Two-phase hash value matching technique in message protection systems

US 20050015599A1
Filed: 06/25/2003
Published: 01/20/2005
Est. Priority Date: 06/25/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method for filtering out exploits passing through a device, comprising:

receiving an object directed to the device;

determining a first value associated with the object;

determining a second set of values associated with objects that have previously been scanned;

if the first value matches at least one of the values in the second set, determining a third value associated with the object;

determining a fourth set of values associated with the objects that have previously been scanned; and

if the third value matches at least one of the values in the fourth set, immediately processing the object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a two-phase hash value matching technique in message protection systems. This invention further improves the performance of message protection systems by avoiding computations associated with sophisticated signature hash value (SSHV) where possible. A message protection system that implements the two-phase hash value matching technique caches rough outline hash values (ROHVs) of previously scanned objects. The system can roughly distinguish one object from another using ROHVs. The system performs an initial check using ROHVs before performing the relatively time-consuming computations associated with SSHVs.

131 Citations

29 Claims

1. A method for filtering out exploits passing through a device, comprising:
- receiving an object directed to the device;
  
  determining a first value associated with the object;
  
  determining a second set of values associated with objects that have previously been scanned;
  
  if the first value matches at least one of the values in the second set, determining a third value associated with the object;
  
  determining a fourth set of values associated with the objects that have previously been scanned; and
  
  if the third value matches at least one of the values in the fourth set, immediately processing the object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the object includes at least one of a message, an attachment to a message, an email, a computer-executable file, and a data file.
  - 3. The method of claim 1, wherein the at least one of the first value and the third value further comprises at least one of a hash value, an algorithmic function, a checksum, a public key certificate, and a digital signature.
  - 4. The method of claim 1, wherein the first value includes a rough outline hash value (ROHV).
  - 5. The method of claim 4, wherein the third value includes a sophisticated signature hash value (SSHV) and wherein the ROHV requires less time to compute than the SSHV.
  - 6. The method of claim 1, wherein immediately processing the object further comprises processing the object without scanning the object.
  - 7. The method of claim 6, wherein immediately processing the object further comprises removing an exploit from the object.
  - 8. The method of claim 6, wherein immediately processing the object further comprises forwarding the object to a destination.
  - 9. The method of claim 1, further comprising if the first value does not match any of the values in the second set, scanning the object for an exploit;
    - and updating the second set of values to include the first value.
  - 10. The method of claim 1, further comprising if the third value does not match any of the values in the fourth set, scanning the object for an exploit;
    - and updating the fourth set of values to include the third value.
  - 11. The method of claim 1, wherein the method is operable on at least one of a firewall, a router, a switch, a server, and a dedicated platform.

12. A computer-readable medium encoded with a data-structure, comprising:
- a first indexing data field having indexing entries, each indexing entry including a first value; and
  
  a second data field including object-related entries, each object-related entry having a second value and being indexed to an indexing entry in the first indexing data field, each object-related entry being uniquely associated with an object that has been previously scanned.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The computer-readable medium of claim 12, wherein at least one of the first value and the second value further comprises at least one of a hash value, an algorithmic function, checksum, public key certificate, and a digital signature.
  - 14. The computer-readable medium of claim 12, wherein the first value is a ROHV.
  - 15. The computer-readable medium of claim 12, wherein the second value is a SSHV.
  - 16. The computer-readable medium of claim 12, wherein at least one object-related entry in the second data field includes information about the associated object.

17. A system for protecting a device against an exploit, comprising:
- a message tracker that is configured to determine whether an object has been previously scanned using a two-phase hash value technique; and
  
  a scanner component that is coupled to the message tracker and that is configured to receive an unscanned object and to determine whether the unscanned object includes an exploit.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 18. The system of claim 17, wherein the object includes at least one of a message, an attachment to a message, an email, a computer-executable file, and a data file.
  - 19. The system of claim 17, wherein the two-phase hash value technique comprises:
    - determining a first value associated with the object;
      
      determining a second set of values associated with objects that have previously been scanned; and
      
      if the first value does not match at least one of the values in the second set, determining that the object has not been previously scanned.
  - 20. The system of claim 19, wherein the first value further comprises at least one of a hash value, an algorithmic function, checksum, public key certificate, and a digital signature.
  - 21. The system of claim 19, wherein the first value further comprises a ROHV.
  - 22. The system of claim 19, wherein the two-phase hash value technique further comprises:
    - if the first value matches at least one of the values in the second set, determining a third value associated with the object;
      
      determining a fourth set of values associated with the objects that have previously been scanned;
      
      if the third value does not match at least one of the values in the fourth set, determining that the object has not been previously scanned.
  - 23. The system of claim 22, wherein the third value further comprises at least one of a hash value, an algorithmic function, checksum, public key certificate, and a digital signature.
  - 24. The system of claim 22, wherein the third value further comprises a SSHV.
  - 25. The system of claim 22, wherein the two-phase hash value technique further comprises:
    - if the third value approximately matches at least one of the values in the fourth set, determining that the object has been previously scanned.
  - 26. The system of claim 17, wherein the system is operable on at least one of a firewall, a router, a switch, a server, and a dedicated platform.

27. An apparatus for protecting a device against an exploit, comprising:
- means for receiving an object directed to the device;
  
  means for determining whether the object has been previously scanned using a two-phase hash value technique; and
  
  means for immediately processing the object if the object has been previously scanned.
- View Dependent Claims (28, 29)
- - 28. The apparatus of claim 27, further comprising means for scanning the object if the object has not been previously scanned.
  - 29. The apparatus of claim 27, further comprising:
    - means for maintaining a list of previously scanned objects for the two-phase hash value technique; and
      
      means for updating the list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia, Inc. (Nokia Corporation)
Original Assignee
Nokia, Inc. (Nokia Corporation)
Inventors
Wang, Bing, Smith, Gregory J., Scott, Robert Paxton, Card, James

Application Number

US10/606,659
Publication Number

US 20050015599A1
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

G06F 21/562   Static detection

H04L 2209/80   Wireless network architectu...

H04L 63/123   received data contents, e.g...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

Two-phase hash value matching technique in message protection systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

131 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

Two-phase hash value matching technique in message protection systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

131 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others