Computer network malicious code scanner

US 5,983,348 A
Filed: 09/10/1997
Issued: 11/09/1999
Est. Priority Date: 09/10/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method of detecting and preventing execution of instructions in an application program provided from a computer network, comprising:

providing the application program over the computer network;

determining whether the provided application program includes any instructions that are members of a particular set of instructions;

executing the application program if it is determined that no members of the set are included in the application program;

if it is determined that an instruction is a member of the set, then altering the application program, thereby allowing monitoring of execution of the instruction, wherein the altering includes inserting a first predefined call before the instruction and a second predefined call after the instruction; and

wherein the first or second predefined call changes a session state of the application program.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network scanner for security checking of application programs (e.g. Java applets or Active X controls) received over the Internet or an Intranet has both static (pre-run time) and dynamic (run time) scanning. Static scanning at the HTTP proxy server identifies suspicious instructions and instruments them e.g. a pre-and-post filter instruction sequence or otherwise. The instrumented applet is then transferred to the client (web browser) together with security monitoring code. During run time at the client, the instrumented instructions are thereby monitored for security policy violations, and execution of an instruction is prevented in the event of such a violation.

Citations

34 Claims

1. A method of detecting and preventing execution of instructions in an application program provided from a computer network, comprising:
- providing the application program over the computer network;
  
  determining whether the provided application program includes any instructions that are members of a particular set of instructions;
  
  executing the application program if it is determined that no members of the set are included in the application program;
  
  if it is determined that an instruction is a member of the set, then altering the application program, thereby allowing monitoring of execution of the instruction, wherein the altering includes inserting a first predefined call before the instruction and a second predefined call after the instruction; and
  
  wherein the first or second predefined call changes a session state of the application program.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising associating monitoring code with the application program.
  - 3. The method of claim 1, wherein the altering includes replacing the instruction with a predefined second instruction.
  - 4. The method of claim 1, wherein the application program is an applet.
  - 5. The method of claim 4, wherein the applet is in the Java language.
  - 6. The method of claim 1, wherein the computer network is an Intranet or the Internet.
  - 7. The method of claim 1 wherein the first predefined call is a call to check a security policy.
  - 8. The method of claim 7, wherein the security policy is a state machine.
  - 9. The method of claim 1, wherein the inserting is repeated for each instruction in the application program that is a member of the particular set.
  - 10. The method of claim 1, wherein the particular set of instructions includes instructions that access a predefined set of files.
  - 11. The method of claim 1, wherein the computer network includes a server and a client coupled to the server, and wherein the altering takes place at the server, wherein the executing the application program takes place at the client.
  - 12. The method of claim 1, wherein the instructions are problematic instructions.
  - 13. The method of claim 1, wherein the application program is altered at the point of the instruction.

14. A method of detecting and preventing execution of instructions in an application program provided from a computer network comprising:
- providing the application program over the computer network;
  
  determining whether the provided application program includes any instructions that are members of a particular set of instructions;
  
  executing the application program if it is determined that no members of the set are included in the application program;
  
  if it is determined that an instruction is a member of the set, then altering the application program, thereby allowing monitoring of execution of the instruction;
  
  determining if the application program includes an authentication;
  
  verifying the authentication; and
  
  replacing the verified authentication with a second authentication.

15. A method of detecting and preventing execution of instructions in an application program provided from a computer network, comprising:
- providing the application program over the computer network;
  
  determining whether the provided application program includes any instructions that are members of a particular set of instructions;
  
  executing the application program if it is determined that no members of the set are included in the application program;
  
  if it is determined that an instruction is a member of the set, then altering the application program, thereby allowing monitoring of execution of the instruction;
  
  providing all dependency files associated with the application program;
  
  providing a single monitoring package performing the step of determining for the application program and its associated dependency files; and
  
  executing the application program and its associated dependency files.

16. A scanner for detecting and preventing execution of instructions in an application program provided from a computer network, wherein the scanner determines whether the provided application program includes any instructions that are members of a particular set of instructions, allowing execution of the application program if it is determined that no members of the set are included in the application program;
- and comprising;
  
  an instrumenter which alters the application program at an instruction which is determined to be a member of the set, thereby allowing monitoring of execution of such instructions;
  
  wherein the instrumenter inserts a first predefined call before the instruction and a second predefined call after the instruction; and
  
