60/030,639

INVENTORS: Touboul, Shlomo

TITLE: SYSTEM AND METHOD FOR PROTECTING A COMPUTER FROM HOSTILE

APPLICATION NO: 60/030,639
FILED: 08 NOV 1996
COMPILED: 19 NOV 2014

Symantec 1008
IPR of U.S. Pat. No. 8,677,494

PATENT APPLICATION

SERIAL NUMBER: 60/030,639
FILING DATE: 11/08/96
GROUP ART UNIT:
APPLICANT: SHLOMO TOUBOUL, KEFAR HAIM, ISRAEL.

**CONTINUING DATA** VERIFIED
**FOREIGN/PCT APPLICATIONS** VERIFIED

FILING FEE RECEIVED: $150.00
ATTORNEY DOCKET NO.: D-558

EPPA HITE
CARR DEFILIPPO & FERRELL
SUITE 200
2225 EAST BAYSHORE ROAD
PALO ALTO CA 94303

SYSTEM AND METHOD FOR PROTECTING A COMPUTER FROM HOSTILE DOWNLOADABLES

This is to certify that annexed hereto is a true copy from the records of the United States Patent and Trademark Office of the application which is identified above.

By authority of the
COMMISSIONER OF PATENTS AND TRADEMARKS

Certifying Officer.

PATENT APPLICATION SERIAL NO. 60/030,639

U.S. DEPARTMENT OF COMMERCE
PATENT AND TRADEMARK OFFICE
FEE RECORD SHEET

PTO-1556 (5/87)

60/030639

Patent and Trademark Office; U.S. DEPARTMENT OF COMMERCE

PROVISIONAL APPLICATION FOR PATENT COVER SHEET

This is a request for filing a PROVISIONAL APPLICATION FOR PATENT under 37 CFR 1.53.

Docket No. D-558

INVENTOR(S) / APPLICANT(S)
(LAST NAME; FIRST NAME; MIDDLE INITIAL; RESIDENCE (CITY AND EITHER STATE OR FOREIGN COUNTRY))

TITLE OF INVENTION (280 characters max)
System and Method for Protecting a Computer from Hostile Downloadables

CORRESPONDENCE ADDRESS
Eppa Hite
Carr, DeFilippo & Ferrell LLP
2225 East Bayshore Road, Suite 200
Palo Alto
Tel.: (415) 812-3428
Fax: (415) 812-3444

ENCLOSED APPLICATION PARTS (check all that apply)
[X] Specification. Number of Pages: [23]
[ ] Small Entity Statement
[X] Drawing(s). Number of Sheets: [7]
[X] Other (specify): 9 page "Appendix"

METHOD OF PAYMENT OF FILING FEES FOR THIS PROVISIONAL APPLICATION FOR PATENT
[X] A check or money order is enclosed to cover the filing fees.
[ ] The Commissioner is hereby authorized to charge the filing fees and credit Deposit Account No. 06-0600.
Filing Fee Amount ($):
[X] The Commissioner is hereby authorized to charge payment of the following fees associated with this communication or credit any overpayment to Deposit Account No. 06-0600. A duplicate copy of this sheet is attached.

The invention was made by an agency of the United States Government or under a contract with an agency of the United States Government.
[X] No.
[ ] Yes, the name of the U.S. Government agency and the Government contract number are:

Respectfully submitted,
Shlomo Touboul

Date:

Eppa Hite, Reg. No. 30,266
Carr, DeFilippo & Ferrell LLP
2225 East Bayshore Road, Suite 200
Palo Alto, CA 94303
Tel.: (415) 812-3428
Fax: (415) 812-3444

[ ] Additional inventors are being named on separately numbered sheets attached hereto.

Send To:
Box Provisional Application
Assistant Commissioner for Patents
Washington, D.C. 20231

60/030639

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

APPLICANT: Touboul, Shlomo
NO.: Unknown
DATE: On Even Date Herewith
TITLE: System and Method for Protecting a Computer from Hostile Downloadables
EXAMINER: Unknown
GROUP ART UNIT: Unknown
ATTY. DKT. NO.: PA-558

ASSISTANT COMMISSIONER FOR PATENTS
WASHINGTON, D.C. 20231

CERTIFICATE OF EXPRESS MAIL

SIR:

"Express Mail" mailing label number:
Date of Deposit:

I hereby certify that this paper or fee is being deposited with the United States Postal Service "Express Mail Post Office to Addressee" service under 37 CFR 1.10 on the date indicated above and is addressed to Assistant Commissioner for Patents, Washington, D.C. 20231.

Deposited by:
(Signature of person mailing paper or fee)

1.

This invention relates generally to computer networks, and more particularly to a system and method for protecting computers from hostile Downloadables.

2.

The Internet is a collection of currently over 100,000 individual computer networks owned by governments, universities, nonprofit groups and companies, and is expanding at an accelerating rate. Because the Internet is public, the Internet has become a major source of many system damaging and system fatal application programs, commonly referred to as "viruses."

Accordingly, programmers continue to design computer security systems for blocking these viruses from attacking both individual and network computers. On the most part, these security systems have been relatively successful. However, these security systems are not configured to recognize computer viruses which have been attached to Downloadable application programs, commonly referred to as "applets" or "Downloadables." A Downloadable is an executable application program which is automatically downloaded from a source computer and run on the destination computer. Examples of Downloadables include applets designed for use in the Java™ distributing environment produced by Sun Microsystems or for use in the Active X distributing environment produced by Microsoft Corporation. Therefore, a system and method are needed to protect computers from viruses attached to these Downloadables.

The present invention provides a system for protecting a computer from hostile Downloadables. The system comprises an interface for receiving a Downloadable, a first memory portion storing security policies and a second memory portion storing known hostile Downloadables. The system further comprises a first comparator, coupled to the interface and to the first memory portion, for discarding the received Downloadable when it matches one of the known hostile Downloadables. The system further comprises a second comparator, coupled to the first comparator and to the second memory portion, for discarding the received Downloadable if it violates one of security policies.

The present invention further provides a method for protecting a computer from hostile Downloadables. The method comprises the steps of receiving a Downloadable, discarding the received Downloadable when the received Downloadable matches a predetermined hostile Downloadable, obtaining Downloadable security profile data on the received Downloadable when the Downloadable does not match a predetermined hostile Downloadable and discarding the received Downloadable when the Downloadable security profile data violates a predetermined security policy.

The system and method of the present invention provide computer protection from potentially hostile computer viruses which have been attached to Downloadables. The system and method of the present invention advantageously identifies both known hostile Downloadables and identifies potentially hostile commands by decomposing unknown Downloadables.

FIG. 1 is a block diagram illustrating a network system in accordance with the present invention;

FIG. 2 is a block diagram illustrating the internal network security system of FIG. 1;

FIG. 3 is a block diagram illustrating the security program of FIG. 2;

FIG. 4 is a flow chart illustrating an example security policy of FIG. 2;

FIG. 5 is a block diagram illustrating the security management console of FIG. 1;

FIG. 6 is a flowchart illustrating a method for protecting an internal computer network from hostile Downloadables; and

FIG. 7 is a flowchart illustrating the FIG. 6 method for decomposing a Downloadable.

FIG. 1 is a block diagram illustrating a network system 100 in accordance with the present invention. Network system 100 includes an external computer network 105, such as the Wide Area Network (WAN) commonly referred to as the Internet, coupled via a signal bus 125 to an internal network security system 110. Network system 100 further includes an internal computer network 115, such as a corporate Local Area Network (LAN), coupled via a signal bus 130 to internal network computer system 110 and coupled via a signal bus 135 to a security management console 120.

Internal network security system 110 examines Downloadables received from external computer network 105, and prevents all recognizably-hostile Downloadables from reaching internal computer network 115. A Downloadable is hostile if it threatens the integrity of an internal computer network 115 component. Security management console 120 enables modification of internal network security system 110.

FIG. 2 is a block diagram of an internal network security system 110 which includes a Central Processing Unit (CPU) 205, such as a Motorola Power PC® microprocessor or an Intel Pentium® microprocessor, coupled to a signal bus 220. Internal network security system 110 further includes an external communications interface 210 coupled between signal bus 125 and signal bus 220 for receiving the Downloadables from external computer network 105, and an internal communications interface 225 coupled between signal bus 220 and signal bus 130 for forwarding non-hostile Downloadables to internal computer network 115. Alternatively, external communications interface 210 and internal communications interface 225 may be functional components of an integral communications interface (not shown) for both receiving Downloadables from external computer network 105 and forwarding non-hostile Downloadables to internal computer network 115.

Internal network security system 110 further includes Input/Output (I/O) interfaces 215 such as a keyboard, mouse and Cathode Ray Tube (CRT) display, a data storage device 230 such as Read Only Memory (ROM) or magnetic disk, and a Random-Access Memory (RAM) 235, each being coupled to signal bus 220. Data storage device 230 stores a security database 240 which includes security policies and Downloadable data for determining whether a received Downloadable is hostile, and stores an events log 245 which includes the determination results for each Downloadable. An operating system 250 controls processing by CPU 205, and is typically stored in data storage device 230 and loaded into RAM 235 for execution. A security program 255 controls operations of internal network security system 110, and also may be stored in data storage device 230 and loaded into RAM 235 for execution by CPU 205.

FIG. 3 is a block diagram illustrating details of security program 255. Security program 255 includes an ID generator 315, a first comparator 320 coupled to ID generator 315, a code scanner 325 coupled to first comparator 320, a second comparator 330 coupled to code scanner 325 and to first comparator 320, and a record-keeping engine 335 coupled to first comparator 320 and to second comparator 330.

Security program 255 operates in conjunction with security database 240 and events log 245. Security database 240 stores security policies 305 in a first data storage device 230 portion, known Downloadables 307 in a second data storage device 230 portion and Downloadable Security Profiles (DSPs) data corresponding to the known Downloadables 310 in a third data storage device 230 portion. Security policies 305 include a list of computer operations which are deemed to be potentially hostile to the integrity of internal computer network 115. Potentially hostile operations may include READ/WRITE operations on a system configuration file, READ/WRITE operations on a document containing trade secrets, or any other operation that a user deems potentially hostile. Known Downloadables 307 may include Downloadables which Original Equipment Manufacturers (OEMs) know to be hostile, Downloadables which OEMs know to be non-hostile, Downloadables which second comparator 330 (described below) has previously determined to be hostile, and Downloadables which second comparator 330 (described below) has previously determined to be non-hostile. DSP data 310 includes the fundamental computer operations included in each known Downloadable 307, and may include READs, WRITEs, file management operations, system management operations, memory management operations and CPU allocation operations.

ID generator 315 receives Downloadables from external computer network 105 via external communications interface 210, and generates a digital signature for each Downloadable. A digital signature may include a Downloadable identification number, the Downloadable type, the Downloadable source and the Downloadable destination.

First comparator 320 receives and bit-wise compares the Downloadables from ID generator 315 with known Downloadables 307 stored in security database 240. If first comparator 320 determines a received Downloadable is identical to a known hostile Downloadable 307, then first comparator 320 discards the received Downloadable, and forwards a non-hostile Downloadable to the intended destination to inform the user that internal network security system 110 discarded the Downloadable. If first comparator 320 determines that the received Downloadable is identical to a known non-hostile Downloadable 307, then first comparator 320 forwards the received Downloadable and the corresponding DSP data 310 to second comparator 330. If first comparator 320 determines that the received Downloadable does not match a known Downloadable (i.e., an "unknown Downloadable"), then first comparator 320 forwards the received Downloadable to code scanner 325 (described below). In any case, first comparator 320 then sends a status report to record-keeping engine 335 (described below).

Code scanner 325 receives unknown Downloadables from first comparator 320 and uses conventional parsing techniques to decompose the byte code of the unknown Downloadable into DSP data. Code scanner 325 then sends the Downloadable and the corresponding DSP data to second comparator 350.

Second comparator 330 receives the Downloadable and the corresponding DSP data either from code scanner 325 or from first comparator 320, and compares the DSP data against security policies 305 stored in security database 305. If, from the DSP data, second comparator 330 determines that the Downloadable includes a hostile operation, then second comparator 330 prevents the Downloadable from passing to internal computer network 115. Similarly to first comparator 320, second comparator 330 forwards a non-hostile Downloadable to the intended destination to inform the user that internal network security system 110 discarded the Downloadable. If second comparator 330 determines that the received Downloadable does not violate any security policy 305, then second comparator 330 forwards the received non-hostile Downloadable to internal computer network 115. Further, if second comparator 330 received the non-hostile Downloadable from code scanner 325, then the non-hostile Downloadable is stored in known Downloadables 307, and its corresponding DSP data is stored in DSP data 310. In any case, second comparator 330 sends a status report to record-keeping engine 335 (described below).

Record-keeping engine 335 receives status reports from first comparator 320 and from second comparator 330, and stores the reports in events log 245 in data storage device 230.

FIG. 4 is a block diagram illustrating an example security policy 305.

FIG. 5 is a block diagram illustrating details of security management console 120, which includes a security policy generator 505 coupled to signal bus 135, an event log analysis engine 510 coupled to signal bus 135, a user notification engine 515 coupled to event log analysis engine 510 and a Downloadable database review engine 520 coupled to signal bus 135. Security management console 120 further includes computer components similar to the computer components illustrated in FIG. 2.

Security policy generator 505 uses an I/O interface similar to I/O interface 215 for enabling user modification of security policies 305. Further, security policy generator 505 enables the user to provide multiple security levels, i.e., enables the storage of multiple sets of security policies 305 (wherein second comparator 330 can use only a particular set of security policies 305 based on the destination of a received Downloadable). For example, security policies 305 may enable a corporate manager to receive selected Downloadables but may prevent the corporate manager's secretary from receiving those Downloadables.

Event log analysis engine 510 examines the status reports stored in events log 245 of data storage device 230. Event log analysis engine 510 determines if notification of the user (e.g., the security system manager) is warranted. For example, event log analysis engine 510 may warrant user notification whenever ten (10) hostile Downloadables have been discarded by internal network security system 110 within a thirty (30) minute period, thereby flagging a possible security threat. Accordingly, event log analysis engine 510 instructs user notification engine 515 to inform the user. For example, user notification engine 515 may send an e-mail via internal communications interface 220 or via external communications interface 210 to the user, or may display a message on the user's display device (not shown).

Downloadable database review engine 520 enables a user (e.g., a network security manager) to examine and modify known Downloadables 307 and DSP data 310. Thus, if for example a user learns of new hostile Downloadables, the user can add them to known Downloadables 307 and the corresponding DSP data to DSP data 310. Similarly, the user can add new non-hostile Downloadables to known Downloadables 307 and corresponding DSP data to DSP data 310.

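The ten-discards-in-thirty-minutes rule given above for event log analysis engine 510, written out as an added example that is not part of the filing. The report fields `time` and `verdict`, the class name, and the choice to notify once per burst rather than on every further discard are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta


class DiscardRateMonitor:
    """Flags when `threshold` discards fall within one `window` of time."""

    def __init__(self, threshold=10, window=timedelta(minutes=30)):
        self.threshold = threshold
        self.window = window
        self._recent = deque()    # timestamps of discards still inside the window
        self._alerting = False    # True while the rate stays at or above threshold

    def observe(self, report):
        """Feed one status report (time order assumed); True means notify now."""
        if report["verdict"] != "discard":
            return False          # forwarded Downloadables do not count
        now = report["time"]
        self._recent.append(now)
        while now - self._recent[0] > self.window:   # drop discards that aged out
            self._recent.popleft()
        over = len(self._recent) >= self.threshold
        fire = over and not self._alerting           # one notice per burst
        self._alerting = over
        return fire


def alert_times(reports, **kwargs):
    """Timestamps at which the notification engine would be instructed."""
    monitor = DiscardRateMonitor(**kwargs)
    return [r["time"] for r in reports if monitor.observe(r)]


# Constructed status reports (not from the filing).
T0 = datetime(1996, 11, 8, 9, 0)


def discards_at(minutes):
    return [{"time": T0 + timedelta(minutes=m), "verdict": "discard"}
            for m in minutes]


BURST = discards_at(range(0, 30, 3))    # 10 discards in 27 minutes
SLOW = discards_at(range(0, 50, 5))     # 10 discards spread over 45 minutes
FORWARDS = [{"time": T0 + timedelta(minutes=m), "verdict": "forward"}
            for m in range(20)]

if __name__ == "__main__":
    print("burst:", alert_times(BURST))
    print("slow: ", alert_times(SLOW))
```

The window is a sliding one, so ten discards spread over 45 minutes never trip it, while a second burst after a quiet period raises a second notice.
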
FIG. 6 is a flowchart illustrating a method 600 for protecting an internal computer network 115 from hostile Downloadables. Method 600 begins with step 605 by ID generator 315 receiving a Downloadable. ID generator 315 in step 610 generates a signature representing the received Downloadable. First comparator 320 in step 615 compares the received Downloadable with known Downloadables 307 previously stored in security database 240. If first comparator 320 in step 620 determines that the received Downloadable is the same as a known hostile Downloadable 307, then first comparator 320 in step 625 discards the received Downloadable and in step 630 forwards a substitute non-hostile Downloadable to the intended destination to inform the user. First comparator 320 in step 635 instructs record-keeping engine 335 to record the findings, i.e., a status report, in events log 245. Method 600 then ends.

If first comparator 320 in step 620 did not recognize the received Downloadable as a hostile Downloadable 307, then first comparator 320 in step 640 determines whether the received Downloadable is a known non-hostile Downloadable 307. If so, then first comparator 320 in step 645 retrieves the DSP data 310 corresponding to the known non-hostile Downloadable and jumps to step 655. Otherwise, first comparator 320 forwards the received Downloadable to code scanner 325, which in step 650 decomposes the received Downloadable into DSP data and then jumps to step 655.

In step 655, second comparator 330 compares the DSP data, either retrieved by first comparator 320 from security database 240 or generated by code scanner 325, with security policies 310 stored in security database 240. If second comparator 330 in step 660 determines that the DSP data violates a security policy 310, then second comparator 330 proceeds to step 625. Otherwise, second comparator 330 in step 665 passes the received Downloadable to internal computer network 115 as a non-hostile Downloadable and proceeds to step 635.

FIG. 7 is a flowchart illustrating details of method 650 for decomposing a Downloadable. Method 650 begins in step 705 with code scanner 325 disassembling the machine code of the Downloadable. Code scanner 325 in step 710 resolves a respective command in the machine code. Code scanner 325 in step 715 determines whether the resolved command is a suspect command. Examples of suspect commands include a memory allocation command, a loop command such as "goto", "while", "if", "then" or the like. If not, then code scanner 325 returns to step 710. Otherwise, code scanner 325 in step 720 decodes and registers the command and the command parameters as DSP data. Code scanner 325 in step 720 registers commands and command parameters into a format based on command class (e.g., file system class, network system class, memory system class and CPU system class). Code scanner 325 in step 725 determines whether the machine code includes another command. If so, then code scanner 325 returns to step 710. Otherwise, method 650 ends.

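The flow of FIG. 6 with the FIG. 7 loop inside it, as an added example that is not code from the filing. It assumes a Downloadable is text with one `<class>.<op> <argument>` command per line, that the known-Downloadable store is indexed by SHA-256 ahead of the byte comparison, that a policy is a list of denied (class, op, argument-prefix) rules per destination, and that a destination without a policy set is refused; all names and sample data are constructed.

```python
import hashlib
from dataclasses import dataclass, field

SUSPECT_CLASSES = {"file", "network", "memory", "cpu"}  # classes listed for step 720


def decompose(code):
    """FIG. 7 loop: resolve every command, register suspect ones as DSP data."""
    dsp = []
    for line in code.decode("utf-8", errors="replace").splitlines():
        head, _, arg = line.strip().partition(" ")
        cls, _, op = head.partition(".")
        if cls in SUSPECT_CLASSES and op:            # step 715: suspect command?
            dsp.append((cls, op, arg.strip()))       # step 720: register it
    return dsp


@dataclass
class SecurityDatabase:
    policies: dict                                   # destination -> denied rules
    known: dict = field(default_factory=dict)        # digest -> (bytes, hostile, dsp)

    def remember(self, code, hostile, dsp):
        self.known[hashlib.sha256(code).hexdigest()] = (code, hostile, dsp)

    def lookup(self, code):
        # The digest only narrows the search; byte equality is the actual match.
        entry = self.known.get(hashlib.sha256(code).hexdigest())
        return entry if entry is not None and entry[0] == code else None


def violations(dsp, rules):
    """Step 655: DSP entries matching a denied (class, op, argument-prefix) rule."""
    return [d for d in dsp for (cls, op, prefix) in rules
            if d[:2] == (cls, op) and d[2].startswith(prefix)]


def method_600(code, destination, db, events):
    """Return 'forward' or 'discard' and append one status report to events."""
    entry = db.lookup(code)                          # steps 615, 620, 640
    rules = db.policies.get(destination)
    hits = []
    if entry is not None and entry[1]:
        verdict, source = "discard", "known-hostile"      # step 625
    elif rules is None:
        # Assumed choice: no policy set for this destination means fail closed.
        verdict, source = "discard", "no-policy"
    else:
        if entry is not None:
            dsp, source = entry[2], "known-non-hostile"   # step 645
        else:
            dsp, source = decompose(code), "scanned"      # step 650
        hits = violations(dsp, rules)
        verdict = "discard" if hits else "forward"        # steps 660, 665
        if source == "scanned" and not hits:
            db.remember(code, False, dsp)                 # cache profile for reuse
    events.append({"destination": destination, "verdict": verdict,
                   "source": source, "hits": hits})       # step 635
    return verdict


# Constructed sample data (not from the filing).
POLICIES = {
    "manager": [("file", "write", "/etc/")],
    "secretary": [("file", "write", "/etc/"), ("network", "connect", "")],
}
KNOWN_HOSTILE = b"file.write /etc/passwd\n"
VARIANT = KNOWN_HOSTILE + b"ui.draw padding\n"       # differs by one harmless line
APPLET = b"ui.draw banner\nnetwork.connect stats.example.test:80\n"


def demo():
    db, events = SecurityDatabase(policies=POLICIES), []
    db.remember(KNOWN_HOSTILE, True, [])
    for code, dest in [(KNOWN_HOSTILE, "manager"), (VARIANT, "manager"),
                       (APPLET, "manager"), (APPLET, "secretary"),
                       (APPLET, "contractor")]:
        method_600(code, dest, db, events)
    return [(e["source"], e["verdict"]) for e in events]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The sample run shows two things the description implies: an exact-match list alone misses a Downloadable that differs by a single line, so the profile comparison has to catch it, and a cached profile is still re-evaluated against each destination's own policy set.
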
The foregoing description of the preferred embodiments of the invention is by way of example only, and other variations of the above-described embodiments and methods are provided by the present invention. For example, although the invention has been described in a system for protecting an internal computer network, the invention can be embodied in a system for protecting an individual computer. Components of this invention may be implemented using a programmed general purpose digital computer, using application specific integrated circuits, or using a network of interconnected conventional components and circuits. The embodiments described herein have been presented for purposes of illustration and are not intended to be exhaustive or limiting. Many variations and modifications are possible in light of the foregoing teaching. The system is limited only by the following claims.

1. A computer-based method for determining whether a Downloadable is hostile, comprising the steps of:
receiving a Downloadable;
decomposing the Downloadable into Downloadable security profile data;
comparing the Downloadable security profile data against predetermined security policies to determine if a security policy has been violated; and
discarding the received Downloadable when a security policy has been violated.

2. A computer-based method for protecting a computer from hostile Downloadables, comprising the steps of:
receiving a Downloadable;
discarding the received Downloadable when the received Downloadable matches a predetermined hostile Downloadable;
obtaining Downloadable security profile data on the received Downloadable when the Downloadable does not match a predetermined hostile Downloadable; and
discarding the received Downloadable when the Downloadable security profile data violates a predetermined security policy.

3. A system for determining whether a Downloadable is hostile, comprising:
a security database storing security policies;
an interface for receiving a current Downloadable;
a code scanner, coupled to the interface, for decomposing the current Downloadable into Downloadable security profile data; and
a comparator, coupled to the code scanner and to the security database, for comparing the security policies against the Downloadable security profile data to determine if a security policy has been violated.

4. A system for protecting a computer from hostile Downloadables, comprising:
an interface for receiving a Downloadable;
a first memory portion storing security policies;
a second memory portion storing known hostile Downloadables;
a first comparator, coupled to the interface and to the first memory portion, for discarding the received Downloadable when it matches one of the known hostile Downloadables; and
a second comparator, coupled to the first comparator and to the second memory portion, for discarding the received Downloadable if it violates one of security policies.

5. A system for determining whether a Downloadable is hostile, comprising:
means for receiving a Downloadable;
means for decomposing the Downloadable into Downloadable security profile data;
means for comparing the Downloadable security profile data against predetermined security policies to determine if a security policy has been violated; and
means for discarding the received Downloadable when a security policy has been violated.

6. A system for protecting a computer from hostile Downloadables, comprising:
means for receiving a Downloadable;
means for discarding the received Downloadable when the received Downloadable matches a predetermined hostile Downloadable;
means for obtaining Downloadable security profile data on the received Downloadable when the Downloadable does not match a predetermined hostile Downloadable; and
means for discarding the received Downloadable when the Downloadable security profile data violates a predetermined security policy.

7. A computer-readable storage medium storing program code for causing a computer to perform the steps of:
receiving a Downloadable;
decomposing the Downloadable into Downloadable security profile data;
comparing the Downloadable security profile data against predetermined security policies to determine if a security policy has been violated; and
discarding the received Downloadable when a security policy has been violated.

8. A computer-readable storage medium storing program code for causing a computer to perform the steps of:
receiving a Downloadable;
discarding the received Downloadable when the received Downloadable matches a predetermined hostile Downloadable;
obtaining Downloadable security profile data on the received Downloadable when the Downloadable does not match a predetermined hostile Downloadable; and
discarding the received Downloadable when the Downloadable security profile data violates a predetermined security policy.

APPENDIX

31-OCT-1996  FROM FINJAN SOFTWARE

Gateway Level Corporate Security for the New World of Java™ and Downloadables

SurfinGate™ Means Business

New downloadable technologies including Java™ and ActiveX™ present today's enterprises with expanded intranet capabilities, but they also expose corporate computer resources to new kinds of security attacks. SurfinGate™ addresses the new computing paradigm with corporate-level security at the gateway level for safe use of Java and other Internet downloadables. An intelligent security solution for companies with access to the Internet, SurfinGate functions at the corporate gateway, where it intelligently scans, digitally signs, and controls all downloadables before they access the network. SurfinGate's powerful enterprise-wide security is combined with efficient, centralized control of the company's Intranet computer users.

SurfinGate offers corporate security managers the ability to:

- Establish a security policy for use of Java applets and other Internet downloadables
- Prevent loading of suspicious Java applets or ActiveX entities at the gateway level
- Provide corporate users with safe Internet access without having to disable downloadable technology such as Java or ActiveX
- Protect the corporate resources from damage or unauthorized access by downloadables

SurfinGate addresses a new computing paradigm, where mini-applications called downloadables are automatically pushed into corporate Intranets unbeknownst to users. As Intranet users access the on-line resources they need, the business enterprise is exposed to downloadable-transmitted risks like corporate espionage, e-mail fraud, or resource attacks. For the corporate security manager, the new paradigm's Java applets and ActiveX technologies represent serious new security threats that are simply not addressed by built-in security systems like the Java Security Manager. SurfinGate offers sophisticated security at the outermost gateway level, keeping potentially problematic applets completely outside of the corporate environment.

SurfinGate functions:

- Intelligently scans, analyzes, and controls automatically downloaded Java applets or ActiveX entities
- Specifically executes corporate security policy as defined by the security manager via Security Management Console (SMC), including:
  o blocking out any applet that meets a suspicious applet profile
  o positively identifying applets before allowing them into the system
  o scanning applets for unauthorized actions and assigning appropriate applet security profile
  o intelligently deciding appropriate access based on security policy guidelines and on applet security profile
  o digitally signing acceptable applets before entry

Control and Security from Three Different Perspectives

The essence of SurfinGate's protective powers is a three-fold checks and balances process that includes the profile generator, database, and Security Management Console. Incoming applets or objects are first "x-rayed" to expose any potential problems and are assigned a security profile. That profile is then checked against known hostile applets in the database, and is evaluated yet again with information from the Security Management Console (SMC) to ensure that filtering precisely executes the company's security policy. An integral part of SurfinGate, the SMC allows corporate security managers specific control over business groups or departments, including what resources are available to which intranet users at what times.

SurfinGate features and benefits

- easy customization and implementation of a corporate security policy for downloadables
- a layer of security several steps away from critical resources
- extensive built-in database of potentially hostile or problematic Java applets
- central control over Internet downloadable activity
- case-specific downloadable security policy instead of total exclusion of all downloadable technology
- protection against downloadables that is compatible with other security devices including firewalls
- simple set-up of corporate hierarchy to develop appropriate user access

SurfinGate is available from Finjan Software, the leading provider of multi-layer security solutions for the new world of Internet/Intranet downloadables. The Finjan suite of solutions protect enterprise and stand-alone computer resources from the potential risks of downloadables