(12) United States Patent
`Touboul
`
`111111
`
`1111111111111111111111111111111111111111111111111111111111111
`US006480962Bl
`US 6,480,962 Bl
`*Nov. 12, 2002
`
`(10) Patent No.:
`(45) Date of Patent:
`
`(54) SYSTEM AND METHOD FOR PROTECTING
`A CLIENT DURING RUNTIME FROM
`HOSTILE DOWNLOADABLES
`
`5,724,425 A
`5,740,248 A
`5,761,421 A
`
`3/1998 Chang eta!.
`4/1998 Fieres et a!.
`6/1998 van Hoff et a!.
`
`(75)
`
`Inventor: Shlomo Touboul, Kefar-Haim (IL)
`
`(73) Assignee: Finjan Software, Ltd., Kefar-Haim
`(IL)
`
`( *) Notice:
`
`Subject to any disclaimer, the term of this
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 0 days.
`
`This patent is subject to a terminal dis(cid:173)
`claimer.
`
`(21) Appl. No.: 09/551,302
`
`(22) Filed:
`
`Apr. 18, 2000
`
`Related U.S. Application Data
`
`( 63) Continuation of application No. 08/790,097, filed on Jan. 29,
`1997.
`(60) Provisional application No. 60/030,639, filed on Nov. 8,
`1996.
`
`Int. Cl? .................................................. H02H 3/05
`(51)
`(52) U.S. Cl. ........................................ 713/200; 713/201
`(58) Field of Search ................................. 713/200, 201,
`713/202; 714/38, 704; 709/225, 229
`
`(56)
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`
`5,077,677 A
`5,359,659 A
`5,361,359 A
`5,485,409 A
`5,485,575 A
`5,572,643 A
`5,606,668 A
`5,623,600 A
`5,638,446 A
`5,692,047 A
`5,692,124 A
`5,720,033 A
`
`12/1991 Murphy eta!.
`10/1994 Rosenthal
`11/1994 Tajalli eta!.
`1!1996 Gupta eta!.
`1!1996 Chess eta!.
`11/1996 Judson
`2/1997 Shwed
`4/1997 Ji eta!.
`6/1997 Rubin
`11/1997 McManis
`11/1997 Holden eta!.
`2/1998 Deo
`
`(List continued on next page.)
`
`OTHER PUBLICATIONS
`
`Jim K. Omura, "Novel Applications of Cryptography in
`Digital Communications", IEEE Communications Maga(cid:173)
`zine, May, 1990; pp. 21-29.
`Okamoto, E. et al., "ID-Based Authentication System For
`Computer Virus Detection", IEEE/IEE Electronic Library
`online, Electronics Letters, vol. 26, Issue 15, ISSN
`0013-5194, Jul. 19, 1990, Abstract and pp. 1169-1170.
`URL:http:/iel.ihs.com:80/cgi-bin/iel_cgi?se
`2ehts%26ViewTemplate%3ddocview%5fb%2ehts.
`IBM AntiVirus User's Guide Version 2.4, International
`Business Machines Corporation, Nov. 15, 1995, pp. 6-7.
`Norvin Leach et al, "IE 3.0 Applets Will Earn Certification",
`PC Week, vol. 13, No. 29, Jul. 22, 1996, 2 pages.
`"Finjan Software Releases SurfinBoard, Industry's First
`JAVA Security Product For the World Wide Web", Article
`published on the Internet by Finjan Software Ltd., Jul. 29,
`1996, 1 page.
`
`(List continued on next page.)
`
`Primary Examiner---Dieu-Minh Le
`(74) Attorney, Agent, or Firm-Squire, Sanders &
`Dempsey, L.L.P.
`
`(57)
`
`ABSTRACT
`
`A system protects a client from hostile Downloadables. The
`system includes security rules defining suspicious actions
`and security policies defining the appropriate responsive
`actions to rule violations. The system includes an interface
`for receiving incoming Downloadable and requests made by
`the Downloadable. The system still further includes a com(cid:173)
`parator coupled to the interface for examining the
`Downloadable, requests made by the Downloadable and
`runtime events to determine whether a security policy has
`been violated, and a response engine coupled to the com(cid:173)
`parator for performing a violation-based responsive action.
`
`51 Claims, 7 Drawing Sheets
`
`Blue Coat Systems - Exhibit 1032
`
`

`
`US 6,480,962 Bl
`Page 2
`
`U.S. PATENT DOCUMENTS
`
`6/1998 Breslau et a!.
