System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages

US 20030159070A1
Filed: 11/22/2002
Published: 08/21/2003
Est. Priority Date: 05/28/2001
Status: Abandoned Application

First Claim

Patent Images

1. A security system for computers, adapted to creating automatic segregation between programs.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Malicious software attacks (such as for example stealing data, changing data or destroying data) on personal computers and/or servers and/or other computerized gadgets (especially through the Internet) are becoming more and more common and more and more dangerous, causing damages of tens of billions of dollars each year. The state-of the-art solutions are inherently limited because they solve only a limited number of problems on the surface, instead of going deeply into the roots of the problem. The most common solutions are Anti-viruses and firewalls. Anti-viruses are limited because they can only detect known viruses or worms that have already been identified (usually after they have already attacked many computers). Network firewalls are typically based on packet filtering, which is limited in principle, since the rules of which packets to accept or not may contain for example subjective decisions based on trusting certain sites or certain applications. However, once security is breached for any reason, for example due to an error or intended deception, a hostile application may take over the computer or server or the entire network and create unlimited damages (directly or by opening the door to additional malicious applications). They are also not effective against security holes for example in browsers or e-mail programs or in the operating system itself According to an article in ZDnet from Jan. 24, 2001, security holes in critical applications are discovered so often that just keeping up with all the patches is impractical. Also, without proper generic protection for example against Trojan horses, which can identify any malicious program without prior knowledge a about it, even VPNs (Virtual Private Networks) and other form of data encryption, including digital signatures, are not really safe because the info can be stolen before or below the encryption. Even personal firewalls are typically limited, because once a program is allowed to access the Internet, there are no other limitations for example on what files it may access and send or what it might do. The present invention creates a general generic comprehensive solution by going deeply into the roots of the problem. One of the biggest absurdities of the state-of-the-art situation is that by default programs are allowed to do whatever they like to other programs or to their data files or to critical files of the operating system, which is as absurd as letting a guest in a hotel bother any other guests as he pleases, steal their property or copy it or destroy it, destroy their rooms, etc., or for example have free access to the hotel'"'"'s safe or electronic switchboard or phone or elevator control room. The present concept is based on automatic segregation between programs: It is like limiting each guest by default to his room and limiting by default his access to the Hotel'"'"'s strategic resources, so that only by explicit permission each guest can get additional privileges.

469 Citations

153 Claims

1. A security system for computers, adapted to creating automatic segregation between programs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 49, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 96, 97, 98, 101, 102, 103, 104, 105, 106, 108, 110, 112, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148)
- - 2. The system of claim 1, further comprising:
    - a. A monitoring and capturing system;
      
      b. A database of security rules, comprising at least one of;
      
      a set of default rules, a set of pre-distribution acquired rules that are good for many users of the selected operating system, and acquired additional user-defined rules;
      
      c. A user interface, which can interact with the user in order to at least one of;
      
      learn acceptable behavior patterns, warn the user of perceived dangers and wait for his authorization whenever necessary.
  - 3. The system of claim 2, wherein:
    - a. Said monitoring and capturing system constantly monitors the security-sensitive elements of the computer system, and mainly all relevant peripheral device activities, and especially storage devices and communication devices, and detects and selectively intercepts any security-sensitive or suspicious or dangerous behaviors and acts upon it in accordance with at least one of default and acquired sets of security rules, and may ask for user authorization and guidance whenever necessary;
      
      b. Said database of security rules comprises at least one of;
      
      a set of default rules, a set of pre-distribution acquired rules that are good for most users of the selected operating system, and acquired additional user-defined rules, said database being constantly monitored as a high-security protected area;
      
      c. Said user interface, which can interact with the user for at least one of;
      
