.
`
`.
`
`PATENT
`
`APPLICATION FOR
`
`UNITED STATES PATENT
`
`IN THE NAME OF
`
`Shlomo Touboul
`
`0F
`
`FINJAN SOFTWARE, LTD.
`
`SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A I
`
`NETWORK FROM HOSTILE DOWNLOADABLES
`
`DOCKET NO. 40492.00002
`
`Please direct communications to:
`
`Intellectual Property Department
`Graham 8: James LLP
`
`600 Hansen Way
`Palo Alto, CA 94304-1043
`
`(650) 856-6500
`
`Express Mail Number EM096316525US
`
`1313'1248340100
`11069711556113049200002
`
`'1
`
`Ennfigalbsasus
`
`CS-1022
`
`Cicso Systems, Inc. v. Finjan, Inc.
`
`IIEEiIl{ElliiEEEI'II‘i:'EiiiiiIliiilr{IiiiliIII
`
`
`
`
`
`
`
`
`
`.1111:llifii:”Fifi!III}!"ii-'7
`
`I?
`
`CS-1022
`Cicso Systems, Inc. v. Finjan, Inc.
`
`
`
`.
`
`PATENT
`
`APPLICATION FOR
`
`UNITED STATES PATENT
`
`IN THE NAME OF
`
`Shlomo Touboul
`
`0F
`
`FINJAN SOFTWARE, LTD.
`
`SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A I
`
`NETWORK FROM HOSTILE DOWNLOADABLES
`
`DOCKET NO. 40492.00002
`
`Please direct communications to:
`
`Intellectual Property Department
`Graham 8: James LLP
`
`600 Hansen Way
`Palo Alto, CA 94304-1043
`
`(650) 856-6500
`
`Express Mail Number EM096316525US
`
`1313'1248340100
`11069711556113049200002
`
`'1
`
`Ennfigalbsasus
`
`CS-1022
`
`Cicso Systems, Inc. v. Finjan, Inc.
`
`IIEEiIl{ElliiEEEI'II‘i:'EiiiiiIliiilr{IiiiliIII
`
`
`
`
`
`
`
`
`
`.1111:llifii:”Fifi!III}!"ii-'7
`
`I?
`
`CS-1022
`Cicso Systems, Inc. v. Finjan, Inc.
`
`
`
`.
`
`.
`
`PATENT
`
`SYSTEM AND METHOD FOR PROTECTING A COMPUTER AND A NETWORK
`
`FROM HOSTILE DOWNLOADABLES
`
`5
`
`PRIORITY REFERENCE TO PROVISIONAL APPLICATION
`
`This application claims benefit of and hereby incorporates by reference
`
`provisional application serial number 60/030,639, entitled “System and Method for
`
`Protecting a Computer from Hostile Downloadables," filed on November 8, 1996, by
`
`inventor Shlomo Touboul.
`
`10
`
`‘15
`
`INCORPORATION BY REFERENCE TO RELATED APPLICATION
`
`This application hereby incorporates by reference related U.S. patent application
`
`serial number 081790,097, entitled “System and Method for Protecting a Client from
`
`Hostile Downloadables,” filed on January 29, 1997, by inventor Shlomo Touboul.
`
`BACKGROUND OF THE INVENTION
`
`1.
`
`Field of the Invention
`
`This invention relates generally to computer networks, and more particularly
`
`provides a system and method for protecting a computer and a network from hostile
`
`20
`
`Domfloadables.
`
`13111248340100
`1 ‘I 069711 55614049200002
`
`2
`
`
`
`'li‘ii‘liiil[iii]:liillHill
`
`
`
`
`
`
`
`
`
`.1125}Hill'EiillHIE!"ii-'3''llil'lliiil:Hill{EEK
`
`
`
`
`
`
`
`
`
`.
`
`. '
`
`PATENT
`
`2.
`
`
`
`Descri tion of the Back ound Art
`
`The Internet is currently a collection of over 100,000 individual computer
`
`networks owned by governments, universities, nonprofit groups and companies, and is
`
`expanding at an accelerating rate. Because the Internet is public, the Internet has become
`
`a major source of many system damaging and system fatal application programs,
`
`commonly referred to as “viruses."
`
`Accordingly, programmers continue to design computer and computer network
`
`security systems for blocking these viruses from attacking both individual and network
`
`‘10
`
`computers. 0n the most part, these security systems have been relatively successful.
`
`However, these security systems are not configured to recognize computer viruses which
`
`have been attached to or configured as Downloadable application programs, commonly
`
`referred to as “Downloadables.” A Downloadable is an executable application program,
`
`which is downloaded from a source computer and run on the destination computer.