`5,765,205 A
`7/1998 Devarakonda et a!.
`5,784,459 A
`8/1998 Davis et a!.
`5,796,952 A
`9/1998 Cohen et a!.
`5,805,829 A
`11/1998 Chen et a!.
`5,832,208 A
`12/1998 Angelo et a!.
`5,850,559 A
`1!1999 Hayman eta!.
`5,859,966 A
`1!1999 Boebert et a!.
`5,864,683 A
`4/1999 Atkinson et a!.
`5,892,904 A
`9/1999 Chen et a!.
`5,951,698 A
`9/1999 Walsh et a!.
`5,956,481 A
`10/1999 Golan
`5,974,549 A
`11/1999 Ji
`5,983,348 A
`6,092,194 A * 7/2000 Touboul
`..................... 713/200
`6,154,844 A * 11/2000 Touboul et a!. ............. 713/201
`6,167,520 A * 12/2000 Touboul
`..................... 713/200
`
`01HER PUBLICATIONS
`
`"Powerful PC Security for the New World of JAVA™ and
`Downloadables, Surfin Shield™" Article published on the
`Internet by Finjan Software Ltd., 1996, 2 Pages.
`Microsoft® Authenticode Technology, "Ensuring Account(cid:173)
`ability and Authenticity for Software Components on the
`Internet", Microsoft Corporation, Oct. 1996, including
`Abstract, Contents, Introduction and pp. 1-10.
`
`"Finjan Announces a Personal Java™ Firewall For Web
`Browsers-the SurfinShield™ 1.6 (formerly known as Surf(cid:173)
`inBoard)", Press Release of Finjan Releases SurfinShield
`1.6, Oct. 21, 1996, 2 pages.
`Company Profile "Finjan-Safe Surfing, The Java Security
`Solutions Provider" Article published on the Internet by
`Finjan Software Ltd., Oct. 31, 1996, 3 pages.
`"Finjan Announces Major Power Boost and New Features
`for SurfinShield™ 2.0" Las Vegas Convention Center/Pa(cid:173)
`vilion 5 P5551, Nov. 18, 1996, 3 pages.
`"Java Security: Issues & Solutions" Article published on the
`Internet by Finjan Software Ltd., 1996, 8 pages.
`"Products" Article published on the Internet, 7 pages.
`Mark LaDue, "Online Business Consultant: Java Security:
`Whose Business Is It?" Article published on the Internet,
`Home Page Press, Inc. 1996, 4 pages.
`Web Page Article "Frequently Asked Questions About
`Authenticode", Microsoft Corporation, last updated Feb. 17,
`1997, Printed Dec. 23, 1998. URL: http://www.microsoft(cid:173)
`.com/workshop/security /authcode/signfaq .asp#9, pp. 1-13.
`Zhang, X.N., "Secure Code Distribution", IEEE/IEE Elec(cid:173)
`tronic Library online, Computer, vol. 30, Issue 6, Jun. 1997,
`pp.: 76-79.
`
`* cited by examiner
`
`

`
`U.S. Patent
`
`Nov. 12, 2002
`
`Sheet 1 of 7
`
`US 6,480,962 Bl
`
`f(cid:173):z: w
`..........
`__J u
`
`(11
`:z:
`0
`.......... __J
`f -w
`():z:
`.......... :z:
`:Z:<C
`::) I
`~(_)
`~
`
`0 u
`
`0::: w
`&: w
`
`(11
`
`

`
`205
`
`lcP~
`
`210
`
`INPUT
`DEVICE
`
`COMMUNICATIONS
`INTERFACE
`
`120
`
`225
`
`230
`
`FIG. 2
`
`215
`
`OUTPUT
`DEVICE
`
`220
`;
`
`235
`
`RAM
`
`COMMUNICATIONS ENGINE
`WEB BROWSER
`DOWNLOADABLE ENGINE
`
`SECURITY SYSTEM
`
`OPERATING SYSTEM
`
`~260
`
`265 --{_U FILE MGT.II NETWORK MGT. ll.-}- 270
`SYSTEM
`SYSTEM
`275 --4-..U PROCESS
`SYSTEM
`
`MEMORY MGT.IJ__V- 280
`SYSTEM
`
`d •
`\Jl
`•
`~
`~ ......
`~ = ......
`
`z
`0
`~
`'"""' ~N
`N c c
`
`N
`
`'JJ. =(cid:173)~
`~ .....
