System and method of monitoring and controlling application files

US 20040181788A1
Filed: 03/14/2003
Published: 09/16/2004
Est. Priority Date: 03/14/2003
Status: Active Grant

First Claim

Patent Images

1. A system for collecting program data for use in updating a monitoring system which controls programs operating on a workstation, comprising:

a workstation having a database of categorized application programs along with one or more policies associated with each program, the workstation being configured for a user to request execution of a program;

a workstation management module coupled to the workstation and configured to detect the program requested by the user, determine whether the program is in the categorized application database, send the program and program data associated with the program to an application server module if the program is not in the categorized application database, and apply one or more policies that are associated with the program, wherein the one or more policies are received from the application server module;

an application server module coupled to the workstation and configured to receive the program data from the workstation management module if the program was not in the categorized application database at the workstation management module, determine whether the program was previously categorized at the application server module, if the program was not previously categorized at the application server module, then send the program data to an application database factory, if the program was previously categorized at the application server module, then provide the one or more policies associated with one or more categories that were previously associated with the program to the workstation management module.

View all claims

19 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for updating a system that controls files executed on a workstation. The workstation includes a workstation management module configured to detect the launch of an application. A workstation application server receives data associated with the application from the workstation. This data can include a hash value. The application server module can determine one or more categories to associate with the application by referencing an application inventory database or requesting the category from an application database factory. The application database factory can receive applications from multiple application server modules. The application database factory determines whether the application was previously categorized by the application database factory and provides the category to the application server module. Once the application server module has the category, it forwards a hash/policy table to the workstation management module. Upon receipt of the hash/policy table, the workstation management module applies the policy that is associated with the launched application to control access to the application on the workstation.

180 Citations

View as Search Results

60 Claims

1. A system for collecting program data for use in updating a monitoring system which controls programs operating on a workstation, comprising:
- a workstation having a database of categorized application programs along with one or more policies associated with each program, the workstation being configured for a user to request execution of a program;
  
  a workstation management module coupled to the workstation and configured to detect the program requested by the user, determine whether the program is in the categorized application database, send the program and program data associated with the program to an application server module if the program is not in the categorized application database, and apply one or more policies that are associated with the program, wherein the one or more policies are received from the application server module;
  
  an application server module coupled to the workstation and configured to receive the program data from the workstation management module if the program was not in the categorized application database at the workstation management module, determine whether the program was previously categorized at the application server module, if the program was not previously categorized at the application server module, then send the program data to an application database factory, if the program was previously categorized at the application server module, then provide the one or more policies associated with one or more categories that were previously associated with the program to the workstation management module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The system of claim 1 further comprising an application database factory configured to receive the program data from the application server module if the program was not previously categorized at the application server module, determine whether the program was previously categorized by the application database factory, if the program was not previously categorized by the application database factory, then determine the one or more categories to associate with the program and provide the one or more categories to the application server module, if the program was previously categorized by the application database factory, then provide the one or more categories that were previously associated with the program to the application server module.
  - 3. The system of claim 2, wherein the database of categorized application programs includes hash values.
  - 4. The system of claim 3, wherein the program is in the database of categorized application programs and is associated with the one or more policies.
  - 5. The system of claim 2, wherein the application server module is further configured to analyze the program data associated with the program for a data characteristic that is indicative of the one or more categories, and to associate one or more indicators with the program.
  - 6. The system of claim 5, wherein analyzing the program data is performed on text strings that are associated with the program.
  - 7. The system of claim 5, wherein the one or more indicators includes a category flag.
  - 8. The system of claim 7, wherein the application server module uses the one or more indicators to screen the program prior to sending the program to the application database factory.
  - 9. The system of claim 2, wherein the workstation management module comprises an application digest generator configured to determine the program data to associate with the program.
  - 10. The system of claim 9, wherein the program data includes a suite.
  - 11. The system of claim 9, wherein the program data includes a publisher.
  - 12. The system of claim 9, wherein the program data includes a source directory.
  - 13. The system of claim 9, wherein the application server module comprises:
    - a classification user interface configured to provide an interface for a network administrator to select the one or more policies that are applied to the one or more categories associated with the program;
      
      an uncategorized application database configured to store the program and associated data if the program was not previously categorized; and
      
