Symantec 1014
`IPR of U.S. Pat. No. 8,141,154
`
`000001
`
`

`
`PATENT
`
`DOCKET NO. FIN0008-DIV1
`
`SYSTEM AND METHOD FOR INSPECTING DYNAMICALLY GENERATED
`
`EXECUTABLE CODE
`
`FIELD OF THE INVENTION
`
`[0001]
`
`The present invention relates to computer security, and more particularly to
`
`protection against malicious code such as computer viruses.
`
`BACKGROUND OF THE INVENTION
`
`[0002]
`
`Computer viruses have been rampant for over two decades now. Computer viruses
`
`generally come in the form of executable code that performs adverse operations, such as
`
`modifying a computer's operating system or file system, damaging a computer's hardware or
`
`hardware interfaces, or automatically transmitting data from one computer to another.
`
`Generally, computer viruses are generated by hackers willfully, in order to exploit computer
`
`vulnerabilities. However, viruses can also arise by accident due to bugs in software
`
`applications.
`
`[0003]
`
`Originally computer viruses were transmitted as executable code inserted into files.
`
`As each new viruses was discovered, a signature of the virus was collected by anti-virus
`
`companies and used from then on to detect the virus and protect computers against it. Users
`
`began routinely scanning their file systems using anti-virus software, which regularly
`
`updated its signature database as each new virus was discovered.
`
`[0004]
`
`Such anti-virus protection is referred to as "reactive“, since it can only protect in
`
`reaction to viruses that have already been discovered.
`
`[0005] With the advent of the Internet and the ability to run executable code such as
`
`scripts within Internet browsers, a new type of virus formed; namely, a virus that enters a
`
`computer over the Internet and not through the computer's file system. Such Internet viruses
`
`can be embedded within web pages and other web content, and begin executing within an
`
`Internet browser as soon as they enter a computer. Routine file scans are not able to detect
`
`such viruses, and as a result more sophisticated anti-virus tools had to be developed.
`
`WDC,IMANAGE-1496219.1
`000002
`
`l of 31
`
`000002
`
`

`
`PATENT
`
`DOCKET NO. FIN0008-DIV1
`
`[0006]
`
`Two generic types of anti-virus applications that are currently available to protect
`
`against such Internet viruses are (i) gateway security applications, and (ii) desktop security
`
`applications. Gateway security applications shield web content before the content is
`
`delivered to its intended destination computer. Gateway security applications scan web
`
`content, and block the content from reaching the destination computer if the content is
`
`deemed by the security application to be potentially malicious. In distinction, desktop
`
`security applications shield against web content after the content reaches its intended
`
`destination computer.
`
`[0007] Moreover, in addition to reactive anti-virus applications, that are based on
`
`databases of known virus signatures, recently "proactive" antivirus applications have been
`
`developed. Proactive anti-virus protection uses a methodology known as "behavioral
`
`analysis" to analyze computer content for the presence of viruses. Behavior analysis is used
`
`to automatically scan and parse executable content, in order to detect which computer
`
`operations the content may perform. As such, behavioral analysis can block viruses that
`
`have not been previously detected and which do not have a signature on record, hence the
`
`name "proactive”.
`
`[0008]
`
`Assignee's US Patent No. 6,092,194 entitled SYSTEM AND METHOD FOR
`
`PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE
`
`DOWNLOADABLES, the contents of which are hereby incorporated by reference, describes
`
`gateway level behavioral analysis. Such behavioral analysis scans and parses content
`
`received at a gateway and generates a security profile for the content. A security profile is a
`
`general list or delineation of suspicious, or potentially malicious, operations that executable
`
`content may perform. The derived security profile is then compared with a security policy
`
`for the computer being protected, to determine whether or not the contents security profile
`
`violates the computer's security policy. A security policy is a general set of simple or
`
`complex rules, that may be applied logically in series or in parallel, which determine whether
`
`or not a specific operation is permitted or forbidden to be performed by the content on the
`
`computer being protected. Security policies are generally configurable, and set by an
`
`administrator of the computer that are being protected.
`
`WDC,IMANAGE-1496219.1
`000003
`
`2 of 31
`
`000003
`
`