`N
`0 ......,
`-..J
`
`e
`
`rJ'l
`0'1
`'l.
`00
`Q
`\o
`0'1
`N
`~
`1--"
`
`

`
`260
`270-..., OPERATING SYSTEM r 275
`NETWORK
`PROCESS
`SYSTEM
`SYSTEM
`
`r2BO
`MEMORY
`SYSTEM
`
`265-...,
`FILE
`SYSTEM
`
`JAVA VIRTUAL MACHINE
`...
`JAVA
`JAVA
`..- CLASS
`CLASS
`302_./
`
`Jv
`
`r....
`-30
`
`FILE
`SYSTEM
`PROBE
`
`3(o
`
`NETWORK
`SYSTEM
`PROBE
`3~
`
`PROCESS
`SYSTEM
`PROBE
`3~
`
`MEMORY
`SYSTEM
`PROBE
`
`3(6
`
`3]4
`I GUI J--
`
`! :f2
`
`EVENT
`LOG
`
`l ~20
`
`RUNTIME ENVIRONMENT
`MONITOR
`t
`I
`RULES
`H POLICIES
`332- SECURITY DATABASE
`
`3J6
`I
`
`oa
`
`...
`
`JAVA
`CLASS
`EXTENSION
`
`JAVA
`CLASS
`EXTENSION
`3~
`
`BROKER
`
`3~
`REQUEST e6
`:;fB
`I EVENT ROUTER I
`r31B
`f RESPONSE ENGINE l
`
`330
`
`3jB
`
`DATABASE OF
`SUSPICIOUS DOWNLOADABLES
`
`FIG. 3
`
`d •
`\Jl
`•
`~
`~ ......
`~ = ......
`
`z
`0
`~
`'"""' ~N
`N c c
`
`N
`
`'JJ. =(cid:173)~
`~ .....
`
`~
`0 ......,
`-..J
`
`e
`
`rJ'l
`0'1
`'l.
`00
`Q
`\o
`0'1
`N
`~
`1--"
`
`

`
`260
`265, 210] OPERATING SYSTEM r275
`FILE
`NETWORK
`PROCESS
`SYSTEM
`SYSTEM
`SYSTEM
`4
`t
`NETWORK
`SYSTEM
`PROBE
`
`FILE
`SYSTEM
`PROBE
`
`r-280
`MEMORY
`SYSTEM
`4
`t
`MEMORY
`SYSTEM
`PROBE
`
`'
`
`t
`PROCESS
`SYSTEM
`PROBE
`
`3(o
`
`312
`
`3~
`
`3fB
`
`l )22
`
`EVENT
`LOG
`
`324
`
`GUI
`-
`
`:;JO
`RUNTIME ENVIRONMENT
`MONITOR
`
`I
`H
`POLICIES
`332- SECURITY DATABASE
`
`3j6
`I _r
`
`J
`
`RULES
`
`250
`
`4J3
`r DLL 1
`
`DLL
`EXTENSION
`\
`406
`
`'Sb
`
`401
`\
`MESSAGES
`
`ActiveX PLATFORM
`402
`
`DOE I
`
`MESSAGES
`EXTENSION
`
`...
`
`ODE
`EXTENSION
`
`BROKER
`
`4~
`
`405
`
`REQUEST e6
`:fB
`r EVENT ROUTER 1
`(318
`r RESPONSE ENGINE 1
`
`330
`
`:;JB
`DATABASE OF
`SUSPICIOUS DOWNLOADABLES
`
`FIG. 4
`
`d •
`\Jl
`•
`~
`~ ......
`~ = ......
`
`z
`0
`~
`'"""' ~N
`N c c
`
`N
`
`'JJ. =(cid:173)~
`~ .....
`
`~
`0 ......,
`-..J
`
`e
`
`rJ'l
`0'1
`'l.
