EXECUTABLE CONTENT FILTERING

US 20090260087A1
Filed: 04/11/2008
Published: 10/15/2009
Est. Priority Date: 04/11/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

analyzing a stream of one or more parsed elements of a network message with a set of one or more executable content filters, wherein the stream of one or more elements are streamed from a network message parser; and

modifying the stream of one or more parsed elements to disable executable content in the network message based, at least in part, on a set of one or more rule sets being applied with the set of one or more executable content filters to the stream of parsed elements.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Malicious executable content in network messages (e.g., request and response hypertext transfer protocol message) can circumvent some security measures. In addition, conventional security measures aimed at capturing malicious executable content noticeably impact system performance. Stream based filtering of network messages allows for efficient processing to remove malicious executable content. Furthermore, an extensible framework for executable content filtering streaming message elements allows for efficient adaptation of an executable content filter to new threats disguised as executable content.

Citations

20 Claims

1. A method comprising:
- analyzing a stream of one or more parsed elements of a network message with a set of one or more executable content filters, wherein the stream of one or more elements are streamed from a network message parser; and
  
  modifying the stream of one or more parsed elements to disable executable content in the network message based, at least in part, on a set of one or more rule sets being applied with the set of one or more executable content filters to the stream of parsed elements.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein said modifying the stream of one or more parsed elements comprises at least one of removing the executable content from the stream of one or more parsed elements, anonymizing the executable content, hiding the executable content, rewriting the executable content, and marking the executable content in the stream of one or more elements for removal.
  - 3. The method of claim 1 further comprising:
    - accessing a set of one or more executable content filtering configuration files that indicate the set of one or more rule sets; and
      
      instantiating the set of one or more executable content filters based on the set of one or more rule sets.
  - 4. The method of claim 1, wherein each of the set of one or more rule sets applies to a particular scope of the network message.
  - 5. The method of claim 1, wherein said analyzing comprises:
    - determining a scope of the network message based on the stream of one or more elements;
      
      modifying a first of the one or more parsed elements to disable executable content indicated by a first of the set of one or more rule sets if the first parsed element is within the scope and if the first parsed element includes the executable content indicated by the first rule set; and
      
      passing the first parsed element to a second executable content filter if not modified by the first executable content filter or if the first parsed element is not within the scope.
  - 6. The method of claim 5, wherein said determining the scope comprises:
    - detecting in the stream of parsed elements a first tag that marks a beginning of the scope; and
      
      setting a value for the first executable content filter to indicate the stream is within the scope.
  - 7. The method of claim 5, wherein said determining the scope comprises:
    - detecting an embedded annotation that specifies the scope.
  - 8. The method of claim 1, wherein a first of the set of one or more rule sets comprises one or more filtering rules, wherein a first of the one or more filtering rules indicates an attribute being filtered, a value for the attribute, a criteria for applying the first filter rule, and an action to be taken if the first filter rule applies.
  - 9. The method of claim 1, wherein a first of the set of one or more rule sets comprises one or more filtering rules, wherein a first of the one or more filtering rules indicates a tag to be filtered, and an action that specifies removal of the tag.

10. A method comprising:
- applying a plurality of executable content filters to a stream of parsed elements of a network message, wherein each of the plurality of executable content filters targets executable content for effective removal;
  
  for each of the plurality of executable content filters, determining if one or more of the stream of parsed elements includes executable content targeted by the executable content filter; and
  
  modifying those of the stream of parsed elements that include the executable content targeted by the plurality of executable content filters to effectively remove the executable content.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10 further comprising:
    - for each of the plurality of executable content filters, analyzing the stream of parsed elements for those of the parsed elements within a scope of the network message analyzed by the executable content filter,wherein said determining is contingent upon the parsed elements being within the scope.
  - 12. The method of claim 10, wherein said modifying those of the stream of parsed elements that include the executable content targeted by the plurality of executable content filters comprises at least one of removing the executable content from the stream, anonymizing the executable content, hiding the executable content, rewriting the executable content, and marking the executable content for removal after said applying.
  - 13. The method of claim 10, wherein said applying comprises applying a first set of the plurality of executable content filters in parallel with a second set of the plurality of executable content filters, wherein the first and the second set of executable content filters correspond to different scopes of the network message.
  - 14. The method of claim 10, wherein said applying comprises applying the plurality of executable content filters in series.
  - 15. The method of claim 10, wherein the executable content targeted by the plurality of executable content filters comprises at least one of a tag, a parameter value, an attribute value, and encoded content.

16. One or more machine-readable media having stored therein a program product, which when executed a set of one or more processor units causes the set of one or more processor units to perform operations that comprise:
- analyzing a stream of one or more parsed elements of a network message with a set of one or more executable content filters, wherein the stream of one or more elements are streamed from a network message parser; and
  
  modifying the stream of one or more parsed elements to disable executable content in the network message based, at least in part, on a set of one or more rule sets applied with the set of one or more executable content filters to the stream of parsed elements.
- View Dependent Claims (17)
- - 17. The machine-readable media of claim 16, wherein the operations further comprise:
    - loading a set of one or more executable content filtering configuration files that indicate the set of one or more rule sets; and
      
      instantiating the set of one or more executable content filters based on the set of one or more rule sets.

18. An apparatus comprising:
- a set of one or more processor units;
  
  a network interface operable to receive a network message and coupled with the set of one or more processor units; and
  
  an executable content message stream filter module coupled with the network interface, the executable content message filter module operable to,analyze a stream of one or more parsed elements of a network message with a set of one or more executable content filters, wherein the stream of one or more elements are streamed from a network message parser, andmodify the stream of one or more parsed elements to disable executable content in the network message in accordance with a set of one or more rules sets applied by set of one or more executable content filters to the stream of parsed elements.
- View Dependent Claims (19, 20)
- - 19. The apparatus of claim 18 further comprising the network message parser coupled with the executable content message stream filter module and operable to parse the network message into the one or more parsed elements and operable to stream out the one or more parsed elements.
  - 20. The apparatus of claim 18, wherein the executable content message stream filter module is further operable to load a configuration file that indicates the set of one or more rule sets and operable to instantiate the set of one or more executable content filters based on the set of one or more rule sets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Uramoto, Naohiko, Teraguchi, Masayoshi, Makino, Satoshi, Kaplinger, Todd E., Ishida, Ai

Granted Patent

US 8,234,712 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

H04L 63/0245 Filtering by information in...

H04L 63/145 the attack involving the pr...

EXECUTABLE CONTENT FILTERING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

EXECUTABLE CONTENT FILTERING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links