      learning acceptable behavior patterns, warning the user of perceived dangers and waiting for his authorization whenever necessary, and allowing the user to view and modify the database of authorizations.
  - 4. The system of claim 2 wherein said user interface at least also warns the user explicitly in cases of potentially highly dangerous activities.
  - 5. The system of claim 2 wherein said database comprises also at least learned statistics of normal and reasonable behavior of programs in the user'"'"'s computer.
  - 6. The system of claim 2 wherein said user interface at least also allows the user to view statistics of behavior of important programs and especially programs that are allowed to access communication channels, especially in what is related to sending and receiving data over the communication lines.
  - 7. The system of claim 2 wherein said database comprises also at least a log of the questions that the Security System asked the user and his replies kept at least for a certain period.
  - 8. The system of claim 2 wherein said database comprises also at least, when needed, a log of suspicious activities detected kept at least for a certain period.
  - 9. The system of claim 2 wherein said security rules and functions performed by the Security System comprise automatic segregation of programs into their natural environments and at least some of the following functions:
    - a. Constantly monitoring the security-sensitive elements of the computer system, and mainly all relevant peripheral device activities, and especially storage devices and communication devices, and detecting and selectively intercepting security-sensitive behaviors, suspicious behaviors and dangerous behaviors and acting upon them in according with default and acquired sets of security rules, b. At least one of Warning the user and request for authorization and automatic interception for security-sensitive activities and especially any first-time attempts to access communication channels, c. Enabling the user to request at least one of automatic blocking and warning of the user of any attempts of external programs from the network to connect to the user'"'"'s computer through the communication channels, d. Interception and more explicit warning of the user about potentially highly dangerous activities.
  - 10. The system of claim 9, comprising also at least warning the user about significant statistical deviations from normal behaviors of applications and operating system and especially as relates to suddenly sending out large amounts of data.
  - 11. The system of claim 9, comprising also at least enabling the user to request enforcing of at least one of additional limitations on the communication ports allowed to be opened and when needed also limitations on types of protocols allowed.
  - 12. The system of claim 9, comprising also at least monitoring and intercepting as much as possible all attempts of applications to gain direct port accesses to security sensitive devices and especially the storage media and the communication channels.
  - 13. The system of claim 9, comprising also at least implementing Virtual Shared data areas on the storage media, for at least one of temporary files and accessing keys in the registry and other files, so that programs are given the illusion that they are accessing the shared area, but in reality are each redirected to a separate private area.
  - 14. The system of claim 2, comprising also pushing at least part of the operating system from the most privileged processor ring to a lower privilege ring and enabling needed functions to run in said lower privilege ring.
  - 15. The system of claim 14 wherein said pushing is done in order to catch also backdoors and loopholes in the operating system itself.
  - 16. The system of claim 2 wherein said monitoring and capturing system includes also a hardware element which monitors hardware accesses, so that the Security System can discover events where access has been made to the security-sensitive ports, especially the storage media and the communication channels, without an apparent corresponding event on the system level as monitored by said Security System'"'"'s software.
  - 17. The system of claim 2 wherein said default automatic segregation is implemented so that, by default, each program is allowed to access, such as read, write, execute, create, and delete, files only within its natural environment.
  - 18. The system of claim 17 wherein said natural environment is mainly the directory in which it is installed, its sub-directories, and—
    - for reading only—
      
      non-strategic shared files, unless the program is explicitly given more rights.
  - 19. The system of claim 1 wherein said computer is at least one of a personal computer, a network server, a cellular phone, a palm pilot, a car computer, and/or other computerized gadget.
  - 20. The system of claim 3 wherein high security protected areas are also encrypted.
  - 21. The system of claim 3 wherein high security protected areas are also automatically backed up to as least one more area for additional safety.
  - 22. The system of claim 20 wherein high security protected areas are also automatically backed up to as least one more area for additional safety
  - 23. The system of claim 3 wherein said communication devices include also USB interfaces.
  - 24. The system of claim 3 wherein said communication devices include also at least one of Bluetooth devices and other wireless devices.
  - 25. The system of claim 3 wherein monitoring access to communication devices includes also protocols for sending Faxes.
  - 26. The system of claim 9 wherein high security protected areas are also encrypted.
  - 27. The system of claim 9 wherein high security protected areas are also automatically backed up to as least one more area for additional safety.
  - 28. The system of claim 26 wherein high security protected areas are also automatically backed up to as least one more area for additional safety
  - 29. The system of claim 9 wherein said communication devices include also USB interfaces.
  - 30. The system of claim 9 wherein said communication devices include also at least one of Bluetooth devices and other wireless devices.
  - 31. The system of claim 9 wherein monitoring access to communication devices includes also protocols for sending Faxes.
  - 49. The method of claim 17 wherein said natural environment is mainly the directory in which it is installed, its sub-directories, and—
    - for reading only—
      
