System and method for providing exploit protection with message tracking

US 6,941,478 B2
Filed: 12/11/2002
Issued: 09/06/2005
Est. Priority Date: 04/13/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A system for providing protection from an exploit to a device connected to a network, comprising:

a content filter that receives a message that is directed to the device;

a message tracker that is coupled to the content filter and is configured to perform actions, including;

determining a size of a message component associated with the message;

if the size is less than or equal to a pre-determined size;

identifying the message as unscanned;

if the size exceeds the pre-determined size, then;

determining a first value associated with the message, and if the first value is the same as a stored second value associated with the message, identifying the message as a scanned message;

if the size exceeds the pre-determined size, then;

determining the first value associated with the message, and if the first value is different from the stored second value, identifying the message as unscanned; and

a scanner component that is coupled to the message tracker and that is configured to receive the unscanned message and to determine whether at least one element of the message includes an exploit.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for providing protection from exploits to devices connected to a network. The system and method include a component for determining whether an encapsulation has been applied to an attachment associated with a message and unencapsulating such encapsulated attachment, and a component that performs at least one decompression of the attachment when the attachment is compressed. If it is determined that the message, including the attachment, is to be scanned, a component is included that determines whether a header, body, and/or attachment of the message includes exploits. A device that receives messages that are directed to the network employs the components above to provide exploit protection for at least one of the messages.

27 Citations

View as Search Results

17 Claims

1. A system for providing protection from an exploit to a device connected to a network, comprising:
- a content filter that receives a message that is directed to the device;
  
  a message tracker that is coupled to the content filter and is configured to perform actions, including;
  
  determining a size of a message component associated with the message;
  
  if the size is less than or equal to a pre-determined size;
  
  identifying the message as unscanned;
  
  if the size exceeds the pre-determined size, then;
  
  determining a first value associated with the message, and if the first value is the same as a stored second value associated with the message, identifying the message as a scanned message;
  
  if the size exceeds the pre-determined size, then;
  
  determining the first value associated with the message, and if the first value is different from the stored second value, identifying the message as unscanned; and
  
  a scanner component that is coupled to the message tracker and that is configured to receive the unscanned message and to determine whether at least one element of the message includes an exploit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein an element of the message is at least one of a header, body, and an attachment.
  - 3. The system of claim 1, wherein the message component further comprises at least one of a message body, a message header, an attachment, and a file within an archive.
  - 4. The system of claim 1, wherein the second value is stored in at least one of a table, database, and a list.
  - 5. The system of claim 1, wherein the message tracker is further configured to set the second value to a nullity when the scanner component is updated.
  - 6. The system of claim 1, wherein at least one of the first value and the second value further comprises at least one of a hash value, an algorithmic function, checksum, public key certificate, and a digital signature.
  - 7. The system of claim 1, wherein the first value and the second value each further comprises a separate value for the message and a separate value for an attachment.
  - 8. The system of claim 1, wherein the system is operable on at least one of a firewall, a router, a switch, a server, and a dedicated platform.

9. A method for providing protection from an exploit to a device connected to a network, comprising:
- receiving a message that is directed to the device;
  
  determining a size of a message component associated with the message;
  
  if the size is less than or equal to a pre-determined size;
  
  identifying the message as unscanned;
  
  if the size exceeds the pre-determined size, then;
  
  determining a first value associated with the message, and if the first value is the same as a stored second value associated with the message, identifying the message as a scanned message;
  
  if the size exceeds the pre-determined size, then;
  
  determining the first value associated with the message, and if the first value is different from the stored second value, identifying the message as unscanned; and
  
  if the message is an unscanned message, performing actions, including;
  
  i. determining whether at least one element of the message includes an exploit; and
  
  ii. if at least one element of the message includes the exploit, quarantining the message.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein an element of the message is at least on of a header, body, and an attachment.
  - 11. The method of claim 9, wherein the second value is stored in at least one of a table, database, and a list.
  - 12. The method of claim 9, wherein the second value is set to a nullity based on a pre-determined condition.
  - 13. The method of claim 9, wherein at least one of the first value, and the second value further comprises at least one of a hash value, an algorithmic function, checksum, public key certificate, and a digital signature.
  - 14. The method of claim 9, wherein the first value and the second value each further comprises a separate value for the message and a separate value for the attachment.
  - 15. The method of claim 9, further comprising:
    - if the size exceeds the pre-determined size;
      
      determining whether at least one of the header and the body includes the exploit; and
      
      if at least one of the header, body, and attachment of the message includes the exploit, quarantining the message.
  - 16. The method of claim 9, wherein the method is operable on at least one of a firewall, a router, a switch, a server, and a dedicated platform.

17. A system for providing protection from an exploit to a device connected to a network, comprising:
- means for receiving a message that includes a header and at least one of a body and an attachment;
  
  a means for determining a size of a message component associated with the message;
  
  a means for identifying the message as unscanned, if the size is less than or equal to a pre-determined size;
  
  if the size exceeds the pre-determined size, then;
  
  employing a means for determining a first value associated with the message, and if the first value is the same as a stored second value associated with the message, employing a means for identifying the message as a scanned message;
  
  if the size exceeds the pre-determined size, then;
  
  employing a means for determining the first value associated with the message, and if the first value is different from the stored second value, employing the means for identifying the message as unscanned; and
  
  means for determining whether at least one of the header, attachment, and the body includes an exploit in the unscanned message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia, Inc. (Nokia Corporation)
Original Assignee
Nokia, Inc. (Nokia Corporation)
Inventors
Card, James, Smith, Gregory J.
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
Ho, Thomas

Application Number

US10/317,296
Publication Number

US 20030088792A1
Time in Patent Office

1,000 Days
Field of Search

714/48, 713/201, 713/200, 713/164
US Class Current

726/24
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 51/234   for tracking messages

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/0823   using certificates cryptogr...

H04L 63/145   the attack involving the pr...

H04L 69/04   Protocols for data compress...

System and method for providing exploit protection with message tracking

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing exploit protection with message tracking

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links