`
`PATENT
`
`DOCKET NO. FIN0008-DIV1
`
`[0009]
`
`Assignee’s US Patent No. 6,167,520 entitled SYSTEM AND METHOD FOR
`
`PROTECTING A CLIENT DURING RUNTIME FROM HOSTILE DOWNLOADABLES,
`
`the contents of which are hereby incorporated by reference, describes desktop level
`
`behavioral analysis. Desktop level behavioral analysis is generally implemented during run-
`
`time, while a computer's web browser is processing web content received over the Internet.
`
`As the content is being processed, desktop security applications monitor calls made to critical
`
`systems of the computer, such as the operating system, the file system and the network
`
`system. Desktop security applications use hooks to intercept calls made to operating system
`
`functions, and allow or block the calls as appropriate, based on the computer's security
`
`policy.
`
`[00010] Each of the various anti-virus technologies, gateway vs. desktop, reactive vs.
`
`proactive, has its pros and cons. Reactive anti-virus protection is computationally simple and
`
`fast; proactive virus protection is computationally intensive and slower. Reactive anti-virus
`
`protection cannot protect against new "first-time" viruses, and cannot protect a user if his
`
`signature file is out of date; proactive anti-virus protection can protect against new "first-
`
`time" viruses and do not require regular downloading of updated signature files. Gateway
`
`level protection keeps computer viruses at a greater distance from a local network of
`
`computers; desktop level protection is more accurate. Desktop level protection is generally
`
`available in the consumer market for hackers to obtain, and is susceptible to reverse
`
`engineering; gateway level protection is not generally available to hackers.
`
`[00011] Reference is now made to FIG. 1, which is a simplified block diagram of prior art
`
`systems for blocking malicious content, as described hereinabove. The topmost system
`
`shown in FIG. 1 illustrates a gateway level security application. The middle system shown in
`
`FIG. 1 illustrates a desktop level security application, and the bottom system shown in FIG. 1
`
`illustrates a combined gateway + desktop level security application.
`
`[00012] The topmost system shown in FIG. 1 includes a gateway computer 105 that
`
`receives content from the Internet, the content intended for delivery to a client computer 110.
`
`Gateway computer 105 receives the content over a communication channel 120, and gateway
`
`WDC_IMANAGE—1496219.1
`000004
`
`3 of 31
`
`000004
`
`

`
`PATENT
`
`DOCKET NO. FIN0008-DIV1
`
`computer communicates with client computer 110 over a communication channel 125.
`
`Gateway computer 105 includes a gateway receiver 135 and a gateway transmitter 140.
`
`Client computer 110 includes a client receiver 145. Client computer generally also has a
`
`client transmitter, which is not shown.
`
`[00013] Client computer 110 includes a content processor 170, such as a conventional web
`
`browser, which processes Internet content and renders it for interactive viewing on a display
`
`monitor. Such Internet content may be in the form of executable code, JavaScript, VBScript,
`
`Java applets, ActiveX controls, which are supported by web browsers.
`
`[00014] Gateway computer 105 includes a content inspector 174 which may be reactive or
`
`proactive, or a combination of reactive and proactive. Incoming content is analyzed by
`
`content inspector 174 before being transmitted to client computer 110. If incoming content
`
`is deemed to be malicious, then gateway computer 105 preferably prevents the content from
`
`reaching client computer 110. Alternatively, gateway computer 105 may modify the content
`
`so as to render it harmless, and subsequently transmit the modified content to client computer
`
`1 1 0.
`
`[00015] Content inspector 174 can be used to inspect incoming content, on its way to client
`
`computer 110 as its destination, and also to inspect outgoing content, being sent from client
`
`computer 110 as its origin.
`
`[00016] The middle system shown in FIG. 1 includes a gateway computer 105 and a client
`
`computer 110, the client computer 110 including a content inspector 176. Content inspector
`
`176 may be a conventional Signature-based anti-virus application, or a run-time behavioral
`
`based application that monitors run-time calls invoked by content processor 170 to operating
`
`system, file system and network system functions.
`
`[00017] The bottom system shown in FIG. 1 includes both a content inspector 174 at
`
`gateway computer 105, and a content inspector 176 at client computer 110. Such a system
`
`can support conventional gateway level protection, desktop level protection, reactive anti-
`
`virus protection and proactive anti-virus protection.
`
`WDC,IMANAGE-1496219.1
`000005
`
`4 of 31
`
`000005
`
`