      an upload/download manager module configured to send the stored program and associated data to the application database factory and to receive the one or more categories from the application database factory.
  - 14. The system of Claim 13, wherein the uncategorized application database includes a request frequency that is associated with the program and indicates the frequency of requests for the program in the uncategorized application database.
  - 15. The system of claim 14, wherein the upload/download manager module is configured to send the request frequency from the uncategorized application database to the application database factory.
  - 16. The system of claim 15, wherein the categorized application database includes a request frequency that is associated with the program and indicates the frequency of requests for the program in the uncategorized application database.
  - 17. The system of claim 16, wherein the one or more policies include allowing the program to run on the workstation based on the one or more policies associated with the program and the user.
  - 18. The system of claim 13, wherein the one or more policies include not allowing the program to run on the workstation based on the one or more policies associated with the program and the user.
  - 19. The system of claim 2, wherein the application database factory comprises:
    - an upload/download module configured to receive the program and data associated with the program from the application server module, determine whether the program has been previously categorized by the application database factory, and provide the one or more categories to the application server module;
      
      an application analyst'"'"'s classification module configured to categorize the program if not previously categorized by the application database factory; and
      
      a master application database configured to store the program and the one or more categories.
  - 20. The system of claim 19, wherein the upload/download module is configured to receive a request frequency from the application server module to prioritize processing of the program in the application database factory.
  - 21. The system of claim 19, further comprising:
    - a second workstation; and
      
      a second application server module coupled to the second workstation and the application database factory.
  - 22. The system of claim 19, wherein the upload/download module is further configured to merge and sort the program and a second program received from the second workstation.

23. A method of updating a system which controls operation of programs on a workstation, the method comprising:
- detecting a launch of an application on the workstation;
  
  generating an application digest for the launched application;
  
  determining whether the application is categorized, wherein a categorized application is associated with one or more policies;
  
  if the application is categorized, then applying the one or more policies that are associated with the application;
  
  if the application is not categorized, then posting the application to a logging database;
  
  uploading the logging database to an application server module;
  
  determining whether the application is in an application inventory database of categorized applications, wherein a categorized application is associated with one or more categories; and
  
  if the application is not in the application inventory database of the application server module, then posting the application to an uncategorized application database, if the application is in the application inventory database, then applying one or more policies associated with the application.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 24. The method of claim 23, further comprising:
    - uploading the uncategorized application database to an application database factory;
      
      determining whether each application has been previously categorized by the application database factory;
      
      for each application that was not previously categorized, categorizing each application and/or data associated with the application to select one or more categories to associated with each application;
      
      posting each application along with its selected one or more categories into a database of categorized applications; and
      
      downloading the database of categorized applications for incorporation into the application inventory database.
  - 25. The method of claim 24, further comprising:
    - updating a request frequency in the application inventory database if the application is in the application inventory database; and
      
      uploading the application inventory database request frequency and the associated application to the application database factory.
  - 26. The method of claim 24, wherein the one or more policies include allowing or disallowing the application to run based on the one or more categories associated with the application and the user.
  - 27. The method of claim 24, wherein the one or more policies include allowing the application to run on the workstation based on the one or more categories associated with the application and the user.
  - 28. The method of claim 24, wherein the logging database further includes additional data associated with the application.
  - 29. The method of claim 28, wherein the additional data includes a request frequency.
  - 30. The method of claim 28, wherein the additional data includes a suite.
  - 31. The method of claim 28, wherein the additional data includes a publisher.
  - 32. The method of claim 28, wherein the additional data includes a source directory.
  - 33. The method of claim 23, further comprising:
    - analyzing the application and/or the additional data associated with the application for data characteristics that are indicative of the one or more categories; and
      
      associating one or more indicators with the application.
  - 34. The method of claim 33, wherein the analyzing the program data is performed on text strings that are associated with the application and/or the additional data associated with the application.
  - 35. The method of claim 33, wherein the one or more indicators can include a category flag.
  - 36. The method of claim 35, further comprising screening the application using the one or more indicators prior to uploading the uncategorized application database to the application database factory.

37. A method of collecting collection data for use in updating a system which controls execution of programs on a workstation, the method comprising:
- launching a program at the workstation;
  
  determining whether the program is stored in a table;
  
  if the program is stored, applying a first rule that is associated with the program; and
  
  if the program is not stored, posting the program to a database.
- View Dependent Claims (38)
- - 38. The method of claim 37, further comprising:
    - pre-filtering the program and/or data associated with the program for data characteristics that are indicative of one or more categories; and
      
      associating a second rule with the program based on at least in part the one or more categories indicated by the data characteristics.