`
`15
`
`Downloadable is typically requested by an ongoing process such as by an Internet
`
`browser or web engine. Examples of Downloadables include JavaTM applets designed for
`
`use in the JavaTM distributing environment developed by Sun Microsystems, Inc.,
`
`JavaScript scripts also developed by Sun Microsystems, Inc., ActivelllTM controls
`
`designed for use in the ActiveXT'“ distributing environment developed by the Microsoft
`
`20
`
`Corporation, and Visual Basic also developed by the Microsoft Corporation. Therefore, a
`
`system and method are needed to protect a netw0rk from hostile Downloadables.
`
`131!124834.01.00
`110697! 1 55614049200 002
`
`'
`
`3
`
`
`
`
`
`"il'll”HillifiiiiEliifi‘.III}!
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`~it‘llIliiin’FrlllliIli"ill""ll-'3'iii-Elli?4'33:
`
`
`
`O
`
`O
`
`PATENT
`
`SUMMARY OF THE INVENTION
`
`The present invention provides a system for protecting a network from suspicious
`
`Downloadables. The system comprises a security policy, an interface for receiving a
`
`Downloadable, and a comparator, coupled to the interface, for applying the security
`
`policy to the Downloadable to determine if the security policy has been violated. The
`
`Downloadable may include a JavaTM applet, an ActiveXTM control, a Java'Scriptm script,
`
`or a Visual Basic script. The security policy may include a default security policy to be
`
`applied regardless of the client to whom the Downloadable is addressed, a specific
`
`iii:Ill"f l
`
`
`"ll"'Eiil1155i
`
`
`iii-llllEEEl‘iii:
`
`security policy to be applied based on the client or the group to which the client belongs,
`
`10
`
`or a specific policy to be applied based on the clientfgroup and on the particular
`
`Downloadable received. The system uses an ID generator to compute a Downloadable
`
`ID identifying the Downloadable, preferably, by fetching all components of the
`
`Downloadable and performing a hashing function on the Downloadable including the
`
`
`
`at:Iii-Lu@3551:if,"'11:?"Eli."
`
`
`
`
`
`fetched components.
`
`15
`
`20
`
`Further, the security policy may indicate several tests to perform, including (1) a
`
`comparison with known hostile and non-hostile Downloadablcs; (2) a comparison with
`
`Downloadables to be blocked or allowed per administrative override; (3) a comparison of
`
`the Downloadable security profile data against access control lists; (4) a comparison of a
`
`certificate embodied in the Downloadable against trusted certificates; and (5) a
`
`comparison of the URL from which the Downloadable originated against trusted and
`
`untrusted URLs. Based on these tests, a logical engine can determine whether to allow or
`
`block the Doumloadable.
`
`131!124834.01.00
`1 10697115561'4049230002
`
`4
`
`
`
`O
`
`O
`
`_pmm
`
`The present invention fiu'ther provides a method for protecting a computer from
`
`suspicious Downloadables. The method comprises the steps of receiving a
`
`Downloadable, comparing the Downloadable against a security policy to determine if the
`
`security policy has been violated, and discarding the Downloadable if the security policy
`
`has been violated.
`
`It will be appreciated that the system and method of the present invention may
`
`I provide computer protection from known hostile Downloadables. The system and
`
`method of the present invention may identify Downloadables that perform operations
`
`deemed suspicious- The system and method of the present invention may examine the
`
`10
`
`Downloadable code to determine whether the code contains any suspicious operations,
`
`and thus may allow or block the Dovmloadable accordingly.
`
`131!124834.01.00
`1 10697” 55614049200002
`
`.
`
`5
`
`
`
`
`
`“ll"n'EiillliEin{EEKHI]!
`
`
`
`
`
`
`
`it:Hit:”555E!Ilillli"ii-"1'"ll-‘3'”iii:Iii-El!335522
`
`
`
`
`
`
`
`
`
`
`
`O
`
`0
`
`mm
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`FIG. ‘
`
`IS a block diagram illustrating a network system, in accordance with the
`
`present inventi::;/
`FIGyz‘is a block diagram illustrating details ofthe internal network security
`
`system of FIG. 1;
`
`FIG}.is‘fiJQdiagramillustratingdetails ofthesecurityprogramandthe
`
`-
`
`security database of FIG. 2;
`
`FIGYmdiagram illustrating details ofthe security policies ofFIG. 3;
`
`FIG.4,545 a block diagram illustrating details of the security management console
`
`10
`
`of FIG. 1;
`
`FIGchhartillustrating a method ofexamining for suspicious
`
`Downloadables, in accordance with the present invention;
`
`15
`
`security policy of FIG. 6A?
