Secure network cache content

US 8,584,234 B1
Filed: 07/07/2010
Issued: 11/12/2013
Est. Priority Date: 07/07/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for securing content in a network cache, comprising:

monitoring a computing device associated with the network cache to detect a network activity performed by the computing device, wherein the network activity comprises a network connection establishment with a computer network;

responsive to the detection of the network activity performed by the computing device, examining content in the network cache to identify a piece of suspicious content in the network cache, the examining comprising;

retrieving, through the established network connection, a response from a website from which a piece of cache content originated before the detected network connection establishment;

comparing the piece of cache content with the response; and

responsive to the piece of cache content not matching the response, identifying the piece of cache content as the piece of suspicious content in the network cache; and

responsive to the identification of the piece of suspicious content in the network cache, preventing the piece of suspicious content in the network cache from carrying out malicious activities in the computing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security module on a computing device applies security rules to examine content in a network cache and identify suspicious cache content. Cache content is identified as suspicious according to security rules, such as a rule determining whether the cache content is associated with modified-time set into the future, and a rule determining whether the cache content was created in a low-security environment. The security module may establish an out-of-band connection with the websites from which the cache content originated through a high security access network to receive responses from the websites, and use the responses to determine whether the cache content is suspicious cache content. Suspicious cache content is removed from the network cache to prevent the suspicious cache content from carrying out malicious activities.

264 Citations

19 Claims

1. A computer-implemented method for securing content in a network cache, comprising:
- monitoring a computing device associated with the network cache to detect a network activity performed by the computing device, wherein the network activity comprises a network connection establishment with a computer network;
  
  responsive to the detection of the network activity performed by the computing device, examining content in the network cache to identify a piece of suspicious content in the network cache, the examining comprising;
  
  retrieving, through the established network connection, a response from a website from which a piece of cache content originated before the detected network connection establishment;
  
  comparing the piece of cache content with the response; and
  
  responsive to the piece of cache content not matching the response, identifying the piece of cache content as the piece of suspicious content in the network cache; and
  
  responsive to the identification of the piece of suspicious content in the network cache, preventing the piece of suspicious content in the network cache from carrying out malicious activities in the computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, wherein examining content in the network cache further comprises:
    - determining that the website is a sensitive website subject to loose security control,wherein retrieving the response comprises retrieving, responsive to the determination that the website is a sensitive website subject to loose security control, the response from the sensitive website through an out-of-band communication using the established network connection.
  - 3. The computer-implemented method of claim 1, wherein examining content in the network cache further comprises:
    - examining the content in the cache for compliance with one or more security policies, wherein a piece of suspicious content in the cache is identified as suspicious responsive to non-compliance with a security policy.
  - 4. The computer-implemented method of claim 3, wherein a security policy comprises a security rule, the security rule for determining whether a last-modified time of a piece of cache content is set to be in the future, wherein the piece of cache content is identified as suspicious responsive to having a last-modified time set in the future.
  - 5. The computer-implemented method of claim 3, wherein a security policy comprises a security rule, the security rule for determining whether a piece of cache content is consistent with a cache policy associated with a website from which the piece of cache content originated, wherein the piece of cache content is identified as suspicious responsive to inconsistency with the cache policy associated with the website.
  - 6. The computer-implemented method of claim 5, further comprising:
    - learning the cache policy associated with the website by analyzing responses received from the website.
  - 7. The computer-implemented method of claim 5, further comprising:
    - receiving the cache policy associated with the website from the website.
  - 8. The computer-implemented method of claim 1, wherein the network cache comprises at least one selected from an end-point network cache, a proxy cache, and a gateway cache.
  - 9. The computer-implemented method of claim 1, wherein preventing the piece of suspicious content in the network cache from carrying out malicious activities in the computing device comprises removing the piece of suspicious content from the network cache.
  - 10. The computer-implemented method of claim 9, wherein removing the piece of suspicious content from the network cache comprises selectively removing a piece of suspicious script code from the network cache.
  - 11. The computer-implemented method of claim 1, wherein the network cache comprises a plurality of cache directories each of which comprising content received from a different computer network, wherein the computing device uses content stored in an active cache directory among the plurality of cache directories, and wherein preventing the piece of suspicious content in the network cache from carrying out malicious activities in the computing device comprises:
    - making a cache directory that does not include the piece of suspicious content an active cache directory in the computing device.

