Security system with methodology for defending against security breaches of peripheral devices

US 8,281,114 B2
Filed: 12/23/2003
Issued: 10/02/2012
Est. Priority Date: 12/23/2003
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a computer from security breaches involving a hardware-based key logger installed between the computer and an attached input device, the method comprising:

when the computer is first powered on, storing authorization information received from an administrative user to indicate that the input device is authorized to communicate with the computer;

detecting a potential tampering attempt by an unauthorized user comprising detachment of the input device from the computer, installation of a hardware-based key logger, and reattachment of the input device, so that the hardware-based key logger is installed between the computer and the input device;

requiring entry of a password for authorizing the input device;

if the required password is entered, authorizing the input device to communicate with the computer and, otherwise, continuing to block communication from the input device to the computer;

storing authorization information indicating whether or not the input device is allowed to communicate with the computer;

detecting detachment of the input device from the computer;

when said potential tampering attempt is detected, updating the authorization information to indicate that the input device is no longer authorized to communicate with the computer; and

upon said reattachment of the input device, blocking communication from the input device to the computer until the input device is again authorized.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system with methodology for defending against security breaches of peripheral devices is described. In one embodiment, for example, a method is described for protecting a computer from security breaches involving devices that may be attached to the computer, the method comprises steps of: when a device is first attached to the computer, specifying authorization information indicating that the device is allowed to communicate with the computer; detecting detachment of the device from the computer; updating the authorization information to indicate that the device is no longer authorized to communicate with the computer; and upon reattachment of the device, blocking communication with the device while the device remains unauthorized, thereby preventing a security breach involving the device.

62 Citations

View as Search Results

42 Claims

1. A method for protecting a computer from security breaches involving a hardware-based key logger installed between the computer and an attached input device, the method comprising:
- when the computer is first powered on, storing authorization information received from an administrative user to indicate that the input device is authorized to communicate with the computer;
  
  detecting a potential tampering attempt by an unauthorized user comprising detachment of the input device from the computer, installation of a hardware-based key logger, and reattachment of the input device, so that the hardware-based key logger is installed between the computer and the input device;
  
  requiring entry of a password for authorizing the input device;
  
  if the required password is entered, authorizing the input device to communicate with the computer and, otherwise, continuing to block communication from the input device to the computer;
  
  storing authorization information indicating whether or not the input device is allowed to communicate with the computer;
  
  detecting detachment of the input device from the computer;
  
  when said potential tampering attempt is detected, updating the authorization information to indicate that the input device is no longer authorized to communicate with the computer; and
  
  upon said reattachment of the input device, blocking communication from the input device to the computer until the input device is again authorized.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, further comprising:
    - specifying a password for authorizing the device.
  - 3. The method of claim 1, wherein saidinput device comprises a keyboard device.
  - 4. The method of claim 1, wherein the input device is attached to the computer via a port.
  - 5. The method of claim 4, wherein the port is a selected one of a USB port, an RS-232 port, a parallel port, a SCSI port, and an IEEE 1394 port.
  - 6. The method of claim 1, wherein said input device comprises a keyboard device and wherein said blocking step includes blocking input from the keyboard device.
  - 7. The method of claim 6, wherein said blocking step includes blocking any request by the keyboard device for outgoing data from the computer.
  - 8. The method of claim 7, further comprising:
    - upon reattachment of the keyboard device, trapping keystrokes from the keyboard device.
  - 9. The method of claim 8, further comprising:
    - determining whether keystrokes trapped from the keyboard comprise a password that may be used to authorize the device.
  - 10. The method of claim 1, wherein said input device comprises a detachable storage device and wherein said blocking step includes blocking any data stream from the storage device.
  - 11. The method of claim 1, wherein said blocking step includes:
    - blocking communication from the computer to the input device while the input device remains unauthorized.
  - 12. The method of claim 1, further comprising:
    - receiving input of a password to be utilized for authorizing the input device.
  - 13. The method of claim 12, wherein the password comprises an input device specific password input by an authorized user.
  - 14. The method of claim 1, further comprising:
    - upon detecting detachment of the input device from the computer, generating an alert that reports the detachment.
  - 15. The method of claim 14, wherein the alert is automatically transmitted to a system administrator.
  - 16. The method of claim 14, wherein the alert is automatically transmitted to a remote administration module operating on a different computer.
  - 17. The method of claim 16, further comprising:
    - receiving authorization from a remote administration module; and
      
      thereafterallowing communication with the input device.
  - 18. The method of claim 1, wherein said detecting step includes:
    - specifying an operating system hook that allows attachment and detachment of input devices to be detected.
  - 19. The method of claim 1, wherein said updating step includes:
    - updating the authorization information to indicate that the input device is currently untrusted.
  - 20. The method of claim 1, wherein said updating step includes:
    - treating the detachment as a security breach and blocking communication with a network node that the computer resides on.
  - 21. A non-transitory computer-readable medium having processor-executable instructions for performing the method of claim 1.
  - 22. The method of claim 1, further comprising:
    - downloading a set of processor-executable instructions for performing the method of claim 1 on a computer having a processor and a memory.

