System and method for protecting a client during runtime from hostile downloadables
DC CAFCFirst Claim
Patent Images
1. A computer-based method, comprising:
- monitoring substantially in parallel a plurality of subsystems of the operating system during runtime for an event caused from a request made by a Downloadable;
interrupting processing of the request;
comparing information pertaining to the Downloadable against a predetermined security policy; and
performing a predetermined responsive action based on the comparison.
5 Assignments
Litigations
0 Petitions
Reexaminations
Accused Products
Abstract
A system protects a client from hostile Downloadables. The system includes security rules defining suspicious actions and security policies defining the appropriate responsive actions to rule violations. The system includes an interface for receiving incoming Downloadable and requests made by the Downloadable. The system still further includes a comparator coupled to the interface for examining the Downloadable, requests made by the Downloadable and runtime events to determine whether a security policy has been violated, and a response engine coupled to the comparator for performing a violation-based responsive action.
226 Citations
51 Claims
-
1. A computer-based method, comprising:
-
monitoring substantially in parallel a plurality of subsystems of the operating system during runtime for an event caused from a request made by a Downloadable;
interrupting processing of the request;
comparing information pertaining to the Downloadable against a predetermined security policy; and
performing a predetermined responsive action based on the comparison. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 44)
wherein the Downloadable engine includes a Java™ - virtual machine having Java™
classes; and
wherein monitoring the operating system includes monitoring each Java™
class for receipt of the request.
-
-
4. The method of claim 2,
wherein the Downloadable engine includes an AppletX™ - platform having a message engine, a dynamic-data-exchange and a dynamically-linked library; and
wherein monitoring the operating system includes monitoring the message engine, the dynamic-data-exchange and the dynamically-linked library for receipt of the request.
- platform having a message engine, a dynamic-data-exchange and a dynamically-linked library; and
-
5. The method of claim 1, further comprising determining whether information pertaining to the Downloadable violates a security rule.
-
6. The method of claim 5, further comprising determining whether violation of the security rule violates the security policy.
-
7. The method of claim 1, further comprising:
-
comparing information pertaining to the Downloadable with information pertaining to a predetermined suspicious Downloadable; and
performing a predetermined responsive action based on the comparison with the information pertaining to the predetermined suspicious Downloadable.
-
-
8. The method of claim 1, wherein the predetermined responsive action includes storing results of the comparison in an event log.
-
9. The method of claim 1, wherein the predetermined responsive action includes informing the user when the security policy has been violated.
-
10. The method of claim 1, wherein the predetermined responsive action includes storing information on the Downloadable in a suspicious Downloadable database.
-
11. The method of claim 1, wherein the predetermined responsive action includes discarding the Downloadable.
-
44. The system of claim 1, wherein each subsystem includes one of a file system, network system, process system or memory system.
-
12. A system, comprising:
-
a security policy;
a plurality of operating system interfaces operating substantially in parallel, each interface for recognizing a runtime event in a subsystem of the operating system caused from a request made by a Downloadable;
a first comparator coupled to the interfaces for comparing information pertaining to the received Downloadable with the security policy; and
a response engine coupled to the first comparator for performing a predetermined responsive action based on the comparison with the security policy. - View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 45)
a security rule; - and
a second comparator, coupled to the interfaces and to the response engine, for determining whether information pertaining to the Downloadable violates the security rule.
-
-
16. The system of claim 15, wherein the first comparator determines whether violation of the security rule violates the security policy.
-
17. The system of claim 12, further comprising
a predetermined suspicious Downloadable; - and
a second comparator coupled to the interfaces for comparing information pertaining to the Downloadable with information pertaining to the predetermined suspicious Downloadable;
wherein the response engine is further coupled to the second comparator and performs the responsive action based on the comparison with the information pertaining to the predetermined suspicious Downloadable.
- and
-
18. The system of claim 12, further comprising an event log coupled to the first comparator for storing results of the comparison.
-
19. The system of claim 12, further comprising a user interface coupled to the first comparator.
-
20. The system of claim 12, further comprising a suspicious Downloadable database for storing information on known and previously-deemed suspicious Downloadables.
-
21. The system of claim 12, wherein the predetermined suspicious action includes discarding the Downloadable.
-
45. The system of claim 12, wherein each subsystem includes one of a file system, network system, process system or memory system.
