Security system with methodology for interprocess communication control
First Claim
1. In a computer system operating under control of an operating system, a method for detecting and preventing indirect access to a computer network by potentially malicious applications already installed and executing on the computer system, the method comprising:
defining rules governing access by applications on the computer system to the computer network including rules indicating which system services of the operating system are monitored for detecting and preventing indirect access to the computer network by potentially malicious applications that are already installed and executing on the computer system, but which are capable of obtaining indirect access to the computer network through system services;
trapping an attempt by a particular application already installed and executing on the computer system to gain indirect access to the computer network through invocation of a particular system service being monitored, wherein said trapping includes rerouting the attempt to invoke the particular system service from a system dispatch table to an interprocess communication controller by replacing an original destination address in the system dispatch table with an address of the interprocess communication controller;
detecting based on the rules governing access by applications to the computer network if the attempt to invoke the particular system service by the particular application rerouted to the interprocess communication controller constitutes an unauthorized attempt by a potentially malicious application already installed and executing on the computer system to obtain indirect access to the computer network by invoking the particular system service which in turn accesses the computer network on behalf of the potentially malicious application; and
if the attempt to invoke the particular system service constitutes an unauthorized attempt by a potentially malicious application to access the computer network indirectly, preventing the potentially malicious application from obtaining indirect access to the computer network by blocking the attempt.
Abstract
A security system with methodology for interprocess communication control is described. In one embodiment, a method for controlling interprocess communication is provided that includes steps of: defining rules indicating which system services a given application can invoke; trapping an attempt by a particular application to invoke a particular system service; identifying the particular application that is attempting to invoke the particular system service; and based on identity of the particular application and on the rules indicating which system services a given application can invoke, blocking the attempt when the rules indicate that the particular application cannot invoke the particular system service.
41 Claims
1. As set out above under First Claim. Dependent claims: 2 to 11.
12. In a computer system operating under control of an operating system, a method for detecting and preventing indirect access to the Internet by potentially malicious applications already installed and executing on the computer system, the method comprising:
defining a policy indicating which system services of the operating system are monitored for detecting and preventing indirect access to the Internet by potentially malicious applications that are already installed and executing on the computer system but which are capable of obtaining indirect access to the Internet through system services, said policy specifying processes authorized to access the Internet;
intercepting an attempt by a first process to communicate with a second process in a manner that provides the first process with indirect access to the Internet, wherein said intercepting includes rerouting the attempt by the first process to communicate with the second process from a system dispatch table to an interprocess communication controller by replacing an original destination address in the system dispatch table with an address of the interprocess communication controller;
identifying the first process that is attempting to communicate with the second process;
identifying the second process;
based on said policy, determining whether the first process may communicate with the second process in a manner that provides the first process with indirect access to the Internet, including determining if the attempt to invoke the particular system service rerouted to the interprocess communication controller does constitute an unauthorized attempt by a potentially malicious application to access the Internet indirectly; and
allowing the first process to communicate with the second process if said policy indicates that the first process may communicate with the second process in a manner that provides the first process with indirect access to the Internet and does not constitute an unauthorized attempt by a potentially malicious application to access the Internet indirectly.
Dependent claims: 13 to 21.
22. In a computer system operating under control of an operating system, a method for detecting and preventing one application already installed and executing on the computer system from gaining indirect Internet access through other applications, the method comprising:
registering a first application to be protected from serving as a proxy by which other applications may gain indirect Internet access, for detecting and preventing indirect access to the Internet by potentially malicious applications that are already installed and executing on the computer system but which are capable of obtaining indirect access to the Internet through said first application;
detecting an attempt by a second application already installed and executing on the computer system to access the first application for purposes of using the first application as a proxy for indirect Internet access;
identifying the second application that is attempting to access the first application for purposes of using the first application as a proxy for indirect Internet access; and
rerouting the attempt to access the first application through an interprocess communication controller that determines whether to allow the attempt, based on rules indicating whether the second application is authorized to access the first application using interprocess communication, wherein said rerouting includes replacing an original destination address for the first application in a system dispatch table with an address of the interprocess communication controller.
Dependent claims: 23 to 31.
32. A system for detecting and preventing indirect Internet access by controlling interprocess communication between applications, the system comprising:
a computer having at least one processor, said computer operating under control of an operating system providing interprocess communication;
a policy specifying applications that are permitted to communicate with a first application using interprocess communication, said first application capable of providing indirect Internet access to other applications, so as to detect and prevent indirect access to the Internet by potentially malicious applications that are already installed and executing on the computer system but which are capable of obtaining indirect access to the Internet through said first application;
a module for detecting an attempt by a second application already installed and executing on the computer system to gain indirect Internet access through the first application using interprocess communication, and for rerouting the attempt from a dispatch table to an interprocess communication controller by replacing an address of the first application in the dispatch table with an address of the interprocess communication controller; and
an interprocess communication controller for identifying the second application attempting to gain indirect Internet access through the first application using interprocess communication and determining whether to permit the communication based upon the identification of the second application and the policy specifying applications permitted to communicate with the first application.
Dependent claims: 33 to 41.
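The mechanism common to the abstract and to claims 1, 12, 22 and 32 (overwrite a dispatch-table entry with the controller's address, identify caller and target, consult a policy, forward or block) is shown below as an added example. It is not the patent's own code nor any product's implementation: the service table, the process list, the policy entries and all function names are assumptions constructed for illustration, and the "dispatch table" is an ordinary array of function pointers in user space rather than a real operating-system service table.

```c
/* Added example (not the patent's own code): a user-space model of the
 * dispatch-table hook the claims describe. The service table, process
 * list and policy entries are constructed for illustration; no real OS
 * service table or IPC primitive is touched. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* A monitored "system service" takes the calling and target process ids
 * and returns 1 when it was performed. */
typedef int (*svc_fn)(int caller_pid, int target_pid);
enum { SVC_SEND_MESSAGE, SVC_AUTOMATION_CALL, SVC_UNMONITORED, NUM_SERVICES };

static int real_send_message(int c, int t)    { (void)c; (void)t; return 1; }
static int real_automation_call(int c, int t) { (void)c; (void)t; return 1; }
static int real_unmonitored(int c, int t)     { (void)c; (void)t; return 1; }

/* The "system dispatch table": service number -> handler address, plus a
 * saved copy of each original destination for the controller to forward to. */
static svc_fn svc_table[NUM_SERVICES] = {
    real_send_message, real_automation_call, real_unmonitored };
static svc_fn original_table[NUM_SERVICES];
static bool hooks_installed;

/* Constructed sample process list; the controller identifies both ends of
 * an IPC attempt by mapping pid -> image name. */
struct proc { int pid; const char *image; };
static const struct proc procs[] = {
    {100, "browser.exe"}, {200, "mailer.exe"},
    {300, "dropper.exe"}, {400, "updater.exe"} };

static const char *image_of(int pid) {
    for (size_t i = 0; i < sizeof procs / sizeof procs[0]; i++)
        if (procs[i].pid == pid) return procs[i].image;
    return "<unknown>";
}

/* Policy: applications registered as protected proxies (claim 22) and rules
 * naming which callers may reach them over IPC (claims 1 and 32). */
#define MAX_ENTRIES 8
struct rule { const char *caller; const char *target; bool allow; };
static const char *protected_apps[MAX_ENTRIES]; static int n_protected;
static struct rule rules[MAX_ENTRIES];          static int n_rules;

void protect_app(const char *image) {
    if (n_protected < MAX_ENTRIES) protected_apps[n_protected++] = image;
}
void add_rule(const char *caller, const char *target, bool allow) {
    if (n_rules < MAX_ENTRIES) {
        rules[n_rules].caller = caller; rules[n_rules].target = target;
        rules[n_rules].allow = allow; n_rules++;
    }
}
static bool is_protected(const char *image) {
    for (int i = 0; i < n_protected; i++)
        if (!strcmp(protected_apps[i], image)) return true;
    return false;
}
/* Default deny: an unlisted caller may not use a protected app as a proxy.
 * Targets not registered as protected are outside the policy's scope. */
bool policy_allows(const char *caller, const char *target) {
    if (!is_protected(target)) return true;
    for (int i = 0; i < n_rules; i++)
        if (!strcmp(rules[i].caller, caller) && !strcmp(rules[i].target, target))
            return rules[i].allow;
    return false;
}

/* The interprocess communication controller: identify both processes,
 * consult the policy, then forward to the saved original handler or block. */
static int ipc_controller(int svc, int caller, int target) {
    const char *c = image_of(caller), *t = image_of(target);
    if (!policy_allows(c, t)) {
        fprintf(stderr, "blocked: %s -> %s via service %d\n", c, t, svc);
        return 0;
    }
    return original_table[svc](caller, target);
}
/* One stub per monitored service so the shared controller knows which
 * entry was invoked; these are the "addresses" written into the table. */
static int hook_send_message(int c, int t)    { return ipc_controller(SVC_SEND_MESSAGE, c, t); }
static int hook_automation_call(int c, int t) { return ipc_controller(SVC_AUTOMATION_CALL, c, t); }

/* Install: save each original destination, overwrite the table entry with
 * the controller stub. Only monitored services are touched; idempotent so a
 * second install cannot save the hook as the "original" and recurse. */
void install_hooks(void) {
    if (hooks_installed) return;
    original_table[SVC_SEND_MESSAGE] = svc_table[SVC_SEND_MESSAGE];
    svc_table[SVC_SEND_MESSAGE] = hook_send_message;
    original_table[SVC_AUTOMATION_CALL] = svc_table[SVC_AUTOMATION_CALL];
    svc_table[SVC_AUTOMATION_CALL] = hook_automation_call;
    hooks_installed = true;
}

/* What an application does: dispatch through the table, unaware of the hook. */
int invoke_service(int svc, int caller_pid, int target_pid) {
    return svc_table[svc](caller_pid, target_pid);
}

int main(void) {
    protect_app("browser.exe");
    add_rule("updater.exe", "browser.exe", true);
    install_hooks();
    printf("dropper -> browser (automation):  %d\n", invoke_service(SVC_AUTOMATION_CALL, 300, 100));
    printf("updater -> browser (automation):  %d\n", invoke_service(SVC_AUTOMATION_CALL, 400, 100));
    printf("dropper -> mailer  (message):     %d\n", invoke_service(SVC_SEND_MESSAGE, 300, 200));
    printf("dropper -> browser (unmonitored): %d\n", invoke_service(SVC_UNMONITORED, 300, 100));
    return 0;
}
```

Two points a practitioner should take from the model. First, the controller's decision is only as good as its identification step: mapping a pid to an image name is defeated by injecting code into an already-authorized process, so a production controller needs a stronger caller identity (image hash, signature, or a kernel-maintained process token) than the constructed table above. Second, the patching step in the real design is a kernel-mode write to the operating system's service table; on 64-bit Windows, Kernel Patch Protection treats such modification as an integrity violation, which is why vendors now reach the same interception point through registered filter and notification callbacks rather than by overwriting table entries, and a hook that is installed must also be restored atomically on unload so that in-flight calls do not land in an unmapped controller.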