Method and apparatus for automating controlled computing environment protection

US 8,806,651 B1
Filed: 12/18/2008
Issued: 08/12/2014
Est. Priority Date: 12/18/2008
Status: Active Grant

First Claim

Patent Images

1. A method for automating controlled computing environment protection, comprising:

receiving, at a kiosk from a user computer, user activity information comprising a request for a network service request for content that is subsequently loaded on a browser within the kiosk;

monitoring, at the kiosk, a controlled computing environment to process the user activity information;

comparing, at the kiosk, the user activity information with abnormal behavior indicia to identify hostile user activity caused by the content and associated with browser control circumvention, wherein browser control circumvention comprises performing various activities restricted by browser control comprising at least one of accessing a blacklisted website, accessing an invalid uniform resource locator, downloading a browser plug-in, and attempting to view a file system;

determining, at the kiosk, a uniform resource locator for an illicit computer related to the network service request, wherein the illicit computer is a source of the hostile activity associated with browser control circumvention, wherein the uniform resource locator is added to attack prevention information for a definable time period to protect the controlled computing environment from browser control circumvention; and

preventing, at the kiosk, further data communications with the illicit computer based on the attack prevention information.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for automating controlled computing environment protection is disclosed. In one embodiment, the method for automating controlled computing environment protection includes monitoring a controlled computing environment to process user activity information associated with a user computer and comparing the user activity information with abnormal behavior indicia to identify hostile user activity that denotes browser control circumvention.

15 Citations

View as Search Results

16 Claims

1. A method for automating controlled computing environment protection, comprising:
- receiving, at a kiosk from a user computer, user activity information comprising a request for a network service request for content that is subsequently loaded on a browser within the kiosk;
  
  monitoring, at the kiosk, a controlled computing environment to process the user activity information;
  
  comparing, at the kiosk, the user activity information with abnormal behavior indicia to identify hostile user activity caused by the content and associated with browser control circumvention, wherein browser control circumvention comprises performing various activities restricted by browser control comprising at least one of accessing a blacklisted website, accessing an invalid uniform resource locator, downloading a browser plug-in, and attempting to view a file system;
  
  determining, at the kiosk, a uniform resource locator for an illicit computer related to the network service request, wherein the illicit computer is a source of the hostile activity associated with browser control circumvention, wherein the uniform resource locator is added to attack prevention information for a definable time period to protect the controlled computing environment from browser control circumvention; and
  
  preventing, at the kiosk, further data communications with the illicit computer based on the attack prevention information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising terminating a connection between the controlled computing environment and at least one of the user computer or an illicit computer, wherein the illicit computer is a source of the hostile activity.
  - 3. The method of claim 1 further comprising identifying at least one malicious browser plug-in file associated with the hostile activity.
  - 4. The method of claim 3 further comprising installing a hook that is configured to fail at least one operation by the at least one malicious browser plug-in file.
  - 5. The method of claim 4 further comprising blocking execution of the at least one malicious browser plug-in file.
  - 6. The method of claim 4 further comprising generating at least one fingerprint for the identified at least one browser plug-in file, wherein the at least one fingerprint is added to attack prevention information.
  - 7. The method of claim 1 further comprising establishing at least one connection with at least one computer based on attack prevention information.
  - 8. The method of claim 1, wherein comparing the user activity information with the abnormal behavior indicia further comprises identifying at least one operation for accessing at least one inaccessible file.
  - 9. The method of claim 1, wherein the hostile activity comprises at least one of reconnaissance activity or browser vulnerability exploitation.
  - 10. The method of claim 1, wherein the abnormal behavior indicia comprises information regarding reconnaissance activity and at least one known browser vulnerability.

11. An apparatus for automating controlled computing environment protection, comprising:
- at least one computer processor communicatively coupled to memory, wherein the at least one computer processor comprises;
  
  a user presence monitor for detecting a user computer within a controlled computing environment and processing user activity information comprising a request for a network service request for content that is subsequently loaded on a browser within a kiosk associated with the user computer; and
  
  an attack monitor for comparing the user activity information with abnormal behavior indicia to identify hostile activity caused by the content and associated with browser control circumvention, wherein browser control circumvention comprises performing various activities restricted by browser control comprising at least one of accessing a blacklisted website, accessing an invalid uniform resource locator, downloading a browser plug-in, and attempting to view a file system, wherein the attack monitor determines a uniform resource locator for an illicit computer related to the network service request, wherein the uniform resource locator is used to block data communications for a definable time period from the illicit computer to protect the controlled computing environment from browser control circumvention, and wherein the illicit computer is a source of the hostile activity associated with browser control circumvention, and wherein the attack monitor prevents further data communications with the illicit computer based on the attack prevention information.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus of claim 11, wherein the attack monitor identifies at least one malicious browser plug-in file associated with the hostile activity.
  - 13. The apparatus of claim 12, wherein the attack monitor blocks execution of the at least one malicious browser plug-in file using attack prevention information.
  - 14. The apparatus of claim 13, wherein the attack monitor generates at least one fingerprint for the identified at least one malicious browser plug-in file to prevent execution of the identified at least one malicious browser plug-in file.
  - 15. The apparatus of claim 13, wherein the attack monitor installs a hook that is configured to fail at least one operation by the at least one malicious browser plug-in file.

16. A system for automating controlled computing environment protection, comprising:
- a user computer for providing a user with restricted web access within a controlled computing environment; and
  
  a kiosk computer coupled with the user computer, comprising;
  
  a user presence monitor for processing user activity information associated with the user computer comprising a request for a network service request for content that is subsequently loaded on a browser within the kiosk computer, andan attack monitor for comparing the user activity information with abnormal behavior indicia to identify hostile activity caused by the content and associated with browser control circumvention, wherein browser control circumvention comprises performing various activities restricted by browser control comprising at least one of accessing a blacklisted website, accessing an invalid uniform resource locator, downloading a browser plug-in, and attempting to view a file system, wherein the attack monitor determines a uniform resource locator for an illicit computer related to the network service request, wherein the uniform resource locator is used to block data communications for a definable time period from the illicit computer to protect the controlled computing environment from browser control circumvention, wherein the illicit computer is a source of the hostile activity associated with browser control circumvention, and wherein the attack monitor prevents further data communications with the illicit computer based on the attack prevention information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Satish, Sourabh, Sobel, William
Primary Examiner(s)
CHAO, MICHAEL W

Application Number

US12/338,618
Time in Patent Office

2,063 Days
Field of Search

726/22, 726/26
US Class Current

726/26
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/57   Certifying or maintaining t...

G06F 2216/15   Synchronised browsing

Method and apparatus for automating controlled computing environment protection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for automating controlled computing environment protection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links