Malicious mobile code runtime monitoring system and methods

DC CAFC

US 7,058,822 B2
Filed: 05/17/2001
Issued: 06/06/2006
Est. Priority Date: 03/30/2000
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A processor-based method, comprising:

receiving downloadable-information;

determining whether the downloadable-information includes executable code; and

causing mobile protection code to be communicated to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code,wherein the determining comprises performing one or more analyses of the downloadable-information, the analyses producing detection-indicators indicating whether a correspondence is detected between a downloadable-information characteristic and at least one respective executable code characteristic, and evaluating the detection-indicators to determine whether the downloadable-information includes executable code.

View all claims

6 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Reexamination

Accused Products

Abstract

Protection systems and methods provide for protecting one or more personal computers (“PCs”) and/or other intermittently or persistently network accessible devices or processes from undesirable or otherwise malicious operations of Java™ applets, ActiveX™ controls, JavaScript™ scripts, Visual Basic scripts, add-ins, downloaded/uploaded programs or other “Downloadables” or “mobile code” in whole or part. A protection engine embodiment provides, within a server, firewall or other suitable “re-communicator,” for monitoring information received by the communicator, determining whether received information does or is likely to include executable code, and if so, causes mobile protection code (MPC) to be transferred to and rendered operable within a destination device of the received information, more suitably by forming a protection agent including the MPC, protection policies and a detected-Downloadable. An MPC embodiment further provides, within a Downloadable-destination, for initiating the Downloadable, enabling malicious Downloadable operation attempts to be received by the MPC, and causing (predetermined) corresponding operations to be executed in response to the attempts, more suitably in conjunction with protection policies.

387 Citations

35 Claims

1. A processor-based method, comprising:
- receiving downloadable-information;
  
  determining whether the downloadable-information includes executable code; and
  
  causing mobile protection code to be communicated to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code,wherein the determining comprises performing one or more analyses of the downloadable-information, the analyses producing detection-indicators indicating whether a correspondence is detected between a downloadable-information characteristic and at least one respective executable code characteristic, and evaluating the detection-indicators to determine whether the downloadable-information includes executable code.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein at least one of the detection-indicators indicates a level of downloadable-information characteristic and executable code characteristic correspondence.
  - 3. The method of claim 1, wherein the evaluating includes assigning a weighted level of importance to at least one of the indicators.

4. A processor-based method, comprising:
- receiving downloadable-information;
  
  determining whether the downloadable-information includes executable code; and
  
  causing mobile protection code to be communicated to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code,wherein the causing mobile protection code to be communicated comprises forming a sandboxed package including the mobile protection code and the downloadable-information, and causing the sandboxed package to be communicated to the at least one information-destination.
- View Dependent Claims (5, 6, 7, 8)
- - 5. The method of claim 4, wherein the sandboxed package is formed such that the mobile protection code will be executed by the information-destination before the downloadable-information.
  - 6. The method of claim 5, wherein the sandboxed package further includes protection policies according to which the mobile protection code is operable.
  - 7. The method of claim 6, wherein the sandboxed package is formed for receipt by the information-destination such that the mobile protection code is received before the downloadable-information, and the downloadable information before the protection policies.
  - 8. The method of claim 6, wherein the protection policies correspond with at least one of the information-destination and a user of the information destination.

9. A processor-based system, comprising:
- an information monitor for receiving downloadable-information;
  
  a content inspection engine communicatively coupled to the information monitor for determining whether the downloadable-information includes executable code; and
  
  a packaging engine communicatively coupled to the content inspection engine for causing mobile protection code (“
  
  MPC”
  
  ) to be communicated to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code,wherein the content inspection engine comprises one or more downloadable-information analyzers for analyzing the downloadable-information, each analyzer producing therefrom a detection indicator indicating whether a downloadable-information characteristic corresponds with an executable code characteristic, and an inspection controller communicatively coupled to the analyzers for determining whether the indicators indicate that the downloadable-information includes executable code.
- View Dependent Claims (10, 11)
- - 10. The system of claim 9, wherein at least one of the detection-indicators indicates a level of downloadable-information characteristic and executable code characteristic correspondence.
  - 11. The system of claim 9, wherein the evaluating includes assigning a weighted level of importance to at least one of the detection-indicators.

12. A processor-based system, comprising:
- an information monitor for receiving downloadable-information;
  
  a content inspection engine communicatively coupled to the information monitor for determining whether the downloadable-information includes executable code; and
  
  a packaging engine communicatively coupled to the content inspection engine for causing mobile protection code (“
  
  MPC”
  
  ) to be communicated to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code,wherein the packaging engine comprises an MPC generator for providing the MPC, a linking engine coupled to the MPC generator for forming a sandbox package including the MPC and the downloadable-information, and a transfer engine for causing the sandbox package to be communicated to the at least one information-destination.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein the packaging engine further comprises a policy generator communicatively coupled to the linking engine for providing protection policies according to which the MPC is operable.
  - 14. The system of claim 13, wherein the sandboxed package is formed for receipt by the information-destination such that the mobile protection code is executed before the downloadable-information.
  - 15. The system of claim 14, wherein the protection policies correspond with policies of at least one of the information-destination and a user of the information destination.