      non-strategic shared files, unless the program is explicitly given more rights.
  - 69. The system of claim 2 wherein the user is an individual.
  - 70. The system of claim 2 wherein the user is an organization and at least some of the control over authorizations is in the hands of at least one central authority, such as the system administrator.
  - 71. The system of claim 70 wherein the Security System of the central authority also automatically checks at least once in a while if the Security System is functioning properly on the other computers.
  - 72. The system of claim 70 wherein the Security System on the central authority'"'"'s computer can also notice and intercept communication attempts from computers where the amount of actual communication does not fit the amount reported by the Security System of that computer.
  - 73. The system of claim 1 wherein the communications device of each computer can also notice and at least report back to the computer about cases where the amount of actual communication does not fit the amount reported by the Security System of that computer.
  - 74. The system of claim 70 wherein the communications device of each computer can also notice and at least report back to at least one of the computer and the central authority about cases where the amount of actual communication does not fit the amount reported by the Security System of that computer.
  - 75. The system of claim 70 wherein the communications device of each group of computers can also notice and at least report back to at least one of the relevant computer and the central authority about cases where the amount of actual communication does not fit the amount reported by the Security System of that computer.
  - 76. The system of claim 1 wherein by default each program can only see itself and the operating system and the resources (software &
    - hardware) that it is allowed to see, so that it lives in a Virtual Environment (VE).
  - 77. The system of claim 9 wherein by default each program can only see itself and the operating system and the resources (software &
    - hardware) that it is allowed to see, so that it lives in a Virtual Environment (VE).
  - 78. The system of claim 1 wherein the Security System also identifies if the user or the application initiated accessing a file outside the natural environment of the program or other potential security-risk commands and so can allow more flexibility and less limitations if the command was initiated directly by the user than if it was initiated by the application.
  - 79. The system of claim 76 wherein the Security System also identifies if the user or the application initiated accessing a file outside the natural environment of the program or other potential security-risk commands and so can allow more flexibility and less limitations if the command was initiated directly by the user than if it was initiated by the application.
  - 80. The system of claim 78 wherein the Security System also makes sure that programs cannot create the false impression that certain actions were initiated by the user by falsifying user input through one of the input devices.
  - 81. The system of claim 79 wherein the Security System also makes sure that programs cannot create the false impression that certain actions were initiated by the user by falsifying user input through one of the input devices.
  - 82. The system of claim 1 wherein the Security System also makes sure that when it requests authorization no other programs can enter false answers as if they were entered by the user through one of the input devices.
  - 83. The system of claim 9 wherein the Security System also makes sure that when it requests authorization no other programs can enter false answers as if they were entered by the user through one of the input devices.
  - 84. The system of claim 1 wherein in the cases where private keys are generated or stored by the browsers, additional rules are used in order to identify the directories where these keys are held, since otherwise accessing the keys by the browser would be within the browser'"'"'s default authorization.
  - 85. The system of claim 9 wherein in the cases where private keys are generated or stored by the browsers, additional rules are used in order to identify the directories where these keys are held, since otherwise accessing the keys by the browser would be within the browser'"'"'s default authorization.
  - 96. The system of claim 72 wherein the security system of each computer also encrypts the outgoing data packets with a unique identifier for each computer and reports also additional data identifying the packets that are being sent out, and so that at least one of the communication devices or the central authority can also find out if outgoing data packets have been changed.
  - 97. The system of claim 73 wherein the security system also encrypts the outgoing data packets and reports also additional data identifying the packets that are being sent out, so that the communication devices can also find out if outgoing data packets have been changed.
  - 98. The system of claim 74 wherein the security system of each computer also encrypts the outgoing data packets with a unique identifier for each computer and reports also additional data identifying the packets that are being sent out, and so that at least one of the communication devices or the central authority can also find out if outgoing data packets have been changed.
