Verifying captured objects before presentation

US 7,774,604 B2
Filed: 11/22/2004
Issued: 08/10/2010
Est. Priority Date: 12/10/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

receiving a request to present a previously captured object to a user, wherein the captured object was intercepted by a capture system configured to intercept packets from data streams, reconstruct the data streams, and store network transmitted objects from the data streams according to a capture rule that defines which objects are to be captured by the capture system;

accessing a tag associated with the requested object, the tag containing metadata related to the object, the metadata including an object signature;

verifying that the object has not been altered since capture using the object signature in the tag associated with the object, wherein the tag is verified using a hash, which is decrypted with a public key of the capture system; and

presenting the object if the object and the tag are verified, and wherein the capture rule is part of a default rule set for the capture system configured to monitor network traffic and capture the object, and wherein the capture system is configured to store a document captured by the capture system according to the capture rule, which identifies a particular internet protocol (IP) address from which the document was sent, and wherein if the object is not verified, then an alert is generated to indicate that the object being presented to the user has been compromised.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Objects can be extracted from data flows captured by a capture device. Each captured object can then be classified according to content. Meta-data about captured objects can be stored in a tag. In one embodiment, the present invention includes receiving a request to present a previously captured object to a user, accessing a tag associated with the requested object, the tag containing metadata related to the object, the metadata including an object signature, and verifying that the object has not been altered since capture using the object signature before presenting the object to the user.

225 Citations

26 Claims

1. A method comprising:
- receiving a request to present a previously captured object to a user, wherein the captured object was intercepted by a capture system configured to intercept packets from data streams, reconstruct the data streams, and store network transmitted objects from the data streams according to a capture rule that defines which objects are to be captured by the capture system;
  
  accessing a tag associated with the requested object, the tag containing metadata related to the object, the metadata including an object signature;
  
  verifying that the object has not been altered since capture using the object signature in the tag associated with the object, wherein the tag is verified using a hash, which is decrypted with a public key of the capture system; and
  
  presenting the object if the object and the tag are verified, and wherein the capture rule is part of a default rule set for the capture system configured to monitor network traffic and capture the object, and wherein the capture system is configured to store a document captured by the capture system according to the capture rule, which identifies a particular internet protocol (IP) address from which the document was sent, and wherein if the object is not verified, then an alert is generated to indicate that the object being presented to the user has been compromised.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the tag includes a tag signature.
  - 3. The method of claim 2, wherein the tag signature comprises a cryptographically secure signature.
  - 4. The method of claim 3, wherein the tag signature is signed using a private key of a capture device that captured the object associated with the tag, the private key being part of a public key cryptosystem.
  - 5. The method of claim 2, further comprising verifying that the tag has not been altered since creation prior to presenting the object to the user.
  - 6. The method of claim 5, wherein verifying that the tag has not been altered comprises alerting the user that the tag has been altered in the event that the verification fails.
  - 7. The method of claim 1, wherein verifying that the object has not been altered comprises alerting the user that the object has been altered in the event that the verification fails.
  - 8. The method of claim 1, wherein verifying that the object has not been altered since capture comprises calculating a new object signature for the requested object, and comparing the new object signature with the object signature in the tag associated with the object.

9. An apparatus comprising:
- an interface to receive a request to present a previously captured object to a user;
  
  a storage medium having the object and a tag associated with the object stored thereon, the tag containing metadata related to the object, the metadata including an object signature; and
  
  a processor to verify the authenticity of the object using the object signature in the tag associated with the object, wherein the captured object was intercepted by a capture system configured to intercept packets from data streams, reconstruct the data streams, and store network transmitted objects from the data streams according to a capture rule that defines which objects are to be captured by the capture system, wherein the tag is verified using a hash, which is decrypted with a public key of the capture system, and wherein the object is presented if the object and the tag are verified, and wherein the capture rule is part of a default rule set for the capture system configured to monitor network traffic and capture the object, and wherein the capture system is configured to store a document captured by the capture system according to the capture rule, which identifies a particular internet protocol (IP) address from which the document was sent, and wherein if the object is not verified, then an alert is generated to indicate that the object being presented to the user has been compromised.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The apparatus of claim 9, further comprising a display to present the object to the user.
  - 11. The apparatus of claim 9, wherein the tag includes a tag signature, the tag signature being a cryptographically secure signature signed by a device that captured the object.
  - 12. The apparatus of claim 11, wherein the tag signature is signed using a private key of a public key cryptosystem.
  - 13. The apparatus of claim 11, wherein the processor is further to verify that the tag has not been altered since creation prior to presenting the object to the user.
  - 14. The apparatus of claim 13, wherein the processor is further to alert the user that the tag has been altered in the event that the verification fails.
  - 15. The apparatus of claim 9, wherein the processor is further to alert the user that the object has been altered in the event that the verification fails.