`
`PATENT
`
`DOCKET NO. FIN0008-DIV1
`
`[00018] As the hacker vs. anti-virus protection battle continues to wage, a newer type of
`
`virus has sprung forward; namely, dynamically generated viruses. These viruses are
`
`themselves generated only at run-time, thus thwarting conventional reactive analysis and
`
`conventional gateway level proactive behavioral analysis. These viruses take advantage of
`
`features of dynamic HTML generation, such as executable code or scripts that are embedded
`
`within HTML pages, to generate themselves on the fly at runtime.
`
`[00019] For example, consider the following portion of a standard HTML page:
`
`<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN”>
`
`<HTML>
`
`<SCRIPT LANGUAGE="JavaScript">
`
`document.write("<hl>text that is generated at run-time</hl>");
`
`</SCRIPT>
`
`<BODY>
`
`</BODY>
`
`</HTML>
`
`The text within the <SCRIPT> tags is JavaScript, and includes a call to the standard function
`
`d0cument.wrz'te(), which generates dynamic HTML. In the example above, the function
`
`document. write() is used to generate HTML header text, with a text string that is generated at
`
`run-time. If the text string generated at run-time is of the form
`
`<SCRIPT>malicious JavaScript</SCRIPT>
`
`then the document. wrz'te() function will insert malicious JavaScript into the HTML page that
`
`is currently being rendered by a web browser. In turn, when the web browser processes the
`
`inserted text, it will perform malicious operations to the client computer.
`
`WDC_IMANAGE—1496219.1
`000006
`
`5 of 31
`
`000006
`
`

`
`PATENT
`
`DOCKET NO. FIN0008-DIV1
`
`[0020]
`
`Such dynamically generated malicious code cannot be detected by conventional
`
`reactive content inspection and conventional gateway level behavioral analysis content
`
`inspection, since the malicious JavaScript is not present in the content prior to run-time. A
`
`content inspector will only detect the presence of a call to Document. write() with input text
`
`that is yet unknown. If such a content inspector were to block all calls to Document. wrz'te()
`
`indiscriminately, then many harmless scripts will be blocked, since most of the time calls to
`
`Document. wrz'te() are made for dynamic display purposes only.
`
`[0021]
`
`US Patent Nos. 5,983,348 and 6,272,641, both to Ji, describe reactive client level
`
`content inspection, that modifies downloaded executable code within a desktop level anti-
`
`virus application. However, such inspection can only protect against static malicious
`
`content, and cannot protect against dynamically generated malicious content.
`
`[0022]
`
`Desktop level run-time behavioral analysis has a chance of shielding a client
`
`computer against dynamically generated malicious code, since such code will ultimately
`
`make a call to an operating system function. However, desktop anti-virus protection has a
`
`disadvantage of being widely available to the hacker community, which is always eager to
`
`find vulnerabilities. In addition, desktop anti-virus protection has a disadvantage of requiring
`
`installation of client software.
`
`[0023]
`
`As such, there is a need for a new form of behavioral analysis, which can shield
`
`computers from dynamically generated malicious code without running on the computer
`
`itself that is being shielded.
`
`SUMMARY OF THE DESCRIPTION
`
`[0024]
`
`The present invention concerns systems and methods for implementing new
`
`behavioral analysis technology. The new behavioral analysis technology affords protection
`
`against dynamically generated malicious code, in addition to conventional computer viruses
`
`that are statically generated.
`
`[0025]
`
`The present invention operates through a security computer that is preferably
`
`remote from a client computer that is being shielded while processing network content.
`
`WDC_IMANAGE—1496219.1
`000007
`
`6 of 31
`
`000007
`
`