  - 101. The system of claim 2 wherein the security system intercepts the operating system the moment it is being loaded into memory and transfers it to a higher ring so that any attempt by the operating system to access ring 0 will cause a CPU exception, and in order to increase efficiency the security system rewrites on the fly each such command in the operating system code which is running in the computer'"'"'s RAM to access instead the current ring in which it is in, so that the next time that line of code is accessed in memory, the exception will not occur anymore until the next boot.
  - 102. The system of claim 2 wherein if an application changes after being given certain permissions, the user is notified about and asked again for permissions or such changes are automatically prevented.
  - 103. The system of claim 2 wherein the security system transfers only physical device drivers to a less privileged ring in order to be able to control direct access to physical devices.
  - 104. The system of claim 2 wherein the operating system itself transfers physical device drivers to a less privileged ring in order to be able to control direct access to physical devices.
  - 105. The system of claim 2 wherein at least one of the physical device drivers and the operating system are still in ring 0 but there is at least one more privileged area within ring 0 which can catch exceptions caused by at least one of device drivers in ring 0 and the operating system itself.
  - 106. The system of claim 73 wherein the communication device is also capable of generating automatically various reports on outgoing and/or incoming data and the security system makes sure that no other applications can interfere with the device driver of the communication card and thus interfere with these reports.
  - 108. The system of claim 2 wherein at least one of the physical device drivers and the operating system are still in ring 0 but there is at least one more privileged area below ring 0 which can catch exceptions caused by at least one of device drivers in ring 0 and the operating system itself.
  - 110. The system of claim 1 wherein at least one part of the security system becomes active even if the computer is booted from any of a floppy drive or CD or network drive, or any other source that is not the normal boot area.
  - 112. The system of claim 111 wherein said activation is done by at least one of the BIOS and the processor itself before the normal boot sequence begins.
  - 116. The system of claim 1 wherein the Security System learns during the installation of new programs which files are related to them outside their directory tree.
  - 117. The system of claim 1 wherein any attempts of programs, initiated by the programs, to exceed their natural environments are automatically blocked by the security system.
  - 118. The system of claim 1 wherein the Security System is an integral part of the operating system.
  - 119. The system of claim 76 wherein if an application launches another application, the newly launched application is limited to the VE of the launching application.
  - 120. The system of claim 1 wherein if users download many files into a single download directory, the security system at least one of:
    - uses context sensitive information, and detects if a downloaded program starts looking at files that were downloaded at different times or starts going over the entire directory or tries to modify other executables in that directory.
  - 121. The system of claim 1 wherein in order to protect the segregation of processes in memory, the Security System asks the user to explicitly authorize programs that he wants to allow to access APIs that allow accessing the memory of other processes.
  - 122. The system of claim 1 wherein in order to prevent device drivers from accessing devices other then those that they are intended to access, each device driver must have a definite type indicator and is allowed to access only devices of the indicated type.
  - 123. The system of claim 122 wherein each device driver is also prevented from accessing other device drivers that can access other types of devices.
  - 124. The system of claim 1 wherein the security system replaces at least some of the Operating System'"'"'s dialogue boxes and other components that can request input from the user, so that the Security System has more control on what is happening in them.
  - 125. The system of claim 76 wherein programs are allowed to send OS messages only to programs which are running within their own Virtual Environments
  - 126. The system of claim 1 wherein the Security system replaces at least some of the OS functions that deal with the OS message system, and attaches to each message an identification that shows if the OS or another application is the source of the message, and the Security System allows certain messages to be initiated only by the OS.
  - 128. The system of claim 78 wherein in order to prevent misleading textual questions the Security system uses also at least partial semantic analysis of what the user is really being asked, by at least one of:
    - analyzing sentence structures or at least significant word combinations and/or using various rules and/or a statistical database of commonly used questions.
  - 129. The system of claim 78 wherein in order to prevent misleading textual questions the Security system guards at least the top line title of the dialogue box, so the when it is an “
    - open file”
      