16. A processor-based method, comprising:
- receiving, at an information re-communicator, downloadable-information, including executable code; and
  
  causing mobile protection code to be executed by a mobile code executor at a downloadable-information destination such that one or more operations of the executable code at the destination, if attempted, will be processed by the mobile protection code,wherein the causing is accomplished by forming a sandboxed package including the mobile protection code and the downloadable-information, and causing the sandboxed package to be delivered to the downloadable-information destination.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. The method of claim 16, wherein the sandboxed package further includes protection policies according to which the processing by the mobile protection code is conducted.
  - 18. A sandboxed package formed according to the method of claim 17.
  - 19. The method of claim 17, wherein the forming comprises generating the mobile protection code, generating the sandboxed package, and linking the mobile protection code, protection policies and downloadable-information.
  - 20. The method of claim 19, wherein the generating of at least one of the mobile protection code and the protection policies is conducted in accordance with one or more destination-characteristics of the destination.
  - 21. The method of claim 20, wherein the destination-characteristics include characteristics corresponding to at least one of a destination user, a destination device and a destination process.
  - 22. A sandboxed package formed according to the method of claim 16.
  - 23. The method of claim 16, wherein the causing the sandboxed package to be executed includes communicating the sandboxed package to a communication buffer of the information re-communicator.
  - 24. The method of claim 16, wherein the re-communicator is at least one of a firewall and a network server.
  - 25. The method of claim 16, wherein the sandboxed package has a same file type as the downloadable-information, thereby causing the mobile code executor to be unaware that the protected package is not a normal downloadable.
  - 26. The method of claim 25, wherein the sandboxed package is formed using concatenation of a mobile protection code, a policy, and a downloadable.
  - 27. The method of claim 16, wherein executing the mobile protection code at the destination causes downloadable interfaces to resources at the destination to be modified such that at least one attempted operation of the executable code is diverted to the mobile protection code.

28. A processor-based system, comprising:
- receiving means for receiving, at an information re-communicator, downloadable-information, including executable code; and
  
  mobile code means communicatively coupled to the receiving means for causing mobile protection code to be executed by a mobile code executor at a downloadable-information destination such that one or more operations of the executable code at the destination, if attempted, will be processed by the mobile protection code,wherein the causing is accomplished by forming a sandboxed package including the mobile protection code and the downloadable-information, and causing the sandboxed package to be delivered to the downloadable-information destination.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35)
- - 29. The system of claim 28, wherein the sandboxed package further includes protection policies according to which the processing by the mobile protection code is conducted.
  - 30. The system of claim 29, wherein the forming comprises generating the mobile protection code, generating the protection policies, and linking the mobile protection code, protection policies and downloadable-information.
  - 31. The system of claim 30, wherein the generating of at least one of the mobile protection code and the protection policies is conducted in accordance with one or more destination-characteristics of the destination.
  - 32. The system of claim 31, wherein the destination-characteristics include characteristics corresponding to at least one of a destination user, a destination device and a destination process.
  - 33. The system of claim 28, wherein the causing the sandboxed package to be executed includes communicating the sandboxed package to a communication buffer of the information re-communicator.
  - 34. The system of claim 33, wherein the re-communicator is at least one of a firewall and a network server.
  - 35. The system of claim 34, wherein executing the mobile protection code at the destination causes downloadable interfaces a resource at the destination to be modified such that at least one attempted operation of the executable code is diverted to the mobile protection code.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Finjan Holdings, Inc. (SoftBank Group Corp.)
Original Assignee
Finjan Software Limited (SoftBank Group Corp.)
Inventors
Kroll, David R., Vered, Nimrod Itzhak, Edery, Yigal Mordechai
Primary Examiner(s)
Revak, Christopher

Application Number

US09/861,229
Publication Number

US 20020013910A1
Time in Patent Office

1,846 Days
Field of Search

713/176, 713/175, 713/200, 713/201, 713/150, 713/168, 701/223, 701/229, 717/120, 717/124, 717/126, 717/127, 717/130, 717/131, 717/134, 717/135, 709223-229
US Class Current

726/22
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 2221/033   Test or assess software

G06F 2221/2119   Authenticating web pages, e...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Malicious mobile code runtime monitoring system and methods

First Claim

6 Assignments

Litigations

1 Petition

Reexamination

Accused Products

Abstract

387 Citations

35 Claims

Specification

30 Family Members

Thank you for your feedback