`
`PATENT
`
`DOCKET NO. FIN0008-DIV1
`
`During run-time, while processing the network content, but before the client computer
`
`invokes a function call that may potentially dynamically generate malicious code, the client
`
`computer passes the input to the function to the security computer for inspection, and
`
`suspends processing the network content pending a reply back from the security computer.
`
`Since the input to the function is being passed at run-time, it has already been dynamically
`
`generated and is thus readily inspected by a content inspector. Referring to the example
`
`above, were the input to be passed to the security computer prior to run-time, it would take
`
`the form of indeterminate text; whereas the input passed during run-time takes the
`
`determinate form
`
`<SCRIPT>malicious JavaScript</SCRIPT>,
`
`which can readily be inspected. Upon receipt of a reply from the security computer, the
`
`client computer resumes processing the network content, and knows whether to by-pass the
`
`function call invocation.
`
`[0026]
`
`To enable the client computer to pass function inputs to the security computer and
`
`suspend processing of content pending replies from the security computer, the present
`
`invention operates by replacing original function calls with substitute function calls within
`
`the content, at a gateway computer, prior to the content being received at the client computer.
`
`[0027]
`
`The present invention also provides protection against arbitrarily many recursive
`
`levels of dynamic generation of malicious code, whereby such code is generated via a series
`
`of successive function calls, one within the next.
`
`[0028]
`
`By operating through the medium of a security computer, the present invention
`
`overcomes the disadvantages of desktop anti-virus applications, which are available to the
`
`hacker community for exploit. Security applications embodying the present invention are
`
`concealed securely within managed computers.
`
`[0029]
`
`There is thus provided in accordance with a preferred embodiment of the present
`
`invention a method for protecting a client computer from dynamically generated malicious
`
`content, including receiving at a gateway computer content being sent to a client computer
`
`WDC_IMANAGE—1496219.1
`000008
`
`7 of 31
`
`000008
`
`

`
`PATENT
`
`DOCKET NO. FIN0008-DIV1
`
`for processing, the content including a call to an original function, and the call including an
`
`input, modifying the content at the gateway computer, including replacing the call to the
`
`original function with a corresponding call to a substitute function, the substitute function
`
`being operational to send the input to a security computer for inspection, transmitting the
`
`modified content from the gateway computer to the client computer, processing the modified
`
`content at the client computer, transmitting the input to the security computer for inspection
`
`when the substitute function is invoked, determining at the security computer whether it is
`
`safe for the client computer to invoke the original function with the input, transmitting an
`
`indicator of whether it is safe for the client computer to invoke the original function with the
`
`input, from the security computer to the client computer, and invoking the original function
`
`at the client computer with the input, only if the indicator received from the security
`
`computer indicates that such invocation is safe.
`
`[0030]
`
`There is further provided in accordance with a preferred embodiment of the present
`
`invention a system for protecting a client computer from dynamically generated malicious
`
`content, including a gateway computer, including a gateway receiver for receiving content
`
`being sent to a client computer for processing, the content including a call to an original
`
`function, and the call including an input, a content modifier for modifying the received
`
`content by replacing the call to the original function with a corresponding call to a substitute
`
`function, the substitute function being operational to send the input to a security computer for
`
`inspection, and a gateway transmitter for transmitting the modified content from the gateway
`
`computer to the client computer, a security computer, including a security receiver for
`
`receiving the input from the client computer, an input inspector for determining whether it is
`
`safe for the client computer to invoke the original function with the input, and a security
`
`transmitter for transmitting an indicator of the determining to the client computer, and a
`
`client computer communicating with the gateway computer and with the security computer,
`
`including a client receiver for receiving the modified content from the gateway computer,
`
`and for receiving the indicator from the security computer, a content processor for processing
`
`the modified content, and for invoking the original function only if the indicator indicates
`
`WDC_IMANAGE—1496219.1
`000009
`
`8 of 31
`
`000009
`
`