      dialogue box, it will always say so clearly, and if it is a “
      
      save file”
      
      dialog box it will always say so clearly.
  - 130. The system of claim 78 wherein a new protocol is introduced for dialogue boxes, in which only the security systems runs completely the dialogue box and the programs have to indicate in a more structured format, what they want exactly.
  - 131. The system of claim 78 wherein the security system automatically blocks potentially highly dangerous activities or asks the user for explicit authorization, even if the user supposedly allowed this to an application through the dialog box.
  - 132. The system of claim 1 wherein the security system knows automatically about at least some highly important user files and directories.
  - 133. The system of claim 132 wherein said files are at least one of “
    - .doc”
      
      files and source code files, and said directories are at least directories containing such files, at least if these files were created by the user.
  - 134. The system of claim 132 wherein the security system can identify strategic files and/or directories by at least one of:
    - using predefined rules;
      
      automatically marking programs as highly strategic according to the number and/or types of authorizations they have and/or by the fact that the user is using them interactively more than other programs or files or directories; and
      
      allowing the user explicitly to mark certain directories and/or certain file name extensions as highly protected.
  - 135. The system of claim 132 wherein the user is explicitly warned by the security system about attempts of programs to access highly important user files or directories even if the user supposedly allowed the program to access them through the dialogue box—
    - if the program is not normally associated with such files or directories.
  - 136. The system of claim 76 wherein installed drivers can also be associated with Virtual Environments, and thus limited in the scope of their actions.
  - 137. The system of claim 1 wherein the security system prevents running processes from at least one of:
    - changing their code in memory and changing the disk file of their executable code.
  - 138. The system of claim 1 wherein at least one of programs that can access the Internet, Browsers, important Operating system files, and other highly strategic programs, cannot be changed or cannot run EVEN if the user authorizes the change directly to the Security System, unless the update or patch carries a digital certificated that proves that it is indeed an authorized and unchanged official patch by the vendor who made the original program.
  - 139. The system of claim 1 wherein the security system also prevents applications from accessing directly lower level functions that can access devices except by calling them through the normal kernel interface.
  - 140. The system of claim 76 wherein unless explicitly given additional rights by the user all of the actions initiated by a program are automatically limited to the scope of its own VE.
  - 141. The system of claim 76 wherein when a new program is being installed the user has the option of choosing a new VE for that program, or allowing it to become an update of an already existing VE, or allowing it to have free access to the entire computer.
  - 142. The system of claim 140 wherein the user is able to correct mistakes, at least for a certain time, by undoing the installation of programs, at least when they are installed in a limited VE.
  - 143. The system of claim 76 wherein if shared drives are allowed, only the user is allowed to access files on shared drives on other computers, or each program is allowed to see and access in each shared drive only the same VE that it has on its own computer.
  - 144. The system of claim 140 wherein if the user allows a newly installing program to inherit or overwrite an existing VE, the security system first creates a virtual private environment copy of the modified directories, at least for a certain period, so that the user can still request to undo this if he made a mistake, at least for a certain period.
  - 145. The system of claim 140 wherein the security system backs up all the changed files or directories at least for a certain time and/or keeps a rollback log of all changes that were made to the relevant files and directories or even of all changes anywhere in the disk, in order to enable the undo if the user needs it.
  - 146. The system of claim 140 wherein even when the user allows a program to be installed without VE limitations, any changes in the entire hard disk after or during the installation, are completely undo-able at least for a certain time period.
  - 147. The system of claim 1 wherein any changes that happen on at least one of the hard disk and other connected media are completely undo-able at least for a certain time period, by keeping a rollback log of all changes or of all significant changes.
  - 148. The system of claim 140 wherein even if the user requested installation without VE limitation, the new program is first installed in a separate VE, and only after a certain time period or after the user authorizes it (and/or for example after the security system checks various parameters to see that things seem ok), the VE limitations are lifted or this VE is merged with the unlimited VE.