16. A method comprising:
- accessing a content store containing an object captured during transmission over a network;
  
  accessing a tag database containing a tag associated with the object, the tag including an object signature over the object and a tag signature over meta-data included in the tag, the meta-data including the object signature, the tag signature being cryptographically signed by a capture device; and
  
  verifying the authenticity of the tag and the object using the tag signature and the object signature, wherein the captured object was intercepted by a capture system configured to intercept packets from data streams, reconstruct the data streams, and store network transmitted objects from the data streams according to a capture rule that defines which objects are to be captured by the capture system, wherein the tag is verified using a hash, which is decrypted with a public key of the capture system, and wherein the object is presented if the object and the tag are verified, and wherein the capture rule is part of a default rule set for the capture system configured to monitor network traffic and capture the object, and wherein the capture system is configured to store a document captured by the capture system according to the capture rule, which identifies a particular internet protocol (IP) address from which the document was sent, and wherein if the object is not verified, then an alert is generated to indicate that the object being presented to the user has been compromised.
- View Dependent Claims (17)
- - 17. The method of claim 16, further comprising presenting the object to a user.

18. A machine-readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving a request to present a previously captured object to a user;
  
  accessing a tag associated with the requested object, the tag containing metadata related to the object, the metadata including an object signature;
  
  verifying that the object has not been altered since capture using the object signature in the tag associated with the object; and
  
  presenting the object to the user, wherein the captured object was intercepted by a capture system configured to intercept packets from data streams, reconstruct the data streams, and store network transmitted objects from the data streams according to a capture rule that defines which objects are to be captured by the capture system, wherein the tag is verified using a hash, which is decrypted with a public key of the capture system, and wherein the object is presented if the object and the tag are verified, and wherein the capture rule is part of a default rule set for the capture system configured to monitor network traffic and capture the object, and wherein the capture system is configured to store a document captured by the capture system according to the capture rule, which identifies a particular internet protocol (IP) address from which the document was sent, and wherein if the object is not verified, then an alert is generated to indicate that the object being presented to the user has been compromised.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The machine-readable medium of claim 18, wherein the tag includes a tag signature.
  - 20. The machine-readable medium of claim 19, wherein the tag signature comprises a cryptographically secure signature.
  - 21. The machine-readable medium of claim 20, wherein the tag signature is signed using a private key of a capture device that captured the object associated with the tag, the private key being part of a public key cryptosystem.
  - 22. The machine-readable medium of claim 19, wherein the instructions further cause the processor to verify that the tag has not been altered since creation prior to presenting the object to the user.
  - 23. The machine-readable medium of claim 22, wherein verifying that the tag has not been altered comprises alerting the user that the tag has been altered in the event that the verification fails.
  - 24. The machine-readable medium of claim 18, wherein verifying that the object has not been altered comprises alerting the user that the object has been altered in the event that the verification fails.

25. A machine-readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- accessing a content store containing an object captured during transmission over a network;
  
  accessing a tag database containing a tag associated with the object, the tag including an object signature over the object and a tag signature over meta-data included in the tag, the meta-data including the object signature, the tag signature being cryptographically signed by a capture device; and
  
  verifying the authenticity of the tag and the object using the tag signature and the object signature, wherein the captured object was intercepted by a capture system configured to intercept packets from data streams, reconstruct the data streams, and store network transmitted objects from the data streams according to a capture rule that defines which objects are to be captured by the capture system, wherein the tag is verified using a hash, which is decrypted with a public key of the capture system, and the object is presented if the object and the tag are verified, and wherein the capture rule is part of a default rule set for the capture system configured to monitor network traffic and capture the object, and wherein the capture system is configured to store a document captured by the capture system according to the capture rule, which identifies a particular internet protocol (IP) address from which the document was sent, and wherein if the object is not verified, then an alert is generated to indicate that the object being presented to the user has been compromised.
- View Dependent Claims (26)
- - 26. The machine-readable medium of claim 25, wherein the instructions further cause the processor to present the object to a user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
de la Iglesia, Erik, King, Samuel, Khasgiwala, Ashish, Lowe, Rick, Coleman, Shaun
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
GUIRGUIS, MICHAEL M

Application Number

US10/995,454
Publication Number

US 20050177725A1
Time in Patent Office

2,087 Days
Field of Search

713/176, 726/23
US Class Current

713/176
CPC Class Codes

H04L 9/3247 involving digital signatures

Verifying captured objects before presentation

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

225 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Verifying captured objects before presentation

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

225 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links