(10) Patent No.: US 6,480,962 B1
(45) Date of Patent: *Nov. 12, 2002

Touboul

(54) SYSTEM AND METHOD FOR PROTECTING A CLIENT DURING RUNTIME FROM HOSTILE DOWNLOADABLES

(75) Inventor: Shlomo Touboul, Kefar-Haim (IL)

(73) Assignee: Finjan Software, Ltd., Kefar-Haim (IL)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.
This patent is subject to a terminal disclaimer.

(21) Appl. No.: 09/551,302
(22) Filed: Apr. 18, 2000

Related U.S. Application Data
(63) Continuation of application No. 08/790,097, filed on Jan. 29, 1997.
(60) Provisional application No. 60/030,639, filed on Nov. 8, 1996.

(51) Int. Cl. .......................... H02H 3/05
(52) U.S. Cl. .......................... 713/200; 713/201
(58) Field of Search ................. 713/200, 201, 713/202; 714/38, 704; 709/225, 229

(56) References Cited

U.S. PATENT DOCUMENTS
5,077,677 A  12/1991  Murphy et al.
5,359,659 A  10/1994  Rosenthal
5,361,359 A  11/1994  Tajalli et al.
5,485,409 A   1/1996  Gupta et al.
5,485,575 A   1/1996  Chess et al.
5,572,643 A  11/1996  Judson
5,606,668 A   2/1997  Shwed
5,623,600 A   4/1997  Ji et al.
5,638,446 A   6/1997  Rubin
5,692,047 A  11/1997  McManis
5,692,124 A  11/1997  Holden et al.
5,720,033 A   2/1998  Deo
5,724,425 A   3/1998  Chang et al.
5,740,248 A   4/1998  Fieres et al.
5,761,421 A   6/1998  van Hoff et al.
(List continued on next page.)

OTHER PUBLICATIONS
Jim K. Omura, "Novel Applications of Cryptography in Digital Communications", IEEE Communications Magazine, May 1990, pp. 21-29.
Okamoto, E. et al., "ID-Based Authentication System For Computer Virus Detection", IEEE/IEE Electronic Library online, Electronics Letters, vol. 26, Issue 15, ISSN 0013-5194, Jul. 19, 1990, Abstract and pp. 1169-1170. URL: http://iel.ihs.com:80/cgi-bin/iel_cgi?se...2ehts%26ViewTemplate%3ddocview%5fb%2ehts.
IBM AntiVirus User's Guide Version 2.4, International Business Machines Corporation, Nov. 15, 1995, pp. 6-7.
Norvin Leach et al., "IE 3.0 Applets Will Earn Certification", PC Week, vol. 13, No. 29, Jul. 22, 1996, 2 pages.
"Finjan Software Releases SurfinBoard, Industry's First JAVA Security Product For the World Wide Web", Article published on the Internet by Finjan Software Ltd., Jul. 29, 1996, 1 page.
(List continued on next page.)

Attorney, Agent, or Firm: Squire, Sanders & Dempsey L.L.P.

(57) ABSTRACT

A system protects a client from hostile Downloadables. The system includes security rules defining suspicious actions and security policies defining the appropriate responsive actions to rule violations. The system includes an interface for receiving an incoming Downloadable and requests made by the Downloadable. The system still further includes a comparator coupled to the interface for examining the Downloadable, requests made by the Downloadable and runtime events to determine whether a security policy has been violated, and a response engine coupled to the comparator for performing a violation-based responsive action.

51 Claims, 7 Drawing Sheets
`
`
`
`
`
`
`
`
`
`
`
`
`
[Representative front-page drawing (a flowchart) omitted; its labels are not recoverable from the extraction.]
`
`
`
`SOPHOS
`EXHIBIT 1016 - PAGE 0001
`
`
`
`
U.S. PATENT DOCUMENTS (continued)
5,765,205 A   6/1998  Breslau et al.
5,784,459 A   7/1998  Devarakonda et al.
5,796,952 A   8/1998  Davis et al.
5,805,829 A   9/1998  Cohen et al.
5,832,208 A  11/1998  Chen et al.
5,850,559 A  12/1998  Angelo et al.
5,859,966 A   1/1999  Hayman et al.
5,864,683 A   1/1999  Boebert et al.
5,892,904 A   4/1999  Atkinson et al.
5,951,698 A   9/1999  Chen et al.
5,956,481 A   9/1999  Walsh et al.
5,974,549 A  10/1999  Golan
5,983,348 A  11/1999  Ji
6,092,194 A *  7/2000  Touboul ................... 713/200
6,154,844 A * 11/2000  Touboul et al. ............ 713/201
6,167,520 A * 12/2000  Touboul ................... 713/200
OTHER PUBLICATIONS (continued)
"Powerful PC Security for the New World of JAVA™ and Downloadables, SurfinShield™", Article published on the Internet by Finjan Software Ltd., 1996, 2 pages.
Microsoft® Authenticode Technology, "Ensuring Accountability and Authenticity for Software Components on the Internet", Microsoft Corporation, Oct. 1996, including Abstract, Contents, Introduction and pp. 1-10.
"Finjan Announces a Personal Java™ Firewall For Web Browsers—the SurfinShield™ 1.6 (formerly known as SurfinBoard)", Press Release of Finjan Releases SurfinShield 1.6, Oct. 21, 1996, 2 pages.
Company Profile "Finjan—Safe Surfing, The Java Security Solutions Provider", Article published on the Internet by Finjan Software Ltd., Oct. 31, 1996, 3 pages.
"Finjan Announces Major Power Boost and New Features for SurfinShield™ 2.0", Las Vegas Convention Center/Pavilion 5 P5551, Nov. 18, 1996, 3 pages.
"Java Security: Issues & Solutions", Article published on the Internet by Finjan Software Ltd., 1996, 8 pages.
"Products", Article published on the Internet, 7 pages.
Mark LaDue, "Online Business Consultant: Java Security: Whose Business Is It?", Article published on the Internet, Home Page Press, Inc. 1996, 4 pages.
Web Page Article "Frequently Asked Questions About Authenticode", Microsoft Corporation, last updated Feb. 17, 1997, Printed Dec. 23, 1998. URL: http://www.microsoft.com/workshop/security/authcode/signfaq.asp#9, pp. 1-13.
Zhang, X.N., "Secure Code Distribution", IEEE/IEE Electronic Library online, Computer, vol. 30, Issue 6, Jun. 1997, pp. 76-79.

* cited by examiner
`
`
`
[Sheet 1 of 7, FIG. 1: block diagram of the network system. Labels recoverable from the drawing: DOWNLOADABLE 140, COMMUNICATIONS CHANNEL, SECURITY SYSTEM 135.]
`
`
`
[Sheet 2 of 7, FIG. 2: block diagram of the client; labels not recoverable from the extraction.]
`
`
`
`
`
[Sheet 3 of 7, FIG. 3: block diagram of security system 135a. Labels recoverable from the mirrored drawing text: JAVA VIRTUAL MACHINE, BROKER, RESPONSE ENGINE, RUNTIME ENVIRONMENT MONITOR, SECURITY DATABASE, NETWORK SYSTEM PROBE and the other system probes.]
`
`
`
`
[Sheet 4 of 7, FIG. 4: block diagram of the alternative security system 135b. Labels recoverable from the mirrored drawing text: RESPONSE ENGINE, RUNTIME ENVIRONMENT MONITOR, SECURITY DATABASE, POLICIES, and the network, process and memory system probes.]
`
`
`
`
[Sheet 5 of 7, FIG. 5: flowchart of method 500. Box text recoverable from the drawing:
RECOGNIZE RECEIPT OF A REQUEST MADE BY A DOWNLOADABLE DURING RUNTIME?
INTERRUPT PROCESSING OF THE REQUEST
FORWARD A MESSAGE IDENTIFYING THE DOWNLOADABLE TO THE EVENT ROUTER
INFORM USER
LOG EVENTS
ARE ANY INCOMING DOWNLOADABLES KNOWN TO BE SUSPICIOUS? (YES / NO)
ARE THE EXECUTING DOWNLOADABLES IN VIOLATION OF A ...? (YES / NO)
RESUME OPERATION OF THE DOWNLOADABLE]
`
`
`
[Sheet 6 of 7, FIG. 6: flowchart of step 530. Box text recoverable from the drawing:
610  COMPILE ALL CURRENT RULE VIOLATIONS
620  COMPARE RULE VIOLATIONS WITH SECURITY POLICIES
630  PERFORM A PREDETERMINED RESPONSE ACTION BASED ON THE COMPARISON]
`
`
`
[Sheet 7 of 7, FIG. 7: flowchart of method 700. Box text recoverable from the drawing:
MONITOR OPERATING SYSTEM FOR ALL OS REQUESTS
OS REQUEST RECEIVED? (YES)
INTERRUPT OS REQUEST
FORWARD INFORMATION ON OS REQUEST TO THE EVENT ROUTER
IS OS REQUEST SUSPICIOUS? (NO: 730 RESUME OS REQUEST / YES: MANAGE THE SUSPICIOUS DOWNLOADABLE)
740 (end decision)]
`
`
`
SYSTEM AND METHOD FOR PROTECTING A CLIENT DURING RUNTIME FROM HOSTILE DOWNLOADABLES

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is related to co-pending provisional patent application filed on Nov. 8, 1996, entitled "System and Method for Protecting a Computer from Hostile Downloadables," Ser. No. 60/030,639, by inventor Shlomo Touboul, and is a continuation of U.S. patent application filed on Jan. 29, 1997, entitled "System and Method for Protecting a Computer During Runtime From Hostile Downloadables," Ser. No. 08/790,097, by inventor Shlomo Touboul, which subject matters are hereby incorporated by reference herein.
`
`BACKGROUND OF THE INVENTION
`
`1. Field of the Invention
`
`This invention relates generally to computer networks,
`and more particularly to a system and method for protecting
`clients from hostile Downloadables.
`
`2. Description of the Background Art
`The Internet currently interconnects about 100,000 indi-
`vidual computer networks and several million computers.
`Because it is public, the Internet has become a major source
`of many system damaging and system fatal application
`programs, commonly referred to as “viruses.”
In response to the widespread generation and distribution of computer viruses, programmers continue to design and update security systems for blocking these viruses from attacking both individual and network computers. For the most part, these security systems have been relatively successful. However, these security systems are typically not configured to recognize computer viruses which have been attached to or masked as harmless Downloadables (i.e., applets). A Downloadable is a small executable or interpretable application program which is downloaded from a source computer and run on a destination computer. A Downloadable is used in a distributed environment such as in the Java™ distributed environment produced by Sun Microsystems or in the ActiveX™ distributed environment produced by Microsoft Corporation.
Hackers have developed hostile Downloadables designed to penetrate security holes in Downloadable interpreters. In response, Sun Microsystems, Inc. has developed a method of restricting Downloadable access to resources (file system resources, operating system resources, etc.) on the destination computer, which effectively limits Downloadable functionality at the Java™ interpreter. Sun Microsystems, Inc. has also provided access control management for basing Downloadable-accessible resources on Downloadable type. However, the above approaches are difficult for the ordinary web surfer to manage, severely limit Java™ performance and functionality, and insufficiently protect the destination computer.

Other security system designers are currently considering digital signature registration stamp techniques, wherein, before a web browser will execute a Downloadable, the Downloadable must possess a digital signature registration stamp. Although a digital signature registration stamp will diminish the threat of Downloadables being intercepted, exchanged or corrupted, this approach only partially addresses the problem. This method does not stop a hostile Downloadable from being stamped with a digital signature, and a digital signature does not guarantee that a Downloadable is harmless. Therefore, a system and method are needed for protecting clients from hostile Downloadables.
`SUMMARY OF THE INVENTION
`
The present invention provides a system for protecting a client from hostile Downloadables. The system includes security rules defining suspicious actions such as WRITE operations to a system configuration file, overuse of system memory, overuse of system processor time, etc. and security policies defining the appropriate responsive actions to rule violations such as terminating the applet, limiting the memory or processor time available to the applet, etc. The system includes an interface, such as Java™ class extensions and operating system probes, for receiving incoming Downloadables and requests made by the Downloadable. The system still further includes a comparator coupled to the interface for examining the Downloadable, requests made by the Downloadable and runtime events to determine whether a security policy has been violated, and a response engine coupled to the comparator for performing the violation-based responsive action.

The present invention further provides a method for protecting a client from hostile Downloadables. The method includes the steps of recognizing a request made by a Downloadable during runtime, interrupting processing of the request, comparing information pertaining to the Downloadable against a predetermined security policy, recording all rule violations in a log, and performing a predetermined responsive action based on the comparison.

It will be appreciated that the system and method of the present invention use at least three hierarchical levels of security. A first level examines the incoming Downloadables against known suspicious Downloadables. A second level examines runtime events. A third level examines the Downloadables' operating system requests against predetermined suspicious actions. Thus, the system and method of the invention are better able to locate hostile operations before client resources are damaged.
`BRIEF DESCRIPTION OF THE DRAWINGS
`
FIG. 1 is a block diagram illustrating a network system in accordance with the present invention;
FIG. 2 is a block diagram illustrating details of the client;
FIG. 3 is a block diagram illustrating details of a security system;
FIG. 4 is a block diagram illustrating details of an alternative security system;
FIG. 5 is a flowchart illustrating a method for protecting a client from suspicious Downloadables;
FIG. 6 is a flowchart illustrating the method for managing a suspicious Downloadable; and
FIG. 7 is a flowchart illustrating a supplementary method for protecting a client from suspicious Downloadables.
`DETAILED DESCRIPTION OF THE
`PREFERRED EMBODIMENT
`
FIG. 1 is a block diagram illustrating a network system 100 in accordance with the present invention. Network system 100 includes a server 110 coupled to a communications channel 120, e.g., an Internet or an Intranet. The communications channel 120 is in turn coupled to a client 130, e.g., an individual computer, a network computer, a kiosk workstation, etc., which includes a security system 135 for protecting the client 130 from hostile (i.e., will adversely affect the operational characteristics of the client 130) or suspicious (i.e., potentially hostile) Downloadables. Server 110 forwards a Downloadable 140 across the communications channel 120 to the client 130. During runtime, the security system 135 examines each Downloadable 140 and the actions of each Downloadable 140 to monitor for hostile or suspicious actions.
FIG. 2 is a block diagram illustrating details of a client 130, which includes a Central Processing Unit (CPU) 205, such as a Motorola Power PC® microprocessor or an Intel Pentium® microprocessor, coupled to a signal bus 220. The client 130 further includes an input device 210 such as a keyboard and mouse, an output device 215 such as a Cathode Ray Tube (CRT) display, a data storage device 230 such as Read Only Memory (ROM) or magnetic disk, and a Random-Access Memory (RAM) 235, each being coupled to signal bus 220. A communications interface 225 is coupled between the communications channel 120 and the signal bus 220.

An operating system 260 controls processing by CPU 205, and is typically stored in data storage device 230 and loaded into RAM 235 for execution. The operating system 260 includes a file management system 265, a network management system 270, a process system 275 for controlling CPU 205, and a memory management system 280 for controlling memory use and allocation. A communications engine 240 generates and transfers message packets to and from the communications channel 120 via the communications interface 225, and may also be stored in data storage device 230 and loaded into RAM 235 for execution.
`
The client 130 further includes a web browser 245, such as the Netscape™ web browser produced by the Netscape Corporation, the Internet Explorer™ web browser produced by the Microsoft Corporation, or the Java™ Developers Kit 1.0 web browser produced by Sun Microsystems, Inc., for communicating via the communications channel 120. The web browser 245 includes a Downloadable engine 250 for managing and executing received Downloadables 140.

The client 130 further includes the security system 135 as described with reference to FIG. 1. The security system 135 may be stored in data storage device 230 and loaded into RAM 235 for execution. During runtime, the security system 135 intercepts and examines Downloadables 140 and the actions of Downloadables 140 to monitor for hostile or suspicious actions. If the security system 135 recognizes a suspicious Downloadable 140 or a suspicious request, then the security system 135 can perform an appropriate responsive action such as terminating execution of the Downloadable 140.
`
FIG. 3 is a block diagram illustrating details of the security system 135a, which is a first embodiment of security system 135 of FIG. 2 when operating in conjunction with a Java™ virtual machine 250 (i.e., the Downloadable engine 250) that includes conventional Java™ classes 302. Each of the Java™ classes 302 performs a particular service such as loading applets, managing the network, managing file access, etc. Although applets are typically described with reference to the Java™ distributed environment, applets herein correspond to all downloadable executable or interpretable programs for use in any distributed environment such as in the ActiveX™ distributed environment.
`
Examples of Java™ classes used in Netscape Navigator™ include AppletSecurity.class, EmbeddedAppletFrame.class, AppletClassLoader.class, MozillaAppletContext.class, ServerSocket.class, SecurityException.class and SecurityManager.class, etc. Examples of Java™ classes used in Internet Explorer™ include AppletSecurity.class, BrowserAppletFrame.class, AppletClassLoader.class, ServerSocket.class, SecurityException.class and SecurityManager.class, etc. Other classes may include Broker.class, BCInterface.class, SocketConnection.class, queueManager.class, BrowserExtension.class, Message.class, MemoryMeter.class and AppletDescription.class.
`
The security system 135a includes Java™ class extensions 304, wherein each extension 304 manages a respective one of the Java™ classes 302. When a new applet requests the service of a Java™ class 302, the corresponding Java™ class extension 304 interrupts the request and generates a message to notify the request broker 306 of the Downloadable's request. The request broker 306 uses TCP/IP message passing protocol to forward the message to the event router 308.
`
The security system 135a further includes operating system probes 310, 312, 314 and 316. More particularly, a file management system probe 310 recognizes applet instructions sent to the file management system 265 of operating system 260, a network system probe 312 recognizes applet instructions sent to the network management system 270 of operating system 260, a process system probe 314 recognizes applet instructions sent to the process system 275 of operating system 260, and a memory management system probe 316 recognizes applet instructions sent to the memory management system 280 of operating system 260. When any of the probes 310-316 recognizes an applet instruction, the recognizing probe 310-316 sends a message to inform the event router 308.
Upon receipt of a message, the event router 308 accordingly forwards the message to a Graphical User Interface (GUI) 324 for notifying the user of the request, to an event log 322 for recording the message for subsequent analysis, and to a runtime environment monitor 320 for determining whether the request violates a security rule 330 stored in a security database 326. Security rules 330 include a list of computer operations which are deemed suspicious. Suspicious operations may include READ/WRITE operations to a system configuration file, READ/WRITE operations to a document containing trade secrets, overuse of system memory, overuse of system processor time, too many applets running concurrently, or too many images being displayed concurrently. For example, the runtime environment monitor 320 may determine that a security rule 330 has been violated when it determines that an applet uses more than two megabytes of RAM 235 or when the Java™ virtual machine 250 runs more than five applets concurrently.

Upon recognition of a security rule 330 violation, the runtime environment monitor 320 records the violation with the event log 322, informs the user of the violation via the GUI 324 and forwards a message to inform the response engine 318 of the violation. The response engine 318 analyzes security policies 332 stored in the security database 326 to determine the appropriate responsive action to the rule 330 violation. Appropriate responsive actions may include terminating the applet, limiting the memory or processor time available to the applet, etc. For example, the response engine 318 may determine that a security policy 332 dictates that when more than five applets are executed concurrently, operation of the applet using the greatest amount of RAM 235 should be terminated. Further, a security policy 332 may dictate that when an applet or a combination of applets violates a security policy 332, the response engine 318 must add information pertaining to the applet or applets to the suspicious Downloadables database 328. Thus, when the applet or applets are encountered again, the response engine 318 can stop them earlier.
`The GUI 324 enables a user to add or modify the rules 330
`of the security database 326, the policies 332 of the security
`database 326 and the suspicious applets of the suspicious
`Downloadables database 328. For example, a user can use
`the GUI 324 to add to the suspicious Downloadables data-
`base 328 applets generally known to be hostile, applets
`deemed to be hostile by the other clients 130 (not shown),
`applets deemed to be hostile by network MIS managers, etc.
`Further, a user can use the GUI 324 to add to the rules 330
`actions generally known to be hostile, actions deemed to be
`hostile by network MIS managers, etc.
It will be appreciated that the embodiment illustrated in FIG. 3 includes three levels of security. The first level examines the incoming Downloadables 140 against known suspicious Downloadables. The second level examines the Downloadables' access to the Java™ classes 302. The third level examines the Downloadables' requests to the operating system 260. Thus, the security system 135a is better able to locate a hostile operation before the operation damages client 130 resources.
`
FIG. 4 is a block diagram illustrating details of a security system 135b, which is a second embodiment of security system 135 when operating in conjunction with the ActiveX™ platform (i.e., the Downloadable engine 250), which uses message 401 calls, Dynamic-Data-Exchange (DDE) 402 calls and Dynamically-Linked-Library (DLL) 403 calls. Thus, instead of having Java™ class extensions 304, the security system 135b has a messages extension 404 for recognizing message 401 calls, a DDE extension 405 for recognizing DDE 402 calls and a DLL extension 406 for recognizing DLL 403 calls. Upon recognition of a call, each of the messages extension 404, the DDE extension 405 and the DLL extension 406 sends a message to inform the request broker 306. The request broker 306 and the remaining elements operate similarly to the elements described with reference to FIG. 3.
`
FIG. 5 is a flowchart illustrating a method 500 for protecting a client 130 from hostile and suspicious Downloadables 140. Method 500 begins with the extensions 304, 404, 405 or 406 in step 505 waiting to recognize the receipt of a request made by a Downloadable 140. Upon recognition of a request, the recognizing extension 304, 404, 405 or 406 in step 506 interrupts processing of the request and in step 508 generates and forwards a message identifying the incoming Downloadable 140 to the request broker 306, which forwards the message to the event router 308.

The event router 308 in step 510 forwards the message to the GUI 324 for informing the user and in step 515 to the event log 322 for recording the event. Further, the event router 308 in step 520 determines whether any of the incoming Downloadables 140 either alone or in combination are known or previously determined to be suspicious. If so, then method 500 jumps to step 530. Otherwise, the runtime environment monitor 320 and the response engine 318 in step 525 determine whether any of the executing Downloadables 140 either alone or in combination violate a security rule 330 stored in the security database 326.

If a rule 330 has been violated, then the response engine 318 in step 530 manages the suspicious Downloadable 140. Step 530 is described in greater detail with reference to FIG. 6. Otherwise, if no rule 330 has been violated, then the response engine 318 in step 540 resumes operation of the Downloadable 140. In step 535, a determination is made whether to end method 500. For example, if the user disconnects the client 130 from the server 110, method 500 ends. If a request to end is made, then method 500 ends. Otherwise, method 500 returns to step 505.
FIG. 6 is a flowchart illustrating details of step 530. Since multiple rule 330 violations may amount to a more serious violation and thus require a stricter response by the response engine 318, step 530 begins with the response engine 318 in step 610 compiling all rule 330 violations currently occurring. The response engine 318 in step 620 compares the compiled rule 330 violations with the security policies 332 to determine the appropriate responsive action for managing the suspicious Downloadable 140 or Downloadables 140, and in step 630 the response engine 318 performs a predetermined responsive action. Predetermined responsive actions may include sending a message via the GUI 324 to inform the user, recording the message in the event log 322, stopping execution of a suspicious Downloadable 140, storing a Downloadable 140 or combination of Downloadables 140 in the suspicious Downloadables database 328, limiting memory available to the Downloadable 140, limiting processor time available to the Downloadable 140, etc.
FIG. 7 is a flowchart illustrating a supplementary method 700 for protecting a client 130 from suspicious Downloadables 140. Method 700 begins with operating system probes 310, 312, 314 and 316 in step 705 monitoring the operating system 260 for Operating System (OS) requests from Downloadables 140. As illustrated by step 710, when one of the probes 310-316 recognizes receipt of an OS request, the recognizing probe 310-316 in step 715 interrupts the request and in step 720 forwards a message to inform the event router 308.

The event router 308 in step 725 routes the information to each of the components of the security system 135 as described with reference to FIG. 5. That is, the event router 308 forwards the information to the GUI 324 for informing the user, to the event log 322 for recordation and to the runtime environment monitor 320 for determining if the OS request violates a rule 330. The response engine 318 compares the OS request alone or in combination with other violations against security policies 332 to determine the appropriate responsive actions. It will be appreciated that, based on the security policies 332, the response engine 318 may determine that an OS request violation in combination with other OS request violations, in combination with rule 330 violations, or in combination with both other OS request violations and rule 330 violations merits a stricter responsive action.

If the OS request does not violate a security rule 330, then the response engine 318 in step 730 instructs the operating system 260 via the recognizing probe 310-316 to resume operation of the OS request. Otherwise, if the OS request violates a security rule 330, then the response engine 318 in step 730 manages the suspicious Downloadable by performing the appropriate predetermined responsive actions as described with reference to FIGS. 5 and 6. In step 740, a determination is made whether to end method 700. If a request to end the method is made, then method 700 ends. Otherwise, method 700 returns to step 705.
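The pipeline described for FIG. 3 (a class extension 304 or OS probe 310-316 interrupting a request, the runtime environment monitor 320 testing it against rules 330, the response engine 318 compiling the current violations and matching them against policies 332) and walked through as methods 500, 600 and 700, as an added Python example. This is not code from the patent or from any Finjan product; every class name (SecuritySystem, ClassExtension, Event, Downloadable, FileSystem), rule and policy name, file path, applet name and the scenario in demo() is an assumption chosen for illustration. The two-megabyte and five-applet thresholds are the figures the text gives, and the policy table models the text's point that several simultaneous violations draw a stricter response than any one of them.

```python
"""Toy model of the security system of FIG. 3 and of methods 500, 600 and 700.
Added example, not code from the patent or from Finjan: every class, name, path and
threshold below is an assumption chosen to illustrate the rule/policy pipeline."""
from dataclasses import dataclass

@dataclass
class Downloadable:
    name: str
    ram_mb: float = 0.0            # RAM the applet uses (assumed to be measured elsewhere)

@dataclass
class Event:                       # a request caught by a class extension (304) or OS probe (310-316)
    source: str                    # extension or probe that saw it, e.g. "file_system"
    action: str                    # e.g. "READ", "WRITE", "LOAD", "CONNECT"
    target: str                    # path, class name, host:port, ...
    downloadable: Downloadable     # the applet that made the request

# Security rules 330: rule name -> predicate(event, Downloadables currently running).
RULES = {
    "config_write": lambda e, run: e.action == "WRITE" and e.target in {"/etc/passwd", "C:\\WINDOWS\\SYSTEM.INI"},
    "memory_overuse": lambda e, run: e.downloadable.ram_mb > 2.0,   # patent: more than two megabytes
    "too_many_applets": lambda e, run: len(run) > 5,               # patent: more than five applets
}

# Security policies 332: (set of violated rules) -> responsive action.  A policy keyed on
# several rules is the stricter response to simultaneous violations (method 600, step 620).
POLICIES = [
    ({"memory_overuse", "too_many_applets"}, "TERMINATE"),
    ({"known_suspicious"}, "DISCARD"),
    ({"config_write"}, "TERMINATE"),
    ({"memory_overuse"}, "LIMIT_MEMORY"),
    ({"too_many_applets"}, "TERMINATE_LARGEST"),
]

class SecuritySystem:
    """Event router 308, runtime environment monitor 320 and response engine 318 in one."""
    def __init__(self, rules=RULES, policies=POLICIES, suspicious=()):
        self.rules = rules
        self.policies = sorted(policies, key=lambda p: -len(p[0]))   # most specific policy first
        self.suspicious_db = set(suspicious)   # suspicious Downloadables database 328
        self.event_log = []                    # event log 322
        self.running = []                      # Downloadables the engine is executing

    def handle(self, ev):
        """Method 500 for an already-interrupted request: returns "RESUME" or the action taken."""
        self.event_log.append(("request", ev.downloadable.name, ev.source, ev.action, ev.target))
        if ev.downloadable.name in self.suspicious_db:                       # first level, step 520
            return self.respond(ev.downloadable, {"known_suspicious"})
        violated = {n for n, check in self.rules.items() if check(ev, self.running)}   # step 525
        return self.respond(ev.downloadable, violated) if violated else "RESUME"        # step 540

    def respond(self, d, violated):
        """Method 600: compile the current violations, match them against the policies, act."""
        self.event_log.extend(("violation", d.name, v) for v in sorted(violated))
        action = next((a for keys, a in self.policies if keys <= violated), "INFORM_USER")
        victim = None
        if action == "TERMINATE":
            victim = d
        elif action == "TERMINATE_LARGEST":    # the patent's example: stop the applet using the most RAM
            victim = max(self.running, key=lambda x: x.ram_mb, default=d)
            action = f"TERMINATE:{victim.name}"
        if victim is not None:
            self.running = [x for x in self.running if x is not victim]
            self.suspicious_db.add(victim.name)  # remembered so it is stopped earlier next time
        self.event_log.append(("response", d.name, action))
        return action

class ClassExtension:
    """Models a class extension 304 or an OS probe: each call on the wrapped service is
    interrupted, routed through the security system and resumed only on "RESUME"."""
    def __init__(self, source, service, system, owner):
        self.source, self.service, self.system, self.owner = source, service, system, owner
    def __getattr__(self, method):
        real = getattr(self.service, method)
        def guarded(target, *args):
            verdict = self.system.handle(Event(self.source, method.upper(), target, self.owner))
            if verdict != "RESUME":
                raise PermissionError(f"{self.source}.{method}({target!r}) blocked", verdict)
            return real(target, *args)
        return guarded

class FileSystem:                  # stand-in for the file management system 265
    def read(self, path): return f"read {path}"
    def write(self, path, data): return f"wrote {path}"

def demo():
    """Constructed scenario exercising all three levels; returns (system, verdicts)."""
    sec = SecuritySystem(suspicious={"evil.class"})
    clock, hog = Downloadable("clock.class", 0.5), Downloadable("hog.class", 3.0)
    sec.running += [clock, hog]
    fs = ClassExtension("file_system", FileSystem(), sec, clock)
    r = {"benign_read": fs.read("/tmp/scratch")}                          # no rule hit: resumed
    try:
        r["config_write"] = fs.write("/etc/passwd", "x=1")                # config_write rule fires
    except PermissionError as err:
        r["config_write"] = err.args[1]                                   # the verdict, "TERMINATE"
    r["known"] = sec.handle(Event("java:AppletClassLoader", "LOAD", "evil.class", Downloadable("evil.class")))
    r["memory"] = sec.handle(Event("memory", "ALLOC", "512KB", hog))       # memory_overuse: LIMIT_MEMORY
    sec.running += [Downloadable(f"a{i}.class", 0.2) for i in range(5)] + [Downloadable("big.class", 1.5)]
    r["combined"] = sec.handle(Event("java:ServerSocket", "CONNECT", "example.invalid:80", hog))
    r["too_many"] = sec.handle(Event("java:AppletClassLoader", "LOAD", "a9.class", Downloadable("a9.class")))
    return sec, r
```

demo() returns the system and the verdict for each constructed request. The wrapped write to a configuration file comes back as "TERMINATE" and the applet lands in the suspicious database, so the same applet is discarded at the first level next time; the request from hog.class with seven applets running trips two rules at once and matches the two-rule policy before either single-rule policy, because policies are tried most-specific first; the following request with six applets running matches only too_many_applets, and the response engine stops the applet using the most RAM rather than the requester.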
The foregoing description of the preferred embodiments of the invention is by way of example only, and other variations of the above-described embodiments and methods are provided by the present invention. For example, although the invention has been described in a system for protecting an internal computer network, the invention can be embodied in a system for protecting an individual computer. Components of this invention may be implemented using a programmed general purpose digital computer, using application specific integrated circuits, or using a network of interconnected conventional components and circuits. The embodiments described herein have been presented for purposes of illustration and are not intended to be exhaustive or limiting. Many variations and modifications are possible in light of the foregoing teaching. The system is limited only by the following claims.
What is claimed is:
1. A computer-based method, comprising:
monitoring substantially in parallel a plurality of subsystems of the operating system during runtime for an event caused from a request made by a Downloadable;
interrupting processing of the request;
comparing information pertaining to the Downloadable against a predetermined security policy; and
performing a predetermined responsive action based on the comparison.
2. The method of claim 1, wherein monitoring the operating system includes monitoring a request sent to a Downloadable engine.
3. The method of claim 2,
wherein the Downloadable engine includes a Java™ virtual machine having Java™ classes; and
wherein monitoring the operating system includes monitoring each Java™ class for receipt of the request.
4. The method of claim 2,
wherein the Downloadable engine includes an ActiveX™ platform having a message engine, a dynamic-data-exchange and a dynamically-linked library; and
wherein monitoring the operating system includes monitoring the message engine, the dynamic-data-exchange and the dynamically-linked library for receipt of the request.
5. The method of claim 1, further comprising determining whether information pertaining to the Downloadable violates a security rule.
6. The method of claim 5, further comprising determining whether violation of the security rule violates the security policy.
7. The method of claim 1, further comprising:
comparing information pertaining to the Downloadable with information pertaining to a predetermined suspicious Downloadable; and
performing a predetermined responsive action based on the comparison with the information pertaining to the predetermined suspicious Downloadable.
8. The method of claim 1, wherein the predetermined responsive action includes storing results of the comparison in an event log.
9. The method of claim 1, wherein the predetermined responsive action includes informing the user when the security policy has been violated.
10. The method of claim 1, wherein the predetermined responsive action includes storing information on the Downloadable in a suspicious Downloadable database.
11. The method of claim 1, wherein the predetermined responsive action includes discarding the Downloadable.
12. A system, comprising:
a security policy;
a