`
`FIG. 613 i-s// a flowchart illustrating details ofthe step for finding the appropriate
`FIGf/{giwchartillustratingamethodfordeterminingwhetheranincoming
`FIGk‘I/iéjzowchartillustratingdetailsoftheFIG. 6stepofdecomposing a
`
`Downloadable is to be/fdeemed suspicious;
`
`Downloadable;2nd
`,4"
`FIG/(.8 is a flowchart illustrating a method 800 for generating a Downloadable ID
`
`I
`
`20
`
`for identifying a Downloadable.
`
`13111248340130
`1 10697“ 556f40492.000 02
`
`6
`
`Hill1 1
`
`
`
`
`iii:'li"llfTillIliiulliii
`
`
`
`.1135:lliiu'EEEilllilll"ll-T"llii'Eliill{iii
`
`
`
`.
`
`.
`
`PATENT
`
`DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
`
`FIG. 1 is a block diagram illustrating a network system 100, in accordance with
`
`the present invention. The network system 100 includes an external computer network
`
`105, such as the Wide Area Network (WAN) commonly referred to as the lntemet,
`
`coupled via a communications channel 125 to an internal network security system 110.
`
`The network system 100 further includes an internal computer network 115, such as a
`
`corporate Local Area Network (LAN), coupled via a communications channel 130 to the
`
`internal network computer system 1 10 and coupled via a communications channel 135 to
`
`a security management console 120.
`
`10
`
`The internal network security system 110 examines Downloadables received from
`
`15
`
`20
`
`external computer network 105, and prevents Downloadables deemed suspicious from
`
`reaching the internal computer network 1 15. It will be further appreciated that a
`
`Downloadable is deemed suspicious if it performs or may perform any undesirable
`
`operation, or if it threatens or may threaten the integrity of an internal computer network
`
`115 component. It is to be understood that the term “suspicious” includes hostile,
`
`potentially hostile, undesirable, potentially undesirable, etc. Security management
`
`console 120 enables viewing, modification and configuration of the internal network
`
`security system 110.
`
`FIG. 2 is a block diagram illustrating details of the internal network security
`
`system 1 10, which includes a Central Processing Unit (CPU) 205, such as an Intel
`
`PentiumG microprocessor or a Motorola Power PC‘9 microprocessor, coupled to a signal
`
`bus 220. The internal network security system 110 further includes an external
`
`13111248310100
`1 1069711 556140492000 02
`
`7
`
`
`
`
`
`"i!“n'Eifll1155.1:1551}Ill“
`
`
`
`
`
`
`
`
`
`
`
`.1111:lliiiu15511112]!"ll-'3'"Ill"11551!{1551'5311.".
`
`
`
`
`
`
`
`
`
`
`
`.
`
`.
`
`PATENT
`
`communications interface 210 coupled between the communications channel 125 and the
`
`signal bus 220 for receiving Downloadables from external computer network 105, and
`
`an internal communications interface 225 coupled between the signal bus 220 and the
`
`communications channel 130 for forwarding Domfloadables not deemed su5picious to
`
`the internal computer network 1 15. The external communications interface 210 and the
`
`internal communications interface 225 may be functional components of an integral
`
`communications interface (not shown) for both receiving Downloadables from the
`
`external computer network 105 and forwarding Downloadables to the internal computer
`
`network 1 15.
`
`10
`
`Internal network security system 110 fiu'ther includes Input/Output (U0)
`
`interfaces 215 (such as a keyboard, mouse and Cathode Ray Tube (CRT) display), a data
`
`storage device 230 such as a magnetic disk, and a Random-Access Memory (RAM) 235,
`
`each coupled to the signal bus 220. The data storage device 230 stores a security
`
`database 240, which includes security information for determining whether a received
`
`15
`
`Downloadable is to be deemed suspicious. The data storage device 230 further stores a
`
`users list 260 identifying the users within the internal computer network 115 who may
`
`receive Downloadables, and an event log 245 which includes determination results for
`
`each Downloadable examined and runtime indications of the internal network security
`
`. system 110. An operating system 250 controls processing by CPU 205, and is typically
`
`20
`
`stored in data storage device 230 and loaded into RAM 235 (as illustrated) for execution.
`
`A security program 255 controls examination of incoming Downloadables, and also may
`
`be'stored in data storage device 230 and loaded into RAM 235 (as illustrated) for
`
`execution by CPU 205.
