Using mobility tokens to observe malicious mobile code

US 7,337,327 B1
Filed: 03/30/2004
Issued: 02/26/2008
Est. Priority Date: 03/30/2004
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for tracking movement of files within a network, the method comprising the steps of:

a mobility token manager on a source computer detecting an attempt to write a file to a target computer; and

responsive to the detection, the mobility token manager encrypting a mobility token containing data concerning at least the file and the write operation and writing the mobility token to the target computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One or more mobility token managers (101) track movement of files (105) within a network. A mobility token manager (101) on a source computer (113) detects an attempt to write a file (105) to a target computer (117). Responsive to the detection, the mobility token manager (101) writes a mobility token (103) containing data concerning at least the file (105) and the write operation to the target computer (117). A mobility token manager (101) on the target computer (117) detects that the mobility token (103) is being written to the target computer (117). The mobility token manager (101) on the target computer (117) reads the mobility token (103), and determines relevant information concerning the file (105) associated with the mobility token (103).

Citations

20 Claims

1. A computer implemented method for tracking movement of files within a network, the method comprising the steps of:
- a mobility token manager on a source computer detecting an attempt to write a file to a target computer; and
  
  responsive to the detection, the mobility token manager encrypting a mobility token containing data concerning at least the file and the write operation and writing the mobility token to the target computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein:
    - the mobility token manager is instantiated within a file system filter driver.
  - 3. The method of claim 1 wherein:
    - the mobility token contains at least one datum concerning the source computer from a group of data consisting of;
      
      an IP address;
      
      a computer name; and
      
      a primary domain controller name.
  - 4. The method of claim 1 wherein:
    - the mobility token contains at least one datum concerning the file from a group of data consisting of;
      
      a file name;
      
      a content-based hash value;
      
      a digital signature;
      
      a version number;
      
      a last modification date; and
      
      a last modification time.
  - 5. The method of claim 1 wherein:
    - the mobility token contains at least one datum concerning a user who has ownership of an application program attempting to write the file to the target computer, the datum being from a group of data consisting of;
      
      a user account name;
      
      a user account number; and
      
      a SID.
  - 6. The method of claim 1 wherein:
    - the mobility token contains at least one datum concerning the attempt to write the file to the target computer, the datum being from a group of data consisting of;
      
      a date of the attempted write operation; and
      
      a time of the attempted write operation.
  - 7. The method of claim 1 further comprising:
    - the mobility token manager compressing at least one mobility token.
  - 8. The method of claim 1 further comprising:
    - the mobility token manager hiding at least one mobility token.
  - 9. The method of claim 1 further comprising:
    - the mobility token manager on the source computer determining whether another mobility token manager is running on the target computer; and
      
      the mobility token manager on the source computer only writing a mobility token to the target computer responsive to determining that another mobility token manager is running on the target computer.
  - 10. The method of claim 1 further comprising:
    - before writing a mobility token to the target computer, the mobility token manager determining whether a mobility token associated with the file exists;
      
      responsive to results of the determination, the mobility token manager performing a step from a group of steps consisting of;
      
      responsive to determining that an associated mobility token exists, writing information concerning at least the file and the write operation to the mobility token; and
      
      responsive to determining that an associated mobility token does not exist, creating an associated mobility token containing information concerning at least the file and the write operation.
  - 11. The method of claim 1 further comprising:
    - the mobility token manager writing at least one instruction directed to a target computer in the mobility token.
  - 12. The method of claim 1 wherein:
    - the mobility token contains an indication that the associated file has been scanned by an anti-malicious code scanning engine, and an indication of a malicious code definition file used for the anti-malicious code scanning.

13. A computer implemented method for tracking movement of files within a network, the method comprising the steps of:
- a mobility token manager on a source computer detecting an attempt to write a file to a target computer, wherein the mobility token manager is instantiated as at least one system call wrapper; and
  
  responsive to the detection, the mobility token manager writing a mobility token containing data concerning at least the file and the write operation to the target computer.

14. A computer implemented method for tracking movement of files within a network, the method comprising the steps of:
- a mobility token manager on a target computer detecting that a mobility token is being written to the target computer;
  
  the mobility token manager reading the mobility token;
  
  the mobility token manager determining relevant information concerning a file associated with the mobility token; and
  
  the mobility token manager merging data from the mobility token into a mobility token data store containing information from at least one other mobility token.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method of claim 14 further comprising:
    - the mobility token manager reading at least one instruction for a source computer in the mobility token; and
      
      the mobility token manager executing the at least one instruction.
  - 16. The method of claim 14 further comprising:
    - the mobility token manager reading the mobility token; and
      
      in response to contents of the mobility token, the mobility token manager rejecting the associated file.
  - 17. The method of claim 14 further comprising:
    - the mobility token manager reading the mobility token;
      
      from the contents of the mobility token, the mobility token manager determining whether the associated file has been scanned by an anti-malicious code scanning engine using a current malicious code definition file; and
      
      in response to determining that the file has not been scanned using a current malicious code definition file, scanning the file for malicious code.
  - 18. The method of claim 14 wherein:
    - the mobility token manager is instantiated within a file system filter driver.
  - 19. The method of claim 14 wherein:
    - the mobility token manager is instantiated as at least one system call wrapper.

20. A computer system for tracking movement of files within a network, the computer system comprising:
- a software portion configured to detect an attempt to write a file to a target computer; and
  
  a software portion configured to write a mobility token containing data concerning at least the file and the write operation to the target computer, responsive to the detection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sallam, Ahmed
Primary Examiner(s)
Peeso; Thomas R.

Application Number

US10/814,843
Time in Patent Office

1,428 Days
Field of Search

713/189, 713/193, 713/194
US Class Current

713/189
CPC Class Codes

G06F 21/16   Program or content traceabi...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 2221/2151   Time stamp

H04L 63/145   the attack involving the pr...

Using mobility tokens to observe malicious mobile code

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Using mobility tokens to observe malicious mobile code

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links