32. A security method for computers, capable of creating automatic segregation between programs.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 86, 87, 88, 89)
- - 33. The method of claim 32, further comprising:
    - a. Providing a monitoring and capturing system;
      
      b. Creating and maintaining a database of security rules, comprising at least one of;
      
      a set of default rules, a set of pre-distribution acquired rules that are good for many users of the selected operating system, and acquired additional user-defined rules;
      
      c. Providing a user interface, which can interact with the user in order to at least one of;
      
      learn acceptable behavior patterns, warn the user of perceived dangers and wait for his authorization whenever necessary.
  - 34. The method of claim 33, wherein said main 3 elements are:
    - a. Providing a monitoring and capturing system, which constantly monitors the security-sensitive elements of the computer system, and mainly all relevant peripheral device activities, and especially storage devices and communication devices, and detects and selectively intercepts any security-sensitive or suspicious or dangerous behaviors and acts upon it in accordance with at least one of default and acquired sets of security rules, and may ask for user authorization and guidance whenever necessary;
      
      b. Creating and maintaining a database of security rules, comprising at least one of;
      
      a set of default rules, a set of pre-distribution acquired rules that are good for most users of the selected operating system, and acquired additional user-defined rules, said database being constantly monitored as a high-security protected area;
      
      c. Providing a user interface, which can interact with the user for at least one of;
      
      learning acceptable behavior patterns, warning the user of perceived dangers and waiting for his authorization whenever necessary, and allowing the user to view and modify the database of authorizations.
  - 35. The method of claim 33 wherein said user interface at least also warns the user more explicitly in cases of potentially highly dangerous activities.
  - 36. The method of claim 33 wherein said database comprises also of at least continuously learned statistics of normal and reasonable behavior of programs in the user'"'"'s computer.
  - 37. The method of claim 33 wherein said user interface at least also allows the user to view statistics of behavior of important programs and especially programs that are allowed to access communication channels, especially in what is related to sending and receiving data over the communication lines.
  - 38. The method of claim 33 wherein said database comprises also of at least a log of the questions that the Security System asked the user and his replies kept at least for a certain period.
  - 39. The method of claim 33 wherein said database comprises also of at least, when needed, a log of suspicious activities detected kept at least for a certain period.
  - 40. The method of claim 33 wherein said security rules and functions performed by the Security System comprise automatic segregation of programs into their natural environments and at least some of the following functions:
    - a. Constantly monitoring the security-sensitive elements of the computer system, and mainly all relevant peripheral device activities, and especially storage devices and communication devices, and detecting and selectively intercepting security-sensitive behaviors, suspicious behaviors and dangerous behaviors and acting upon them in according with default and acquired sets of security rules, b. At least one of Warning the user and request for authorization and automatic interception for security-sensitive activities and especially any first-time attempts to access communication channels, c. Enabling the user to request at least one of automatic blocking and warning of the user of any attempts of external programs from the network to connect to the user'"'"'s computer through the communication channels, d. Interception and more explicit warning of the user about potentially highly dangerous activities.
  - 41. The method of claim 40, comprising also at least warning the user about significant statistical deviations from normal behaviors of applications and operating system and especially as relates to suddenly sending out large amounts of data.
  - 42. The method of claim 40, comprising also at least enabling the user to request enforcing of at least one of additional limitations on the communication ports allowed to be opened and when needed also limitations on types of protocols allowed.
  - 43. The method of claim 40, comprising also at least monitoring and intercepting as much as possible all attempts of applications to gain direct port accesses to security sensitive devices and especially the storage media and the communication channels.
  - 44. The method of claim 40, comprising also at least implementing Virtual Shared data areas on the storage media, for at least one of temporary files and accessing keys in the registry and other files, so that programs are given the illusion that they are accessing the shared area, but in reality are each redirected to a separate private area.
  - 45. The method of claim 40, comprising also at least pushing, to the extent possible, at least part of the operating system from the most privileged processor ring to a lower privilege ring and enabling needed functions to run in said lower privilege ring,
  - 46. The method of claim 45 wherein said pushing is done in order to catch also backdoors and loopholes in the operating system itself.
  - 47. The method of claim 40 wherein said monitoring and capturing system includes also a hardware element which monitors hardware accesses, so that the Security System can discover events where access has been made to the security-sensitive ports, especially the storage media and the communication channels, without an apparent corresponding event on the system level as monitored by said Security System'"'"'s software.
  - 48. The method of claim 40 wherein said default automatic segregation is implemented so that, by default, each program is allowed to access, such as read, write, execute, create, and delete, files only within its natural environment
  - 50. The method of claim 32 wherein said computer is at least one of a personal computer, a network server, a cellular phone, a palm pilot, a car computer, and/or other computerized gadget.
  - 51. The method of claim 33 wherein high security protected areas are also encrypted.
  - 52. The method of claim 33 wherein high security protected areas are also automatically backed up to as least one more area for additional safety.
  - 53. The method of claim 51 wherein high security protected areas are also automatically backed up to as least one more area for additional safety
  - 54. The method of claim 34 wherein said communication devices include also USB interfaces.
  - 55. The method of claim 34 wherein said communication devices include also at least one of Bluetooth devices and other wireless devices.
  - 56. The method of claim 34 wherein monitoring access to communication devices includes also protocols for sending Faxes.
  - 57. The method of claim 40 wherein high security protected areas are also encrypted.
  - 58. The method of claim 40 wherein high security protected areas are also automatically backed up to as least one more area for additional safety.
  - 59. The method of claim 57 wherein high security protected areas are also automatically backed up to as least one more area for additional safety
  - 60. The method of claim 40 wherein said communication devices include also USB interfaces.
  - 61. The method of claim 40 wherein said communication devices include also at least one of Bluetooth devices and other wireless devices.
  - 62. The method of claim 40 wherein monitoring access to communication devices includes also protocols for sending Faxes.
  - 86. The method of claim 34 wherein the user is an organization and at least some of the control over authorizations is in the hands of at least one central authority, such as the system administrator.
  - 87. The method of claim 86 wherein the Security System on the central authority'"'"'s computer can also notice and intercept communication attempts from computers where the amount of actual communication does not fit the amount reported by the Security System of that computer.
  - 88. The method of claim 34 wherein the communications device of each computer can also notice and at least report back to the computer about cases where the amount of actual communication does not fit the amount reported by the Security System of that computer.
  - 89. The method of claim 86 wherein the communications device of each computer can also notice and at least report back to the central control about cases where the amount of actual communication does not fit the amount reported by the Security System of that computer.