`
`13111243310100
`1 106971155514049200002
`
`8
`
`nnnnnn
`
`iii:|I
`Elli!
`
`
`
`
`
`.1=.E'.‘.'iii:iii!11:]:"a?“[[I'
`
`
`
`O
`
`0
`
`13mm-
`
`FIG. 3 is a block diagram illustrating details of the security program 255 and the
`
`security database 240. The security program 255 includes an ID generator 315, a policy
`
`finder 317 coupled to the ID generator 315, and a first comparator 320 coupled to the
`
`policy finder 317. The first comparator 320 is coupled to a logical engine 333 via four
`
`separate paths, namely, via Path 1, via Path 2, via Path 3 and via Path 4. Path 1 includes
`
`a direct connection fromthe first comparator 320 to the logical engine 333. Path 2 -
`
`includes a code scanner coupled to the first comparator 320, and an Access Control List
`
`(ACL) comparator 330 coupling the code scanner 325 to the logical engine 333. Path 3
`
`includes a certificate scanner 340 coupled to the first comparator 320, and a certificate
`
`comparator 34S coupling the certificate scanner 340 to the logical engine 333. Path 4 -
`
`includes a Uniform Resource Locator (URL) comparator 350 coupling the first
`
`comparator 320 to the logical engine 3330. A record-keeping engine 335 is coupled
`
`between the logical engine 333 and the event log 245.
`
`'
`
`The security program 255 operates in conjunction with the security database 240,
`
`which includes security policies 305, known Downloadables 307, known Certificates
`
`309 and Downloadable Security Profile (DSP) data 310 corresponding to the known
`
`Downloadables 307. Security policies 305 includes policies specific to particular users
`
`10
`
`15
`
`260 and default (or generic) policies for determining whether to allow or block an
`
`20
`
`incoming Downloadable. These security policies 305 may identify specific
`
`Downloadables to block, specific Downloadables to allow, or necessary criteria for
`
`allowing an unknown Downloadable. Referring to FIG. 4, security policies 305 include
`
`131l124334.01.00
`1 1 0697f1556f40492£0002
`
`9
`
`
`
`
`
`“all:lift:'EiillHill"ii""IE1"“'liiilllliil!ilii'L“ll“u'iiEllllEEEirlliiil'|I'.'.'.|i.
`
`
`
`
`
`
`
`
`
`.
`
`.
`
`PATENT
`
`policy selectors 405, access control lists 410, trusted certificate lists 415, URL rule bases
`
`420, and lists 425 of Downloadables to allow or to block per administrative override.
`
`Known Downloadables 307 include lists of Downloadables which Original
`
`Equipment Manufacturers (OEMs) know to be hostile, of Downloadables which OEMs
`
`know to be non-hostile, and of Downloadables previously received by this security
`
`program 255. DSP data 310 includes the list of all potentially hostile or suspicious
`
`computer operations that may be attempted by each known Downloadable 307, and may
`
`also include the respective arguments of these operations. An identified argument of an
`
`operation is referred to as “resolved." An unidentified argument is referred to as
`
`10
`
`“unresolved.” DSP data 310 is described below with reference to the code scanner 325.
`
`The ID generator 315 receives a Downloadable (including the URL from which it
`
`came and the userID of the intended recipient) from the external computer network 105
`
`via the external communications interface 210, and generates a Downloadable ID for
`
`identifying each Downloadable. The Downloadable ID preferably includes a digital
`
`hash of the complete Downloadable code. The ID generator 315 preferably prefetches
`
`all components embodied in or identified by the code for Downloadable ID generation.
`
`For example, the ID generator 315 may prefetch all classes embodied in or identified by
`
`the JavaTM applet bytecode to generate the Downloadable ID. Similarly, the ID generator
`
`315 may retrieve all components listed in the INF file for an ActiveXm control to
`
`compute a Downloadable ID. Accordingly, the Doumloadable ID for the Downloadable
`
`will be the same each time the ID generator 315 receives the same Downloadable. The
`
`ID generator 315 adds the generated Downloadable ID to the list of known
`
`15
`
`20
`
`131!124B34.01.00
`110697!1555t40492.00002
`
`10
`
`
`
`"ll'll'Eiili'lliiiu{Fill[Elli
`
`
`
`
`
`
`
`
`
`
`
`it:“ii:iii."IIIIEI"if.""ll-"3'{Eli{EillIIEEEI'.
`
`
`
`
`
`
`
`
`
`
`
`.
`
`.
`
`PATENT
`
`Downloadables 307 (if it is not already listed). The ID generator 315 then forwards the
`
`Downloadable and Downloadable ID to the policy finder 317.