`00
`Q
`\o
`0'1
`N
`~
`1--"
`
`

`
`U.S. Patent
`
`Nov. 12, 2002
`
`Sheet 5 of 7
`
`US 6,480,962 Bl
`
`500
`. - - - - - - -+ - - - - - - - - - , }
`
`NO
`
`~--------~----------~ 508
`FORWARD A MESSAGE IDENTIFYING THE
`DOWNLOADABLE TO THE EVENT ROUTER
`510
`
`YES
`
`MANAGE THE SUSPICIOUS
`DOWNLOADABLE
`
`NO
`
`540
`
`RESUME
`OPERATION OF
`THE DOWNLOADABLE
`
`FIG. 5
`
`

`
`U.S. Patent
`
`Nov.12, 2002
`
`Sheet 6 of 7
`
`US 6,480,962 Bl
`
`530
`
`J
`
`610
`
`COMPILE ALL CURRENT
`RULE VIOLATIONS
`~----~----~ 620
`
`COMPILE RULE VIOLATIONS
`WITH SECURITY POLICIES
`
`PERFORM A PREDETERMINED
`RESPONSE ACTION BASED
`ON THE COMPARISON
`
`630
`
`FIG. 6
`
`

`
`U.S. Patent
`
`Nov. 12, 2002
`
`Sheet 7 of 7
`
`US 6,480,962 Bl
`
`700 j
`
`730
`
`MONITOR OPERATING SYSTEM
`FOR ALL OS REQUESTS
`
`705
`
`NO
`
`720
`
`INFORMATION ON OS
`FORWARD
`REQUEST TO THE EVENT ROUTER
`
`NO
`
`MANAGE THE SUSPICIOUS
`DOWNLOADABLE
`
`FIG. 7
`
`

`
`US 6,480,962 Bl
`
`1
`SYSTEM AND METHOD FOR PROTECTING
`A CLIENT DURING RUNTIME FROM
`HOSTILE DOWNLOADABLES
`
`2
`and a digital signature does not guarantee that a Download(cid:173)
`able is harmless. Therefore, a system and method are needed
`for protecting clients from hostile Downloadables.
`
`5
`
`SUMMARY OF THE INVENTION
`
`CROSS-REFERENCE TO RELATED
`APPLICATIONS
`
`This application is related to co-pending provisional
`patent application filed on Nov. 8, 1996, entitled "System
`and Method for Protecting a Computer from Hostile
`Downloadables," Ser. No. 60/030,639, by inventor Shlomo
`Touboul, and is a continuation of U.S. patent application
`filed on Jan. 29, 1997, entitled "System and Method for
`Protecting a Computer During Runtime From Hostile
`Downloadbales," Ser. No. 08/790,097, by inventor Shlomo
`Touboul, which subject matters are hereby incorporated by
`reference herein.
`
`BACKGROUND OF THE INVENTION
`
`10
`
`15
`
`The present invention provides a system for protecting a
`client from hostile Downloadables. The system includes
`security rules defining suspicious actions such as WRITE
`operations to a system configuration file, overuse of system
`memory, overuse of system processor time, etc. and security
`policies defining the appropriate responsive actions to rule
`violations such as terminating the applet, limiting the
`memory or processor time available to the applet, etc. The
`system includes an interface, such as Java TM class extensions
`and operating system probes, for receiving incoming Down(cid:173)
`loadable and requests made by the Downloadable. The
`system still further includes a comparator coupled to the
`interface for examining the Downloadable, requests made
`by the Downloadable and runtime events to determine
`whether a security policy has been violated, and a response
`engine coupled to the comparator for performing the
`violation-based responsive action.
`The present invention further provides a method for
`25 protecting a client from hostile Downloadables. The method
`includes the steps of recognizing a request made by a
`Downloadable during runtime, interrupting processing of
`the request, comparing information pertaining to the Down(cid:173)
`loadable against a predetermined security policy, recording
`30 all rule violations in a log, and performing a predetermined
`responsive action based on the comparison.
`It will be appreciated that the system and method of the
`present invention use at least three hierarchical levels of
`security. A first level examines the incoming Downloadables
`35 against known suspicious Downloadables. A second level
`examines runtime events. A third level examines the Down(cid:173)
`loadables operating system requests against predetermined
`suspicious actions. Thus, the system and method of the
`invention are better able to locate hostile operations before
`40 client resources are damaged.
`
`45
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`FIG. 1 is a block diagram illustrating a network system in
`accordance with the present invention;
`FIG. 2 is a block diagram illustrating details of the client;
`FIG. 3 is a block diagram illustrating details of a security
`system;
`FIG. 4 is a block diagram illustrating details of an
`alternative security system;
`FIG. 5 is a flowchart illustrating a method for protecting
`a client from suspicious Downloadables;
`FIG. 6 is a flowchart illustrating the method for managing
`a suspicious Downloadable; and
`FIG. 7 is a flowchart illustrating a supplementary method
`for protecting a client from suspicious Downloadables.