`
`PATENT
`
`DOCKET NO. FIN0008-DIV1
`
`that such invocation is safe; and a client transmitter for transmitting the input to the security
`
`computer for inspection, when the substitute function is invoked.
`
`[0031]
`
`There is yet further provided in accordance with a preferred embodiment of the
`
`present invention a computer-readable storage medium storing program code for causing at
`
`least one computing device to receive content including a call to an original function, and the
`
`call including an input, replace the call to the original function with a corresponding call to a
`
`substitute function, the substitute function being operational to send the input for inspection,
`
`thereby generating modified content, process the modified content, transmit the input for
`
`inspection, when the substitute function is invoked while processing the modified content,
`
`and suspend processing of the modified content, determine whether it is safe to invoke the
`
`original function with the input, transmit an indicator of whether it is safe for a computer to
`
`invoke the original function with the input, and resume processing of the modified content
`
`after receiving the indicator, and invoke the original function with the input only if the
`
`indicator indicates that such invocation is safe.
`
`[0032]
`
`There is additionally provided in accordance with a preferred embodiment of the
`
`present invention a method for protecting a client computer from dynamically generated
`
`malicious content, including receiving content being sent to a client computer for processing,
`
`the content including a call to an original function, and the call including an input, modifying
`
`the content, including replacing the call to the original function with a corresponding call to a
`
`substitute function, the substitute function being operational to send the input to a security
`
`computer for inspection, and transmitting the modified content to the client computer for
`
`processing.
`
`[0033]
`
`There is moreover provided in accordance with a preferred embodiment of the
`
`present invention a system for protecting a client computer from dynamically generated
`
`malicious content, including a receiver for receiving content being sent to a client computer
`
`for processing, the content including a call to an original function, and the call including an
`
`input, a content modifier for modifying the received content by replacing the call to the
`
`original function with a corresponding call to a substitute function, the substitute function
`
`WDC_IMANAGE—1496219.1
`000010
`
`9 of 31
`
`000010
`
`

`
`PATENT
`
`DOCKET NO. FIN0008-DIV1
`
`being operational to send the input to a security computer for inspection, and a transmitter for
`
`transmitting the modified content to the client computer.
`
`[0034]
`
`There is further provided in accordance with a preferred embodiment of the present
`
`invention a computer-readable storage medium storing program code for causing a
`
`computing device to receive content including a call to an original function, and the call
`
`including an input, and replace the call to the original function with a corresponding call to a
`
`substitute function, the substitute function being operational to send the input for inspection.
`
`[0035]
`
`There is yet further provided in accordance with a preferred embodiment of the
`
`present invention a method for protecting a client computer from dynamically generated
`
`malicious content, including receiving content being sent to a client computer for processing,
`
`the content including a call to an original function, and the call including an input, modifying
`
`the content, including replacing the call to the original function with a corresponding call to a
`
`substitute function, the substitute function being operational to send the input for inspection,
`
`transmitting the modified content to the client computer for processing, receiving the input
`
`from the client computer, determining whether it is safe for the client computer to invoke the
`
`original function with the input, and transmitting to the client computer an indicator of
`
`whether it is safe for the client computer to invoke the original function with the input.
`
`[0036]
`
`There is additionally provided in accordance with a preferred embodiment of the
`
`present invention a system for protecting a client computer from dynamically generated
`
`malicious content, including a receiver (i) for receiving content being sent to a client
`
`computer for processing, the content including a call to an original function, and the call
`
`including an input, and (ii) for receiving the input from the client computer, a content
`
`modifier for modifying the received content by replacing the call to the original function with
`
`a corresponding call to a substitute function, the substitute function being operational to send
`
`the input for inspection, an input inspector for determining whether it is safe for the client
`
`computer to invoke the original function with the input, and a transmitter (i) for transmitting
`
`the modified content to the client computer, and (ii) for transmitting an indicator of the
`
`determining to the client computer.
`
`WDC_IMANAGE—1496219.1
`00001 1
`
`10 of 31
`
`000011
`
`