`
`The policy finder 317 uses the userID of the intended user and the Downloadable
`
`ID to select the specific security policy 305 that shall be applied on the received
`
`Downloadable. If there is a specific policy 305 that was defined for the user (or for one
`
`of its super groups) and the Downloadable, then the policy is selected. Otherwise the
`generic policy 305 that-was defined for the user (or for one ofits super groups) is
`
`selected. The policy finder 31'}:l then sends the policy to the first comparator 320.
`
`The first comparator 320 receives the Downloadable, the Downloadable ID and
`
`the security policy 305 from the policy finder 31?. The first comparator 320 examines
`
`the security policy 305 to determine which steps are needed for allowing the
`
`Downloadable. For example, the security policy 305 may indicate that, in order to allow
`
`this Downloadable, it must pass all four paths, Path 1, Path 2, Path 3 and Path 4.
`
`Alternatively, the security policy 305 may indicate that to allow the Downloadable, the it
`
`must pass oniy one of the paths. The first comparator 320 responds by forwarding the
`
`proper information to the paths identified by the security policy 305.
`
`
`Path 1
`
`In path 1, the first comparator 320 checks the policy selector 405 of the security
`
`policy 305 that was received from the policy finder 317. If the policy selector 405 is
`
`. either “Allowed" or “Blocked,” then the first comparator 320 forwards this result
`
`directly to the logical engine 333. Otherwise, the first comparator 320 invokes the
`
`comparisons in path2 andfor path 3 andlor path 4 based on the contents of policy selector
`
`131I124334.01.00
`110697!1556!40492.00002
`
`'11
`
`10
`
`15
`
`20
`
`
`
`“il‘ll'liiilliliiirEliiil:{Ell
`
`
`
`
`
`
`
`
`
`
`
`M113]liiiin‘EiilIll]!"ll?"ll-'3'"':lEEEll{ESEIiiiill Eh
`
`
`
`
`
`
`
`
`
`O
`
`O
`
`PATENT
`
`405. It will be appreciated that the first comparator 320 itself compares the
`
`Downloadable ID against the lists of Downloadables to allow or block per administrative
`
`override 425. That is, the system security administrator can define specific
`
`Downloadables as “Allowed” or “Blocked.”
`
`Alternatively, the logical engine 333 may receive the results of each of the paths
`
`and 'based on the policy selector 405 may institute the final determination whether to
`
`allow or block the Downloadable. The first comparator 320 informs the logical engine
`
`333 of the results of its comparison.
`
`10
`
`Bath;
`
`In path 2, the first comparator 320 delivers the Downloadable, the Downloadable
`
`ID and the security policy 305 to the code scanner 325. If the DSP data 310 of the
`
`received Downloadable is known, the code scanner 325 retrieves and forwards the
`
`information to the ACL comparator 330. Otherwise, the code scanner 325 resolves the
`
`DSP data 310. That is, the code scanner 325 uses conventional parsing techniques to
`
`decompose the code (including all prefetched components) of the Downloadable into the
`
`DSP data 310. DSP data 310 includes the list of all potentially hostile or suspicious
`
`computer operations that may be attempted by a specific Downloadable 307, and may
`
`also include the respective arguments of these Operations. For example, DSP data 310
`
`may include a READ from a specific file, a SEND to an unresolved host, etc. The code
`
`15
`
`20
`
`scanner 325 may generate the DSP data 310 as a list of all operations in the
`
`Downloadable code which could ever be deemed potentially hostile and a list of all files
`
`to be accessed by the Downloadable code. It will be appreciated that the code scanner
`
`131!124334.01.00
`1 10697! 1 556!40492.00002
`
`12
`
`
`
`
`
`“ill!'55:]!lliii::liiiltill!
`
`
`
`
`
`
`
`
`
`“111:.liftiii!lilil"Ii""Ill”{iiiiii:(iii.
`
`
`
`
`
`
`
`.
`
`.
`
`PATENT
`
`325 may search the code for any pattern, which is undesirable or suggests that the code
`
`was written by a hacker.
`
`An Exam 1e List of O erations Deemed Potentiall Hostile
`
`0
`
`File operations: READ a file, WRITE a file;
`
`0 Network operations: LISTEN on a socket, CONNECT to a socket, SEND data,
`
`RECEIVE data, VIEW INTRANET;
`
`I Registry operations: READ a registry item, WRITE a registry item;
`0 Operating system Operations: EXIT WINDOWS, EXIT BROWSER, START
`
`10
`
`PROCESSITHREAD, KILL PROCESSITHREAD, CHANGE PROCES SITI-IREAD
`
`PRIORITY, DYNAMICALLY LOAD A CLASSILIBRARY, etc.; and
`
`a Resource usage thresholds: memory, CPU, graphics, etc.