  wherein the first or second predefined call changes a session state of the application program.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 17. The scanner of claim 16, further comprising a packer which associates monitoring code with the application program.
  - 18. The scanner of claim 16, wherein the instrumenter replaces the instruction with a predefined second instruction.
  - 19. The scanner of claim 16, wherein the application program is an applet.
  - 20. The scanner of claim 19, wherein the applet is in the Java language.
  - 21. The scanner of claim 16, wherein the computer network is an Intranet or the Internet.
  - 22. The scanner of claim 16, wherein the first predefined call is a call to check a security policy.
  - 23. The scanner of claim 22, wherein the security policy is a state machine.
  - 24. The scanner of claim 16, wherein the instrumenter repeats the inserting for each instruction in the application program that is a member of the particular set.
  - 25. The scanner of claim 16, wherein the particular set of instructions includes instructions that access a predefined set of files.
  - 26. The scanner of claim 16, wherein the computer network includes a server and a client coupled to the server, wherein the altering by the instrumenter takes place at the server, and wherein the executing the application program takes place at the client.
  - 27. The scanner of claim 16, wherein the instructions that are members of the particular set are problematic instructions.
  - 28. The scanner of claim 16, wherein the alteration is at the point of the instruction.

29. A scanner for detecting and preventing execution of instructions in an application program provided from a computer network, wherein the scanner determines whether the provided application program includes any instructions that are members of a particular set of instructions, allowing execution of the application program if it is determined that no members of the set are included in the application program;
- and comprising;
  
  an instrumenter which alters the application program at an instruction which is determined to be a member of the set, thereby allowing monitoring of execution of such instruction;
  
  a verifier which determines if the application program includes an authentication and verifies the authentication; and
  
  a signer which replaces the verified authentication with a second authentication.

30. A scanner for detecting and preventing execution of instructions in an application program provided from a computer network, wherein the scanner determines whether the provided application program includes any instructions that are members of a particular set of instructions, allowing execution of the application program if it is determined that no members of the set are included in the application program;
- and comprising;
  
  an instrumenter which alters the application program at an instruction which is determined to be a member of the set, thereby allowing monitoring of execution of such instruction;
  
  a prefetcher which fetches all dependency files associated with the application program; and
  
  a security policy generator which provides a single monitoring package for the application program and its associated dependency files.

31. A method of detecting and preventing execution of instructions in an application program provided from a computer network, comprising:
- providing the application program over the computer network;
  
  determining whether the provided application program includes any instructions that are members of a particular set of instructions;
  
  executing the application program if it is determined that no members of the set are included in the application program;
  
  if it is determined that an instruction is a member of the set, then altering the application program, thereby allowing monitoring of execution of the instruction;
  
  wherein the computer network includes a server and a client coupled to the server, and wherein the altering takes place at the server, wherein the executing the application program takes place at the client; and
  
  performing the monitoring at the client.

32. A method of detecting and preventing execution of instructions in an application program provided from a computer network, comprising:
- providing the application program over the computer network;
  
  determining whether the provided application program includes any instructions that are members of a particular set of instructions;
  
  executing the application program if it is determined that no members of the set are included in the application program;
  
  if it is determined that an instruction is a member of the set, then altering the application program, thereby allowing monitoring of execution of the instruction, andcarrying out the method for each of a plurality of application programs as each application program is provided from the computer network.

33. A scanner for detecting and preventing execution of instructions in an application program provided from a computer network, wherein the scanner determines whether the provided application program includes any instructions that are members of a particular set of instructions, allowing execution of the application program if it is determined that no members of the set are included in the application program;
- and comprising;
  
  an instrumenter which alters the application program at an instruction which is determined to be a member of the set, thereby allowing monitoring of execution of such instruction;
  
  wherein the computer network includes a server and a client coupled to the server, wherein the altering by the instrumenter takes place at the server, and wherein the executing the application program takes place at the client; and
  
  wherein the monitoring is performed at the client.

34. A scanner for detecting and preventing execution of instructions in an application program provided from a computer network, wherein the scanner determines whether the provided application program includes any instructions that are members of a particular set of instructions, allowing execution of the application program if it is determined that no members of the set are included in the application program;
- and comprising;
  
  an instrumenter which alters the application program at an instruction which is determined to be a member of the set, thereby allowing monitoring of execution of such instruction; and
  
  wherein the instrumenter alters each of a plurality of application programs as each application program is provided from the computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Ji, Shuang
Primary Examiner(s)
WRIGHT, NORMAN M

Application Number

US08/926,619
Time in Patent Office

790 Days
Field of Search

395/186, 395/187.01, 395/188.01, 395/183.14, 395/183.13, 395/200.54, 395/200.55, 395/200.32, 380/3, 380/4, 380/23, 380/25, 713/200, 713/201, 713/202, 714/38, 714/37
US Class Current

726/13
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/554   involving event detection a...

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/123   received data contents, e.g...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Computer network malicious code scanner

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Computer network malicious code scanner

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links