12. A computer system for securing content in a network cache, comprising:
- a non-transitory computer-readable storage medium storing executable computer program code, the computer program code comprising program code for;
  
  monitoring a computing device associated with the network cache to detect a network activity performed by the computing device, wherein the network activity comprises a network connection establishment with a computer network;
  
  responsive to the detection of the network activity performed by the computing device, examining content in the network cache to identify a piece of suspicious content in the network cache, the examining comprising;
  
  retrieving, through the established network connection, a response from a website from which a piece of cache content originated before the detected network connection establishment;
  
  comparing the piece of cache content with the response; and
  
  responsive to the piece of cache content not matching the response, identifying the piece of cache content as the piece of suspicious content in the network cache; and
  
  responsive to the identification of the piece of suspicious content in the network cache, preventing the piece of suspicious content in the network cache from carrying out malicious activities in the computing device.
- View Dependent Claims (13, 14, 18)
- - 13. The computer system of claim 12, wherein examining content in the network cache further comprises:
    - determining that the website is a sensitive website subject to loose security control,wherein retrieving the response comprises retrieving, responsive to the determination that the website is a sensitive website subject to loose security control, the response from the sensitive website through an out-of-band communication using the established network connection.
  - 14. The computer system of claim 12, wherein examining content in the network cache further comprises:
    - examining the content in the cache for compliance with one or more security policies, wherein a piece of suspicious content in the cache is identified as suspicious responsive to non-compliance with a security policy.
  - 18. The computer system of claim 14, wherein a security policy comprises a security rule, the security rule for determining whether a last-modified time of a piece of cache content is set to be in the future, wherein the piece of cache content is identified as suspicious responsive to having a last-modified time set in the future.

15. A non-transitory computer-readable storage medium encoded with executable computer program code for securing content in a network cache, the computer program code comprising program code for:
- monitoring a computing device associated with the network cache to detect a network activity performed by the computing device, wherein the network activity comprises a network connection establishment with a computer network;
  
  responsive to the detection of the network activity performed by the computing device, examining content in the network cache to identify a piece of suspicious content in the network cache, the examining comprising;
  
  retrieving, through the established network connection, a response from a website from which a piece of cache content originated before the detected network connection establishment;
  
  comparing the piece of cache content with the response; and
  
  responsive to the piece of cache content not matching the response, identifying the piece of cache content as the piece of suspicious content in the network cache; and
  
  responsive to the identification of the piece of suspicious content in the network cache, preventing the piece of suspicious content in the network cache from carrying out malicious activities in the computing device.
- View Dependent Claims (16, 17, 19)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein examining content in the network cache further comprises:
    - determining that the website is a sensitive website subject to loose security control,wherein retrieving the response comprises retrieving, responsive to the determination that the website is a sensitive website subject to loose security control, the response from the sensitive website through an out-of-band communication using the established network connection.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein examining content in the network cache further comprises:
    - examining the content in the cache for compliance with one or more security policies, wherein a piece of suspicious content in the cache is identified as suspicious responsive to non-compliance with a security policy.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein a security policy comprises a security rule, the security rule for determining whether a last-modified time of a piece of cache content is set to be in the future, wherein the piece of cache content is identified as suspicious responsive to having a last-modified time set in the future.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sobel, William E., Satish, Sourabh
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Cribbs, Malcolm

Application Number

US12/831,998
Time in Patent Office

1,224 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/56   Computer malware detection ...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/5682   Policies or rules for updat...

Secure network cache content

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

264 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Secure network cache content

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

264 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others