`
`In the preferred embodiment, the code scanner 325 performs a full-content inspection.
`
`15
`
`However, for improved speed but reduced security, the code scanner 325 may examine
`
`only a portion of the Downloadable such as the Downloadable header. The code scanner
`
`325 then stores the DSP data into DSP data 310 (corresponding to its Downloadable ID),
`
`and sends the Downloadable, the DSP data to the ACL comparator 330 for comparison
`
`with the security policy 305.
`
`20
`
`The ACL comparator 330 receives the Downloadable, the corresponding DSP
`
`data and the security policy 305 from the code scanner 325, and compares the DSP data
`
`against the security policy 305. That is, the ACL comparator 330 compares the DSP data
`
`131l124834.01.00
`' 1 10697l155614049200002
`
`13
`
`
`
`
`
`
`
`
`
`all:lliiin“.iillIII]!"I13?"“ll?’“{EEEIIIii-.1:iliiilil'ii'EEEII115531:llEEElu'111211
`
`
`
`
`
`
`
`
`
`
`
`
`
`O
`
`0.
`
`mm
`
`of the received Downloadable against the access control lists 410 in the received security
`
`policy 305. The access control list 410 contains criteria indicating whether to pass or fail
`
`the Downloadable. For example, an access control list may indicate that the
`
`Downloadable fails if the DSP data includes a WRITE command to a system file. The
`
`ACL comparator 330 sends its results to the logical engine 333.
`
`
`Path 3:
`
`In path 3, the certificate scanner 340 determines whether the received
`
`Downloadable was signed by a certificate authority, such as VeriSign, Inc, and scans for
`
`10
`
`a certificate embodied in the Downloadable. The certificate scanner 340 forwards the
`
`found certificate to the certificate comparator 345. The certificate comparator 345
`
`retrieves known certificates 309 that were deemed trustworthy by the security
`
`admmistrator and compares the found certificate with the known certificates 309 to
`
`determine whether the Downloadable was signed by a trusted certificate. The certificate
`
`15
`
`comparator 345 sends the results to the logical engine 333.
`
`Pat—114:
`
`In path 4, the URL comparator 350 examines the URL identifying the source of
`
`the Downloadable against URLs stored in the URL rule base 420 to determine whether
`
`20
`
`the Downloadable comes from a trusted source. Based on the security policy 305, the
`
`URL comparator 350 may deem the Downloadable suspicious if the Downloadable
`
`comes from an untrustworthy source or if the Downloadable did not come from a trusted
`
`source. For example, if the Downloadable comes from a known hacker, then the
`
`13111248310100
`11069711555'4049230002
`
`14
`
`"Iii:tillIE5?"EliillHill
`
`
`
`
`liiil':lEEEl::IEEZII l
`
`
`
`
`
`all.Iiiiiu“iii!Hill"Ill""ll?
`
`
`
`. _
`
`.
`
`PATENT
`
`Downloadable may be deemed suspicious and presumed hostile. The URL comparator
`
`350 sends its results to the logical engine 333.
`
`The logical engine 333 examines the results of each of the paths and the policy
`
`selector 405 in the security policy 305 to determine whether to allow or block the
`
`Downloadable. The-policy selector 405 includes a logical expression of the results
`received from each ofthe paths. For example, the logical engine 333 may block a
`
`Downloadable if it fails any one of the paths, i.e., if the Downloadable is known hostile
`
`(Path 1), ifthe Downloadable may request suspicious operations (Path 2), ifthe
`
`I
`
`10
`
`Downloadable was not signed by a trusted certificate authority (Path 3), or if the
`
`Domfloadable-did-came from an untrustworthy source (Path 4). The logical engine 333
`
`may apply other logical expressions according to the policy selector 405 embodied in the
`
`security policy 305. If the policy selector 405 indicates that the Downloadable may pass,
`
`then the logical engine 333 passes the Downloadable to its intended recipient.
`
`Otherwise, if the policy selector 405 indicates that the Downloadable should be blocked,
`
`then the logical engine 333 forwards a non-hostile Downloadable to the intended
`
`recipient to inform the user that internal network security system 110 discarded the
`
`original Downloadable. Further, the logical engine 333 forwards a status report to the
`
`record-keeping engine 335, which stores the reports in event log 245 in the data storage
`
`device 230 for subsequent review, for example, by the MIS director.
