Malicious Mobile Code Runtime Monitoring System and Methods

US 20150180885A1
Filed: 02/11/2015
Published: 06/25/2015
Est. Priority Date: 11/08/1996
Status: Active Grant

First Claim

Patent Images

1. A system for determining whether a downloadable is suspicious, comprising:

a plurality of operating system probes operating substantially in parallel for monitoring a plurality of subsystems of the operating system during runtime for an event caused from a request made by a downloadable;

an interrupter for interrupting processing of the request;

a first comparator coupled to the plurality of operating system probes for comparing information pertaining to the downloadable against a predetermined security policy, wherein the information pertaining to the downloadable includes information pertaining to an operation of the downloadable and distinct from information pertaining to the request; and

a response engine for performing a predetermined responsive action based on the comparison.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Protection systems and methods provide for protecting one or more personal computers (“PCs”) and/or other intermittently or persistently network accessible devices or processes from undesirable or otherwise malicious operations of Java TN applets, ActiveX™ controls, JavaScript™ scripts, Visual Basic scripts, add-ins, downloaded/uploaded programs or other “Downloadables” or “mobile code” in whole or part. A protection engine embodiment provides for monitoring information received, determining whether received information does or is likely to include executable code, and if so, causes mobile protection code (MPC) to be transferred to and rendered operable within a destination device of the received information. An MPC embodiment further provides, within a Downloadable-destination, for initiating the Downloadable, enabling malicious Downloadable operation attempts to be received by the MPC, and causing (predetermined) corresponding operations to be executed in response to the attempts.

4 Citations

30 Claims

1. A system for determining whether a downloadable is suspicious, comprising:
- a plurality of operating system probes operating substantially in parallel for monitoring a plurality of subsystems of the operating system during runtime for an event caused from a request made by a downloadable;
  
  an interrupter for interrupting processing of the request;
  
  a first comparator coupled to the plurality of operating system probes for comparing information pertaining to the downloadable against a predetermined security policy, wherein the information pertaining to the downloadable includes information pertaining to an operation of the downloadable and distinct from information pertaining to the request; and
  
  a response engine for performing a predetermined responsive action based on the comparison.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the plurality of operating system interfaces operating substantially in parallel for monitoring the operating system includes means for monitoring a request sent to a downloadable engine.
  - 3. The system of claim 2, wherein the downloadable engine includes a Java™
    - virtual machine having Java™
      
      classes; and
      
      wherein the plurality of operating system interfaces operating substantially in parallel for monitoring the operating system includes means for monitoring each Java™
      
      class for receipt of the request.
  - 4. The system of claim 2, wherein the downloadable engine includes an AppletX™
    - platform having a message engine, a dynamic-data-exchange and a dynamically-linked library; and
      
      wherein the plurality of operating system interfaces operating substantially in parallel for monitoring the operating system includes means for monitoring the message engine, the dynamic-data-exchange and the dynamically-linked library for receipt of the request.
  - 5. The system of claim 1, further comprising means for determining whether information pertaining to the downloadable violates a security rule.
  - 6. The system of claim 5, further comprising means for determining whether violation of the security rule violates the security policy.
  - 7. The system of claim 1, further comprising:
    - a comparator for comparing information pertaining to the downloadable with information pertaining to a predetermined suspicious downloadable; and
      
      a response engine for performing a predetermined responsive action based on the comparison with the information pertaining to the predetermined suspicious downloadable.
  - 8. The system of claim 1, wherein the predetermined responsive action includes storing results of the comparison in an event log.
  - 9. The system of claim 1, wherein the predetermined responsive action includes informing the user when the security policy has been violated.
  - 10. The system of claim 1, wherein the predetermined responsive action includes storing information on the Downloadable in a suspicious Downloadable database.
  - 11. The system of claim 1, wherein the predetermined responsive action includes discarding the Downloadable.

12. A system for reviewing an operating system call issued by a downloadable, comprising:
- an operating system probe associated with an operating system function for intercepting an operating system call being issued by a downloadable to an operating system and associated with the operating system function;
  
  a runtime environment monitor for comparing the operating system call against a predetermined security policy including multiple security rules to determine if execution of the operating system call violates one or more of the multiple security rules before allowing the operating system to process the operating system call and for forwarding a message to a response engine when the comparison by the runtime environment monitor indicates a violation of one or more of the multiple security rules;
  
  a response engine for compiling each rule violation indicated in the messages forwarded by the runtime environment monitor, for blocking execution of operating system calls that are forbidden according to the security policy when execution of the operating system calls would result in a violation of a predetermined combination of multiple security rules of the predetermined security policy and for allowing execution of operating system calls that are permitted according to the security policy.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein the downloadable is one of a Java component, an ActiveX control, executable code, or interpretable code.
  - 14. The system of claim 12, further comprising:
    - a request broker for receiving a notification message from the downloadable engine regarding the extension call;
      