23. A system for protecting a computer from security breaches involving an unauthorized user installing a hardware-based key logger between a computer and an attached peripheral device, the system comprising:
- a computer having at least a processor and memory and including an operating system service that monitors connection and disconnection of peripheral devices that may be attached to the computer via an available external port;
  
  a filter module for receiving notification of connection and disconnection events from the operating system service when peripheral devices are attached to and detached from the computer, including connection and disconnection events that occur during installation of a hardware-based key logger on a given peripheral device attached to the computer, reporting such connection and disconnection events, and blocking communication with the given peripheral device attached to the computer until communication with the given peripheral device is authorized; and
  
  a desktop agent that determines, in response to reported connection events relating to a given peripheral device, whether or not the given peripheral device is authorized to communicate with the computer based on obtaining user input as to whether to allow communication with the given peripheral device, and for revoking the authorization of the given peripheral device to communicate with the computer in response to reported connection and disconnection events relating to the given peripheral device.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 24. The system of claim 23, wherein the desktop agent includes:
    - program logic for specifying a password for authorizing the given peripheral device.
  - 25. The system of claim 23, wherein the desktop agent includes:
    - program logic for specifying at least one user with sufficient privileges to authorize the given peripheral device.
  - 26. The system of claim 23, wherein the given peripheral device is a keyboard device attached to the computer via a port.
  - 27. The system of claim 26, wherein the port is a selected one of a USB port, an RS-232 port, a parallel port, a SCSI port, and an IEEE 1394 port.
  - 28. The system of claim 23, wherein said given peripheral device comprises an input device and wherein the filter module includes program logic for blocking input from the input device.
  - 29. The system of claim 28, wherein said input device is a keyboard device.
  - 30. The system of claim 29, wherein said filter module includes:
    - program logic for trapping keystrokes from the keyboard device.
  - 31. The system of claim 30, wherein said filter module further includes:
    - program logic for determining whether keystrokes trapped from the keyboard comprise a password that may be used to authorize the device.
  - 32. The system of claim 23, wherein said given peripheral device comprises a detachable storage device and wherein the filter module includes program logic for blocking any data stream from the storage device.
  - 33. The system of claim 23, wherein the filter module includes:
    - program logic for blocking communication from the computer to the given peripheral device until the given peripheral device is authorized.
  - 34. The system of claim 23, further comprising:
    - program logic for receiving user input of a password for authorizing the given peripheral device, and thereafterprogram logic for allowing communication with the given peripheral device.
  - 35. The system of claim 34, wherein the password comprises a device specific password provided by an authorized user.
  - 36. The system of claim 23, wherein said desktop agent further comprises:
    - program logic for generating, in response to reported disconnection events, an alert that reports the detachment.
  - 37. The system of claim 36, wherein the alert is automatically transmitted to a system administrator.
  - 38. The system of claim 36, wherein the alert is automatically transmitted to a remote administration module operating on a different computer.
  - 39. The system of claim 23, further comprising:
    - program logic for receiving authorization of the given peripheral device from a remote administration module; and
      
      thereafterprogram logic for allowing communication with the given peripheral device.
  - 40. The system of claim 23, wherein the filter module includes:
    - program logic for specifying an operating system hook that intercepts connection and disconnection events from the operating system service allowing attachment and detachment of peripheral devices to be detected.
  - 41. The system of claim 23, wherein the desktop agent includes:
    - program logic for notifying the filter module as to whether or not the given peripheral devices is authorized to communicated with the computer.
  - 42. The system of claim 23, wherein the desktop agent includes:
    - program logic for treating a disconnection event as a security breach and blocking communication with a network node that the computer resides on.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Inventors
Linetsky, Gene
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US10/707,602
Publication Number

US 20050138433A1
Time in Patent Office

3,206 Days
Field of Search

None
US Class Current

713/2
CPC Class Codes

G06F 21/31   User authentication

G06F 21/82   Protecting input, output or...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2129   Authenticate client device ...

Security system with methodology for defending against security breaches of peripheral devices

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Security system with methodology for defending against security breaches of peripheral devices

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links