Computer security method and system with input parameter validation

US 9,294,493 B2
Filed: 09/10/2014
Issued: 03/22/2016
Est. Priority Date: 12/12/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-based method for identifying suspicious downloadables, comprising:

receiving, by a receiving computer over a network, a downloadable;

scanning, by the receiving computer, the downloadable to detect the presence of potentially malicious method calls;

if at least one potentially malicious method call is detected by said scanning, appending, by the receiving computer, monitoring program code to the downloadable thereby generating a modified downloadable, wherein when executed the monitoring program code calls a function with an array parameter to build a dictionary of method calls, the dictionary including a collection of multi-element arrays, wherein each of the multi-element arrays includes a name of an object, a name of a method of that object, and a function for validating input parameters of that method;

overwriting, by the receiving computer, in accordance with the monitoring program code, the at least one potentially malicious method call in the downloadable;

executing, by the receiving computer, a run-time loop over the modified downloadable, wherein upon execution, one or more input parameters for the at least one potentially malicious method call is validated;

if each of the one or more input parameters is valid, forwarding the downloadable to a destination computer, wherein the forwarded downloadable is in an unmodified format; and

if one of the one or more input parameters is not valid, providing by the receiving computer, an alert that the downloadable is suspicious.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system, including a receiver for receiving a downloadable, a scanner, coupled with the receiver, for scanning the downloadable to identify suspicious computer operations therein, a code modifier, coupled with the scanner, for overwriting the suspicious computer operations with substitute computer operations, if at least one suspicious computer operation is identified by the scanner, and for appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is identified by the scanner, and a processor, coupled with the code modifier, for executing programmed instructions, wherein the monitoring program code includes program instructions for the processor to validate input parameters for the suspicious computer operations during run-time of the downloadable. A method is also described and claimed.

35 Citations

13 Claims

1. A computer-based method for identifying suspicious downloadables, comprising:
- receiving, by a receiving computer over a network, a downloadable;
  
  scanning, by the receiving computer, the downloadable to detect the presence of potentially malicious method calls;
  
  if at least one potentially malicious method call is detected by said scanning, appending, by the receiving computer, monitoring program code to the downloadable thereby generating a modified downloadable, wherein when executed the monitoring program code calls a function with an array parameter to build a dictionary of method calls, the dictionary including a collection of multi-element arrays, wherein each of the multi-element arrays includes a name of an object, a name of a method of that object, and a function for validating input parameters of that method;
  
  overwriting, by the receiving computer, in accordance with the monitoring program code, the at least one potentially malicious method call in the downloadable;
  
  executing, by the receiving computer, a run-time loop over the modified downloadable, wherein upon execution, one or more input parameters for the at least one potentially malicious method call is validated;
  
  if each of the one or more input parameters is valid, forwarding the downloadable to a destination computer, wherein the forwarded downloadable is in an unmodified format; and
  
  if one of the one or more input parameters is not valid, providing by the receiving computer, an alert that the downloadable is suspicious.
- View Dependent Claims (2, 3)
- - 2. A computer-based method for identifying suspicious downloadables in accordance with claim 1, wherein if one of the one or more input parameters is not valid, replacing by the receiving computer, the input parameters that are not valid with valid input parameters and forwarding the downloadable to a destination compute.
  - 3. A computer-based method for identifying suspicious downloadables in accordance with claim 1, further comprising consulting by the receiving computer, a security policy to determine whether or not to forward the downloadable to a destination computer even though one of the one or more input parameters is not valid.

4. A computer-based method for identifying suspicious downloadables, comprising:
- receiving, by a receiving computer over a network, a downloadable;
  
  scanning, by the receiving computer, the downloadable to detect the presence of potentially malicious method calls;
  
  if at least one potentially malicious method call is detected by said scanning, appending, by the receiving computer, monitoring program code to the downloadable thereby generating a modified downloadable, wherein when executed the monitoring program code calls a function with an array parameter to build a dictionary of method calls, the dictionary including a collection of multi-element arrays, wherein each of the multi-element arrays includes a name of an object, a name of a method of that object, and a function for validating input parameters of that method;
  
  executing, by the receiving computer, a run-time loop over the modified downloadable, wherein upon execution the receiving computer,(i) overwrites the at least one potentially malicious method call in the downloadable, and(ii) validates one or more input parameters of the potentially malicious method call;
  
  if each of the one or more input parameters is valid, forwarding the downloadable to a destination computer, wherein the forwarded downloadable is in an unmodified format; and
  
  if one of the one or more input parameters is not valid, providing by the receiving computer, an alert that the downloadable is suspicious.
- View Dependent Claims (5, 6)
- - 5. A computer-based method for identifying suspicious downloadables in accordance with claim 4, wherein if one of the one or more input parameters is not valid, replacing by the receiving computer, the input parameters that are not valid with valid input parameters and forwarding the downloadable to a destination computer.
  - 6. A computer-based method for identifying suspicious downloadables in accordance with claim 4, further comprising consulting by the receiving computer, a security policy to determine whether or not to forward the downloadable to a destination computer even though one of the one or more input parameters is not valid.