`
`PATENT
`
`DOCKET NO. FIN0008-DIV1
`
`[0037]
`
`There is moreover provided in accordance with a preferred embodiment of the
`
`present invention a computer-readable storage medium storing program code for causing a
`
`computing device to receive content including a call to an original function, and the call
`
`including an input, replace the call to the original function with a corresponding call to a
`
`substitute function, the substitute function being operational to send the input for inspection,
`
`and determine whether it is safe for a computer to invoke the original function with the input.
`
`[003 8]
`
`There is further provided in accordance with a preferred embodiment of the present
`
`invention a method for protecting a computer from dynamically generated malicious content,
`
`including processing content received over a network, the content including a call to a first
`
`function, and the call including an input, transmitting the input to a security computer for
`
`inspection, when the first function is invoked, receiving from the security computer an
`
`indicator of whether it is safe to invoke a second function with the input, and invoking the
`
`second function with the input, only if the indicator indicates that such invocation is safe.
`
`[0039]
`
`There is yet further provided in accordance with a preferred embodiment of the
`
`present invention a system for protecting a computer from dynamically generated malicious
`
`content, including a content processor (i) for processing content received over a network, the
`
`content including a call to a first function, and the call including an input, and (ii) for
`
`invoking a second function with the input, only if a security computer indicates that such
`
`invocation is safe, a transmitter for transmitting the input to the security computer for
`
`inspection, when the first function is invoked, and a receiver for receiving an indicator from
`
`the security computer whether it is safe to invoke the second function with the input.
`
`[0040]
`
`There is additionally provided in accordance with a preferred embodiment of the
`
`present invention a computer-readable storage medium storing program code for causing a
`
`computing device to process content received over a network, the content including a call to
`
`a first function, and the call including an input, transmit the input for inspection, when the
`
`first function is invoked, and suspend processing of the content, receive an indicator of
`
`whether it is safe to invoke a second function with the input, and resume processing of the
`
`WDC,IMANAGE—1496219.1
`000012
`
`ll of 31
`
`000012
`
`

`
`PATENT
`
`DOCKET NO. FIN0008-DIV1
`
`content after receiving the indicator, and invoke the second function with the input only if the
`
`indicator indicates that such invocation is safe.
`
`[0041]
`
`There is moreover provided in accordance with a preferred embodiment of the
`
`present invention a method for protecting a client computer from dynamically generated
`
`malicious content, including receiving an input from a client computer, determining whether
`
`it is safe for the client computer to invoke a function with the input, and transmitting an
`
`indicator of the determining to the client computer.
`
`[0042]
`
`There is further provided in accordance with a preferred embodiment of the present
`
`invention a system for protecting a client computer from dynamically generated malicious
`
`content, including a receiver for receiving an input from a client computer, an input inspector
`
`for determining whether it is safe for the client computer to invoke a function with the input,
`
`and a transmitter for transmitting an indicator of the determining to the client computer.
`
`[0043]
`
`There is further provided in accordance with a preferred embodiment of the present
`
`invention a computer-readable storage medium storing program code for causing a
`
`computing device to receive an input from a computer, determine whether it is safe for the
`
`computer to invoke a function with the input, and transmit an indicator of the determination
`
`to the computer.
`
`[0044]
`
`The following definitions are employed throughout the specification and claims.
`
`SECURITY POUCY - a set of one or more rules that determine whether or not a requested
`
`operation is permitted. A security policy may be explicitly configurable by a computer
`
`system administrator, or may be implicitly determined by application defaults.
`
`SECURITY PROFILE - information describing one or more suspicious operations
`
`performed by executable software.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`[0045]
`
`The present invention will be more fully understood and appreciated from the
`
`following detailed description, taken in conjunction with the drawings in which:
`
`WDC,IMANAGE—1496219.1
`000013
`
`12 of 31
`
`000013
`
`

