempt to transmit an outgoing communication by a transmitting software entity, obtaining a list of software entities which have performed Inter-Process Communication (IPC) with the transmitting software entity, said obtaining the list comprising;

determining a cone of influence in a communication graph from a node representing the transmitting software entity, wherein the communication graph is a directed graph, wherein a node of the communication graph represents a software entity, wherein a directed edge in the communication graph connecting between a first node and a second node represents an IPC initiated by a first software entity towards a second software entity, wherein the first node represents the first software entity, wherein the second node represents the second software entity;

wherein the cone of influence comprises at least a node representing a software entity that performed IPC directly with the transmitting software entity, and a node representing a software entity that performed IPC indirectly with the transmitting software entity,wherein the list comprises each software entity that is associated with any node that is comprised in the cone of influence;

determining whether any software entity in the list of software entities is an unauthorized software entity; and

in response to detecting an unauthorized software entity in the list of software entities, blocking the outgoing communication,thereby preventing the transmitting software entity from transmitting outgoing communication.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, product and method for preventing unauthorized outgoing communications. The method comprises, in response to an attempt to transmit an outgoing communication by a transmitting software entity, obtaining a list of software entities which have performed Inter-Process Communication (IPC), directly or indirectly, with the transmitting software entity. The method further comprises for each software entity in the list of software entities, checking whether the software entity is an unauthorized software entity. In response to detecting an unauthorized software entity in the list of software entities, the outgoing communication may be blocked. As a result, the outgoing communication is prevented from being transmitted.

91 Citations

19 Claims

1. A method comprising:
- in response to an attempt to transmit an outgoing communication by a transmitting software entity, obtaining a list of software entities which have performed Inter-Process Communication (IPC) with the transmitting software entity, said obtaining the list comprising;
  
  determining a cone of influence in a communication graph from a node representing the transmitting software entity, wherein the communication graph is a directed graph, wherein a node of the communication graph represents a software entity, wherein a directed edge in the communication graph connecting between a first node and a second node represents an IPC initiated by a first software entity towards a second software entity, wherein the first node represents the first software entity, wherein the second node represents the second software entity;
  
  wherein the cone of influence comprises at least a node representing a software entity that performed IPC directly with the transmitting software entity, and a node representing a software entity that performed IPC indirectly with the transmitting software entity,wherein the list comprises each software entity that is associated with any node that is comprised in the cone of influence;
  
  determining whether any software entity in the list of software entities is an unauthorized software entity; and
  
  in response to detecting an unauthorized software entity in the list of software entities, blocking the outgoing communication,thereby preventing the transmitting software entity from transmitting outgoing communication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein said checking comprises checking if the software entity is a member of an authorized programs list.
  - 3. The method of claim 1, wherein said checking comprises checking if the software entity is a member of an unauthorized programs list.
  - 4. The method of claim 1, wherein said checking comprises checking whether the software entity is an Internet browser or a Macro-executing application.
  - 5. The method of claim 1 further comprising:
    - monitoring IPC between the software entities, using the communication graph.
  - 6. The method of claim 1, wherein said obtaining the list comprises analyzing the communication graph to obtain the list.
  - 7. The method of claim 5 further comprises monitoring for loading of processes executing the software entities, wherein in response to a load of a process, adding a node to the communication graph.
  - 8. The method of claim 1, wherein each software entity is selected from the group consisting of:
    - a dynamically-loadable code and executable code.

9. A computer program product comprising a non-transitory computer-readable storage medium retaining program instructions, which program instructions when read by a processor, cause the processor to perform a method comprising:
- in response to an attempt to transmit an outgoing communication by a transmitting software entity, obtaining a list of software entities which have performed Inter-Process Communication (IPC) with the transmitting software entity said obtaining the list comprising;
  
  determining a cone of influence in a communication graph from a node representing the transmitting software entity, wherein the communication graph is a directed graph, wherein a node of the communication graph represents a software entity, wherein a directed edge in the communication graph connecting between a first node and a second node represents an IPC initiated by a first software entity towards a second software entity, wherein the first node represents the first software entity, wherein the second node represents the second software entity;
  
  wherein the cone of influence comprises at least a node representing a software entity that performed IPC directly with the transmitting software entity, and a node representing a software entity that performed IPC indirectly with the transmitting software entity,wherein the list comprises each software entity that is associated with any node that is comprised in the cone of influence;
  
  determining whether any software entity in the list of software entities is an unauthorized software entity; and
  
  in response to detecting an unauthorized software entity in the list of software entities, blocking the outgoing communication,thereby preventing the transmitting software entity from transmitting outgoing communication.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer program product of claim 9, wherein said checking comprises checking whether the software entity is an Internet browser or a Macro-executing application.
  - 11. The computer program product of claim 9, wherein the method further comprises:
    - monitoring IPC between the software entities.
  - 12. The compute r program product of claim 11, wherein the method further comprises monitoring for loading of processes executing the software entities, wherein in response to a load of a process, adding a node to the communication graph.
  - 13. The computer program product of claim 9, wherein each software entity is selected from the group consisting of:
    - a dynamically-loadable code and executable code.
  - 14. An apparatus having a processor and a memory device, wherein the memory device comprises the non-transitory computer-readable storage medium of the computer program product of claim 9.

15. A computer program product comprising a non-transitory computer-readable storage medium retaining program instructions, which program instructions when read by a processor, cause the processor to perform a method comprising:
- in response to an attempt to transmit an outgoing communication by a transmitting software entity, obtaining a list of software entities which have performed Inter-Process Communication (IPC) with the transmitting software entity, said obtaining the list comprising;
  
  determining a cone of influence in a communication graph from a node representing the transmitting software entity, wherein the communication graph is a directed graph, wherein a node of the communication graph represents a software entity, wherein a directed edge in the communication graph connecting between a first node and a second node represents an IPC initiated by a first software entity towards a second software entity, wherein the first node represents the first software entity, wherein the second node represents the second software entity;
  
  wherein the cone of influence comprises at least a node representing a software entity that performed IPC directly with the transmitting software entity, and a node representing a software entity that performed IPC indirectly with the transmitting software entity,wherein the list comprises each software entity that is associated with any node that is comprised in the cone of influence;
  
  determining whether any software entity in the list of software entities is an unauthorized software entity; and
  
  in response to detecting an unauthorized software entity in the list of software entities, logging in an event log an event associated with the outgoing communication,thereby generating the event log for potential future analysis.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer program product of claim 15, wherein said checking comprises checking whether the software entity is an Internet browser or a Macro-executing application.
  - 17. The computer program product of claim 15, wherein the method further comprises:
    - monitoring IPC between the software entities.
  - 18. The computer program product of claim 17, wherein the method further comprises monitoring for loading of processes executing the software entities, wherein in response to a load of a process, adding a node to the communication graph.
  - 19. The computer program product of claim 15, wherein each software entity is selected from the group consisting of:
    - a dynamically-loadable code and executable code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyber 2.0 (2015) LTD.
Original Assignee
Cyber 2.0 (2015) LTD.
Inventors
Kaplan Haelion, Erez
Primary Examiner(s)
Bechtel, Kevin

Application Number

US15/464,403
Publication Number

US 20180278617A1
Time in Patent Office

1,113 Days
Field of Search
US Class Current
CPC Class Codes

G06F 9/54   Interprogram communication

H04L 41/20   Network management software...

H04L 43/045   for graphical visualisation...

H04L 63/0227   Filtering policies mail mes...

H04L 63/101   Access control lists [ACL]

Preventing unauthorized outgoing communications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

91 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Preventing unauthorized outgoing communications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links