63. A computer security system capable of automatic segregation of programs into their natural environments so that each program is allowed to at least one of access, read, write, execute, create, and delete files only within its natural environment, which is mainly the directory in which it is installed, its sub-directories, and—
- for reading only—
  
  non-strategic shared files, unless specifically given more rights.

64. A method of implementing security in computers by automatic segregation of programs into their natural environments so that each program is allowed to at least one of access, read, write, execute, create and delete files only within its natural environment, which is mainly the directory in which it is installed, its sub-directories, and—
- for reading only—
  
  non-strategic shared files, unless specifically given more rights.
- View Dependent Claims (67, 68)
- - 67. The system of claim 64 wherein any attempt to automatically generate an outgoing communication needs explicit permission by the user.
  - 68. The system of claim 64 wherein any attempts to alter at least one of EMROMM and important system files and sensitive data, need explicit permission by the user.

65. A security system in any of cellular phones, car computers, and other computerized gadgets, wherein access to highly sensitive data, such as credit card details or private encryption keys, needs explicit permission by the user.

66. A security system in any of cellular phones, car computers, and other computerized gadgets, wherein any attempt to automatically generate an outgoing communication needs explicit permission by the user.

90. A security system wherein the user is an organization and at least some of the control over authorizations is in the hands of at least one central authority, such as the system administrator and Security System on the central authority'"'"'s computer can also notice and intercept communication attempts from computers where the amount of actual communication does not fit the amount reported by the software of that computer.
- View Dependent Claims (99)
- - 99. The system of claim 90 wherein the security system of each computer also encrypts the outgoing data packets with a unique identifier for each computer and reports also additional data identifying the packets that are being sent out, and so that at least one of the communication devices or the central authority can also find out if outgoing data packets have been changed.

