Malicious mobile code runtime monitoring system and methods

DC CAFC

US 7,647,633 B2
Filed: 06/22/2005
Issued: 01/12/2010
Est. Priority Date: 03/30/2000
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A computer processor-based method, comprising:

receiving, by a computer, downloadable-information;

determining, by the computer, whether the downloadable-information includes executable code; and

based upon the determination, transmitting from the computer mobile protection code to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code.

View all claims

6 Assignments

Timeline View

Assignment View

Litigations

5 Petitions

Reexaminations

Accused Products

Abstract

Protection systems and methods provide for protecting one or more personal computers (“PCs”) and/or other intermittently or persistently network accessible devices or processes from undesirable or otherwise malicious operations of Java™ applets, ActiveX™ controls, JavaScript™ scripts, Visual Basic scripts, add-ins, downloaded/uploaded programs or other “Downloadables” or “mobile code” in whole or part. A protection engine embodiment provides, within a server, firewall or other suitable “re-communicator,” for monitoring information received by the communicator, determining whether received information does or is likely to include executable code, and if so, causes mobile protection code (MPC) to be transferred to and rendered operable within a destination device of the received information, more suitably by forming a protection agent including the MPC, protection policies and a detected-Downloadable. An MPC embodiment further provides, within a Downloadable-destination, for initiating the Downloadable, enabling malicious Downloadable operation attempts to be received by the MPC, and causing (predetermined) corresponding operations to be executed in response to the attempts, more suitably in conjunction with protection policies.

101 Citations

View as Search Results

41 Claims

1. A computer processor-based method, comprising:
- receiving, by a computer, downloadable-information;
  
  determining, by the computer, whether the downloadable-information includes executable code; and
  
  based upon the determination, transmitting from the computer mobile protection code to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the receiving includes monitoring received information of an information re-communicator.
  - 3. The method of claim 2, wherein the information re-communicator is a network server.
  - 4. The method of claim 1, wherein the determining comprises analyzing the downloadable-information for an included type indicator indicating an executable file type.
  - 5. The method of claim 1, wherein the determining comprises analyzing the downloadable-information for an included type detector indicating an archive file that contains at least one executable.
  - 6. The method of claim 1, wherein the determining comprises analyzing the downloadable-information for an included file type indicator and an information pattern corresponding to one or more information patterns that tend to be included within executable code.
  - 7. The method of claim 1, further comprising receiving, by the computer, one or more executable code characteristics of executable code that is capable of being executed by the information-destination, and wherein the determining is conducted in accordance with the executable code characteristics.

8. A computer processor-based system for computer security, the system comprisingan information monitor for receiving downloadable-information by a computer;
- a content inspection engine communicatively coupled to the information monitor for determining, by the computer, whether the downloadable-information includes executable code; and
  
  a protection agent engine communicatively coupled to the content inspection engine for causing mobile protection code (“
  
  MPC”
  
  ) to be communicated by the computer to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 8, wherein the information monitor intercepts received information received by an information re-communicator.
  - 10. The system of claim 9, wherein the information re-communicator is a network server.
  - 11. The system of claim 8, wherein the content inspection engine comprises a file type detector for determining whether the downloadable-information includes a file type indicator indicating an executable file type.
  - 12. The system of claim 8, wherein the content inspection engine comprises a parser for parsing the downloadable-information and a content analyzer communicatively coupled to the parser for determining whether one or more downloadable-information elements of the downloadable-information correspond with executable code elements.

13. A processor-based system for computer security, the system comprising:
- means for receiving downloadable-information;
  
  means for determining whether the downloadable-information includes executable code; and
  
  means for causing mobile protection code to be communicated to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code.

14. A computer program product, comprising a computer usable medium having a computer readable program code therein, the computer readable program code adapted to be executed for computer security, the method comprising:
- providing a system, wherein the system comprises distinct software modules, and wherein the distinct software modules comprise an information re-communicator and a mobile code executor;
  
  receiving, at the information re-communicator, downloadable-information including executable code; and
  
  causing mobile protection code to be executed by the mobile code executor at a downloadable-information destination such that one or more operations of the executable code at the destination, if attempted, will be processed by the mobile protection code.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein the mobile code executor is a Java Virtual Machine.
  - 16. The method of claim 14, wherein the mobile code executor is the operating system, running native code executables.
  - 17. The method of claim 14, wherein the mobile code executor is a subsystem of the operating system.
  - 18. The method of claim 14, wherein the mobile code executor is a scripting host.
  - 19. The method of claim 14, wherein the re-communicator is at least one of a firewall and a network server.
  - 20. The method claim 14, wherein executing the mobile protection code at the destination causes downloadable interfaces to resources at the destination to be modified such that at least one attempted operation of the executable code is diverted to the mobile protection code.