-
22. A system for determining whether a Downloadable, which is received by a Downloadable engine, is suspicious, comprising:
-
means for monitoring substantially in parallel a plurality of subsystems of the operating system during runtime for an event caused from a request made by a Downloadable;
means for interrupting processing of the request;
means for comparing information pertaining to the Downloadable against a predetermined security policy; and
means for performing a predetermined responsive action based on the comparison. - View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 46)
wherein the Downloadable engine includes a Java™ - virtual machine having Java™
classes; and
wherein the means for monitoring the operating system includes means for monitoring each Java™
class for receipt of the request.
-
-
25. The system of claim 23,
wherein the Downloadable engine includes an AppletX™ - platform having a message engine, a dynamic-data-exchange and a dynamically-linked library; and
wherein the means for monitoring the operating system includes means for monitoring the message engine, the dynamic-data-exchange and the dynamically-linked library for receipt of the request.
- platform having a message engine, a dynamic-data-exchange and a dynamically-linked library; and
-
26. The system of claim 22, further comprising means for determining whether information pertaining to the Downloadable violates a security rule.
-
27. The system of claim 26, further comprising means for determining whether violation of the security rule violates the security policy.
-
28. The method of claim 22, further comprising:
-
means for comparing information pertaining to the Downloadable with information pertaining to a predetermined suspicious Downloadable; and
means for performing a predetermined responsive action based on the comparison with the information pertaining to the predetermined suspicious Downloadable.
-
-
29. The system of claim 22, wherein the predetermined responsive action includes storing results of the comparison in an event log.
-
30. The system of claim 22, wherein the predetermined responsive action includes informing the user when the security policy has been violated.
-
31. The system of claim 22, wherein the predetermined responsive action includes storing information on the Downloadable in a suspicious Downloadable database.
-
32. The system of claim 22, wherein the predetermined responsive action includes discarding the Downloadable.
-
46. The system of claim 22, wherein each subsystem includes one of a file system, network system, process system or memory system.
-
33. A computer-readable storage medium storing program code for causing a computer to perform the steps of:
-
monitoring substantially in parallel a plurality of subsystems of the operating system during runtime for an event caused from a request made by a Downloadable;
interrupting processing of the request;
comparing information pertaining to the Downloadable against a predetermined security policy; and
performing a predetermined responsive action based on the comparison. - View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 47)
wherein the Downloadable engine includes a Java™ - virtual machine having Java™
classes; and
wherein monitoring the operating system includes monitoring each Java™
class for receipt of the request.
-
-
36. The medium of claim 35,
wherein the Downloadable engine includes an AppletX™ - platform having a message engine, a dynamic-data-exchange and a dynamically-linked library; and
wherein monitoring the operating system includes monitoring the message engine, the dynamic-data-exchange and the dynamically-linked library for receipt of the request.
- platform having a message engine, a dynamic-data-exchange and a dynamically-linked library; and
-
37. The medium of claim 33, further comprising determining whether information pertaining to the Downloadable violates a security rule.
-
38. The medium of claim 37, further comprising determining whether violation of the security rule violates the security policy.
-
39. The medium of claim 33, further comprising:
-
comparing information pertaining to the Downloadable with information pertaining to a predetermined suspicious Downloadable; and
performing a predetermined responsive action based on the comparison with the information pertaining to the predetermined suspicious Downloadable.
-
-
40. The medium of claim 33, wherein the predetermined responsive action includes storing results of the comparison in an event log.
-
41. The medium of claim 33, wherein the predetermined responsive action includes informing the user when the security policy has been violated.
-
42. The medium of claim 33, wherein the predetermined responsive action includes storing information on the Downloadable in a suspicious Downloadable database.
-
43. The medium of claim 33, wherein the predetermined responsive action includes discarding the Downloadable.
-
47. The system of claim 33, wherein each subsystem includes one of a file system, network system, process system or memory system.
-
48. A method, comprising:
-
intercepting, by an operating system probe associated with an operating system function, an operating system call being issued by a downloadable to an operating system and associated with the operating system function;
comparing, by a runtime environment monitor, the operating system call against a predetermined security policy before allowing the operating system to process the operating system call;
blocking, by a response engine, operating system calls that are forbidden according to the security policy; and
allowing, by the response engine, operating system calls that are permitted according to the security policy. - View Dependent Claims (49)
-
-
50. A system, comprising:
-
an operating system probe associated with an operating system function for intercepting an operating system call being issued by a downloadable to an operating system and associated with the operating system function;
a runtime environment monitor for comparing the operating system call against a predetermined security policy before allowing the operating system to process the operating system call; and
a response engine for blocking operating system calls that are forbidden according to the security policy, and for allowing operating system calls that are permitted according to the security policy. - View Dependent Claims (51)
-
Specification