`
`DETAILED DESCRIPTION OF THE
`PREFERRED EMBODIMENT
`
`FIG. 1 is a block diagram illustrating a network system
`100 in accordance with the present invention. Network
`system 100 includes a server 110 coupled to a communica(cid:173)
`tions channel 120, e.g., an Internet or an Intranet. The
`communications channel 120 is in turn coupled to a client
`130, e.g., an individual computer, a network computer, a
`kiosk workstation, etc., which includes a security system
`
`20
`
`1. Field of the Invention
`This invention relates generally to computer networks,
`and more particularly to a system and method for protecting
`clients from hostile Downloadables.
`2. Description of the Background Art
`The Internet currently interconnects about 100,000 indi(cid:173)
`vidual computer networks and several million computers.
`Because it is public, the Internet has become a major source
`of many system damaging and system fatal application
`programs, commonly referred to as "viruses."
`In response to the widespread generation and distribution
`of computer viruses, programmers continue to design and
`update security systems for blocking these viruses from
`attacking both individual and network computers. On the
`most part, these security systems have been relatively suc(cid:173)
`cessful. However, these security systems are typically not
`configured to recognize computer viruses which have been
`attached to or masked as harmless Downloadables (i.e.,
`applets). A Downloadable is a small executable or interpret(cid:173)
`able application program which is downloaded from a
`source computer and run on a destination computer. A
`Downloadable is used in a distributed environment such as
`in the Java™ distributed environment produced by Sun
`Microsystems or in the ActiveX™ distributed environment
`produced by Microsoft Corporation.
`Hackers have developed hostile Downloadables designed
`to penetrate security holes in Downloadable interpreters. In
`response, Sun Microsystems, Inc. has developed a method
`of restricting Downloadable access to resources (file system
`resources, operating system resources, etc.) on the des tina- 50
`tion computer, which effectively limits Downloadable func(cid:173)
`tionality at the Java™ interpreter. Sun Microsystems, Inc.
`has also provided access control management for basing
`Downloadable-accessible resources on Downloadable type.
`However, the above approaches are difficult for the ordinary 55
`web surfer to manage, severely limit Java™ performance
`and functionality, and insufficiently protect the destination
`computer.
`Other security system designers are currently considering
`digital signature registration stamp techniques, wherein, 60
`before a web browser will execute a Downloadable, the
`Downloadable must possess a digital signature registration
`stamp. Although a digital signature registration stamp will
`diminish the threat of Downloadables being intercepted,
`exchanged or corrupted, this approach only partially 65
`addresses the problem. This method does not stop a hostile
`Downloadable from being stamped with a digital signature,
`
`

`
`20
`
`25
`
`30
`
`US 6,480,962 Bl
`
`10
`
`3
`135 for protecting the client 130 from hostile (i.e., will
`adversely effect the operational characteristics of the client
`130) or suspicious (i.e., potentially hostile) downloadables.
`Server 110 forwards a Downloadable 140 across the
`communications channel 120 to the client 130. During
`runtime, the security system 135 examines each Download(cid:173)
`able 140 and the actions of each Downloadable 140 to
`monitor for hostile or suspicious actions.
`FIG. 2 is a block diagram illustrating details of a client
`130, which includes a Central Processing Unit (CPU) 205,
`such as a Motorola Power PC® microprocessor or an Intel
`Pentium® microprocessor, coupled to a signal bus 220. The
`client 130 further includes an input device 210 such as a
`keyboard and mouse, an output device 215 such as a
`Cathode Ray Tube (CRT) display, a data storage device 230
`such as Read Only Memory (ROM) or magnetic disk, and a
`Random-Access Memory (RAM) 235, each being coupled
`to signal bus 220. A communications interface 225 is
`coupled between the communications channel 120 and the
`signal bus 220.
`An operating system 260 controls processing by CPU
`205, and is typically stored in data storage device 230 and
`loaded into RAM 235 for execution. The operating system
`260 includes a file management system 265, a network
`management system 270, a process system 275 for control-
`ling CPU 205, and a memory management system 280 for
`controlling memory use and allocation. A communications
`engine 240 generates and transfers message packets to and
`from the communications channel140 via the communica-
`tions interface 225, and may also be stored in data storage
`device 230 and loaded into RAM 235 for execution.
`The client 130 further includes a web browser 245, such
`as the Netscape™ web browser produced by the Netscape
`Corporation, the Internet Explorer™ web browser produced
`by the Microsoft Corporation, or the Java™ Developers Kit
`1.0 web browser produced by Sun Microsystems, Inc., for
`communicating via the communications channel 120. The
`web browser 245 includes a Downloadable engine 250 for
`managing and executing received Downloadables 140.