21. A processor-based system for computer security, the system comprising:
- receiving means for receiving, at an information re-communicator of a computer, downloadable-information, including executable code; and
  
  mobile code means communicatively coupled to the receiving means for causing, by the computer, mobile protection code to be executed by a mobile code executor at a downloadable-information destination such that one or more operations of the executable code at the destination, if attempted, will be processed by the mobile protection code.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The system of claim 21, wherein the mobile code executor is a Java Virtual Machine.
  - 23. The system of claim 21, wherein the mobile code executor is an operating system, running native code executables.
  - 24. The system of claim 21, wherein the mobile code executor is a subsystem of the windows operating system.
  - 25. The system of claim 21, wherein the mobile code executor is a scripting host.
  - 26. The system of claim 21, wherein the re-communicator is at least one of a firewall and a network server.
  - 27. The system of claim 21, wherein executing the mobile protection code at the destination causes downloadable interfaces to resources at the destination to be modified such that at least one attempted operation of the executable code is diverted to the mobile protection code.

28. A processor-based method, comprising:
- receiving a sandboxed package that includes mobile protection code (“
  
  MPC”
  
  ) and a Downloadable and one or more protection policies at a computer at a Downloadable-destination;
  
  causing, by the MPC on the computer, one or more operations attempted by the Downloadable to be received by the MPC;
  
  receiving, by the MPC on the computer, an attempted operation of the Downloadable; and
  
  initiating, by the MPC on the computer, a protection policy corresponding to the attempted operation.
- View Dependent Claims (29, 30, 31, 32, 33)
- - 29. The method of claim 28, wherein the sandboxed package is configured such that the MPC is executed first, the Downloadable is executed by the MPC and the protection policies are accessible to the MPC.
  - 30. The method of claim 28, wherein the causing comprises modifying, by the MPC, interfaces of a corresponding downloadable to resources at the destination.
  - 31. The method of claim 30, wherein the modifying is accomplished by initiating a loading of the Downloadable, thereby causing a mobile code executor to provide and initialize the interfaces, modifying one or more interface elements to divert corresponding attempted Downloadable operations to the MPC, and initiating execution of the Downloadable.
  - 32. The method of claim 30, wherein the interfaces comprise an import address table (“
    - IAT”
      
      ) of a native code executable downloadable.
  - 33. The method of claim 30, wherein modifying the interfaces installs a filter-driver between the downloadable and the resources.

34. A processor-based system for computer security, the system comprising:
- a mobile code executor on a computer for initiating received mobile code; and
  
  a sandboxed package capable of being received and initiated by the mobile code executor on the computer, the sandboxed package including a Downloadable and mobile protection code (“
  
  MPC”
  
  ) for causing one or more Downloadable operations to be intercepted by the computer and for processing the intercepted operations by the computer, if the Downloadable attempts to initiate the operations.
- View Dependent Claims (35, 36, 37, 38, 39, 40)
- - 35. The system of claim 34, wherein the MPC comprises:
    - an MPC installer for causing MPC elements to be installed;
      
      a Downloadable installer communicatively coupled to the MPC installer for installing the Downloadable;
      
      a resource access diverter communicatively coupled to the MPC installer for causing the Downloadable operations to be intercepted;
      
      a resource access analyzer communicatively coupled to the MPC installer for receiving an intercepted Downloadable operation and determining a protection policy corresponding to the intercepted Downloadable operation; and
      
      a policy enforcer communicatively coupled to the resource access analyzer for processing the intercepted Downloadable operation.
  - 36. The system of claim 35, wherein the resource access diverter modifies one or more elements of an interface usable by the Downloadable to effectuate the Downloadable operations.
  - 37. The system of claim 35, wherein the mobile code-executor is a Java Virtual Machine.
  - 38. The system of claim 35, wherein the mobile code executor is an operating system, running native code executables.
  - 39. The system of claim 35, wherein the mobile code executor is a subsystem of the operating system.
  - 40. The system of claim 35, wherein the mobile code executor is a scripting host.

41. A processor-based system for computer security, the system comprising:
- receiving means for receiving a sandboxed package that includes mobile protection code (“
  
  MPC”
  
  ) and a Downloadable and one or more protection policies at a Downloadable-destination;
  
  monitoring means for causing, by the MPC, one or more operations attempted by the Downloadable to be received by the MPC;
  
  second receiving means receiving, by the MPC, an attempted operation of the Downloadable; and
  
  initiating means for initiating, by the MPC, a protection policy corresponding to the attempted operation.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Finjan Holdings, Inc. (SoftBank Group Corp.)
Original Assignee
Finjan Software Limited (SoftBank Group Corp.)
Inventors
Touboul, Shlomo, Kroll, David R., Vered, Nimrod Itzhak, Edery, Yigal Mordechai
Primary Examiner(s)
Revak; Christopher A

Application Number

US11/159,455
Publication Number

US 20060026677A1
Time in Patent Office

1,665 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 2221/033   Test or assess software

G06F 2221/2119   Authenticating web pages, e...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Malicious mobile code runtime monitoring system and methods

First Claim

6 Assignments

Litigations

5 Petitions

Reexaminations

Accused Products

Abstract

101 Citations

41 Claims

Specification

30 Family Members

Thank you for your feedback