`
`15
`
`20
`
`FIG. 5 is a block diagram illustrating details of the security management console
`
`120, which includes a security policy editor 505 coupled to the communications channel
`
`131!124834.01.00
`110697r1556mo492.00002
`
`15
`
`
`
`
`
`"Ila'EiillIliiilrlliiflHill
`
`
`
`
`
`
`
`“1111'.lliiii:'Eiilllil!"iii.""ll-1""'1555‘]:Hill#1351
`
`
`
`
`
`
`
`
`
`
`
`.
`
`.
`
`PATENT
`
`135, an event log analysis engine 510 coupled between communications channel 135 and
`
`a user notification engine 515, and a Downloadable database review engine 520 coupled
`
`to the communications channel 135. The security management console 120 further
`
`includes computer components similar to the computer components illustrated in FIG. 2.
`
`The security policy editor 505 uses an IfO interface similar to HQ interface 215
`
`for enabling authorized user modification of the security policies 305. That is, the
`
`security policy editor 505 enables the authorized user to modify specific security policies
`
`I' |.
`
`[hilllliiill{liiil"ll“u,‘EiiillIliallEEEl.‘Hill
`
`
`
`
`
`
`
`
`deli;lliiiu”.iiilllliill"ll?'lli'"'
`
`305 corresponding to the users 260, the default or generic security policy 305, the
`
`Downloadables to block per administrative override, the Downloadables to allow per
`
`‘10
`
`administrative override, the trusted certificate'lists 415, the policy selectors 405, the
`
`access control lists 410, the URLs in the URL rule bases 420, etc. For example, if the
`
`authorized user learns of a new hostile Downloadable, then the user can add the
`
`Downloadable to the Downloadables-to block per system override.
`
`The event log analysis engine 510 examines the status reports contained in the
`
`15
`
`20
`
`event log 245 stored in the data storage device 23 0. The eyent log analysis engine 510
`
`determines whether notification of the user (e.g., the security system manager or MIS
`
`director) is warranted. For example, the event log analysis engine 510 may warrant user
`notification whenever ten (10) suspicious Downloadables have been discarded by
`
`internal network security system 110 within a thirty (30) minute period, thereby flagging
`
`a potential imminent security threat. Accordingly, the event log analysis engine 510
`
`instructs the user notification engine 515 to inform the user. The user notification engine
`
`515 may send an email via internal commmtications interface 220 or via external
`
`1310'1248340100
`1 10697.” 556!40492.00002
`
`'16
`
`
`
`O
`
`- 0
`
`mm
`
`communications interface 210 to the user, or may display a message on the user’s
`
`display device (not shown).
`
`FIG. 6A is a flowchart illustrating a method 600 for protecting an internal
`
`computer network 115 from suSpicious Downloadables. Method 600 begins with the ID
`
`generator 315 in step 602 receiving a Downloadable. The ID generator 315 in step 604
`
`generates a Downloadable ID identifying the received Downloadable, preferably, by
`
`generating a digital hash of the Downloadable code (including prefetched components).
`
`The policy finder 317 in step 606 finds the appropriate security policy 305
`
`10
`
`corresponding to the userID specifying intended recipient (or the group to which the
`
`intended recipient belongs) and the Downloadable. The selected security policy 305
`
`may be the default security policy 305. Step 606 is described in greater detail below
`
`with reference to FIG. 6B.
`
`The first comparator 320 in step 608 examines the lists of Downloadables to allow
`
`‘15
`
`or to block per administrative override 425 against the Downloadable ID of the incoming
`
`Downloadable to determine whether to allow the Downloadable automatically. If so,
`
`then in step 612 the first comparator 320 sends the results to the logical engine 333. If
`
`not, then the method 600 proceeds to step 610. In step 610, the first comparator 620
`
`examines the lists of Downloadables to block per administrative override 425 against the
`
`20
`
`Downloadable ID of the incoming Downloadable for determining whether to block the
`
`Downloadable automatically. If so, then the first comparator 420 in step 612 sends the
`
`results to the logical engine 333. Otherwise, method 600 proceeds to step 614.
`
`13111248340100
`11069711556r‘40-49200002
`
`'17
`
`
`
`
`
`.“11'11“Hill1155::[FillIii]!
`
`
`
`
`
`all.iliiiu":iiliIIIIII"Ill""ll?”‘lliil’{Ediiii."
`
`
`
`‘
`
`.