      a file system probe and a network system probe each being associated with an operating system function for receiving the request message from the downloadable engine and intercepting an operating system call being issued by the downloadable to an operating system and associated with the operating system function;
      
      an event router for receiving the notification message from the request broker regarding the extension call and an event message from one of the file system probe and the network system probe regarding the operating system call;
      
      the runtime environment monitor for receiving the notification message and the event message from the event router and comparing the extension call and the operating system call against a predetermined security policy before allowing the operating system to process the extension call and the operating system call; and
      
      the response engine for receiving a violation message from the runtime environment monitor when one of the extension call and the operating system call violate one or more rules of the predetermined security policy and blocking extension calls and operating system calls that are forbidden according to the predetermined security policy, and for allowing extension calls and operating system calls that are permitted according to the predetermined security policy.
  - 15. The system of claim 14, wherein the downloadable is one of a Java component, an ActiveX control, executable code, or interpretable code.

16. A system for reviewing an operating system call issued by a downloadable, comprising:
- a downloadable engine for intercepting a request message being issued by a downloadable to an operating system, wherein the request message includes an extension call;
  
  a request broker for receiving a notification message from the downloadable engine regarding the extension call;
  
  a file system probe and a network system probe each being associated with an operating system function for receiving the request message from the downloadable engine and intercepting an operating system call being issued by the downloadable to an operating system and associated with the operating system function;
  
  a runtime environment monitor for receiving the notification message and the event message from the event router and comparing the extension call and the operating system call against a predetermined security policy before allowing the operating system to process the extension call and the operating system call; and
  
  a response engine for receiving a violation message from the runtime environment monitor when one of the extension call and the operating system call violate one or more rules of the predetermined security policy and blocking extension calls and operating system calls that are forbidden according to the predetermined security policy, and for allowing extension calls and operating system calls that are permitted according to the predetermined security policy.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The system of claim 16, wherein the Downloadable is one of a Java component, an ActiveX control, executable code, or interpretable code.
  - 18. The system of claim 16, wherein the response engine stores results of the comparison in an event log.
  - 19. The system of claim 16, wherein the response engine informs the user when the security policy has been violated.
  - 20. The system of claim 16, wherein the response engine stores information on the Downloadable in a suspicious Downloadable database when it includes extension calls or operating system calls that are forbidden according to the predetermined security policy.
  - 21. The system of claim 16, wherein the response engine discards the Downloadable when it includes extension calls or operating system calls that are forbidden according to the predetermined security policy.

22. A system for reviewing an operating system call issued by a downloadable, comprising:
- a plurality of operating system probes for monitoring substantially in parallel a plurality of subsystems of an operating system during runtime for an event caused from a request made by a Downloadable, wherein the plurality of subsystems includes a network system;
  
  an interrupter for interrupting processing of the request;
  
  a comparator coupled to the plurality of operating system probes for comparing information pertaining to the Downloadable against a predetermined security policy; and
  
  a response engine for performing a predetermined responsive action based on the comparison.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The system of claim 22, wherein the predetermined responsive action includes storing results of the comparison in an event log.
  - 24. The system of claim 22, wherein the predetermined responsive action includes informing the user when the security policy has been violated.
  - 25. The system of claim 22, wherein the predetermined responsive action includes storing information on the Downloadable in a suspicious Downloadable database.
  - 26. The system of claim 22, wherein the predetermined responsive action includes discarding the Downloadable.
  - 27. The system of claim 22, wherein the plurality of operating system probes operating substantially in parallel for monitoring the operating system includes means for monitoring a request sent to a downloadable engine.
  - 28. The system of claim 27, wherein the downloadable engine includes a Java™
    - virtual machine having Java™
      
      classes; and
      
      wherein the plurality of operating system probes operating substantially in parallel for monitoring the operating system includes means for monitoring each Java™
      
      class for receipt of the request.
  - 29. The system of claim 28, wherein the downloadable engine includes an AppletX™
    - platform having a message engine, a dynamic-data-exchange and a dynamically-linked library; and
      
      wherein the plurality of operating system probes operating substantially in parallel for monitoring the operating system includes means for monitoring the message engine, the dynamic-data-exchange and the dynamically-linked library for receipt of the request.
  - 30. The system of claim 22, further comprising means for determining whether information pertaining to the downloadable violates a security rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Holdings, Inc. (SoftBank Group Corp.)
Original Assignee
Finjan, Inc. (SoftBank Group Corp.)
Inventors
Edery, Yigal Mordechai, Vered, Nimrod Itzhak, Kroll, David R., Touboul, Shlomo

Granted Patent

US 9,189,621 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 2221/033   Test or assess software

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

Malicious Mobile Code Runtime Monitoring System and Methods

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

4 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Malicious Mobile Code Runtime Monitoring System and Methods

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

4 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links