91. A security method wherein the user is an organization and at least some of the control over authorizations is in the hands of at least one central authority, such as the system administrator and Security System on the central authority'"'"'s computer can also notice and intercept communication attempts from computers where the amount of actual communication does not fit the amount reported by the operating system of that computer.

92. A security system wherein the communications device of each computer can also notice and at least report back to the computer about cases where the amount of actual communication does not fit the amount reported by the software of that computer.
- View Dependent Claims (100, 107)
- - 100. The system of claim 92 wherein the security system also encrypts the outgoing data packets and reports also additional data identifying the packets that are being sent out, so that the communication devices can also find out if outgoing data packets have been changed.
  - 107. The system of claim 92 wherein the communication device is also capable of generating automatically various reports on outgoing and/or incoming data and the security system makes sure that no other applications can interfere with the device driver of the communication card and thus interfere with these reports.

93. A security system wherein the user is an organization and the communications device of each computer can also notice and at least report back to the central control about cases where the amount of actual communication does not fit the amount reported by the software of that computer.

94. A security method wherein the communications device of each computer can also notice and at least report back to the computer about cases where the amount of actual communication does not fit the amount reported by the software of that computer.

95. A security method wherein the user is an organization and the communications device of each computer can also notice and at least report back to the central control about cases where the amount of actual communication does not fit the amount reported by the software of that computer.

109. A security system for computers wherein at least one of the physical device drivers and the operating system are still in ring 0 but there is at least one more privileged area within ring 0 or below ring 0 which can catch exceptions caused by at least one of device drivers in ring 0 and the operating system itself

111. A security system for computers wherein at least one part of the security system becomes active even if the computer is booted from any of a floppy drive or CD or network drive, or any other source that is not the normal boot area.
- View Dependent Claims (113, 114, 115)
- - 113. The system of claim 111 wherein if the security system discovers that the BIOS has been compromised or corrupted, it can at least one of issue a warning and restore it from various preferably hidden backups.
  - 114. The system of claim 113 wherein the security system can determine that the bios has been compromised or corrupted by at least one of:
    - if it was changed without authorization according to a digital signature and if it starts to behave suspiciously.
  - 115. The system of claim 111 wherein when changes need to be made in at least one of the security system itself and the BIOS, a physical key needs to be physically attached to any of the computer or any of its peripheral devices

127. A security system wherein the Security system replaces at least some of the OS functions that deal with the OS message system, and attaches to each message an identification that shows if the OS or another application is the source of the message, and the Security System allows certain messages to be initiated only by the OS.

149. A security system in computers wherein the security system automatically blocks potentially highly dangerous activities or asks the user for explicit authorization.
- View Dependent Claims (150, 151)
- - 150. The system of claim 149 wherein said potentially highly dangerous activities are at least 1 of:
    - formatting a drive, mass deletion of files, changing hard disk partition information, changing boot area information, installing drivers in levels close to the kernel of the operating system, modifying executables that reside outside the natural environment of the offending executable programs, renaming them, renaming directories, and changing the linking of file types with applications that will be run when clicking on them.
  - 151. The system of claim 149 wherein the security system can identify at least one of strategic files and strategic directories by at least one of:
    - using predefined rules;
      
      automatically marking programs as highly strategic according to the number and/or types of authorizations they have and/or by the fact that the user is using them interactively more than other programs or files or directories; and
      
      allowing the user explicitly to mark certain directories and/or certain file name extensions as highly protected.

152. As security system wherein the communication with at least one of a keyboard and a mouse uses encryption in order to prevent falsifying user responses.
- View Dependent Claims (153)
- - 153. The security system of claim 152 wherein said encryption includes also a date &
    - time stamp.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Yaron Mayer, Zak Dechovich
Original Assignee
Yaron Mayer, Zak Dechovich
Inventors
Mayer, Yaron, Dechovich, Zak

Application Number

US10/301,575
Publication Number

US 20030159070A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/53 by executing in a restricte...

System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

469 Citations

153 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

469 Citations

153 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links