`The client 130 further includes the security system 135 as
`described with reference to FIG. 1. The security system 135
`may be stored in data storage device 230 and loaded into
`RAM 235 for execution. During runtime, the security sys(cid:173)
`tem 135 intercepts and examines Downloadables 140 and
`the actions of Downloadables 140 to monitor for hostile or
`suspicious actions. If the security system 135 recognizes a
`suspicious Downloadable 140 or a suspicious request, then
`the security system 135 can perform an appropriate respon(cid:173)
`sive action such as terminating execution of the Download- 50
`able 140.
`FIG. 3 is a block diagram illustrating details of the
`security system 135a, which is a first embodiment of secu(cid:173)
`rity system 135 of FIG. 2 when operating in conjunction
`with a Java™ virtual machine 250 (i.e., the Downloadable
`engine 250) that includes conventional Java™ classes 302.
`Each of the Java TM classes 302 performs a particular service
`such as loading applets, managing the network, managing
`file access, etc. Although applets are typically described with
`reference to the Java™ distributed environment, applets
`herein correspond to all downloadable executable or inter(cid:173)
`pretable programs for use in any distributed environment
`such as in the ActiveX™ distributed environment.
`Examples of Java ™ classes used in Netscape Navigator™
`includeAppletSecurity.class, EmbeddedAppletFrame.class:,
`AppletClassLoader.class, MozillaAppletContext.class,
`ServerSocket.class, Security Exception.class and
`
`4
`SecurityManager.class, etc. Examples of Java™ classes
`used in Internet Explorer™ include AppletSecurity.class,
`BrowserAppletFrame.class, AppletClassLoader.class,
`ServerSocket.class, SecurityException.class and
`5 SecurityManager.class, etc. Other classes may include
`Broker.class, BClnterface.class, SocketConnection.class,
`queue Manager. class, Browser Extension. class,
`Message.class, MemoryMeter.class and AppletDescription(cid:173)
`.class.
`The security system 135a includes Java™ class exten-
`sions 304, wherein each extension 304 manages a respective
`one of the Java™ classes 302. When a new applet requests
`the service of a Java class 302, the corresponding Java™
`class extension 304 interrupts the request and generates a
`15 message to notify the request broker 306 of the Download(cid:173)
`able's request. The request broker 306 uses TCP/IP message
`passing protocol to forward the message to the event router
`308.
`The security system 135a further includes operating sys(cid:173)
`tem probes 310, 312, 314 and 316. More particularly, a file
`management system probe 310 recognizes applet instruc(cid:173)
`tions sent to the file system 265 of operating system 260, a
`network system probe 312 recognizes applet instructions set
`to the network management system 270 of operating system
`260, a process system probe 314 recognizes applet instruc(cid:173)
`tions sent to the process system 275 of operating system 260,
`and a memory management system probe 316 recognizes
`applet instructions sent to the memory system 280 of oper(cid:173)
`ating system 260. When any of the probes 310-316 recog-
`nizes an applet instruction, the recognizing probe 310--316
`sends a message to inform the event router 308.
`Upon receipt of a message, the event router 308 accord(cid:173)
`ingly forwards the message to a Graphical User Interface
`(GUI) 324 for notifying the user of the request, to an event
`35 log 322 for recording the message for subsequent analysis,
`and to a runtime environment monitor 320 for determining
`whether the request violates a security rule 330 stored in a
`security database 326. Security rules 330 include a list of
`computer operations which are deemed suspicious. Suspi-
`40 cious operations may include READ/WRITE operations to
`a system configuration file, READ/WRITE operations to a
`document containing trade secrets, overuse of system
`memory, overuse of system processor time, too many
`applets running concurrently, or too many images being
`45 displayed concurrently. For example, the runtime environ(cid:173)
`ment monitor 320 may determine that a security rule 330 has
`been violated when it determines that an applet uses more
`than two megabytes of RAM 235 or when the Java TM virtual
`machine 250 runs more than five applets concurrently.