7. A computer system with a secure gateway, comprising:
- a gateway computer in communication with one or more destination computers, the gateway computer comprising;
  
  a receiver for receiving a downloadable in transit to said one or more destination computers;
  
  a scanner for scanning the received downloadable to detect the presence of potentially malicious method calls;
  
  a code monitor for (i) appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one potentially malicious method call is detected by said scanner, wherein when executed the monitoring program code calls a function with an array parameter to build a dictionary of method calls, the dictionary including a collection of multi-element arrays, wherein each of the multi-element arrays includes a name of an object, a name of a method of that object, and a function for validating input parameters of that method, and (ii) overwrite overwriting a call in the downloadable to the at least one potentially malicious method call; and
  
  a microprocessor for operable to (i) executing a run-time loop over the modified downloadable, wherein upon execution, one or more input parameters for the at least one potentially malicious method call is validated, (ii) forwarding the downloadable to said one or more destination computers, if each of the one or more input parameters is valid, wherein the forwarded downloadable is in an unmodified format, and (iii) provide providing an alert that the downloadable is suspicious one of the one or more input parameters is not valid.
- View Dependent Claims (8, 9)
- - 8. A computer system with a secure gateway in accordance with claim 7, wherein the microprocessor replaces the input parameters that are not valid with valid input parameters and forwards the downloadable to one or more destination computers, if one of the one or more input parameters is not valid.
  - 9. A computer system with a secure gateway in accordance with claim 7, wherein the microprocessor consults a security policy to determine whether or not to forward the downloadable to a destination computer even though one of the one or more input parameters is not valid.

10. A secure client computer that receives executable downloadables from other computers, comprising:
- a receiver for receiving a downloadable;
  
  a scanner for scanning the received downloadable to detect the presence of potentially malicious method calls;
  
  a code monitor for appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one potentially malicious method call is detected by said scanner, wherein when executed the monitoring program code calls a function with an array parameter to build a dictionary of method calls, the dictionary including a collection of multi-element arrays, wherein each of the multi-element arrays includes a name of an object, a name of a method of that object, and a function for validating input parameters of that method;
  
  a microprocessor for executing program instructions including (i) executing a run-time loop over the modified downloadable, wherein upon execution, one or more input parameters for the suspicious at least one potentially malicious method call is validated, (ii) forwarding the downloadable to said one or more destination computers, if each of the one or more input parameters is valid, and (iii) providing an alert that the downloadable is suspicious, if one of the one or more input parameters is not valid.
- View Dependent Claims (11, 12, 13)
- - 11. A secure client computer that receives executable downloadables from other computers in accordance with claim 10, wherein the microprocessor replaces the input parameters that are not valid with valid input parameters and forwards the downloadable to one or more destination computers, if one of the one or more input parameters is not valid.
  - 12. A secure client computer that receives executable downloadables from other computers in accordance with claim 10, wherein the microprocessor consults a security policy to determine whether or not to forward the downloadable to a destination computer even though one of the one or more input parameters is not valid.
  - 13. A secure client computer that receives executable downloadables from other computers in accordance with claim 10, wherein the code modifier overwrites a call in the downloadable to the at least one potentially malicious method call with a modified call that invokes the function for validating input parameters of the potentially malicious method call prior to the microprocessor executing a run-time loop.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Holdings, Inc. (SoftBank Group Corp.)
Original Assignee
Finjan, Inc. (SoftBank Group Corp.)
Inventors
Ben-Itzhak, Yuval, Yosef, Golan, Taub, Israel
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
GRACIA, GARY S

Application Number

US14/482,434
Publication Number

US 20150007321A1
Time in Patent Office

559 Days
Field of Search

726/23, 726/24
US Class Current

1/1
CPC Class Codes

G06F 21/54   by adding security routines...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Computer security method and system with input parameter validation

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Computer security method and system with input parameter validation

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others