`
`PATENT
`
`DOCKET NO. FIN0008-DIV1
`
`[0046]
`
`FIG. 1 is a simplified block diagram of prior art systems for blocking malicious
`
`content;
`
`[0047]
`
`FIG. 2 is a simplified block diagram of a system for protecting a computer from
`
`dynamically generated malicious executable code, in accordance with a preferred
`
`embodiment of the present invention;
`
`[0048]
`
`FIG. 3 is a simplified flowchart of a method for protecting a computer from
`
`dynamically generated malicious executable code, in accordance with a preferred
`
`embodiment of the present invention;
`
`[0049]
`
`FIG. 4 is a simplified block diagram of a system for protecting a computer from
`
`dynamically generated malicious executable code, in which the gateway computer itself
`
`performs the code inspection, in accordance with a preferred embodiment of the present
`
`invention; and
`
`[0050]
`
`FIG. 5 is a simplified flowchart of a method for protecting a computer from
`
`dynamically generated malicious executable code, whereby the gateway computer itself
`
`performs the code inspection, in accordance with a preferred embodiment of the present
`
`invention.
`
`DETAILED DESCRIPTION
`
`[0051]
`
`The present invention concerns systems and methods for protecting computers
`
`against dynamically generated malicious code.
`
`[0052]
`
`Reference is now made to FIG. 2, which is a simplified block diagram of a system
`
`for protecting a computer from dynamically generated malicious executable code, in
`
`accordance with a preferred embodiment of the present invention. Three major components
`
`of the system are a gateway computer 205, a client computer 210, and a security computer
`
`215. Gateway computer 220 receives content from a network, such as the Internet, over a
`
`communication channel 220. Such content may be in the form of HTML pages, XML
`
`documents, Java applets and other such web content that is generally rendered by a web
`
`WDC_IMANAGE—1496219.1
`000014
`
`13 of 31
`
`000014
`
`

`
`PATENT
`
`DOCKET NO. FIN0008-DIV1
`
`browser. Client computer 210 communicates with gateway computer 205 over a
`
`communication channel 225, and communicates with security computer 215 over a
`
`communication channel 230. Gateway computer 205 receives data at gateway receiver 235,
`
`and transmits data at gateway transmitter 240. Similarly, client computer 210 receives data
`
`at client receiver 245, and transmits data at client transmitter 250; and security computer 215
`
`receives data at security receiver 260 and transmits data at security transmitter 265.
`
`[0053]
`
`It will be appreciated by those skilled in the art that the network topology of FIG.
`
`2 is shown as a simple topology, for purposes of clarity of exposition. However, the present
`
`invention applies to general architectures including a plurality of client computers 210 that
`
`are services by one or more gateway computers 205, and by one or more security computers
`
`215. Similarly, communication channels 220, 225 and 230 may each be multiple channels
`
`using standard communication protocols such as TCP/IP.
`
`[0054] Moreover, the functionality of security computer 215 may be included within
`
`gateway computer 205. Such a topology is illustrated in FIG. 4.
`
`[0055]
`
`The computers shown in FIG. 2 also include additional processing modules, each
`
`of which is described in detail hereinbelow. Gateway computer 205 includes a content
`
`modifier 265, client computer 210 includes a content processor 270, and security computer
`
`215 includes an inspector 275, a database of client security policies 280, and an input
`
`modifier 285.
`
`[0056]
`
`Content modifier 265 preferably modifies original content received by gateway
`
`computer 205,and produces modified content, which includes a layer of protection to combat
`
`dynamically generated malicious code. Specifically, content modifier 265 scans the original
`
`content and identifies function calls of the form
`
`Function (input),
`
`(1)
`
`Content modifier 265 further modifies selected ones of the function calls (1) to
`
`corresponding fl,11’1CtlO1’1 calls
`
`WDC,IMANAGE—1496219.1
`000015
`
`14 of 31
`
`000015
`
`

`
`PATENT
`
`DOCKET NO. FIN0008-DIV1
`
`Substitute_function (input, *),
`
`(2)
`
`whereby the call to Functz'0n() has been replaced with a call to Substitute_function().
`
`It is
`
`noted that the input intended for the original function is also passed to the substitute function,
`
`along with possible additional input denoted by "*".
`
`[0057]
`
`It will be appreciated by those skilled in the art that content modifier 265 may
`
`modify all detected function calls, or only a portion of the detected function calls. Functions
`
`that are known to be safe, regardless of their inputs, need not be modified by content
`
`modifier 265. Similarly, functions that are not passed any inputs when invoked and are
`
`known to be safe, also need not be modified by content modifier 265.
`
`[005 8]
`
`Preferably, when call (2) is made, the substitute function sends the input to security
`
`computer 215 for inspection. Preferably, content modifier 2