`Upon recognition of a security rule 330 violation, the
`runtime environment monitor 320 records the violation with
`the event log 322, informs the user of the violation via the
`GUI 324 and forwards a message to inform the response
`engine 318 of the violation. The response engine 318
`55 analyzes security policies 332 stored in the security database
`326 to determine the appropriate responsive action to the
`rule 330 violation. Appropriate responsive actions may
`include terminating the applet, limiting the memory or
`processor time available to the applet, etc. For example, the
`60 response engine 318 may determine that a security policy
`332 dictates that when more than five applets are executed
`concurrently, operation of the applet using the greatest
`amount of RAM 235 should be terminated. Further, a
`security policy 332 may dictate that when an applet or a
`65 combination of applets violates a security policy 332, the
`response engine 318 must add information pertaining to the
`applet or applets to the suspicious Downloadables database
`
`

`
`US 6,480,962 Bl
`
`5
`328. Thus, when the applet or applets are encountered again,
`the response engine 318 can stop them earlier.
`The GUI 324 enables a user to add or modify the rules 330
`of the security database 326, the policies 332 of the security
`database 326 and the suspicious applets of the suspicious 5
`Downloadables database 328. For example, a user can use
`the GUI 324 to add to the suspicious Downloadables data(cid:173)
`base 328 applets generally known to be hostile, applets
`deemed to be hostile by the other clients 130 (not shown),
`applets deemed to be hostile by network MIS managers, etc. 10
`Further, a user can use the GUI 324 to add to the rules 330
`actions generally known to be hostile, actions deemed to be
`hostile by network MIS managers, etc.
`It will be appreciated that the embodiment illustrated in
`FIG. 3 includes three levels of security. The first level 15
`examines the incoming Downloadables 140 against known
`suspicious Downloadables. The second level examines the
`Downloadables'access to the Java™ classes 302. The third
`level examines the Downloadables requests to the operating
`system 260. Thus, the security system 135a is better apt to
`locate a hostile operation before an operation damages client
`130 resources.
`FIG. 4 is a block diagram illustrating details of a security
`system 135b, which is a second embodiment of security
`system 135 when operating in conjunction with the
`ActiveX™ platform (i.e., the Downloadable engine 250)
`which uses message 401 calls, Dynamic-Data-Exchange
`(DDE) 402 calls and Dynamically-Linked-Library (DLL)
`403 calls. Thus, instead of having Java™ class extensions
`304, the security system 135 has a messages extension 401
`for recognizing message 401 calls, a DDE extension 405 for
`recognizing DDE 402 calls and a DLL extension 406 for
`recognizing DLL calls. Upon recognition of a call, each of
`the messages extension 404, the DDE extension 405 and the
`DLL extension 406 send a message to inform the request
`broker 306. The request broker 306 and the remaining
`elements operate similarly to the elements described with
`reference to FIG. 3.
`FIG. 5 is a flowchart illustrating a method 500 for
`protecting a client 130 from hostile and suspicious Down(cid:173)
`loadables 140. Method 500 begins with the extensions 304,
`404, 405 or 406 in step 505 waiting to recognize the receipt
`of a request made by a Downloadable 140. Upon recognition
`of a request, the recognizing extension 304, 404, 405 or 406
`in step 506 interrupts processing of the request and in step
`508 generates and forwards a message identifying the
`incoming Downloadable 140 to the request broker 306,
`which forwards the message to the event router 308.
`The event router 308 in step 510 forwards the message to
`the GUI 324 for informing the user and in step 515 to the
`event log 322 for recording the event. Further, the event
`router 308 in step 520 determines whether any of the
`incoming Downloadables 140 either alone or in combination
`are known or previously determined to be suspicious. If so,
`then method 500 jumps to step 530. Otherwise, the runtime
`environment monitor 320 and the response engine 318 in
`step 525 determine whether any of the executing Down(cid:173)
`loadables 140 either alone or in combination violate a
`security rule 330 stored in the security database 332.
`If a rule 330 has been violated, then the response engine
`318 in step 530 manages the suspicious Downloadable 140.
`Step 530 is described in greater detail with reference to FIG.
`6. Otherwise, if a policy has not been violated, then response
`engine 318 in step 540 resumes operation of the Download- 65
`able 140. In step 535, a determination is made whether to
`end method 500. For example, if the user disconnects the
`
`6
`client 130 from the server 110, method 500 ends. If a request
`to end is made, then method 500 ends. Otherwise, method
`500 returns to step 505.
