Computer security method and system with input parameter validation
First Claim
1. A computer-based method for identifying suspicious downloadables, comprising:
receiving, by a receiving computer over a network, a downloadable;
scanning, by the receiving computer, the downloadable to detect the presence of potentially malicious method calls;
if at least one potentially malicious method call is detected by said scanning, appending, by the receiving computer, monitoring program code to the downloadable thereby generating a modified downloadable, wherein when executed the monitoring program code calls a function with an array parameter to build a dictionary of method calls, the dictionary including a collection of multi-element arrays, wherein each of the multi-element arrays includes a name of an object, a name of a method of that object, and a function for validating input parameters of that method;
overwriting, by the receiving computer, in accordance with the monitoring program code, the at least one potentially malicious method call in the downloadable;
executing, by the receiving computer, a run-time loop over the modified downloadable, wherein upon execution, one or more input parameters for the at least one potentially malicious method call is validated;
if each of the one or more input parameters is valid, forwarding the downloadable to a destination computer, wherein the forwarded downloadable is in an unmodified format; and
if one of the one or more input parameters is not valid, providing by the receiving computer, an alert that the downloadable is suspicious.
Abstract
A security system, including a receiver for receiving a downloadable, a scanner, coupled with the receiver, for scanning the downloadable to identify suspicious computer operations therein, a code modifier, coupled with the scanner, for overwriting the suspicious computer operations with substitute computer operations, if at least one suspicious computer operation is identified by the scanner, and for appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is identified by the scanner, and a processor, coupled with the code modifier, for executing programmed instructions, wherein the monitoring program code includes program instructions for the processor to validate input parameters for the suspicious computer operations during run-time of the downloadable. A method is also described and claimed.
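The monitoring code that the abstract and claim 1 describe can be pictured with the following added sketch, which is not code from the patent. It passes an array of [object name, method name, validator] entries to a function that builds the dictionary, overwrites each listed method with a validating wrapper, and returns a verdict. All names, the validators and the stand-in browser objects are assumptions constructed for illustration.

```javascript
// Added illustration; buildDictionary, installMonitors and inspect are hypothetical names.
// Array parameter: each entry is [object name, method name, input validator].
const MONITORED_CALLS = [
  ["document", "write", (args) => args.every((a) => !/<\s*(script|iframe)\b/i.test(String(a)))],
  ["window", "setTimeout", (args) => typeof args[0] === "function"], // reject string-eval form
  ["String", "fromCharCode", (args) => args.length <= 64],
];

// Build the dictionary of method calls, keyed by "object.method".
function buildDictionary(entries) {
  const dict = new Map();
  for (const [objectName, methodName, validate] of entries) {
    dict.set(`${objectName}.${methodName}`, { objectName, methodName, validate });
  }
  return dict;
}

// Overwrite each listed method with a wrapper that validates its inputs first.
function installMonitors(scope, dict, alerts) {
  for (const [key, { objectName, methodName, validate }] of dict) {
    const target = scope[objectName];
    if (!target || typeof target[methodName] !== "function") continue;
    const original = target[methodName];
    target[methodName] = function (...args) {
      if (!validate(args)) {
        alerts.push({ call: key, args: args.map(String) });
        return undefined; // invalid input: the original method is never reached
      }
      return original.apply(this, args);
    };
  }
}

// Run a downloadable (modelled as a function of the scope) and decide its fate.
function inspect(downloadable) {
  const written = [];
  const scope = { // constructed stand-ins for browser objects
    document: { write: (s) => written.push(s) },
    window: { setTimeout: (fn) => fn() },
    String: { fromCharCode: (...c) => String.fromCharCode(...c) },
  };
  const alerts = [];
  installMonitors(scope, buildDictionary(MONITORED_CALLS), alerts);
  downloadable(scope);
  return { verdict: alerts.length ? "suspicious" : "forward-unmodified", alerts, written };
}
```

A "forward-unmodified" verdict corresponds to the claim step of forwarding the original downloadable rather than the instrumented copy.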
13 Claims
1. A computer-based method for identifying suspicious downloadables, comprising:
receiving, by a receiving computer over a network, a downloadable;
scanning, by the receiving computer, the downloadable to detect the presence of potentially malicious method calls;
if at least one potentially malicious method call is detected by said scanning, appending, by the receiving computer, monitoring program code to the downloadable thereby generating a modified downloadable, wherein when executed the monitoring program code calls a function with an array parameter to build a dictionary of method calls, the dictionary including a collection of multi-element arrays, wherein each of the multi-element arrays includes a name of an object, a name of a method of that object, and a function for validating input parameters of that method;
overwriting, by the receiving computer, in accordance with the monitoring program code, the at least one potentially malicious method call in the downloadable;
executing, by the receiving computer, a run-time loop over the modified downloadable, wherein upon execution, one or more input parameters for the at least one potentially malicious method call is validated;
if each of the one or more input parameters is valid, forwarding the downloadable to a destination computer, wherein the forwarded downloadable is in an unmodified format; and
if one of the one or more input parameters is not valid, providing by the receiving computer, an alert that the downloadable is suspicious.
4. A computer-based method for identifying suspicious downloadables, comprising:
receiving, by a receiving computer over a network, a downloadable;
scanning, by the receiving computer, the downloadable to detect the presence of potentially malicious method calls;
if at least one potentially malicious method call is detected by said scanning, appending, by the receiving computer, monitoring program code to the downloadable thereby generating a modified downloadable, wherein when executed the monitoring program code calls a function with an array parameter to build a dictionary of method calls, the dictionary including a collection of multi-element arrays, wherein each of the multi-element arrays includes a name of an object, a name of a method of that object, and a function for validating input parameters of that method;
executing, by the receiving computer, a run-time loop over the modified downloadable, wherein upon execution the receiving computer, (i) overwrites the at least one potentially malicious method call in the downloadable, and (ii) validates one or more input parameters of the potentially malicious method call;
if each of the one or more input parameters is valid, forwarding the downloadable to a destination computer, wherein the forwarded downloadable is in an unmodified format; and
if one of the one or more input parameters is not valid, providing by the receiving computer, an alert that the downloadable is suspicious.
7. A computer system with a secure gateway, comprising:
a gateway computer in communication with one or more destination computers, the gateway computer comprising:
a receiver for receiving a downloadable in transit to said one or more destination computers;
a scanner for scanning the received downloadable to detect the presence of potentially malicious method calls;
a code monitor for (i) appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one potentially malicious method call is detected by said scanner, wherein when executed the monitoring program code calls a function with an array parameter to build a dictionary of method calls, the dictionary including a collection of multi-element arrays, wherein each of the multi-element arrays includes a name of an object, a name of a method of that object, and a function for validating input parameters of that method, and (ii) overwriting a call in the downloadable to the at least one potentially malicious method call; and
a microprocessor for (i) executing a run-time loop over the modified downloadable, wherein upon execution, one or more input parameters for the at least one potentially malicious method call is validated, (ii) forwarding the downloadable to said one or more destination computers, if each of the one or more input parameters is valid, wherein the forwarded downloadable is in an unmodified format, and (iii) providing an alert that the downloadable is suspicious, if one of the one or more input parameters is not valid.
10. A secure client computer that receives executable downloadables from other computers, comprising:
a receiver for receiving a downloadable;
a scanner for scanning the received downloadable to detect the presence of potentially malicious method calls;
a code monitor for appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one potentially malicious method call is detected by said scanner, wherein when executed the monitoring program code calls a function with an array parameter to build a dictionary of method calls, the dictionary including a collection of multi-element arrays, wherein each of the multi-element arrays includes a name of an object, a name of a method of that object, and a function for validating input parameters of that method;
a microprocessor for executing program instructions including (i) executing a run-time loop over the modified downloadable, wherein upon execution, one or more input parameters for the at least one potentially malicious method call is validated, (ii) forwarding the downloadable to said one or more destination computers, if each of the one or more input parameters is valid, and (iii) providing an alert that the downloadable is suspicious, if one of the one or more input parameters is not valid.
Specification