System and method for providing exploit protection for networks

US 7,134,142 B2
Filed: 04/12/2002
Issued: 11/07/2006
Est. Priority Date: 04/13/2001
Status: Expired due to Term

First Claim

Patent Images

1. A system for providing protection from exploits to devices connected to a network, comprising:

(a) a content filter that receives a message that is directed to at least one of the devices and that includes a header, a body, and an attachment, wherein the content filter determines an encapsulation that has been applied to the attachment prior to the system receiving the message and unencapsulates the attachment;

(b) a decompression component that is coupled to the content filter and that performs at least one decompression of the attachment when the attachment is compressed;

(c) a scanner component that is coupled to the decompression component and that determines whether the header includes an exploit, wherein exploit protection software from at least two vendors is employed and wherein the header includes a field having a defined size and the scanner determines that the header includes the exploit when a size of data in the field is other than the defined size;

(d) a quarantine component that is coupled to the scanner component and that holds the message when the message includes an exploit; and

(e) a device that receives messages that are directed to the network and that employs at least the scanner component to provide exploit protection for at least one of the messages.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for providing protection from exploits to devices connected to a network. The system and method include a component for determining whether an encapsulation has been applied to an attachment and unencapsulating such encapsulated attachments, a component that performs at least one decompression of the attachment when the attachment is compressed, a component that determines whether a header, body, and/or attachment of a message includes an exploit, and a component that holds and optionally cleans messages that include exploits. A device that receives messages that are directed to the network employs the components above to provide exploit protection for at least one of the messages.

28 Citations

View as Search Results

21 Claims

1. A system for providing protection from exploits to devices connected to a network, comprising:
- (a) a content filter that receives a message that is directed to at least one of the devices and that includes a header, a body, and an attachment, wherein the content filter determines an encapsulation that has been applied to the attachment prior to the system receiving the message and unencapsulates the attachment;
  
  (b) a decompression component that is coupled to the content filter and that performs at least one decompression of the attachment when the attachment is compressed;
  
  (c) a scanner component that is coupled to the decompression component and that determines whether the header includes an exploit, wherein exploit protection software from at least two vendors is employed and wherein the header includes a field having a defined size and the scanner determines that the header includes the exploit when a size of data in the field is other than the defined size;
  
  (d) a quarantine component that is coupled to the scanner component and that holds the message when the message includes an exploit; and
  
  (e) a device that receives messages that are directed to the network and that employs at least the scanner component to provide exploit protection for at least one of the messages.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 20)
- - 3. The system of claim 1, wherein the scanner component further determines whether the attachment includes an exploit.
  - 4. The system of claim 3, further comprising a client that automatically applies an update to at least one of the content filter, the decompression component, the scanner component, and the quarantine component to enable detection of at least one exploit.
  - 5. The system of claim 4, wherein the client determines when the update is available by polling servers associated with vendors of exploit protection software.
  - 6. The system of claim 5, wherein the client automatically retrieves the available update.
  - 7. The system of claim 1, wherein the scanner component employs at least two separate exploit protection applications to determine whether the header, body, or both includes an exploit.
  - 8. The system of claim 1, wherein the content filter, the decompression component, the scanner component, and the quarantine component are each implemented in software.
  - 9. The system of claim 1, wherein the content filter, the decompression component, the scanner component, and the quarantine component are all included on at least one of a firewall, router, switch, and traffic manager.
  - 10. The system of claim 1, wherein the encapsulation includes at least one of Multipurpose Internet Mail Extensions (MIME), Base 64, and uuencode.
  - 11. The system of claim 1, wherein the quarantine component removes the exploit from the message and forwards the message towards a recipient of the message.
  - 20. The system of claim 1, wherein the scanner component determines whether at least one of the header, the body, and the attachment includes content that should not be forwarded outside the network.