`FIG. 6 is a flowchart illustrating details of step 530. Since
`multiple rule 330 violations may amount to a more serious
`violation and thus require a stricter response by the response
`engine 318, step 530 begins with the response engine 318 in
`step 610 compiling all rule 330 violations currently occur(cid:173)
`ring. The response engine 318 in step 620 compares the
`compiled rule 330 violations with the security policies 332
`to determine the appropriate responsive action for managing
`the suspicious Downloadable 140 or Downloadables 140,
`and in step 630 the response engine 318 performs a prede(cid:173)
`termined responsive action. Predetermined responsive
`actions may include sending a message via the GUI 324 to
`inform the user, recording the message in the event log 322,
`stopping execution of a suspicious Downloadable 140, stor(cid:173)
`ing a Downloadable 140 or combination of Downloadables
`140 in the suspicious Downloadable database 328, limiting
`20 memory available to the Downloadable 140, limiting pro(cid:173)
`cessor time available to the Downloadable 140, etc.
`FIG. 7 is a flowchart illustrating a supplementary method
`700 for protecting a client 130 from suspicious Download(cid:173)
`abies 140. Method 700 begins with operating system probes
`25 310, 312, 314 and 316 in step 705 monitoring the operating
`system 260 for Operating System (OS) requests from Down(cid:173)
`loadables 140. As illustrated by step 710, when one of the
`probes 310-316 recognizes receipt of an OS request, the
`recognizing probe 310-316 in step 715 interrupts the request
`30 and in step 720 forwards a message to inform the event
`router 308.
`The event router 308 in step 725 routes the information to
`each of the components of the security engine 135 as
`described with reference to FIG. 5. That is, the event router
`308 forwards the information to the GUI 324 for informing
`the user, to the event log 322 for recordation and to the
`runtime environment monitor 320 for determining if the OS
`request violates a rule 330. The response engine 318 com-
`40 pares the OS request alone or in combination with other
`violations against security policies 332 to determine the
`appropriate responsive actions. It will be appreciated that,
`based on the security policies 332, the response engine 318
`may determine that an OS request violation in combination
`45 with other OS request violations, in combination with rule
`330 violations, or in combination with both other OS request
`violations and rule 330 violations merits a stricter responsive
`action.
`If the OS request does not violate a security rule 330, then
`50 the response engine 318 in step 730 instructs the operating
`system 260 via the recognizing probe 310-316 to resume
`operation of the OS request. Otherwise, if the OS request
`violates a security rule 330, then the response engine 318 in
`step 730 manages the suspicious Downloadable by perform-
`55 ing the appropriate predetermined responsive actions as
`described with reference to FIGS. 5 and 6. In step 740, a
`determination is made whether to end method 700. If a
`request to end the method is made, then method 700 ends.
`Otherwise, method 700 returns to step 705.
`The foregoing description of the preferred embodiments
`of the invention is by way of example only, and other
`variations of the above-described embodiments and methods
`are provided by the present invention. For example,
`although the invention has been described in a system for
`protecting an internal computer network, the invention can
`be embodied in a system for protecting an individual com-
`puter. Components of this invention may be implemented
`
`35
`
`60
`
`

`
`US 6,480,962 Bl
`
`5
`
`20
`
`25
`
`7
`using a programmed general purpose digital computer, using
`application specific integrated circuits, or using a network of
`interconnected conventional components and circuits. The
`embodiments described herein have been presented for
`purposes of illustration and are not intended to be exhaustive
`or limiting. Many variations and modifications are possible
`in light of the foregoing teaching. The system is limited only
`by the following claims.
`What is claimed is:
`1. A computer-based method, comprising:
`monitoring substantially in parallel a plurality of sub(cid:173)
`systems of the operating system during runtime for an
`event caused from a request made by a Downloadable;
`interrupting processing of the request;
`comparing information pertaining to the Downloadable 15
`against a predetermined security policy; and
`performing a predetermined responsive action based on
`the comparison.
`2. The method of claim 1, wherein monitoring the oper(cid:173)
`ating system includes monitoring a request sent to a Down-
`loadable engine.
`3. The method of claim 2,
`wherein the Downloadable engine includes a Java™
`virtual machine having Java™ classes; and
`wherein monitoring the operating system includes moni-
`toring each Java ™ class for receipt of the request.
`4. The method of claim 2,
`wherein the Downloadable engine includes an AppletX™
`platform having a message engine, a dynamic-data(cid:173)
`exchange and a dynamically-linked library; and
`wherein monitoring the operating system includes moni-
`toring the message engine, the dynamic-data-exchange
`and the dynamically-linked library for receipt of the
`request.
`5. The method of claim 1, further comprising determining
`whether information pertaining to the Downloadable vio(cid:173)
`lates a security rule.
`6. The method of claim 5, further comprising determining
`whether