`
`PATENT
`
`In step 614, the first comparator 320 determines whether the security policy 305
`
`indicates that the Downloadable should be tested according to Path 4. If not, then
`
`method 600 jumps to step 618. If so, then the URL comparator 350 in step 616
`
`compares the URL embodied in the incoming Downloadable against the URLs of the
`
`URL rules bases 420, and then method 600 proceeds to step 618.
`
`In step 618, the first comparator 320 determines whether the security policy 305
`
`indicates that the Downloadable should be tested according to Path 2. If not, then
`
`method 600 jumps to step 620. Otherwise, the code scanner 235 in step 626 examines
`
`the DSP data 310 based on the Downloadable ID of the incoming Downloadable to
`
`it'll!| I
`
`10
`
`determine whether the Downloadable has been previously decomposed. If so, then
`
`
`
`'.'.'ii"ll”Fillilliiu:liil
`
`
`
`
`
`___ .
`
`I' l
`liiil
`
`method 600 jumps to step 630. Otherwise, the code scanner 325 in step 628 decomposes
`
`the Downloadable into DSP data. Downloadable decomposition'is described in greater
`
`detail with reference to FIG. 7. In step 630, the ACL comparator 330 compares the DSP
`
`mmwmwp~
`
`data of the incoming Downloadable against the access control lists 410 (which include
`
`15
`
`the criteria necessary for. the Downloadable to fail or pass the test).
`
`In step 620, the first comparator 320 determines whether the security policy 305
`
`indicates that the Downloadable should be tested according to Path 3. If not, then
`
`method 600 returns to step 612 to send the results of each ofthe test performed to the
`
`logical engine 333. Otherwise, the certificate scanner 622 in step 622 scans the
`
`20
`
`.Downloadable for an embodied certificate. The certificate comparator 345 in step 624
`
`retrieves trusted certificates from the trusted certificate lists (TCL) 415 and compares the
`
`embodied certificate with the trusted certificates to determine whether the Downloadabie
`
`has been signed by a trusted source. Method 600 then proceeds to step 612 by the
`
`13111248340100
`1 10597!1556140492.00002
`
`18
`
`
`
`.
`
`.
`
`PATENT
`
`certificate scanner 345 sending the results of each of the paths taken to the logical engine
`
`333. The operations of the logical engine 333 are described in greater detail below with
`
`reference to FIG. 6C. Method 600 then ends.
`
`One skilled in the art will recognize that the tests may be performed in a different
`
`order, and that each of the tests need not be performed. Further, one skilled in the art
`
`will recognize that, although path 1 is described in FIG. 6A as an automatic allowance or
`
`blocking, the results of Path 1 may be another predicate to be applied by the logical
`
`engine 333. Further, although the tests are shown serially in FIG. 6A, the tests may be
`
`performed in parallel as illustrated in FIG. 3.
`
`| I
`it'll
`
`10
`
`
`
`
`
`“ll“”iii!lEiEullii
`
`lull=l.:'...
`
`II |.\
`.,,
`'H‘III
`
`FIG. 6B is a flowchart illustrating details of step 606 of FIG. 6A (referred to
`
`herein as method 606). Method 606 begins with the policy finder 317 in step 650
`
`determining whether security policies 305 include a specific security policy
`
`corresponding to the userID and the Downloadable. If so, then the policy finder 317 in
`
`15
`
`step 654 fetches the corresponding specific policy 305. If not, then the policy finder 317
`
`in step 652 fetches the default or generic security policy 305 corresponding to the
`
`userID. Method 606 then ends.
`
`FIG. 6C is a flowchart illustrating details of a method 655 for determining
`
`20
`
`whether to allow or to block the incoming Downloadable. Method 655 begins with the
`
`logical engine 333 in step 660 receiving the results from the first comparator 320, from
`
`the ACL comparator 330, from the certificate comparator 345 and from the URL
`
`comparator 350. The logical engine 333 in step 662 compares the results with the policy
`
`13111248310100
`1 10697” 556!40492.00002
`
`19
`
`
`
`.1111:lift”illlilllli"ll-'5'"ll-‘5'
`
`
`
`
`
`
`
`
`
`.
`
`.
`
`PATENT
`
`selector 405 embodied in the security policy 305, and in step 664 determines whether the
`
`policy selector 405 confirms the pass. For example, the policy selector 405 may indicate
`that the logical engine 333 pass the Downloadable if it passes one ofthe tests ofPath 1,
`
`Path 2, Path 3 and Path 4. If the policy selector 405 indicates that the Downloadable
`
`should pass, then the logical engine 333 in step 666 passes the Downloadable to the
`
`intended recipient. In step 668, the logical engine 333 sends the results to the record-
`
`keeping engine 335, which in turn stores the results in
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