2. A system for providing protection from exploits to devices connected to a network, comprising:
- (a) a content filter that receives a message that is directed to at least one of the devices and that includes a header, a body, and an attachment, wherein the content filter determines an encapsulation that has been applied to the attachment prior to the system receiving the message and unencapsulates the attachment;
  
  (b) a scanner component that is coupled to the content filter and that determines whether the header includes an exploit, wherein the header includes a field having a defined size and wherein the scanner determines that the header includes the exploit when a size of data in the field is other than the defined size;
  
  (c) a quarantine component that is coupled to the scanner component and that holds the message when the message includes an exploit; and
  
  (d) a device that receives messages that are directed to the network and that employs at least the scanner component to provide exploit protection for at least one of the messages.

12. A method for providing protection from exploits to devices connected to a network, comprising:
- (a) receiving a message at a node that receives messages that are directed to any of the devices and that causes the message to be scanned for an exploit before forwarding the message toward at least one of the devices, wherein the message includes a header and a compressed attachment;
  
  (b) decompressing the attachment,(c) determining whether the header includes the exploit, wherein exploit protection software from at least two vendors is employed to determine whether the header includes an exploit wherein the header includes a field having a defined size and the header is determined to include an exploit if a size of data in the field is other than a defined size; and
  
  (d) if the header includes the exploit, quarantining the message.
- View Dependent Claims (13, 14, 16, 17)
- - 13. The method of claim 12, further comprising unencapsulating the attachment when the attachment is encapsulated.
  - 14. The method of claim 12, further comprising removing the exploit and forwarding the message towards at least one of the devices.
  - 16. The method of claim 12, further comprising determining whether a body of the message includes an exploit.
  - 17. The method of claim 13, wherein the attachment is encapsulated using at least one of Multipurpose Internet Mail Extensions (MIME), Base 64, and uuencode.

15. A method for providing protection from exploits to devices connected to a network, comprising:
- (a) receiving a message at a node that receives messages that are directed to any of the devices and that causes the message to be scanned for an exploit before forwarding the message toward at least one of the devices, wherein the message includes a header and at least one of a body and an attachment;
  
  (b) determining whether the header includes the exploit, wherein the header includes a field having a defined size and wherein the header includes the exploit when a size of data in the field is other than the defined size; and
  
  (c) if the header of the message includes the exploit, quarantining the message.
- View Dependent Claims (21)
- - 21. The method of claim 15, wherein exploit protection software from at least two vendors is employed to determine whether the header of the message includes an exploit.

18. A system for providing protection from exploits to devices connected to a network, comprising:
- (a) means for receiving a message that includes a header and at least one of a body and an attachment;
  
  (b) means for determining whether the attachment is encapsulated and for unencapsulating the attachment when the attachment is encapsulated;
  
  (c) means for decompressing the attachment at least one time when the attachment is compressed;
  
  (d) means for determining whether the header includes an exploit based on a size of data in a field of the header, wherein the means for determining determines that the header includes an exploit if the size of data in the field is other than a defined size, and wherein the means for determining comprises exploit protection software from at least two vendors; and
  
  (e) means for quarantining the message when the message includes the exploit.
- View Dependent Claims (19)
- - 19. The system of claim 18, wherein the header includes a field having a defined size and wherein the means for determining whether at least one of the header and the body includes an exploit is configured and arranged to determine that the header includes the exploit when a size of data in the field is other than the defined size.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia, Inc. (Nokia Corporation)
Inventors
Smith, Gregory J.
Primary Examiner(s)
Louis-Jacques, Jacques
Assistant Examiner(s)
Ho, Thomas

Application Number

US10/121,959
Publication Number

US 20020152399A1
Time in Patent Office

1,670 Days
Field of Search

713/200, 713/201, 713/164, 713/188, 713/168, 726/22, 726/34, 726/13, 726/24, 705/51, 380/269, 714/48
US Class Current

726/24
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/0823   using certificates cryptogr...

H04L 63/145   the attack involving the pr...

H04L 69/04   Protocols for data compress...

System and method for providing exploit protection for networks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing exploit protection for networks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links