39. A method of processing and uploading identifiers for use in updating an application control system which determines if a program can run on a workstation, the method comprising:
- requesting a download of identifiers and their associated categories from an application database factory;
  
  determining whether at least one identifier from a database of identifiers are to be uploaded to the application database factory;
  
  if the at least one identifier is to be uploaded to the application database factory, retrieving the at least one identifier from the database of identifiers; and
  
  uploading the at least one identifier to the application database factory.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 40. The method of claim 39, wherein the database of identifiers includes a database of uncategorized applications.
  - 41. The method of claim 40, wherein the database of identifiers includes a database of classified applications.
  - 42. The method of claim 40, further comprising uploading additional data associated with the database of uncategorized applications to the application database factory.
  - 43. The method of claim 42, wherein the additional data includes a suite.
  - 44. The method of claim 42, wherein the additional data includes a publisher.
  - 45. The method of claim 42, wherein the additional data includes a source directory.
  - 46. The method of claim 42, further comprising processing the uncategorized identifier and the additional data prior to uploading to the application database factory.
  - 47. The method of claim 46, wherein the processing comprises:
    - formatting the uncategorized identifiers and the additional data using a markup language; and
      
      limiting the size of an upload file which includes the uncategorized identifiers and the additional data.
  - 48. The method of claim 47, further comprising:
    - encrypting the uncategorized identifiers and the additional data; and
      
      compressing the uncategorized identifiers and the additional data.
  - 49. The method of claim 48, wherein encrypting is performed using a data encryption standard (DES).
  - 50. The method of claim 48, wherein uploading the database of identifiers is periodic.
  - 51. The method of claim 48, wherein uploading the database of identifiers is random.
  - 52. The method of claim 48, wherein uploading the database of identifiers is at a set time.
  - 53. The method of claim 48, wherein uploading the database of identifiers is in response to polling by the application database factory.

54. A method of updating a system which controls operation of programs on a workstation, the method comprising:
- detecting a launch of an application on the workstation;
  
  generating a hash value for the launched application;
  
  comparing the generated hash value to one or more hash values in a hash/policy table that includes one or more policies associated with the one or more hash values;
  
  if the generated hash value matches one or more of the hash values in the hash/policy table, then applying the one or more policies that are associated with the one or more hash values;
  
  if the generated hash value does not match one or more hash values in the hash/policy table, then posting the application to a logging database;
  
  uploading the logging database to an application server module;
  
  determining whether the application from the logging database is in an application inventory database; and
  
  if the application is not in the application inventory database, then posting the application to an uncategorized application database.
- View Dependent Claims (55, 56)
- - 55. The method of claim 54, further comprising scanning the logging database to determine a frequency count for the application.
  - 56. The method of claim 54, further comprising:
    - uploading the uncategorized application database to an application database factory;
      
      determining whether the application has been previously categorized by the application database factory;
      
      for each application that was not previously categorized, categorizing each application by selecting one or more categories to associated with that application;
      
      posting each application along with its selected one or more categories into a database of categorized applications; and
      
      downloading the database of categorized applications for incorporation into the application inventory database.

57. A method of controlling applications on a computer, the method comprising:
- identifying an application on the computer;
  
  determining whether the application is in a database; and
  
  if the application is in the database, then applying one or more predetermined policies that are associated with the application.
- View Dependent Claims (58)
- - 58. The method of claim 57, further comprising if the application is not in the database, then storing the application to the database.

59. A method of controlling applications on a workstation, the method comprising:
- detecting a running application on a workstation;
  
  determining whether the running application is in a database; and
  
  if the running application is not in the database, then storing the running application to the database.
- View Dependent Claims (60)
- - 60. The method of claim 59, further comprising:
    - associating one or more policies to the running application; and
      
      controlling the running application based on the one or more policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint LLC
Original Assignee
Forcepoint LLC
Inventors
Dimm, John Ross, Kester, Harold M., Anderson, Mark Richard, Hegli, Ronald B.

Granted Patent

US 7,185,015 B2
Time in Patent Office

Days
Field of Search
US Class Current

717/168
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/57   Certifying or maintaining t...

G06F 21/6218   to a system of files or obj...

G06Q 20/203   Inventory monitoring

H04L 63/0428   wherein the data content is...

H04L 63/20   for managing network securi...

Y10S 707/99931   Database or file accessing

Y10S 707/99943   Generating database or data...

Y10S 707/99945   Object-oriented database st...

System and method of monitoring and controlling application files

First Claim

19 Assignments

0 Petitions

Accused Products

Abstract

180 Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of monitoring and controlling application files

First Claim

19 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

180 Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links