Computer Security Method and System With Input Parameter Validation

US 20150007321A1
Filed: 09/10/2014
Published: 01/01/2015
Est. Priority Date: 12/12/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-based method for identifying suspicious downloadables, comprising:

receiving, by a receiving computer, a downloadable;

scanning, by the receiving computer, the downloadable to detect the presence of suspicious computer operations;

if at least one suspicious computer operation is detected by said scanning, appending, by the receiving computer, monitoring program code to the downloadable thereby generating a modified downloadable, wherein the monitoring program code includes a dictionary of objects including for each object at least one name of a suspicious object method and an associated validator function therefor;

overwriting, by the receiving computer, a call in the downloadable to a suspicious object method with a modified call that invokes its associated validator function;

executing, by the receiving computer, a run-time loop over the modified downloadable, wherein upon execution, the associated validator function for the suspicious object method is called to compare one or more input parameters for the suspicious object method against a list of expected values for each of the one or more input parameters;

if a match is found between the one or more input parameters and the expected values determining, by the receiving computer, that the input parameters are valid and forwarding the downloadable to a destination computer, wherein the forwarded downloadable is in an unmodified format; and

if no match is found, providing by the receiving computer, an alert that the one or more identified computer operations are potentially malicious.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system, including a receiver for receiving a downloadable, a scanner, coupled with the receiver, for scanning the downloadable to identify suspicious computer operations therein, a code modifier, coupled with the scanner, for overwriting the suspicious computer operations with substitute computer operations, if at least one suspicious computer operation is identified by the scanner, and for appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is identified by the scanner, and a processor, coupled with the code modifier, for executing programmed instructions, wherein the monitoring program code includes program instructions for the processor to validate input parameters for the suspicious computer operations during run-time of the downloadable. A method is also described and claimed.

Citations

13 Claims

1. A computer-based method for identifying suspicious downloadables, comprising:
- receiving, by a receiving computer, a downloadable;
  
  scanning, by the receiving computer, the downloadable to detect the presence of suspicious computer operations;
  
  if at least one suspicious computer operation is detected by said scanning, appending, by the receiving computer, monitoring program code to the downloadable thereby generating a modified downloadable, wherein the monitoring program code includes a dictionary of objects including for each object at least one name of a suspicious object method and an associated validator function therefor;
  
  overwriting, by the receiving computer, a call in the downloadable to a suspicious object method with a modified call that invokes its associated validator function;
  
  executing, by the receiving computer, a run-time loop over the modified downloadable, wherein upon execution, the associated validator function for the suspicious object method is called to compare one or more input parameters for the suspicious object method against a list of expected values for each of the one or more input parameters;
  
  if a match is found between the one or more input parameters and the expected values determining, by the receiving computer, that the input parameters are valid and forwarding the downloadable to a destination computer, wherein the forwarded downloadable is in an unmodified format; and
  
  if no match is found, providing by the receiving computer, an alert that the one or more identified computer operations are potentially malicious.
- View Dependent Claims (2, 3)
- - 2. A computer-based method for identifying suspicious downloadables in accordance with claim 1, wherein if no match is found, replacing by the receiving computer, the input parameters that are not valid with valid input parameters and forwarding the downloadable to a destination computer, wherein the forwarded downloadable is in an unmodified format.
  - 3. A computer-based method for identifying suspicious downloadables in accordance with claim 1, wherein if no match is found, consulting by the receiving computer, a security policy to determine whether or not to forward the downloadable to a destination computer even though no match is found for the input parameters.

4. A computer-based method for identifying suspicious downloadables, comprising:
- receiving, by a receiving computer, a downloadable;
  
  scanning, by the receiving computer, the downloadable to detect the presence of suspicious computer operations;
  
  if at least one suspicious computer operation is detected by said scanning, appending, by the receiving computer, monitoring program code to the downloadable thereby generating a modified downloadable, wherein the monitoring program code includes a dictionary of objects including for each object at least one name of a suspicious object method and an associated validator function therefor;
  
  executing, by the receiving computer, a run-time loop over the modified downloadable, wherein upon execution the receiving computer,(i) overwrites a call in the downloadable to a suspicious object method with a modified call that invokes its associated validator function, and(ii) calls the associated validator function for the suspicious object method to compare one or more input parameters for the suspicious object method against a list of expected values for each of the one or more input parameters;
  
  if a match is found between the one or more input parameters and the expected values determining, by the receiving computer, that the input parameters are valid and forwarding the downloadable to a destination computer, wherein the forwarded downloadable is in an unmodified format; and
  
  if no match is found, providing by the receiving computer, an alert that the one or more identified computer operations are potentially malicious.
- View Dependent Claims (5, 6)
- - 5. A computer-based method for identifying suspicious downloadables in accordance with claim 4, wherein if no match is found, replacing by the receiving computer, the input parameters that are not valid with valid input parameters and forwarding the downloadable to a destination computer, wherein the forwarded downloadable is in an unmodified format.
  - 6. A computer-based method for identifying suspicious downloadables in accordance with claim 4, wherein if no match is found, consulting by the receiving computer, a security policy to determine whether or not to forward the downloadable to a destination computer even though no match is found for the input parameters.

7. A computer system with a secure gateway, comprising:
- one or more destination client computers; and
  
  a gateway computer for said one or more destination computers, comprising;
  
  a receiver operative to receive a downloadable in transit to said one or more destination computers;
  
  a scanner operative to scan the received downloadable to detect the presence of suspicious computer operations;
  
  a code monitor operable to (i) append monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is detected by said scanner, wherein the monitoring program code includes a dictionary of objects including for each object at least one name of a suspicious object method and an associated validator function therefor, and (ii) overwite a call in the downloadable to a suspicious object method with a modified call that invokes the method'"'"'s associated validator function;
  
  a processor operable to (i) execute a run-time loop over the modified downloadable, wherein upon execution, the associated validator function for the suspicious object method is called to compare one or more input parameters for the suspicious object method against a list of expected values for each of the one or more input parameters, (ii) determine that the input parameters are valid and forward the downloadable to said one or more destination computers, if a match is found between the one or more input parameters and their expected values, wherein the forwarded downloadable is in an unmodified format, and (iii) provide an alert that the one or more identified computer operations are potentially malicious, if no match is found.
- View Dependent Claims (8, 9)
- - 8. A computer system with a secure gateway in accordance with claim 7, wherein the processor is operable to replace the input parameters that are not valid with valid input parameters and forwarding the downloadable to one or more destination computers, if no match is found.
  - 9. A computer system with a secure gateway in accordance with claim 7, wherein the processor is operable to consult a security policy to determine whether or not to forward the downloadable to a destination computer even though no match is found for the input parameters.

10. A secure client computer that receives executable downloadables from other computers, comprising:
- a receiver operative to receive a downloadable;
  
  a scanner operative to scan the received downloadable to detect the presence of suspicious computer operations;
  
  a code monitor operable to append monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is detected by said scanner, wherein the monitoring program code includes a dictionary of objects including for each object at least one name of a suspicious object method and an associated validator function therefor;
  
  a processor operable to (i) execute a run-time loop over the modified downloadable, wherein upon execution, the processor overwrites a call in the downloadable to a suspicious object method with a modified call that invokes the method'"'"'s associated validator function, and calls the associated validator function to compare one or more input parameters for the suspicious object method against a list of expected values for each of the one or more input parameters, (ii) determine that the input parameters are valid, and execute the suspicious object method, if a match is found between the one or more input parameters and their expected values, and (iii) provide an alert that the one or more identified computer operations are potentially malicious, if no match is found.
- View Dependent Claims (11, 12, 13)
- - 11. A secure client computer that receives executable downloadables from other computers in accordance with claim 10, wherein the processor is operable to replace the input parameters that are not valid with valid input parameters and forwarding the downloadable to one or more destination computers, if no match is found.
  - 12. A secure client computer that receives executable downloadables from other computers in accordance with claim 10, wherein the processor is operable to consult a security policy to determine whether or not to forward the downloadable to a destination computer even though no match is found for the input parameters.
  - 13. A secure client computer that receives executable downloadables from other computers in accordance with claim 10, wherein the code modifier is operable to overwrite a call in the downloadable to a suspicious object method with a modified call that invokes the method'"'"'s associated validator function prior to the processor executing a run-time loop.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Holdings, Inc. (FIG LLC (d/b/a Fortress Investment Group LLC))
Original Assignee
Finjan, Inc. (FIG LLC (d/b/a Fortress Investment Group LLC))
Inventors
Ben-Itzhak, Yuval, Yosef, Golan, Taub, Israel

Granted Patent

US 9,294,493 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/54   by adding security routines...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Computer Security Method and System With Input Parameter Validation

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Computer Security Method and System With Input Parameter Validation

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links