WORLD INTELLECTUAL PROPERTY ORGANIZATION
International Bureau
INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(51) International Patent Classification 6: G06K
(11) International Publication Number: WO 98/21683 A2
(43) International Publication Date: 22 May 1998 (22.05.98)
(21) International Application Number: PCT/IB97/01626
(22) International Filing Date: 6 November 1997 (06.11.97)
(30) Priority Data: 60/030,639, 8 November 1996 (08.11.96), US; Not furnished, 6 November 1997 (06.11.97), US
(81) Designated States: CA, IL, JP, European patent (AT, BE, CH, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE).
Published: Without international search report and to be republished upon receipt of that report.
(71) Applicant: FINJAN SOFTWARE, LTD. [IL/IL]; 42945 Kefar-Haim (IL).
(72) Inventor: TOUBOUL, Shlomo; 42945 Kefar-Haim (IL).
(54) Title: SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES
`
(57) Abstract

A system protects a computer from suspicious Downloadables. The system comprises a security policy, an interface for receiving a Downloadable, and a comparator, coupled to the interface, for applying the security policy to the Downloadable to determine if the security policy has been violated. The Downloadable may include a Java™ applet, an ActiveX™ control, a JavaScript™ script, or a Visual Basic script. The security policy may include a default security policy to be applied regardless of the client to whom the Downloadable is addressed, or a specific security policy to be applied based on the client or the group to which the client belongs. The system uses an ID generator to compute a Downloadable ID identifying the Downloadable, preferably, by fetching all components of the Downloadable and performing a hashing function on the Downloadable including the fetched components. Further, the security policy may indicate several tests to perform, including (1) a comparison with known hostile and non-hostile Downloadables; (2) a comparison with Downloadables to be blocked or allowed per administrative override; (3) a comparison of the Downloadable security profile data against access control lists; (4) a comparison of a certificate embodied in the Downloadable against trusted certificates; and (5) a comparison of the URL from which the Downloadable originated against trusted and untrusted URLs. Based on these tests, a logical engine can determine whether to allow or block the Downloadable.
`
`100
`~
`
`125
`
`110
`
`Internal Network
`Security System
`
`130
`
`115
`
`120
`
`Security
`Management
`Console
`
`Blue Coat Systems - Exhibit 1013
`
`
`
`
`
`
SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM HOSTILE DOWNLOADABLES
`
BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to computer networks, and more particularly provides a system and method for protecting a computer and a network from hostile Downloadables.

2. Description of the Background Art

The Internet is currently a collection of over 100,000 individual computer networks owned by governments, universities, nonprofit groups and companies, and is expanding at an accelerating rate. Because the Internet is public, the Internet has become a major source of many system damaging and system fatal application programs, commonly referred to as "viruses."

Accordingly, programmers continue to design computer and computer network security systems for blocking these viruses from attacking both individual and network computers. For the most part, these security systems have been relatively successful. However, these security systems are not configured to recognize computer viruses which have been attached to or configured as Downloadable application programs, commonly referred to as "Downloadables." A Downloadable is an executable application program, which is downloaded from a source computer and run on the destination computer. A Downloadable is typically requested by an ongoing process such as an Internet browser or web engine. Examples of Downloadables include Java™ applets designed for use in the Java™ distributing environment developed by Sun Microsystems, Inc., JavaScript scripts also developed by Sun Microsystems, Inc., ActiveX™ controls designed for use in the ActiveX™ distributing environment developed by the Microsoft Corporation, and Visual Basic also developed by the Microsoft Corporation. Therefore, a system and method are needed to protect a network from hostile Downloadables.
`
`5
`
`SUMMARY OF THE INVENTION
`
`The present invention provides a system for protecting a network from suspicious
`
`Downloadables. The system comprises a security policy, an interface for receiving a
`
`Downloadable. and a comparator. coupled to the interface. for applying the security pulic: t\l
`
`10
`
`the Downloadable to determine if the security policy has been violated. The Downloadable
`
`may include a Java™ applet, an ActiveX™ control, a JavaScript™ script, or a Visual Basic
`
`script. The security policy may include a default security policy to be applied regardless of
`
`the client to whom the Downloadable is addressed, a specific security policy to be applied
`
`based on the client or the group to which the client belongs. or a specific policy to be applied
`
`15
`
`based on the client/group and on the particular Downloadable received. The system uses an
`
`. ID generator to compute a Downloadable ID identifying the Downloadable. preferably. by
`
`fetching all components of the Downloadable and performing a hashing function on the
`
`Downloadable including the fetched components.
`
`Further, the security policy may indicate several tests to perform. including (I J a
`
`20
`
`comparison with known hostile and non-hostile Downloadables; (2) a comparison with
`
`Downloadables to be blocked or allowed per administrative override; (3) a comparison of the
`
`Downloadable security profile data against access control lists; (4) a comparison of a
`
`certificate embodied in the Downloadable against trusted certificates; and (5) a comparison of
`
`the URL from which the Downloadable originated against trusted and untrusted URLs.
`
`-2-
`
`
`
`W098/21683
`
`PCT/IB97/01626
`
`Based on these tests, a logical engine can determine whether to allow or block the
`
`Downloadable.
`
`The present invention further provides a method for protecting a computer from
`
`suspicious Downloadables. The method comprises the steps of receiving a Downloadable.
`
`5
`
`comparing the Downloadable against a security policy to determine if the security policy has
`
`been violated, and discarding the Downloadable ifthe security policy has been violated.
`
`It will be appreciated that the system and method of the present invention may provide
`
`computer protection from known hostile Downloadables. The system and method of the
`
`present invention may identify Downloadables that perform operations deemed suspicious.
`
`10
`
`The system and method of the present invention may examine the Downloadable code to
`
`determine whether the code contains any suspicious operations. and thus may allow or block
`
`the Downloadable accordingly.
`
BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a network system, in accordance with the present invention;

FIG. 2 is a block diagram illustrating details of the internal network security system of FIG. 1;

FIG. 3 is a block diagram illustrating details of the security program and the security database of FIG. 2;

FIG. 4 is a block diagram illustrating details of the security policies of FIG. 3;

FIG. 5 is a block diagram illustrating details of the security management console of FIG. 1;

FIG. 6A is a flowchart illustrating a method of examining for suspicious Downloadables, in accordance with the present invention;

FIG. 6B is a flowchart illustrating details of the step for finding the appropriate security policy of FIG. 6A;

FIG. 6C is a flowchart illustrating a method for determining whether an incoming Downloadable is to be deemed suspicious;

FIG. 7 is a flowchart illustrating details of the FIG. 6 step of decomposing a Downloadable; and

FIG. 8 is a flowchart illustrating a method 800 for generating a Downloadable ID for identifying a Downloadable.
`
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 1 is a block diagram illustrating a network system 100, in accordance with the present invention. The network system 100 includes an external computer network 105, such as the Wide Area Network (WAN) commonly referred to as the Internet, coupled via a communications channel 125 to an internal network security system 110. The network system 100 further includes an internal computer network 115, such as a corporate Local Area Network (LAN), coupled via a communications channel 130 to the internal network security system 110 and coupled via a communications channel 135 to a security management console 120.

The internal network security system 110 examines Downloadables received from external computer network 105, and prevents Downloadables deemed suspicious from reaching the internal computer network 115. It will be further appreciated that a Downloadable is deemed suspicious if it performs or may perform any undesirable operation, or if it threatens or may threaten the integrity of an internal computer network 115 component. It is to be understood that the term "suspicious" includes hostile, potentially hostile, undesirable, potentially undesirable, etc. Security management console 120 enables viewing, modification and configuration of the internal network security system 110.
`
`5
`
`FIG. 2 is a block diagram illustrating details of the internal network security system
`
`1I 0, which includes a Central Processing Unit (CPU) 205, such as an Intel Pentium'&
`
`microprocessor or a Motorola Power PC® microprocessor, coupled to a signal bus 220. The
`
`internal network security system II 0 further includes an external communications interface
`
`10
`
`210 coupled between the communications channel 125 and the signal bus 220 for receiving
`
`Downloadables from external computer network 105, and an internal communications
`
`interface 225 coupled between the signal bus 220 and the communications channel 130 for
`
`forwarding Downloadables not deemed suspicious to the internal computer network 115.
`
`The external communications interface 210 and the internal communications interface 225
`
`15
`
`may be functional components of an integral communications interface (not shown) for both
`
`receiving Downloadables from
`
`the external computer network 105 and forwarding
`
`Downloadables to the internal computer network 1I5.
`
`Internal network security system 110 further includes Input/Output (1/0) interfaces
`
`2I5 (such as a keyboard, mouse and Cathode Ray Tube (CRT) display), a data· storage
`
`20
`
`device 230 such as a magnetic disk, and a Random-Access Memory (RAM) 235. each
`
`coupled to the signal bus 220. The data storage device 230 stores a security database 240,
`
`which includes security information for determining whether a received Downloadable is to
`
`be deemed suspicious. The data storage device 230 further stores a users list 260 identifying
`
`the users within the internal computer network 115 who may receive Downloadables, and an
`
`-5-
`
`
`
`wo 98/21683
`
`PCT!IB97/01626
`
`event log 245 which includes determination results for each Downloadable examined and
`
`runtime indications of the internal network security system 110. An operating system 250
`
`controls processing by CPU 205, and is typically stored in data storage device 230 and
`
`loaded into RAM 235 (as illustrated) for execution. A security program 255 controls
`
`5
`
`examination of incoming Downloadables, and also may be stored in data storage device 230
`
`and loaded into RAM 235 (as illustrated) for execution by CPU 205.
`
FIG. 3 is a block diagram illustrating details of the security program 255 and the security database 240. The security program 255 includes an ID generator 315, a policy finder 317 coupled to the ID generator 315, and a first comparator 320 coupled to the policy finder 317. The first comparator 320 is coupled to a logical engine 333 via four separate paths, namely, via Path 1, via Path 2, via Path 3 and via Path 4. Path 1 includes a direct connection from the first comparator 320 to the logical engine 333. Path 2 includes a code scanner 325 coupled to the first comparator 320, and an Access Control List (ACL) comparator 330 coupling the code scanner 325 to the logical engine 333. Path 3 includes a certificate scanner 340 coupled to the first comparator 320, and a certificate comparator 345 coupling the certificate scanner 340 to the logical engine 333. Path 4 includes a Uniform Resource Locator (URL) comparator 350 coupling the first comparator 320 to the logical engine 333. A record-keeping engine 335 is coupled between the logical engine 333 and the event log 245.
`
The security program 255 operates in conjunction with the security database 240, which includes security policies 305, known Downloadables 307, known Certificates 309 and Downloadable Security Profile (DSP) data 310 corresponding to the known Downloadables 307. Security policies 305 include policies specific to particular users 260 and default (or generic) policies for determining whether to allow or block an incoming Downloadable. These security policies 305 may identify specific Downloadables to block, specific Downloadables to allow, or necessary criteria for allowing an unknown Downloadable. Referring to FIG. 4, security policies 305 include policy selectors 405, access control lists 410, trusted certificate lists 415, URL rule bases 420, and lists 425 of Downloadables to allow or to block per administrative override.

Known Downloadables 307 include lists of Downloadables which Original Equipment Manufacturers (OEMs) know to be hostile, of Downloadables which OEMs know to be non-hostile, and of Downloadables previously received by this security program 255. DSP data 310 includes the list of all potentially hostile or suspicious computer operations that may be attempted by each known Downloadable 307, and may also include the respective arguments of these operations. An identified argument of an operation is referred to as "resolved." An unidentified argument is referred to as "unresolved." DSP data 310 is described below with reference to the code scanner 325.
`
`15
`
`The ID generator 315 receives a Downloadable (including the URL from which it
`
`came and the useriD of the intended recipient) from the external computer network I 05 via
`
`the external communications interface 210, and generates a Downloadable ID for identifying
`
`each Downloadable. The Downloadable ID preferably includes a digital hash of the
`
`complete Downloadable code. The ID generator 315 preferably prefetches all components
`
`20
`
`embodied in or identified by the code for Downloadable ID generation. For example, the ID
`
`generator 315 may pre fetch all classes embodied in or identified by the Java ™ applet
`
`bytecode to generate the Downloadable ID. Similarly, the ID generator 315 may retrieve all
`
`components listed in the .INF file for an ActiveX™ control to compute a Downloadable ID.
`
`Accordingly, the Downloadable ID for the Downloadable will be the same each time the ID
`
`-7-
`
`
`
`W098/21683
`
`PCTIIB97/01626
`
`generator 315 receives the same Downloadable. The ID generator 315 adds the generated
`
`Downloadable ID to the list of known Downloadables 307 (if it is not already listed). The
`
`ID generator 315 then forwards the Downloadable and Downloadable ID to the policy finder
`
`317.
`
`5
`
`The policy finder 317 uses the useriD of the intended user and the Downloadable ID
`
`to select the specific security policy 305 that shall be applied on the received Downloadable.
`
`If there is a specific policy 305 that was defined for the user (or for one of its super groups)
`
`and the Downloadable, then the policy is selected. Otherwise the generic policy 305 that
`
`was defined for the user (or for one of its super groups) is selected. The policy finder 317
`
`10
`
`then sends the policy to the first comparator 320.
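The policy finder lookup just described, as an added example that is not from the patent: the user's super groups are walked nearest-first, a policy defined for (user or super group, Downloadable ID) wins, otherwise the generic policy of the user or nearest super group is taken. It goes one step beyond this paragraph in that the default policy applied regardless of client (from the Summary) is the final fallback. User and group names, the policy store and the SecurityPolicy fields are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Principals are user IDs or group names; PARENTS maps each to its super groups.
# Constructed data: alice belongs to dev, dev belongs to staff, bob is in staff.
PARENTS: Dict[str, List[str]] = {"alice": ["dev"], "dev": ["staff"], "bob": ["staff"]}


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    selector: str = "Evaluate"          # "Allowed", "Blocked", or evaluate the paths
    paths: Tuple[int, ...] = (2, 3, 4)   # which of Path 1..4 the policy calls for


# Specific policies are keyed by (principal, Downloadable ID); generic ones by principal.
SPECIFIC: Dict[Tuple[str, str], SecurityPolicy] = {
    ("dev", "did-build-tool"): SecurityPolicy("dev-allow-build-tool", "Allowed", ()),
}
GENERIC: Dict[str, SecurityPolicy] = {
    "dev": SecurityPolicy("dev-generic", paths=(2, 3)),
    "staff": SecurityPolicy("staff-generic", paths=(2, 3, 4)),
}
DEFAULT = SecurityPolicy("default-policy", paths=(1, 2, 3, 4))


class PolicyFinder:
    def __init__(self, parents, specific, generic, default):
        self.parents, self.specific, self.generic, self.default = parents, specific, generic, default

    def lineage(self, user_id: str) -> List[str]:
        """The user followed by its super groups, nearest first (breadth-first)."""
        order: List[str] = []
        queue = [user_id]
        while queue:
            principal = queue.pop(0)
            if principal in order:
                continue
            order.append(principal)
            queue.extend(self.parents.get(principal, []))
        return order

    def find(self, user_id: str, downloadable_id: str) -> SecurityPolicy:
        chain = self.lineage(user_id)
        # 1. a policy defined for this user (or a super group) AND this Downloadable
        for principal in chain:
            policy = self.specific.get((principal, downloadable_id))
            if policy is not None:
                return policy
        # 2. the generic policy of the user or its nearest super group
        for principal in chain:
            policy = self.generic.get(principal)
            if policy is not None:
                return policy
        # 3. the default policy, applied regardless of the client
        return self.default


FINDER = PolicyFinder(PARENTS, SPECIFIC, GENERIC, DEFAULT)

if __name__ == "__main__":
    print(FINDER.find("alice", "did-build-tool").name)  # dev-allow-build-tool
    print(FINDER.find("bob", "did-build-tool").name)    # staff-generic
```

Note the precedence this encodes: a specific policy on a distant super group still beats the user's own generic policy, which is what the text's "specific first, then generic" ordering implies.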
`
The first comparator 320 receives the Downloadable, the Downloadable ID and the security policy 305 from the policy finder 317. The first comparator 320 examines the security policy 305 to determine which steps are needed for allowing the Downloadable. For example, the security policy 305 may indicate that, in order to allow this Downloadable, it must pass all four paths, Path 1, Path 2, Path 3 and Path 4. Alternatively, the security policy 305 may indicate that to allow the Downloadable, it must pass only one of the paths. The first comparator 320 responds by forwarding the proper information to the paths identified by the security policy 305.
`
`20
`
`Path 1
`
`In path 1, the first comparator 320 checks the policy selector 405 of the security
`
`policy 305 that was received from the policy finder 317. If the policy selector 405 is either
`
`"Allowed" or "Blocked," then the first comparator 320 forwards this result directly to the
`
`logical engine 333. Otherwise, the first comparator 320 invokes the comparisons in path2
`
`-8-
`
`
`
`wo 98/21683
`
`PCT/IB97 /01626
`
`and/or path 3 and/or path 4 based on the contents of policy selector 405.
`
`It will be
`
`appreciated that the first comparator 320 itself compares the Downloadable ID against the
`
`lists of Downloadables to allow or block per administrative override 425. That is, the system
`
`security administrator can define specific Downloadables as "Allowed'' or "Blocked."
`
`5
`
`Alternatively, the logical engine 333 may receive the results of each of the paths and
`
`based on the policy selector 405 may institute the final determination whether to allow or
`
`block the Downloadable. The first comparator 320 informs the logical engine 333 of the
`
`results of its comparison.
`
`10
`
`Path 2
`
`In path 2, the first comparator 320 delivers the Downloadable, the Downloadable ID
`
`and the security policy 305 to the code scanner 325. If the DSP data 310 of the received
`
`Downloadable is known, the code scanner 325 retrieves and forwards the information to the
`
`ACL comparator 330. Otherwise, the code scanner 325 resolves the DSP data 31 0. That is.
`
`15
`
`the code scanner 325 uses conventional parsing techniques to decompose the code (including
`
`all prefetched components) of the Downloadable into the DSP data 31 0. DSP data 31 0
`
`includes the list of all potentially hostile or suspicious computer operations that may be
`
`attempted by a specific Downloadable 307, and may also include the respective arguments of
`
`these operations. For example, DSP data 310 may include a READ from a specifi~ file, a
`
`20
`
`SEND to an unresolved host, etc. The code scanner 325 may generate the DSP data 310 as a
`
`list of all operations in the Downloadable code which could ever be deemed potentially
`
`hostile and a list of all files to be accessed by the Downloadable code. It will be appreciated
`
`that the code scanner 325 may search the code for any pattern, which is undesirable or
`
`suggests that the code was written by a hacker.
`
`-9-
`
`
`
`W098/21683
`
`PCT!IB97/01626
`
`An Example List of Operations Deemed Potentially Hostile
`
`• File operations: READ a file, WRITE a file;
`
`• Network operations: LISTEN on a socket, CONNECT to a socket. SEND data,
`
`5
`
`RECEIVE data, VIEW INTRANET;
`
`• Registry operations: READ a registry item, WRITE a registry item:
`
`• Operating system operations:
`
`EXIT WINDOWS, EXIT BROWSER. START
`
`PROCESS/THREAD, KILL PROCESS/THREAD, CHANGE PROCESS/THREAD
`
`PRIORITY, DYNAMICALLY LOAD A CLASS/LIBRARY, etc.; and
`
`10
`
`• Resource usage thresholds: memory, CPU, graphics, etc.
`
`In the preferred embodiment, the code scanner 325 performs a full-content inspection.
`
`However, for improved speed but reduced security, the code scanner 325 may examine only
`
`a portion of the Downloadable such as the Downloadable header. The code scanner 325 then
`
`15
`
`stores the DSP data into DSP data 310 (corresponding to its Downloadable !D). and s~.:nds
`
`the Downloadable, the DSP data to the ACL comparator 330 for comparison \\ ith thl·
`
`security policy 305.
`
`The ACL comparator 330 receives the Downloadable, the corresponding DSP data
`
`and the security policy 305 from the code scanner 325, and compares the DSP data against
`
`20
`
`the security policy 305. That is, the ACL comparator 330 compares the DSP data of the
`
`received Downloadable against the access control lists 410 in the received security policy
`
`305. The access control list 410 contains criteria indicating whether to pass or fail the
`
`Downloadable. For example, an access control list may indicate that the Downloadable fails
`
`-10-
`
`
`
`wo 98/21683
`
`PCT!IB97/01626
`
`if the DSP data includes a WRITE command to a system file. The ACL comparator 330
`
`sends its results to the logical engine 333.
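The Path 2 pair just described, as an added example that is not the patent's own code: a toy code scanner decomposes a constructed operation listing into DSP data (marking unresolved arguments with "?"), caches the result by Downloadable ID so a known Downloadable is looked up rather than re-parsed, and can be limited to a header-only scan; an ACL comparator then fails the Downloadable on rules such as a WRITE to a system file or a SEND to an unresolved host. The "OP kind=value" listing format, the glob-based rule shape, and every path, host and ID are assumptions of the example, standing in for the bytecode or control binary a real scanner would parse.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Constructed listing of a Downloadable's operations, one "OP kind=value" per
# line, standing in for the decomposed code a real scanner would derive from
# applet bytecode or an ActiveX control. "?" marks an argument the scanner
# could not resolve (an "unresolved" argument in the page's terms).
SAMPLE_CODE = """\
READ file=/usr/share/dict/words
SEND host=?
WRITE file=C:\\WINDOWS\\SYSTEM.INI
START_PROCESS cmd=?
"""


@dataclass(frozen=True)
class Operation:
    name: str       # READ, WRITE, SEND, START_PROCESS, ...
    arg_kind: str   # file, host, cmd, ...
    arg: str        # resolved value, or "?" when unresolved

    @property
    def resolved(self) -> bool:
        return self.arg != "?"


def scan_code(code: str, header_only: bool = False, header_lines: int = 1) -> Tuple[Operation, ...]:
    """Decompose the listing into DSP data. header_only mirrors the page's
    speed-for-security trade-off: only the first header_lines operations are read."""
    lines = [ln for ln in code.splitlines() if ln.strip()]
    if header_only:
        lines = lines[:header_lines]
    ops = []
    for line in lines:
        name, _, argtext = line.partition(" ")
        kind, _, value = argtext.partition("=")
        ops.append(Operation(name, kind, value))
    return tuple(ops)


class CodeScanner:
    """Caches DSP data by Downloadable ID, so a previously decomposed
    Downloadable is retrieved rather than parsed again."""

    def __init__(self) -> None:
        self.dsp_data: Dict[str, Tuple[Operation, ...]] = {}

    def dsp_for(self, downloadable_id: str, code: str, header_only: bool = False):
        if downloadable_id not in self.dsp_data:
            self.dsp_data[downloadable_id] = scan_code(code, header_only)
        return self.dsp_data[downloadable_id]


@dataclass(frozen=True)
class AclRule:
    """A fail criterion: operation name plus a glob over its argument.
    unresolved_only restricts the rule to arguments the scanner could not resolve."""
    op: str
    arg_pattern: str = "*"
    unresolved_only: bool = False


# Constructed access control list: fail on writes under the Windows system
# directory, on sends to an unresolved host, and on any process start.
SAMPLE_ACL = (
    AclRule("WRITE", "C:\\WINDOWS\\*"),
    AclRule("SEND", unresolved_only=True),
    AclRule("START_PROCESS"),
)


def acl_compare(dsp: Tuple[Operation, ...], acl: Tuple[AclRule, ...]) -> Tuple[bool, List[str]]:
    """Return (passed, reasons). The Downloadable fails if any operation in its
    DSP data matches any rule; every match is reported for the event log."""
    reasons: List[str] = []
    for op in dsp:
        for rule in acl:
            if rule.op != op.name or (rule.unresolved_only and op.resolved):
                continue
            if fnmatchcase(op.arg, rule.arg_pattern):
                reasons.append(f"{op.name} {op.arg_kind}={op.arg} matches {rule.op}:{rule.arg_pattern}")
    return not reasons, reasons


if __name__ == "__main__":
    print(acl_compare(scan_code(SAMPLE_CODE), SAMPLE_ACL))                    # (False, [3 reasons])
    print(acl_compare(scan_code(SAMPLE_CODE, header_only=True), SAMPLE_ACL))  # (True, [])
```

The header-only run passes the same Downloadable that the full-content run fails, which is the reduced-security side of the trade-off the paragraph describes.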
`
Path 3

In path 3, the certificate scanner 340 determines whether the received Downloadable was signed by a certificate authority, such as VeriSign, Inc., and scans for a certificate embodied in the Downloadable. The certificate scanner 340 forwards the found certificate to the certificate comparator 345. The certificate comparator 345 retrieves known certificates 309 that were deemed trustworthy by the security administrator and compares the found certificate with the known certificates 309 to determine whether the Downloadable was signed by a trusted certificate. The certificate comparator 345 sends the results to the logical engine 333.
`
Path 4

In path 4, the URL comparator 350 examines the URL identifying the source of the Downloadable against URLs stored in the URL rule base 420 to determine whether the Downloadable comes from a trusted source. Based on the security policy 305, the URL comparator 350 may deem the Downloadable suspicious if the Downloadable comes from an untrustworthy source or if the Downloadable did not come from a trusted source. For example, if the Downloadable comes from a known hacker, then the Downloadable may be deemed suspicious and presumed hostile. The URL comparator 350 sends its results to the logical engine 333.
`
The logical engine 333 examines the results of each of the paths and the policy selector 405 in the security policy 305 to determine whether to allow or block the Downloadable. The policy selector 405 includes a logical expression of the results received from each of the paths. For example, the logical engine 333 may block a Downloadable if it fails any one of the paths, i.e., if the Downloadable is known hostile (Path 1), if the Downloadable may request suspicious operations (Path 2), if the Downloadable was not signed by a trusted certificate authority (Path 3), or if the Downloadable did come from an untrustworthy source (Path 4). The logical engine 333 may apply other logical expressions according to the policy selector 405 embodied in the security policy 305. If the policy selector 405 indicates that the Downloadable may pass, then the logical engine 333 passes the Downloadable to its intended recipient. Otherwise, if the policy selector 405 indicates that the Downloadable should be blocked, then the logical engine 333 forwards a non-hostile Downloadable to the intended recipient to inform the user that internal network security system 110 discarded the original Downloadable. Further, the logical engine 333 forwards a status report to the record-keeping engine 335, which stores the reports in event log 245 in the data storage device 230 for subsequent review, for example, by the MIS director.
`
FIG. 5 is a block diagram illustrating details of the security management console 120, which includes a security policy editor 505 coupled to the communications channel 135, an event log analysis engine 510 coupled between communications channel 135 and a user notification engine 515, and a Downloadable database review engine 520 coupled to the communications channel 135. The security management console 120 further includes computer components similar to the computer components illustrated in FIG. 2.

The security policy editor 505 uses an I/O interface similar to I/O interface 215 for enabling authorized user modification of the security policies 305. That is, the security policy editor 505 enables the authorized user to modify specific security policies 305 corresponding to the users 260, the default or generic security policy 305, the Downloadables to block per administrative override, the Downloadables to allow per administrative override, the trusted certificate lists 415, the policy selectors 405, the access control lists 410, the URLs in the URL rule bases 420, etc. For example, if the authorized user learns of a new hostile Downloadable, then the user can add the Downloadable to the Downloadables to block per system override.
`
`10
`
`The event log analysis engine 510 examines the status reports contained in the event
`
`log 245 stored in the data storage device 230. The event log analysis engine 510 d~termines
`
`whether notification of the user (e.g., the security system manager or MIS director) is
`
`warranted. For example, the event log analysis engine 510 may warrant user notification
`
`whenever ten (1 0) suspicious Downloadables have been discarded by internal network
`
`15
`
`security system 110 within a thirty (30) minute period. thereby flagging a potential imminent
`
`security threat. Accordingly, the event log analysis engine 510 instructs the user nntilicatiun
`
`engine 515 to inform the user. The user notification engine 515 may send an e-mail via
`
`internal communications interface 220 or via external communications interface 210 to the
`
`user, or may display a message on the user's display device (not shown).
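The event log analysis described above, as an added example that is not code from the patent: a sliding thirty-minute window is kept over the discards in the log, and once ten of them fall inside the window the analysis engine instructs a stand-in notification engine. The status-report line format, the Downloadable IDs and the timestamps are constructed for the example; the threshold and window are parameters so the same scan can be run with other settings.

```python
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, List

# Constructed status reports in the form the record-keeping engine might write
# to the event log: "<ISO timestamp> id=<Downloadable ID> <determination>".
SAMPLE_EVENT_LOG = """\
1997-11-06T09:00:00 id=a01 BLOCKED
1997-11-06T09:02:00 id=a02 ALLOWED
1997-11-06T09:03:00 id=a03 BLOCKED
1997-11-06T09:06:00 id=a04 BLOCKED
1997-11-06T09:09:00 id=a05 BLOCKED
1997-11-06T09:12:00 id=a06 BLOCKED
1997-11-06T09:15:00 id=a07 BLOCKED
1997-11-06T09:18:00 id=a08 BLOCKED
1997-11-06T09:21:00 id=a09 BLOCKED
1997-11-06T09:24:00 id=a10 BLOCKED
1997-11-06T09:27:00 id=a11 BLOCKED
1997-11-06T09:40:00 id=a12 BLOCKED
"""


class UserNotificationEngine:
    """Stand-in for e-mail or on-screen delivery: it just records the messages."""

    def __init__(self) -> None:
        self.sent: List[str] = []

    def inform(self, message: str) -> None:
        self.sent.append(message)


def analyze_event_log(log_text: str, notifier: UserNotificationEngine,
                      threshold: int = 10, window: timedelta = timedelta(minutes=30)) -> List[datetime]:
    """Scan the log in order; whenever `threshold` discards fall within `window`
    (a sliding window ending at the current report), instruct the notifier.
    Returns the timestamps at which notification was warranted."""
    recent: Deque[datetime] = deque()   # timestamps of discards still inside the window
    warranted: List[datetime] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, did_field, determination = line.split()
        if determination != "BLOCKED":
            continue
        ts = datetime.fromisoformat(ts_text)
        recent.append(ts)
        while ts - recent[0] >= window:   # drop discards that fell out of the window
            recent.popleft()
        if len(recent) >= threshold:
            warranted.append(ts)
            notifier.inform(f"{ts.isoformat()}: {len(recent)} suspicious Downloadables "
                            f"discarded within {window}; last was {did_field}")
    return warranted


if __name__ == "__main__":
    engine = UserNotificationEngine()
    analyze_event_log(SAMPLE_EVENT_LOG, engine)
    print(engine.sent)  # one notification, at 09:27
```

With the constructed log the tenth discard arrives 27 minutes after the first, so notification is warranted at 09:27; by 09:40 the earliest discards have aged out of the window and the count drops below ten again.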
`
`20
`
`FIG. 6A is a flowchart illustrating a method 600 for protecting an internal computer
`
`network 115 from suspicious Downloadables. Method 600 begins with the ID generator 315
`
`in step 602
`
`receiving a Downloadable. The ID generator 315 in step 604 generates a
`
`Downloadable ID identifying the received Downloadable, preferably, by generating a digital
`
`-13-
`
`
`
`wo 98/21683
`
`PCT/IB97/01626
`
`hash of the Downloadable code (including prefetched components). The policy finder 317 in
`
`step 606 finds the appropriate security policy 305 corresponding to the useriD specifying
`
`intended recipient (or the group to which the intended recipient belongs) and the
`
`Downloadable. The selected security policy 305 may be the default security policy 305.
`
`5
`
`Step 606 is described in greater detail below with reference to FIG. 6B.
`
`The first comparator 320 in step 608 examines the lists of Downloadables to allow or
`
`to block per administrative override 425 against the Downloadable ID of the incoming
`
`Downloadable to determine whether to allow the Downloadable automatically. If so. then in
`
`step 612 the first comparator 320 sends the results to the logical engine 333. If not. then the
`
`10
`
`method 600 proceeds to step 610. In step 610, the first comparator 620 examines the lists of
`
`Downloadables to block per administrative override 425 against the Downloadable ID of the
`
`incoming Downloadable for determining whether to block the Downloadable automatically.
`
`If so. then the first comparator 420 in step 612 sends the results to the logical engine 333.
`
`Otherwise, method 600 proceeds to step 614.
`
`15
`
`In step 614, the first comparator 320 determines whether the security policy 305
`
`indicates that the Downloadable should be tested according to Path 4. If not, then method
`
`600jumps to step 618. If so, then the URL comparator 350 in step 616 compares the URL
`
`embodied in the incoming Downloadable against the URLs of the URL rules bases 420. and
`
`then method 600 proceeds to step 618.
`
`20
`
`In step 618, the first comparator 320 determines whether the security policy 305
`
`indicates that the Downloadable should be tested according to Path 2. If not, then method
`
`600 jumps to step 620. Otherwise, the code scanner 235 in step 626 examines the DSP data
`
`31 0 based on the Downloadable ID of the incoming Downloadable to determine whether the
`
`Downloadable has been previously decomposed. If so, then method 600 jumps to step 630.
`
`-14-
`
`
`
`W098/21683
`
`PCT/IB97/01626
`
`Otherwise, the code scanner 325 in step 628 decomposes the Downloadable into DSP daw.
`
`Downloadable decomposition is described in greater detail with reli:rence to Fl(i. 7.
`
`In slL'p
`
`630, the ACL comparator 330 compares the DSP data of the incoming Downloadable against
`
`the access control lists 410 (which include the criteria necessary for the Downloadable to fail
`
`5
`
`or pass the test).
`
`In step 620, the first comparator 320 determines whether the security policy 305
`
`indicates that the Downloadable should be tested according to Path 3. If not, then method
`
`600 returns to step 612 to send the results of each of the test performed to the logical engine
`
`333. Otherwise. the certificate scanner 622 in step 622 scans the Downloadable for an
`
`10
`
`embodied certificate. The certificate comparator 345 in step 624 retrieves trusted certificates
`
`from the trusted certificate lists (TCL) 415 and compares the embodied certi fie ate with the
`
`trusted certificates to determine whether the Downloadable has been signed by a trusted
`
`source. Method 600 then proceeds to step 612 by the certificate scanner 345 sending the
`
`results of each of the paths taken to the logical engine 333. The operations of the logical
`
`15
`
`engine 333 are described in greater detail below with reference to FIG. 6C. Method 600 then
`
`. ends.
`
`One skilled in the art will recognize that the tests may be performed in a different
`
`order, and that each of the tests need not be performed. Further, one skilled in the art will
`
`recognize that, although path 1 is described in FIG. 6A as an automatic allowance or
`
`20
`
`blocking, the results of Path 1 may be another predicate to be applied by the logical engine
`
`333. Further, although the tests are shown serially in FIG. 6A, the tests may be performed in
`
`parallel as illustrated in FIG. 3.
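An added example, not the patent's code, that ties the logical engine description (the paragraph on the policy selector 405 and the non-hostile replacement Downloadable) together with the method 600 flow of FIG. 6A: a Path 1 override allows or blocks at once; otherwise the remaining paths run in the FIG. 6A order (Path 4, Path 2, Path 3), each only if the policy calls for it, and the policy selector combines their results either as "all must pass" or "any may pass". A blocked Downloadable is replaced by a non-hostile notice and a status report is produced for the record-keeping engine. The ACL comparison is reduced here to a set lookup over already-decomposed DSP strings, the URL rule base to trusted and untrusted host sets, and every policy value, host, certificate name and ID is constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class Downloadable:
    did: str                      # Downloadable ID from the ID generator
    url: str                      # URL the Downloadable came from
    user_id: str                  # intended recipient
    certificate: Optional[str]    # signer of the embodied certificate, None if unsigned
    dsp: FrozenSet[str]           # DSP data, each operation as an "OP argument" string
    content: bytes = b"<applet bytes (constructed)>"


@dataclass(frozen=True)
class Policy:
    selector: str = "all"                           # "all": pass every required path; "any": one suffices
    paths: Tuple[int, ...] = (2, 3, 4)              # paths the policy requires (Path 1 always runs first)
    forbidden_ops: FrozenSet[str] = frozenset()     # access control list, reduced to a set lookup
    trusted_certs: FrozenSet[str] = frozenset()     # trusted certificate list
    trusted_hosts: FrozenSet[str] = frozenset()     # URL rule base: trusted sources
    untrusted_hosts: FrozenSet[str] = frozenset()   # URL rule base: untrustworthy sources


@dataclass(frozen=True)
class Overrides:
    """Downloadables to allow or block per administrative override, plus known hostile ones."""
    allow: FrozenSet[str] = frozenset()
    block: FrozenSet[str] = frozenset()
    known_hostile: FrozenSet[str] = frozenset()


def path1(d: Downloadable, ov: Overrides) -> Optional[str]:
    """Automatic allowance or blocking; None means 'evaluate the other paths'."""
    if d.did in ov.allow:
        return "Allowed"
    if d.did in ov.block or d.did in ov.known_hostile:
        return "Blocked"
    return None


def path2(d: Downloadable, p: Policy) -> bool:
    return not (d.dsp & p.forbidden_ops)


def path3(d: Downloadable, p: Policy) -> bool:
    return d.certificate is not None and d.certificate in p.trusted_certs


def path4(d: Downloadable, p: Policy) -> bool:
    host = urlparse(d.url).hostname or ""
    if host in p.untrusted_hosts:
        return False
    return host in p.trusted_hosts


NOTICE = b"The internal network security system discarded a Downloadable addressed to you."


@dataclass
class Decision:
    allowed: bool
    results: Dict[int, object]   # per-path results, for the status report
    delivered: bytes             # the Downloadable, or the non-hostile replacement
    report: str                  # status report for the record-keeping engine


def logical_engine(d: Downloadable, p: Policy, ov: Overrides) -> Decision:
    results: Dict[int, object] = {1: path1(d, ov)}
    if results[1] is not None:
        allowed = results[1] == "Allowed"
    else:
        # FIG. 6A order: Path 4, then Path 2, then Path 3, each only if the policy calls for it
        for n, check in ((4, path4), (2, path2), (3, path3)):
            if n in p.paths:
                results[n] = check(d, p)
        tested = [bool(results[n]) for n in p.paths if n != 1 and n in results]
        allowed = all(tested) if p.selector == "all" else any(tested)
    verdict = "ALLOWED" if allowed else "BLOCKED"
    report = f"user={d.user_id} id={d.did} {verdict} paths={results}"
    return Decision(allowed, results, d.content if allowed else NOTICE, report)


# Constructed policy and Downloadables used to exercise the engine.
POLICY = Policy(
    forbidden_ops=frozenset({"WRITE C:\\WINDOWS\\SYSTEM.INI", "SEND ?"}),
    trusted_certs=frozenset({"Constructed Trusted CA"}),
    trusted_hosts=frozenset({"intranet.example.test"}),
    untrusted_hosts=frozenset({"badhost.example.test"}),
)
POLICY_ANY = replace(POLICY, selector="any")
POLICY_NO_URL = replace(POLICY, paths=(2, 3))
GOOD = Downloadable("did-good", "http://intranet.example.test/app.jar", "alice",
                    "Constructed Trusted CA", frozenset({"READ /usr/share/dict/words"}))
BAD = Downloadable("did-bad", "http://badhost.example.test/x.cab", "alice", None, frozenset({"SEND ?"}))
MIXED = Downloadable("did-mixed", "http://badhost.example.test/y.jar", "alice",
                     "Constructed Trusted CA", frozenset({"READ /tmp/x"}))

if __name__ == "__main__":
    for dl in (GOOD, BAD, MIXED):
        print(logical_engine(dl, POLICY, Overrides()).report)
```

With no required paths the "all" selector allows and the "any" selector blocks, so a policy that lists no paths should state Allowed or Blocked outright rather than rely on that default. MIXED shows the selector's effect directly: trusted certificate but untrusted host is blocked under "all" and allowed under "any" or under a policy that does not require Path 4.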
`
`-15-
`
`
`
`wo 98/21683
`
`PCTIIB97/01626
`
`FIG. 6B is a flowchart illustrating details of step 606 of FIG. 6A (referred to herein as
`
`method 606). Method 606 begins with the policy finder 317 in step 650 determining
`
`whether security policies 305 include a speci