Computer Security Method and System With Input Parameter Validation
Abstract
A security system, including a receiver for receiving a downloadable, a scanner, coupled with the receiver, for scanning the downloadable to identify suspicious computer operations therein, a code modifier, coupled with the scanner, for overwriting the suspicious computer operations with substitute computer operations, if at least one suspicious computer operation is identified by the scanner, and for appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is identified by the scanner, and a processor, coupled with the code modifier, for executing programmed instructions, wherein the monitoring program code includes program instructions for the processor to validate input parameters for the suspicious computer operations during run-time of the downloadable. A method is also described and claimed.
13 Claims
1. A computer-based method for identifying suspicious downloadables, comprising:
- receiving, by a receiving computer, a downloadable;
- scanning, by the receiving computer, the downloadable to detect the presence of suspicious computer operations;
- if at least one suspicious computer operation is detected by said scanning, appending, by the receiving computer, monitoring program code to the downloadable thereby generating a modified downloadable, wherein the monitoring program code includes a dictionary of objects including for each object at least one name of a suspicious object method and an associated validator function therefor;
- overwriting, by the receiving computer, a call in the downloadable to a suspicious object method with a modified call that invokes its associated validator function;
- executing, by the receiving computer, a run-time loop over the modified downloadable, wherein upon execution, the associated validator function for the suspicious object method is called to compare one or more input parameters for the suspicious object method against a list of expected values for each of the one or more input parameters;
- if a match is found between the one or more input parameters and the expected values determining, by the receiving computer, that the input parameters are valid and forwarding the downloadable to a destination computer, wherein the forwarded downloadable is in an unmodified format; and
- if no match is found, providing by the receiving computer, an alert that the one or more identified computer operations are potentially malicious.

Dependent claims: 2, 3
4. A computer-based method for identifying suspicious downloadables, comprising:
- receiving, by a receiving computer, a downloadable;
- scanning, by the receiving computer, the downloadable to detect the presence of suspicious computer operations;
- if at least one suspicious computer operation is detected by said scanning, appending, by the receiving computer, monitoring program code to the downloadable thereby generating a modified downloadable, wherein the monitoring program code includes a dictionary of objects including for each object at least one name of a suspicious object method and an associated validator function therefor;
- executing, by the receiving computer, a run-time loop over the modified downloadable, wherein upon execution the receiving computer, (i) overwrites a call in the downloadable to a suspicious object method with a modified call that invokes its associated validator function, and (ii) calls the associated validator function for the suspicious object method to compare one or more input parameters for the suspicious object method against a list of expected values for each of the one or more input parameters;
- if a match is found between the one or more input parameters and the expected values determining, by the receiving computer, that the input parameters are valid and forwarding the downloadable to a destination computer, wherein the forwarded downloadable is in an unmodified format; and
- if no match is found, providing by the receiving computer, an alert that the one or more identified computer operations are potentially malicious.

Dependent claims: 5, 6
7. A computer system with a secure gateway, comprising:
- one or more destination client computers; and
- a gateway computer for said one or more destination computers, comprising;
  - a receiver operative to receive a downloadable in transit to said one or more destination computers;
  - a scanner operative to scan the received downloadable to detect the presence of suspicious computer operations;
  - a code monitor operable to (i) append monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is detected by said scanner, wherein the monitoring program code includes a dictionary of objects including for each object at least one name of a suspicious object method and an associated validator function therefor, and (ii) overwrite a call in the downloadable to a suspicious object method with a modified call that invokes the method's associated validator function;
  - a processor operable to (i) execute a run-time loop over the modified downloadable, wherein upon execution, the associated validator function for the suspicious object method is called to compare one or more input parameters for the suspicious object method against a list of expected values for each of the one or more input parameters, (ii) determine that the input parameters are valid and forward the downloadable to said one or more destination computers, if a match is found between the one or more input parameters and their expected values, wherein the forwarded downloadable is in an unmodified format, and (iii) provide an alert that the one or more identified computer operations are potentially malicious, if no match is found.

Dependent claims: 8, 9
10. A secure client computer that receives executable downloadables from other computers, comprising:
- a receiver operative to receive a downloadable;
- a scanner operative to scan the received downloadable to detect the presence of suspicious computer operations;
- a code monitor operable to append monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is detected by said scanner, wherein the monitoring program code includes a dictionary of objects including for each object at least one name of a suspicious object method and an associated validator function therefor;
- a processor operable to (i) execute a run-time loop over the modified downloadable, wherein upon execution, the processor overwrites a call in the downloadable to a suspicious object method with a modified call that invokes the method's associated validator function, and calls the associated validator function to compare one or more input parameters for the suspicious object method against a list of expected values for each of the one or more input parameters, (ii) determine that the input parameters are valid, and execute the suspicious object method, if a match is found between the one or more input parameters and their expected values, and (iii) provide an alert that the one or more identified computer operations are potentially malicious, if no match is found.

Dependent claims: 11, 12, 13
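The run-time validation recited in the claims (a dictionary of objects, each with suspicious method names and associated validator functions, and calls overwritten to invoke the validator) can be sketched as follows, using the client-side behaviour of claim 10. This is an added JavaScript illustration, not code from the patent; `expectValues`, `installMonitor`, `runSample`, the stand-in `fakeDocument` object and the expected-value list are all hypothetical.

```javascript
// Added illustration; every name and sample value here is hypothetical.

// Build a validator that compares each input parameter against the list of
// expected values for that parameter position. Extra or missing parameters
// count as a mismatch.
function expectValues(...expectedPerParam) {
  return (args) =>
    args.length === expectedPerParam.length &&
    args.every((arg, i) => expectedPerParam[i].includes(arg));
}

// dictionary: [{ name, object, methods: { methodName: validator } }]
// Overwrites each listed method with a modified call that invokes its
// validator; the original method runs only when the parameters match.
function installMonitor(dictionary, onAlert) {
  for (const { name, object, methods } of dictionary) {
    for (const [method, validator] of Object.entries(methods)) {
      const original = object[method];
      if (typeof original !== "function") continue; // nothing to hook
      object[method] = function (...args) {
        if (validator(args)) return original.apply(this, args);
        onAlert({ object: name, method, args }); // potentially malicious
        return undefined; // the suspicious method is not executed
      };
    }
  }
}

// Constructed stand-in for a host object plus a two-call "downloadable".
function runSample() {
  const alerts = [];
  const fakeDocument = {
    created: [],
    createElement(tag) { this.created.push(tag); return { tag }; },
  };
  installMonitor([{
    name: "document",
    object: fakeDocument,
    methods: { createElement: expectValues(["div", "span", "p"]) },
  }], (a) => alerts.push(a));
  const allowed = fakeDocument.createElement("div");    // expected value
  const blocked = fakeDocument.createElement("iframe"); // not in the list
  return { allowed, blocked, created: fakeDocument.created, alerts };
}

console.log(JSON.stringify(runSample()));
```

The hook only covers calls made through the monitored object after `installMonitor` runs; a reference to the original method captured earlier would not pass through the validator.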
Specification