US006167520A
[11] Patent Number: 6,167,520
[45] Date of Patent: Dec. 26, 2000
`
`[54] SYSTEM AND METHOD FOR PROTECTING
`A CLIENT DURING RUNTIME FROM
`HOSTILE DOWNLOADABLES
`
[75] Inventor: Shlomo Touboul, Kefar-Haim, Israel

[73] Assignee: Finjan Software, Inc., San Jose, Calif.

[21] Appl. No.: 08/790,097
[22] Filed: Jan. 29, 1997

Related U.S. Application Data
[60] Provisional application No. 60/030,639, Nov. 8, 1996.

[51] Int. Cl.7 ......................... G06F 11/30; H04L 9/00
[52] U.S. Cl. .......................... 713/200; 709/225
[58] Field of Search .................. 395/186, 200.55, 200.59; 364/222.5, 286.4, 286.5; 326/8; 711/163; 713/200, 201; 380/4, 25

[56] References Cited

U.S. PATENT DOCUMENTS

5,077,677 12/1991 Murphy et al. ................. 395/10
5,359,659 10/1994 Rosenthal .................... 380/4
5,361,359 11/1994 Tajalli et al. ............... 395/700
5,485,409 1/1996 Gupta et al. .................. 395/186
5,485,575 1/1996 Chess et al. .................. 395/183.14
5,572,643 11/1996 Judson ....................... 395/793
5,692,047 11/1997 McManis ...................... 380/4
5,692,124 11/1997 Holden et al. ................ 395/187.01
5,720,033 2/1998 Deo ........................... 395/186
5,724,425 3/1998 Chang et al. .................. 380/25
5,740,248 4/1998 Fieres et al. ................. 380/25
5,761,421 6/1998 Van Hoff et al. ............... 395/200.53
5,765,205 6/1998 Breslau et al. ................ 711/203
5,784,459 7/1998 Devarakonda et al. ............ 380/4
[one entry not legible in the scan]
5,832,208 11/1998 Chen et al. .................. 395/187.01
5,850,559 12/1998 Angelo et al. ................ 395/750.03
5,859,966 1/1999 Hayman et al. ................. 395/186
5,864,683 1/1999 Boebert et al. ................ 395/200.79
5,892,904 4/1999 Atkinson et al. ............... 395/187.01
5,956,481 9/1999 Walsh et al. .................. 395/186
5,983,348 11/1999 Ji ........................... 713/200

OTHER PUBLICATIONS

IBM AntiVirus User's Guide Version 2.4, pp. 6-7, Nov. 1995.
Zhang, X.N., "Secure Code Distribution," Computer, vol. 30, Jun. 1997, pp. 76-79.
"Finjan Announces a Personal Java™ Firewall For Web Browsers—the SurfinShield™ 1.6", Press Release of Finjan Releases SurfinShield, Oct. 21, 1996, 2 pages.
"Finjan Software Releases SurfinBoard, Industry's First JAVA Security Product For the World Wide Web", Article published on the Internet by Finjan Software, Ltd., Jul. 29, 1996, 1 page.
"Powerful PC Security for the New World of Java™ and Downloadables, SurfinShield™" Article published on the Internet by Finjan Software Ltd., 1996, 2 pages.
"Company Profile Finjan—Safe Surfing, The Java Security Solutions Provider" Article published on the Internet by Finjan Software Ltd., Oct. 31, 1996, 3 pages.
"Finjan Announces Major Power Boost and New Features for SurfinShield™ 2.0" Las Vegas Convention Center/Pavillion 5 P5551, Nov. 18, 1996, 3 pages.

(List continued on next page)

Primary Examiner—Dieu-Minh T. Le
Attorney, Agent, or Firm—Graham & James LLP

[57] ABSTRACT

A system and method examine execution or interpretation of a Downloadable for operations deemed suspicious or hostile, and respond accordingly. The system includes security rules defining suspicious actions and security policies defining the appropriate responsive actions to rule violations. The system includes an interface for receiving incoming Downloadable and requests made by the Downloadable. The system still further includes a comparator coupled to the interface for examining the Downloadable, requests made by the Downloadable and runtime events to determine whether a security policy has been violated, and a response engine coupled to the comparator for performing a violation-based responsive action.

8 Claims, 6 Drawing Sheets
`
`505
`
`RECUGNIZE
`RECEEP] OF A REQUEST MADE EV A
`DOWNLOAD ABLE DURING RUNTIM
`'7
`
`YES
`
`ARE
`ANY INCDMING
`DOWNLUADAMS KNOWN [0
`BE SUSSICIOUS
`ND
`
`ARE
`IHE EXECUIING
`DUWNLQADABLES m VIOLATION
`3}’ A RULE
`6
`
`525
`
`NO
`
`540
`
`RESUME OPERATION
`OF THE DOWNLDAD ABLE
`
`MANAGE [HE SUSPIEIOUS DOWNLGADABLES
`
`000001
`
`Symantec 1010
`IPR of U.S. Pat. No. 8,677,494
`
`
`
`6,167,520
`Page 2
`
`OTHER PUBLICATIONS
`
`“Java Security: Issues & Solutions” Article published on the
`Internet by Finjan Software Ltd., 1996, 8 pages.
`Mark LaDue, “Online Business Consultant” Article pub
`lished on the Internet, Home Page, Inc. 1996, 4 pages.
`Jim K. Ornura, “Novel Applications of Cryptography in
`Digital Communications”, IEEE Communications Maga
`Zine, May 1990; pp. 21—27.
`Norvin Leach et al, “IE 3.0 Applets Will Earn Certi?cation”,
`PC Week, v13, n29, 2 pages, Jul. 22, 1996.
`
`Microsoft Authenticode Technology, “Ensuring Account
`ability and Authenticity for Software Components on the
`Internet”, Microsoft Corporation, Oct. 1996, including con
`tents, Introduction and pp. 1—10.
`
`Web page: http://iel.ihs.corn:80/cgi—bin/ielicgi?se .
`.
`.
`2ehts%26VieWTernplate%3ddocvieW%5fb%2ehts,
`Oka
`rnato, E. et al., “ID—Based Authentication System For Corn
`puter Virus Detection”, IEEE/IEE Electronic Library online,
`Electronics Letters, vol. 26, Issue 15, ISSN 0013—5194, Jul.
`19, 1990, Abstract and pp. 1169—1170.
`
`000002
`
`
`
U.S. Patent, Dec. 26, 2000, Sheet 1 of 6, 6,167,520

[Drawing sheet 1: block diagrams; the reference labels are not legible in this scan.]

U.S. Patent, Dec. 26, 2000, Sheet 2 of 6, 6,167,520

[Drawing sheet 2: block diagram; the reference labels are not legible in this scan.]
`
`
`
U.S. Patent, Dec. 26, 2000, Sheet 3 of 6, 6,167,520

[Drawing sheet 3: block diagram; the reference labels are not legible in this scan.]
`
`
`
U.S. Patent, Dec. 26, 2000, Sheet 4 of 6, 6,167,520

FIG. 5 (method 500), flowchart text recovered from the drawing:
START (500)
505: Recognize receipt of a request made by a Downloadable during runtime? (repeat until YES)
506: Interrupt processing of the request
508: Forward a message identifying the Downloadable to the event router
510: Inform user
515: Log events
520: Are any incoming Downloadables known to be suspicious? YES: go to 530; NO: go to 525
525: Are the executing Downloadables in violation of a rule? YES: go to 530; NO: go to 540
530: Manage the suspicious Downloadables
540: Resume operation of the Downloadable
535: End? NO: return to 505; YES: END
`
`
`
U.S. Patent, Dec. 26, 2000, Sheet 5 of 6, 6,167,520

FIG. 6 (details of step 530), flowchart text recovered from the drawing:
610: Compile all current rule violations
620: Compare rule violations with security policies
630: Perform a predetermined response action based on the comparison
`
`
`
U.S. Patent, Dec. 26, 2000, Sheet 6 of 6, 6,167,520

FIG. 7 (method 700), flowchart text recovered from the drawing:
START (700)
705: Monitor operating system for all OS requests
710: OS request recognized? (repeat until YES)
715: Interrupt OS request
720: Forward information on OS request to the event router
725: Is OS request suspicious? NO: go to 730; YES: go to 735
730: Resume OS request
735: Manage the suspicious Downloadable
740: End? NO: return to 705; YES: END
`
`
`
`6,167,520
`
`1
`SYSTEM AND METHOD FOR PROTECTING
`A CLIENT DURING RUNTIME FROM
`HOSTILE DOWNLOADABLES
`CROSS-REFERENCE TO RELATED
`APPLICATIONS
`This application is related to co-pending provisional
`patent application ?led on Nov. 8, 1996, entitled “System
`and Method for Protecting a Computer from Hostile
`DoWnloadables,” Ser. No. 60/030,639, by inventor Shlomo
`Touboul, Which subject matter is hereby incorporated by
`reference.
`
`10
`
`15
`
`20
`
`25
`
`30
`
`2
`security rules de?ning suspicious actions such as WRITE
`operations to a system con?guration ?le, overuse of system
`memory, overuse of system processor time, etc. and security
`policies de?ning the appropriate responsive actions to rule
`violations such as terminating the applet, limiting the
`memory or processor time available to the applet, etc. The
`system includes an interface, such as J avaTM class extensions
`and operating system probes, for receiving incoming DoWn
`loadable and requests made by the DoWnloadable. The
`system still further includes a comparator coupled to the
`interface for examining the DoWnloadable, requests made
`by the DoWnloadable and runtime events to determine
`Whether a security policy has been violated, and a response
`engine coupled to the comparator for performing the
`violation-based responsive action.
`The present invention further provides a method for
`protecting a client from hostile DoWnloadables. The method
`includes the steps of recogniZing a request made by a
`DoWnloadable during runtime, interrupting processing of
`the request, comparing information pertaining to the DoWn
`loadable against a predetermined security policy, recording
`all rule violations in a log, and performing a predetermined
`responsive action based on the comparison.
`It Will be appreciated that the system and method of the
`present invention use at least three hierarchical levels of
`security. A?rst level examines the incoming DoWnloadables
`against knoWn suspicious DoWnloadables. A second level
`examines runtime events. A third level examines the DoWn
`loadables operating system requests against predetermined
`suspicious actions. Thus, the system and method of the
`invention are better able to locate hostile operations before
`client resources are damaged.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`FIG. 1 is a block diagram illustrating a netWork system in
`accordance With the present invention;
`FIG. 2 is a block diagram illustrating details of the client;
`FIG. 3 is a block diagram illustrating details of a security
`system;
`FIG. 4 is a block diagram illustrating details of an
`alternative security system;
`FIG. 5 is a ?oWchart illustrating a method for protecting
`a client from suspicious DoWnloadables;
`FIG. 6 is a ?oWchart illustrating the method for managing
`a suspicious DoWnloadable; and
`FIG. 7 is a ?oWchart illustrating a supplementary method
`for protecting a client from suspicious DoWnloadables.
`
`DETAILED DESCRIPTION OF THE
`PREFERRED EMBODIMENT
`
`FIG. 1 is a block diagram illustrating a netWork system
`100 in accordance With the present invention. NetWork
`system 100 includes a server 110 coupled to a communica
`tions channel 120, e.g., an Internet or an Intranet. The
`communications channel 120 is in turn coupled to a client
`130, e.g., an individual computer, a netWork computer, a
`kiosk Workstation, etc., Which includes a security system
`135 for protecting the client 130 from hostile (i.e., Will
`adversely effect the operational characteristics of the client
`130) or suspicious (i.e., potentially hostile) doWnloadables.
`Server 110 forWards a DoWnloadable 140 across the
`communications channel 120 to the client 130. During
`runtime, the security system 135 examines each DoWnload
`able 140 and the actions of each DoWnloadable 140 to
`monitor for hostile or suspicious actions.
`
`BACKGROUND OF THE INVENTION
`1. Field of the Invention
`This invention relates generally to computer networks,
`and more particularly to a system and method for protecting
`clients from hostile DoWnloadables.
`2. Description of the Background Art
`The Internet currently interconnects about 100,000 indi
`vidual computer netWorks and several million computers.
`Because it is public, the Internet has become a major source
`of many system damaging and system fatal application
`programs, commonly referred to as “viruses.”
`In response to the Widespread generation and distribution
`of computer viruses, programmers continue to design and
`update security systems for blocking these viruses from
`attacking both individual and netWork computers. On the
`most part, these security systems have been relatively suc
`cessful. HoWever, these security systems are typically not
`con?gured to recogniZe computer viruses Which have been
`attached to or masked as harmless DoWnloadables (i.e.,
`applets). A DoWnloadable is a small executable or interpret
`able application program Which is doWnloaded from a
`source computer and run on a destination computer. A
`DoWnloadable is used in a distributed environment such as
`35
`in the JavaTM distributed environment produced by Sun
`Microsystems or in the ActiveXTM distributed environment
`produced by Microsoft Corporation.
`Hackers have developed hostile DoWnloadables designed
`to penetrate security holes in DoWnloadable interpreters. In
`response, Sun Microsystems, Inc. has developed a method
`of restricting DoWnloadable access to resources (?le system
`resources, operating system resources, etc.) on the destina
`tion computer, Which effectively limits DoWnloadable func
`tionality at the JavaTM interpreter. Sun Microsystems, Inc.
`has also provided access control management for basing
`DoWnloadable-accessible resources on DoWnloadable type.
`HoWever, the above approaches are difficult for the ordinary
`Web surfer to manage, severely limit JavaTM performance
`and functionality, and insufficiently protect the destination
`computer.
`Other security system designers are currently considering
`digital signature registration stamp techniques, Wherein,
`before a Web broWser Will execute a DoWnloadable, the
`DoWnloadable must possess a digital signature registration
`stamp. Although a digital signature registration stamp Will
`diminish the threat of DoWnloadables being intercepted,
`exchanged or corrupted, this approach only partially
`addresses the problem. This method does not stop a hostile
`DoWnloadable from being stamped With a digital signature,
`and a digital signature does not guarantee that a DoWnload
`able is harmless. Therefore, a system and method are needed
`for protecting clients from hostile DoWnloadables.
`
`40
`
`45
`
`55
`
`60
`
`SUMMARY OF THE INVENTION
`The present invention provides a system for protecting a
`client from hostile DoWnloadables. The system includes
`
`65
`
`000009
`
`
`
`3
`FIG. 2 is a block diagram illustrating details of a client
`130, Which includes a Central Processing Unit (CPU) 205,
`such as a Motorola PoWer PC® microprocessor or an Intel
`Pentiurn® microprocessor, coupled to a signal bus 220. The
`client 130 further includes an input device 210 such as a
`keyboard and mouse, an output device 215 such as a
`Cathode Ray Tube (CRT) display, a data storage device 230
`such as Read Only Memory (ROM) or magnetic disk, and a
`Random-Access Memory (RAM) 235, each being coupled
`to signal bus 220. A communications interface 225 is
`coupled betWeen the communications channel 120 and the
`signal bus 220.
`An operating system 260 controls processing by CPU
`205, and is typically stored in data storage device 230 and
`loaded into RAM 235 for execution. The operating system
`260 includes a ?le management system 265, a netWork
`management system 270, a process system 275 for control
`ling CPU 205, and a memory management system 280 for
`controlling memory use and allocation. A communications
`engine 240 generates and transfers message packets to and
`from the communications channel 140 via the communica
`tions interface 225, and may also be stored in data storage
`device 230 and loaded into RAM 235 for execution.
`The client 130 further includes a Web broWser 245, such
`as the NetscapeTM Web broWser produced by the Netscape
`Corporation, the Internet ExplorerTM Web broWser produced
`by the Microsoft Corporation, or the J avaTM Developers Kit
`1.0 Web broWser produced by Sun Microsystems, Inc., for
`communicating via the communications channel 120. The
`Web broWser 245 includes a DoWnloadable engine 250 for
`managing and executing received DoWnloadables 140.
`The client 130 further includes the security system 135 as
`described With reference to FIG. 1. The security system 135
`may be stored in data storage device 230 and loaded into
`RAM 235 for execution. During runtime, the security sys
`tem 135 intercepts and examines DoWnloadables 140 and
`the actions of DoWnloadables 140 to monitor for hostile or
`suspicious actions. If the security system 135 recogniZes a
`suspicious DoWnloadable 140 or a suspicious request, then
`the security system 135 can perform an appropriate respon
`sive action such as terminating execution of the DoWnload
`able 140.
`FIG. 3 is a block diagram illustrating details of the
`security system 135a, Which is a ?rst embodiment of secu
`rity system 135 of FIG. 2 When operating in conjunction
`With a J avaTM virtual machine 250 (i.e., the DoWnloadable
`engine 250) that includes conventional J avaTM classes 302.
`Each of the J avaTM classes 302 performs a particular service
`such as loading applets, managing the netWork, managing
`?le access, etc. Although DoWnloadables are being
`described With reference to the JavaTM distributed
`environment, DoWnloadables herein correspond to all doWn
`loadable executable or interpretable programs for use in any
`distributed environment such as in the ActiveXTM distributed
`environment.
`Examples of J avaTM classes used in Netscape NavigatorTM
`include AppletSecurity.class, EmbeddedAppletFrame.class,
`AppletClassLoader.class, MoZillaAppletContext.class,
`ServerSocket.class, SecurityException.class and
`SecurityManager.class, etc. Examples of JavaTM classes
`used in Internet ExplorerTM include AppletSecurity.class,
`BroWserAppletFrame.class, AppletClassLoader.class,
`ServerSocket.class, SecurityException.class and
`SecurityManager.class, etc. Other classes may include
`Broker.class, BCInterface.class, SocketConnection.class,
`queueManager.class, BroWserExtension.class,
`Message.class, MemoryMeter.class and AppletDescription
`.class.
`
`10
`
`15
`
`25
`
`35
`
`45
`
`55
`
`65
`
`6,167,520
`
`4
`The security system 135a includes JavaTM class exten
`sions 304, Wherein each extension 304 manages a respective
`one of the JavaTM classes 302. When a neW applet requests
`the service of a Java class 302, the corresponding JavaTM
`class extension 304 interrupts the request and generates a
`message to notify the request broker 306 of the DoWnload
`able’s request. The request broker 306 uses TCP/IP message
`passing protocol to forWard the message to the event router
`308.
`The security system 135a further includes operating sys
`tem probes 310, 312, 314 and 316. More particularly, a ?le
`management system probe 310 recogniZes applet instruc
`tions sent to the ?le system 265 of operating system 260, a
`netWork system probe 312 recogniZes applet instructions
`sent to the netWork management system 270 of operating
`system 260, a process system probe 314 recogniZes applet
`instructions sent to the process system 275 of operating
`system 260, and a memory management system probe 316
`recogniZes applet instructions sent to the memory system
`280 of operating system 260. When any of the probes
`310—316 recogniZes an applet instruction, the recogniZing
`probe 310—316 sends a message to inform the event router
`308.
`Upon receipt of a message, the event router 308 accord
`ingly forWards the message to a Graphical User Interface
`(GUI) 324 for notifying the user of the request, to an event
`log 322 for recording the message for subsequent analysis,
`and to a runtime environment monitor 320 for determining
`Whether the request violates a security rule 330 stored in a
`security database 326. Security rules 330 include a list of
`computer operations Which are deemed suspicious. Suspi
`cious operations may include READ/W RITE operations to
`a system con?guration ?le, READ/WRITE operations to a
`document containing trade secrets, overuse of system
`memory, overuse of system processor time, too many
`applets running concurrently, or too many images being
`displayed concurrently. For example, the runtime environ
`ment monitor 320 may determine that a security rule 330 has
`been violated When it determines that an applet uses more
`than tWo megabytes of RAM 235 or When the J avaTM virtual
`machine 250 runs more than ?ve applets concurrently.
`Upon recognition of a security rule 330 violation, the
`runtime environment monitor 320 records the violation With
`the event log 322, informs the user of the violation via the
`GUI 324 and forWards a message to inform the response
`engine 318 of the violation. The response engine 318
`analyZes security policies 332 stored in the security database
`326 to determine the appropriate responsive action to the
`rule 330 violation. Appropriate responsive actions may
`include terminating the applet, limiting the memory or
`processor time available to the applet, etc. For example, the
`response engine 318 may determine that a security policy
`332 dictates that When more than ?ve applets are executed
`concurrently, operation of the applet using the greatest
`amount of RAM 235 should be terminated. Further, a
`security policy 332 may dictate that When an applet or a
`combination of applets violates a security policy 332, the
`response engine 318 must add information pertaining to the
`applet or applets to the suspicious DoWnloadables database
`328. Thus, When the applet or applets are encountered again,
`the response engine 318 can stop them earlier.
`The GUI 324 enables a user to add or modify the rules 330
`of the security database 326, the policies 332 of the security
`database 326 and the suspicious applets of the suspicious
`DoWnloadables database 328. For example, a user can use
`the GUI 324 to add to the suspicious DoWnloadables data
`base 328 applets generally knoWn to be hostile, applets
`
`000010
`
`
`
`6,167,520
`
`5
`deemed to be hostile by the other clients 130 (not shown),
`applets deemed to be hostile by network MIS managers, etc.
`Further, a user can use the GUI 324 to add to the rules 330
`actions generally knoWn to be hostile, actions deemed to be
`hostile by netWork MIS managers, etc.
`It Will be appreciated that the embodiment illustrated in
`FIG. 3 includes three levels of security. The ?rst level
`examines the incoming DoWnloadables 140 against knoWn
`suspicious DoWnloadables. The second level examines the
`DoWnloadables’ access to the JavaTM classes 302. The third
`level examines the DoWnloadables requests to the operating
`system 260. Thus, the security system 135a is better apt to
`locate a hostile operation before an operation damages client
`130 resources.
`FIG. 4 is a block diagram illustrating details of a security
`system 135b, Which is a second embodiment of security
`system 135 When operating in conjunction With the
`ActiveXTM platform (i.e., the DoWnloadable engine 250)
`Which uses message 401 calls, Dynamic-Data-Exchange
`(DDE) 402 calls and Dynamically-Linked-Library (DLL)
`403 calls. Thus, instead of having JavaTM class extensions
`304, the security system 135 has a messages extension 401
`for recogniZing message 401 calls, a DDE extension 405 for
`recogniZing DDE 402 calls and a DLL extension 406 for
`recogniZing DLL calls. Upon recognition of a call, each of
`the messages extension 404, the DDE extension 405 and the
`DLL extension 406 send a message to inform the request
`broker 306. The request broker 306 and the remaining
`elements operate similarly to the elements described With
`reference to FIG. 3.
`FIG. 5 is a ?oWchart illustrating a method 500 for
`protecting a client 130 from hostile and suspicious DoWn
`loadables 140. Method 500 begins With the extensions 304,
`404, 405 or 406 in step 505 Waiting to recogniZe the receipt
`of a request made by a DoWnloadable 140. Upon recognition
`of a request, the recogniZing extension 304, 404, 405 or 406
`in step 506 interrupts processing of the request and in step
`508 generates and forWards a message identifying the
`incoming DoWnloadable 140 to the request broker 306,
`Which forWards the message to the event router 308.
`The event router 308 in step 510 forWards the message to
`the GUI 324 for informing the user and in step 515 to the
`event log 322 for recording the event. Further, the event
`router 308 in step 520 determines Whether any of the
`incoming DoWnloadables 140 either alone or in combination
`are knoWn or previously determined to be suspicious. If so,
`then method 500 jumps to step 530. OtherWise, the runtime
`environment monitor 320 and the response engine 318 in
`step 525 determine Whether any of the executing DoWn
`loadables 140 either alone or in combination violate a
`security rule 330 stored in the security database 332.
`If a rule 330 has been violated, then the response engine
`318 in step 530 manages the suspicious DoWnloadable 140.
`Step 530 is described in greater detail With reference to FIG.
`6. OtherWise, if a policy has not been violated, then response
`engine 318 in step 540 resumes operation of the DoWnload
`able 140. In step 535, a determination is made Whether to
`end method 500. For example, if the user disconnects the
`client 130 from the server 110, method 500 ends. If a request
`to end is made, then method 500 ends. OtherWise, method
`500 returns to step 505.
`FIG. 6 is a ?oWchart illustrating details of step 530. Since
`multiple rule 330 violations may amount to a more serious
`violation and thus require a stricter response by the response
`engine 318, step 530 begins With the response engine 318 in
`step 610 compiling all rule 330 violations currently occur
`
`10
`
`15
`
`25
`
`35
`
`45
`
`55
`
`65
`
`6
`ring. The response engine 318 in step 620 compares the
`compiled rule 330 violations With the security policies 332
`to determine the appropriate responsive action for managing
`the suspicious DoWnloadable 140 or DoWnloadables 140,
`and in step 630 the response engine 318 performs a prede
`termined responsive action. Predetermined responsive
`actions may include sending a message via the GUI 324 to
`inform the user, recording the message in the event log 322,
`stopping execution of a suspicious DoWnloadable 140, stor
`ing a DoWnloadable 140 or combination of DoWnloadables
`140 in the suspicious DoWnloadable database 328, limiting
`memory available to the DoWnloadable 140, limiting pro
`cessor time available to the DoWnloadable 140, etc.
`FIG. 7 is a ?oWchart illustrating a supplementary method
`700 for protecting a client 130 from suspicious DoWnload
`ables 140. Method 700 begins With operating system probes
`310, 312, 314 and 316 in step 705 monitoring the operating
`system 260 for Operating System (OS) requests from DoWn
`loadables 140. As illustrated by step 710, When one of the
`probes 310—316 recogniZes receipt of an OS request, the
`recogniZing probe 310—316 in step 715 interrupts the request
`and in step 720 forWards a message to inform the event
`router 308.
`The event router 308 in step 725 routes the information to
`each of the components of the security engine 135 as
`described With reference to FIG. 5. That is, the event router
`308 forWards the information to the GUI 324 for informing
`the user, to the event log 322 for recordation and to the
`runtime environment monitor 320 for determining if the OS
`request violates a rule 330. The response engine 318 com
`pares the OS request alone or in combination With other
`violations against security policies 332 to determine the
`appropriate responsive actions. It Will be appreciated that,
`based on the security policies 332, the response engine 318
`may determine that an OS request violation in combination
`With other OS request violations, in combination With rule
`330 violations, or in combination With both other OS request
`violations and rule 330 violations merits a stricter responsive
`action.
`If the OS request does not violate a security rule 330, then
`the response engine 318 in step 730 instructs the operating
`system 260 via the recogniZing probe 310—316 to resume
`operation of the OS request. OtherWise, if the OS request
`violates a security rule 330, then the response engine 318 in
`step 730 manages the suspicious DoWnloadable by perform
`ing the appropriate predetermined responsive actions as
`described With reference to FIGS. 5 and 6. In step 740, a
`determination is made Whether to end method 700. If a
`request to end the method is made, then method 700 ends.
`OtherWise, method 700 returns to step 705.
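The three-level check of methods 500 and 700 (FIGS. 5 to 7), together with the example rules and policies given above for the runtime environment monitor 320 and the response engine 318, as an added Python model that is not the patent's own code. The applet names, the sample configuration file paths and the policy table are constructed assumptions standing in for rules 330 and policies 332; the thresholds (two megabytes of RAM, five concurrent applets) are the ones the text quotes.

```python
# Added model (not the patent's code) of the three-level check of FIGS. 5 to 7.
from dataclasses import dataclass, field

# Security rules 330 quoted in the text: an applet using more than two megabytes
# of RAM 235, more than five applets running concurrently, and WRITE operations
# to a system configuration file (the file paths below are constructed).
MAX_APPLET_RAM_BYTES = 2 * 1024 * 1024
MAX_CONCURRENT_APPLETS = 5
SYSTEM_CONFIG_FILES = {"/etc/hosts", "C:\\WINDOWS\\SYSTEM.INI"}

# Security policies 332 (constructed): responsive action per kind of violation.
POLICIES = {
    "KNOWN_SUSPICIOUS": "TERMINATE",
    "CONFIG_WRITE": "TERMINATE",
    "TOO_MANY_APPLETS": "TERMINATE",   # applied to the applet using the most RAM
    "MEMORY_OVERUSE": "LIMIT_MEMORY",
}


@dataclass
class Downloadable:
    name: str            # applet identifier (constructed)
    ram_bytes: int       # RAM 235 currently used by the applet
    running: bool = True


@dataclass
class OSRequest:
    applet: str
    op: str              # "READ" or "WRITE"
    path: str


@dataclass
class SecuritySystem:
    suspicious_db: set = field(default_factory=set)   # suspicious Downloadables database 328
    event_log: list = field(default_factory=list)     # event log 322

    def known_suspicious(self, applets):
        """Level 1 (step 520): incoming Downloadables against the suspicious database."""
        return [("KNOWN_SUSPICIOUS", a.name) for a in applets if a.name in self.suspicious_db]

    def rule_violations(self, applets):
        """Level 2 (step 525): runtime environment monitor 320 applying rules 330."""
        running = [a for a in applets if a.running]
        violations = [("MEMORY_OVERUSE", a.name) for a in running
                      if a.ram_bytes > MAX_APPLET_RAM_BYTES]
        if len(running) > MAX_CONCURRENT_APPLETS:
            # The example policy names the applet using the greatest amount of RAM.
            hog = max(running, key=lambda a: a.ram_bytes)
            violations.append(("TOO_MANY_APPLETS", hog.name))
        return violations

    def os_request_violation(self, req):
        """Level 3 (FIG. 7): OS probes 310-316 examining an intercepted OS request."""
        if req.op == "WRITE" and req.path in SYSTEM_CONFIG_FILES:
            return [("CONFIG_WRITE", req.applet)]
        return []

    def manage(self, applets, violations):
        """Step 530 / FIG. 6: compile violations, compare with policies, respond."""
        by_applet = {}
        for kind, name in violations:                     # step 610
            self.event_log.append(f"violation {kind} by {name}")
            by_applet.setdefault(name, []).append(kind)
        actions = []
        for name in sorted(by_applet):                    # step 620
            kinds = by_applet[name]
            # Several violations by one applet merit the stricter response.
            action = "TERMINATE" if len(kinds) > 1 else POLICIES[kinds[0]]
            if action == "TERMINATE":                     # step 630
                for a in applets:
                    if a.name == name:
                        a.running = False
                self.suspicious_db.add(name)              # caught earlier next time
            actions.append((action, name))
        return actions

    def handle_request(self, applets, os_request=None):
        """Method 500 (with the FIG. 7 OS-request path) for one intercepted request."""
        self.event_log.append("request intercepted")      # steps 506 to 515
        violations = self.known_suspicious(applets)
        if not violations:
            violations = self.rule_violations(applets)
            if os_request is not None:
                violations += self.os_request_violation(os_request)
        if not violations:
            return [("RESUME", None)]                     # step 540 / step 730
        return self.manage(applets, violations)


def demo():
    """Constructed scenario: six applets running, one of them over the 2 MB limit."""
    sec = SecuritySystem()
    applets = [Downloadable(f"applet{i}", 500_000) for i in range(6)]
    applets[2].ram_bytes = 3_000_000
    first = sec.handle_request(applets)
    # The same applet seen again is stopped by level 1 alone.
    second = sec.handle_request([Downloadable("applet2", 100_000)])
    return first, second, sorted(sec.suspicious_db)
```

In the demo the over-limit applet triggers both the memory rule and the concurrency rule, so the combined violations escalate to termination and the applet is recorded in the suspicious database, which is why the second request is stopped at level 1 without any rule evaluation.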
The foregoing description of the preferred embodiments of the invention is by way of example only, and other variations of the above-described embodiments and methods are provided by the present invention. For example, although the invention has been described in a system for protecting an internal computer network, the invention can be embodied in a system for protecting an individual computer. Components of this invention may be implemented using a programmed general purpose digital computer, using application specific integrated circuits, or using a network of interconnected conventional components and circuits. The embodiments described herein have been presented for purposes of illustration and are not intended to be exhaustive or limiting. Many variations and modifications are possible in light of the foregoing teaching. The system is limited only by the following claims.
`
`
`
`6,167,520
`
`5
`
`10
`
`15
`
`20
`
`7
`
`What is claimed is:
`1. A computer-based method, comprising:
`monitoring the operating system during runtime for an
`event caused from a request made by a DoWnloadable;
`interrupting processing of the request;
`comparing information pertaining to the DoWnloadable
`against a predetermined security policy; and
`performing a predetermined responsive action based on
`the comparison, the predetermined responsive action
`including storing results of the comparison in an event
`log.
`2. A computer-based method, comprising:
`monitoring the operating system during runtime for an
`event caused from a request made by a DoWnloadable;
`interrupting processing of the request;
`comparing information pertaining to the DoWnloadable
`against a predetermined security policy; and
`performing a predetermined responsive action based on
`the comparison, the predetermined responsive action
`including storing the DoWnloadable in a suspicious
`DoWnloadable database.
`3. A system, comprising:
`a security policy;
`an operating system interface for recogniZing a runtime
`event caused from a request made by a DoWnloadable;
`a comparator coupled to the interface for comparing
`information pertaining to the received DoWnloadable
`With the security policy;
`a response engine coupled to the comparator for perform
`ing a predetermined responsive action based on the
`comparison With the security policy; and
`an event log coupled to the comparator for storing results
`of the comparison.
`4. A system, comprising:
`a security policy;
`an operating system interface for recogniZing a runtime
`event caused from a request made by a DoWnloadable;
`a comparator coupled to the interface for comparing
`information pertaining to the received DoWnloadable
`With the security policy;
`a response engine coupled to the comparator for perform
`ing a predetermined responsive action based on the
`comparison With the security policy; and
`a suspicious DoWnloadable database for storing knoWn
`and previously-deemed suspicious DoWnloadables.
`5. A system for determining Whether a DoWnloadable,
`Which is received by a DoWnloadable engine, is suspicious,
`comprising:
`
`8
`means for monitoring the operating system during runt
`ime for an event caused from a request made by a
`DoWnloadable;
`means for interrupting processing of the request;
`means for comparing information pertaining to the DoWn
`loadable against a predetermined security policy; and
`means for performing a predetermined responsive action
`based on the comparison, the predetermined responsive
`action including storing results of the comparison in an
`event log.
`6. A system for determining Whether a DoWnloadable,
`Which is received by a DoWnloadable engine, is suspicious,
`comprising:
`means for monitoring the operating system during runt
`ime for an event caused from a request made by a
`DoWnloadable;
`means for interrupting processing of the request;
`means for comparing information pertaining to the DoWn
`loadable against a predetermined security policy; and
`means for performing a predetermined responsive action
`based on the comparison, the predetermined responsive
`action including storing the DoWnloadable in a suspi
`cious DoWnloadable database.
`7. A computer-readable storage medium storing program
`code for causing a computer to perform the steps of: