DE10217952A1 - Proxy server type device for use in a mobile phone network for protection of terminal units against harmful content, whereby the proxy serves an interface between a data server and a data terminal - Google Patents

Abstract

Method for protection of digital units in a network is based on use of a proxy server that can be used with a multiplicity of protocols. The proxy takes requests from the digital units and checks them for harmful content, which is removed if necessary. The repaired requests are then forwarded to a target. The proxy then receives responses to the requests and checks them for harmful information, which is removed if necessary, prior to forwarding to the relevant terminal. Independent claims are also included for the following:- (a) a device for protecting digital units in a network; (b) a device for protecting digital units in a network using POP, ftp or smtp protocols; software for a digital computer system; (c) and a data carrier for the loading software for method implementation.

Description

The invention relates to an apparatus and a method for Protection of data terminals and data servers between preferably public and private data networks. The protection is used for the incoming or outgoing or for the total data stream regardless of the type of connected Data terminal or data server guaranteed. The protection extends to dynamically and permanently connected Data terminals or data servers on data networks. The Invention provides protective devices, even if Data protection programs on the data terminal or data server cannot be saved.

Under a private network is a network or one Network unit in a data device means that only one is accessible to certain user groups. A single can Be a person, a family or even the employee Company.

The public network is a data network, what users can be entered regardless of time and place, in particular the Internet. The allocation of data streams between private ones and public networks is done through dynamic or fixed Addresses. Data transfer between public and private networks is based on defined transmission protocols realized. On the Internet, for example, the assignment would be over IP addresses take place and the data transfer with the TCP / IP Transmission protocol. When exchanging data between mobile Terminal devices, on the other hand, are assigned via telephone numbers and data transmission through the GSM or UMTS standard.

When exchanging data between public and private Networking is a major problem that is undesirable Data or data that the data terminal or the data server can damage, be replaced. In addition there is the danger is that additional information in the data stream unwittingly from the data terminal or data server into the Data network can be sent or received. The Additional information can be evaluated elsewhere and be misused.

Undesired data is understood to mean all the data that the user does not want to receive with the data stream. The In addition to data viruses, advertising banners, cookies, Program scripts etc.

Damage caused by data viruses is particularly strong due to the strong Networking growth between data terminals and Data servers associated with a steady increase. data viruses come in different types. The damage ranges from the destruction, manipulation and misuse of data carriers to programs, the data devices and user data spy on and unwittingly send by the user.

In addition to the data viruses, there is unwanted additional information, which are also sent in the data stream. This Additional information addresses various types of damage on. The constant loading of advertising banners can connect slow down noticeably between the data terminal and the data server. By storing additional information on the Data terminal users feel in their privacy injured. When you unknowingly save it on the A program can retrofit the data terminal or data server Read information from the data carrier or the user. In addition, this additional information can contain gaps and errors from installed data programs to data devices to manipulate or spy on.

The data viruses and unwanted additional information not on data terminals or data servers in the original Limited senses. Wherever data programs run - that are almost all devices of modern life - can damage be served. It is already known that there are data viruses for mobile devices that, for example, unwittingly send SMS Send messages.

More and more devices are using public networks Connected to data servers. Many types of Data terminals not additionally through protection programs be expanded. The data devices are fully populated delivered and offer no possibility of retrofitting like a computer. Computers as data terminals and data servers offer the possibility of retrospectively protection programs to install. The user does not need the protection programs just install properly, but a substantial one Maintenance effort to update the detection pattern is necessary. The perfect installation already prepares Users big problems. They work too differently individual protection programs with different operating systems or other installed data programs.

The current protection programs always work within a private network or a central unit. So z. B. illustrates the distinction between a private network and a central unit in FIG . The incoming or sent data stream only reaches the data carrier of the data terminal or the data server before a protection program can examine data and initiate reactions.

These properties only allow protection of devices when the user installs the protection program, the underlying updated patterns and rules of the protection program updated and the protection program is working properly. The flawless How it works can only be determined to a limited extent. When a defective program does the first damage, it is for the user can see that he has any settings in the Protection program must change.

Computer damage totaled $ 17 billion in 2001 alone. Only 5 percent of all users who are regularly connected to a public network have installed protection programs that work properly. Due to the complexity of the protection programs and the not inconsiderable investment in them, only companies with their own administrative staff can guarantee permanent protection for the private network. But this only affects computer systems. Devices without the possibility of retrofitting are currently delivered completely unprotected, defective programs.

Protection programs and facilities are working on different levels. The most important levels include the Port level and the application level. Both differentiate that in the port level does not affect the content of the data stream can be taken. WO 99/54827 and WO 99/48261 Devices known based on IP addresses and Provide protective devices for port addresses. A content filtering and determining the type of data stream transmitted or received does not take place.

From the publications US 5996 011 and WO 99/41913 Devices known, the additional content-related Consider information. The data stream either forwarded or blocked. A modification of the Data stream does not take place. In addition, not the type of the transmitted or received data stream. However, this is mandatory in order to do this depending on the data type load the appropriate protection program.

The object of the present invention is a device and provide a method that simple analysis of information allowed, being both stateless as well statebound connections are taken into account.

This task is solved by inventions with the characteristics of independent claims.

The basic approach of the invention is one To use proxy for both stateless and for statebound connections an analysis of requests and Answers. In a special embodiment the authentication is simulated by the proxy, which then logs on to the target (server) again.

According to the prior art, there is no device or Known method that moves a client (terminal) in the Authentication process to wait for the independent Protection device both fetches or sends and in in a second step the data is analyzed and treated. All known methods and devices break with a Timeout error. This is the state of the art formulated to automatically disconnect when the risk of permanent blocking of the data line or the Data server exists.

That means the client is protected from malware wants to protect, needs to use a data server that Protection devices installed. That would be on the Internet Client a private user or a company and the Data server for example a POP3 email inbox at his Provider. The user receives protection only if the Provider installed protection programs on its POP3 servers has and updated them constantly. Alternatively, the Install user protection programs on his data terminal and maintain, provided the data terminal leaves one Installation of protection programs too.

Different data transmission methods are used in data networks worked. On the one hand there is the stateless Transmission, for example the transmission after the HTTP Default. On the other hand there is the transfer in a defined period, for example transmission POP3, SMTP, GSM or UMTS.

For stateless transfer it is necessary to Provide protection for connected devices, data types to filter the data stream and a separate one Hand over protective device. After inspection and cleaning the data type is returned to the data stream. there there is a need not to completely stream the data block to perform an analysis. The state of the Technology does not specify a process, which complete parts of the Data stream for analysis, which is not forwards the affected data stream unhindered to the client and after analysis and treatment, the data returned to the data stream supplies.

In contrast to the stateless data connection for the fixed data connection the client a permanent connection with a data server. After one Authentication methods become data for the client transmitted, which the latter can then process. The Client expects well-defined responses from the data server. A protective device is therefore state of the art either only on the user's data terminal or only on the data server effectively. This protection device processes the data on the data carrier and cleans or modifies the data.

In detail, this problem is solved by the client is put in a waiting state that does not become one Timeout leads. This is achieved either by: communication is interrupted at a certain time and the client waits in a defined state, or in that known timeouts are used to within perform all operations in this time window. That's the way it is z. For example, it is possible to load up to 100 emails from the server analyze before known mail clients (Outlook Express) the End connection with an error. Before this termination a response is sent to the client. In case There are more than 100 emails in the mailbox, so in one first step just transfer the first 100 emails and in a second step the others. For this second step the client has to log in again.

More specifically, it is a device with the Functionality of a proxy, which is an interface to Network for requests from end devices and / or replies from Targets or servers. In the preferred Embodiment is a network card that has a connection to the Internet. In an advantageous Embodiment is the device, which is preferably as Computer is trained, accessible via the Internet and will used as a kind of public firewall and virus filter. All communication is carried out on this computer.

By the central arrangement and the support of one Variety of protocols can thus be a very current and easy to maintain service for the user on the Internet Tobe offered. With the help of a processing unit, which in usually with one or more processors appropriate memory exists, those of the Interface received requests received and on checks harmful information. The checking requests are preferably done with virus scanners or others for programs specific to this file type. Should be questionable Information is found, so this will result from the request removed and in the preferred embodiment by repaired information replaced in the request. After Reviewing the request, it is forwarded to the destination, i. d. Usually a server. The answer from the target or from the server is also checked for harmful information. Should there is harmful information in the response, so will these be repaired or replaced in the answer, then then forward the checked answer to the digital device.

Another embodiment is preferred for uses state-based requests, such as those used in protocols like POP, ftp and smtp apply. A connection is always there condition-bound when certain answers to requests to be expected. If these answers are not received, please do so either the connection is broken or the system waits until a corresponding response is sent. If the use is canceled, i. d. Usually a timeout in front.

The essence of this approach is that a Authentication is simulated to the Cache authentication data. The so won Authentication data is used for authentication the target or server. The renewed Authentication, submitting the request and that Receiving data and checking it, of course, may do not take so much time that the client or the user device terminates the connection. As the best known An example is the POP protocol, which is used for Picking up emails serves. Such a client would use a end the connection too long. By the Analyzing the client, however, can lead to certain Interruptions are inserted at times that are not too break the connection. Furthermore, the Timeout times are exhausted so that not all Information is loaded and passed on, but only those that are loaded in the time interval can and can be processed. After that User device has been put into a waiting state, the Request for harmful information to be extracted from the Remove request or get it repaired Replace information in the request. The so tested Request is forwarded to the destination, with the response from Target is also checked for harmful information to remove them from the answer or to go through them to replace repaired information in the response then forward the checked answer to the digital device. However, before the answer can be received, a Registration on the server or at the destination. For this the cached authentication data used.

In a preferred embodiment, only as long Receive responses as defined in the device Waiting state is. As soon as it is expected that the State changes, information is transmitted. This can be recognized by the fact that requests are being resent or that a counter is counted down. Should be reckoned with be that the answer is too big, e.g. B. with several 100 E- Mails, the request can be modified to that only the first 50 emails are loaded and sent to the Client are transmitted.

To optimize the analysis of the proxy intermediate information, especially the Virus check, depending on the type of information, analysis of the file type in particular. So will z. B. depending on the information type, a program for Review the content, especially to review it Viruses, selected and used. This can be avoided that a single virus engine over the documents running and doing checks that are unnecessary. By using configuration files, the Users determine which verification methods apply to which ones Types of data types or files are to be used. It can z. For example, it may be possible that, for certain analytical methods, Fees are charged if these are particularly complex and are safe. However, the user should use a lower one Be satisfied with security, so there is a possibility of this adjust.

The device recognizes from the User identification data or IP addresses, by which Device or which user it is and can in Depending on this user, load a profile in which was set, how, at what time and in which Form reviews are to be made. A possibility authentication to the central proxy server consists in cookies placed on the client user information is stored.

Another feature of the device is a buffer such as it is standard for proxies. This allows the analysis of information to be accelerated because of that in the buffer stored information is provided with a feature which shows whether the information has already been checked and through which program.

In a further preferred embodiment use that Method and device an approach that ultimately the Gives user the ability to decide whether he want to run dangerous programs or not. Anti-virus Programs only recognize viruses and other harmful ones Programs that show a clear pattern. All Programs that are both very useful to the user can also be misused through protection programs not to be eliminated automatically. Examples are here To call dialer. In addition, there is no protection for the data terminal device if a virus appears and there is not yet one Countermeasure or sample for the anti-virus program there.

The approach in the present invention is that the File type of the requested file is recognized, if necessary pack. Is it z. B. an executable file (e.g. BAT or EXE file), a protective sheath is around the File placed and the modified file to the user forwarded. The protective jacket consists of a file (same file format), which, if on the computer of the User starts, issues a warning. This Warning message includes the file name of the original requested file and notifies the user that the file can possibly cause damage. The user can now choose whether to install and start the original file or want to cancel the process. When the action is canceled, the Original file made harmless.

Due to the possible automatic installation and execution on the data terminal of dangerous programs from one Network (internet) can become unwanted and dangerous Unknowingly inject programs on the data terminal.

The protective cover tells the user that now a Program to be loaded, installed and executed. The User can cancel the process. I.e. the program in the Protective cover gives the user the opportunity to Cancel installation and execution process or that run dubbed program.

This approach provides protection if only the File type is known. The user now receives the Possibility, even after knowingly or unknowingly Initiate the charging process to decide whether the requested program is installed and executed should.

An important area of application are dialers, which are small programs that make it easier for the user to establish a desired online connection.

Dialers are often offered by Internet providers who do simplify their - mostly inexperienced - potential customers to set up a suitable Internet access. This happens either by making an entry in the dial-up network (this is the part of Windows that is used to dial into Internet is responsible) is created in the dial-up network, or by installing your own dial-up program. The present invention goes so far that also Result of the execution of the program is checked. Should the dialer an additional Internet use in the dial-up network the user will be informed. The type of automatic installation is based on ActiveX. ActiveX is an extension of the Browser functionality that enables the browser to other ways of accessing the operating system. So can you can access the file system using ActiveX, for example or install programs.

According to the state of the art there are auxiliary programs that one To provide protection on the data terminal against dialers. These monitor the connection to the public Network and disconnect as soon as one dialed number is dialed. But they take hold Dialer countermeasures. So there are dialers based on their partial automatic installation of the anti-dialer software just exit or delete. Or they sit in one Autostart file that automatically every time the Data terminal is executed.

According to the state of the art there are display devices and Operating systems that install an automatic and Do not allow programs to run. They are against it equipped data terminals but powerless if that install dialers by pretending to be wrong Facts happen or dialer in other programs hide and only become active after execution.

The problem of dialers is only intended to show that the novel protection against all programs that work unwittingly or by pretending to be false facts Get access to the data terminal. Malicious programs of this type can contain user information, other data programs or more Abuse detailed information of the data terminal.

The invention is described below with reference to Exemplary embodiments explained in more detail in the figures are shown schematically. Same reference numbers in the individual figures denote the same elements. in the Individual shows:

Fig. 1 is a flow diagram of a data stream from the data server to the terminal in a state bound compound;

Fig. 2 is a flowchart of a data stream to the data server from the terminal in a state bound compound;

Fig. 3 is a flowchart of a data stream from the data server to the terminal in a state not bound compound;

FIG. 4 shows a flow diagram of a data stream to the data server from the data terminal in the case of a non-statebound connection; FIG.

Fig. 5 terminal with inventive proxy in data delivery;

Fig. 6 terminal with proxy according to the invention when receiving data.

In Fig. 3, a flowchart is shown for the stream request from the data server to the data terminal by a stateless connection. Here, the data terminal establishes a connection with the proxy server according to the invention via the proxy according to the invention. The proxy server accepts the data request. The proxy server establishes the connection to the data server. The data server sends the requested data to the proxy server. The proxy recognizes the binary data stream and determines the data type. Based on the data type, a decision is made regarding the protection program to be loaded. If a protection program is available, a data type is removed from the data stream and transferred to the protection device; otherwise the data stream will forward to the data terminal. The protective device detects the analysis tools for the determined data type and carries out an analysis. If the analysis is negative, the data stream is modified by providing cleaned replacement data or by deleting it.

In FIG. 4 is a flow scheme is described in which a data stream delivery from the data terminal to the data server through a stateless connection is made. In the first step, a data terminal sets up a connection with the public network to the proxy server via a transfer point in order to then send the data stream. The proxy server then establishes a connection with the data server. The proxy server recognizes the binary data stream and determines the data type. The decision then follows as to whether the data type should be analyzed. If this is the case, the data type is removed from the data stream and handed over to the protection device; otherwise the data stream is forwarded to the server.

As already described above, the Protector together the analysis tools that are decisive for the determined data type. Should point out that the data is infected, so the Modified information inserted back into the data stream, replaced or removed.

Fig. 1 shows a detail of a statebound connection, as z. B. is the case with the protocols POP or ftp, in which a terminal device collects information from the server. It can be clearly seen how a registration is simulated. The proxy server asks for the password and the user name. This means that a profile is loaded in which either further user names and passwords are stored or in which only rules for checking the information are stored. The proxy server then establishes a connection to the server either by using the transmitted authentication data or in the user profile. At the same time, the client is put on hold. Depending on the client who logs on, this can be done using different techniques. In the following, the data will be picked up from the server. The downloaded data is checked as described above, depending on the data type and the user profile. Authentication with the client is only confirmed after the data has been downloaded. This is one way of making the client wait for an extended period of time.

After authentication is reported as successful the client asks how much data in which Scope should be transmitted. After that, the transmission began.

FIG. 2 shows the method steps when a client sends information to a data server in the case of a statebound connection. Here, too, two authentications are carried out, with the first authentication only being confirmed when the second has been successful. The data then sent by the client is checked against the data types that are sent. The data checked in this way are only sent to the server after the check.

Fig. 6 shows an inventive device in the form of the proxy server 2 which is connected to a data terminal 1. The data exchange takes place transparently with a data server 3 . The proxy server comprises a recognition module 4 for recognizing data types. Data are passed through the protective device 5 in order to recognize whether they are infected or not. A statistics module 7 then decides in what form the data are forwarded or whether no forwarding takes place. A data shredder 6 serves to store infested information. The dash-dotted lines show the flow of clean, cleaned data, the transmitted data stream being recognizable by a solid line.

In FIG. 5, the data reception is described. Here, the proxy server 2 additionally includes a buffer 8 , which can be used as a buffer. Depending on the requested data, data that have already been cleaned are either fetched from the buffer memory 8 or loaded by the server 3 . The dotted lines in this figure show the received data.

In a variant of the device, not shown, the information is packed or wrapped depending on the type of information, so that the user can make a final decision about the execution of the program. List of literature cited WO 99/54827
WO 99/48261
US 5996 011
WO 99/41913 reference number 1 data terminal
2 proxy
3 data servers
4 Detection module for data type
5 protection device
6 data shredders
7 statistics module
8 buffers

Claims (18)

1. Method for protecting digital devices in a network, with a proxy, the functionality of which preferably extends to a large number of protocols, the proxy accepts requests from the digital devices, checks them for harmful information in order to remove them from the request and / or to replace them with repaired information in the request, - the proxy forwards the checked requests to the destination, the proxy checks the responses for malicious information to remove them from the response and / or to replace them with repaired information in the response, - The proxy forwards the checked response to the digital terminal. 2. Method for protecting digital devices in a network, using a proxy, the functionality of which preferably extends to a large number of protocols, - The proxy accepts requests from the digital devices, simulates an authentication in order to carry out a further authentication with the destination, preferably using temporarily stored authentication data, the user device being put into a waiting state, the request being checked for harmful information in order to to remove them from the request and / or to replace them with repaired information in the request, in order to then forward the checked request to the target, wherein the response is also checked by the target for harmful information in order to remove it from the response and / or to replace this with repaired information in the response in order to then forward the checked response to the digital terminal. 3. Method according to one or more of the preceding Claims, characterized in that the requests both to a statebound, especially POP or ftp, as also to a stateless connection, especially http, to lead. 4. Method according to one or more of the preceding Claims, characterized in that an analysis of the Information type is made, and based on the Information type a program for checking the content, especially for checking for viruses, selected and is used. 5. Method according to one or more of the preceding Claims, characterized in that the proxy Information buffers and managed in a cache. 6. Method according to one or more of the preceding Claims, characterized in that the proxy in Dependency of the end device and / or of User identification data loads a test pattern that the Kind of information, the test algorithms and the Determines consequences. 7. Method according to one or more of the preceding Claims, characterized in that depending on the Information type of information, the information preferably encased by an executable program is so that the user when executing the so encased information an indication of the type of Receives information. 8. Device for protecting digital devices in a network, with the functionality of a proxy, - with an interface to the network for requests from end devices and / or answers, with a processing unit that accepts requests received from the interface, checks them for harmful information in order to remove them from the request and / or to replace them with repaired information in the request and then forward the checked request to the destination, wherein the response from the target is also checked for harmful information in order to remove it from the response and / or to replace it with repaired information in the response and then to forward the checked response to the digital terminal. 9. Device for protecting digital devices in a network, with the functionality of a proxy, with an interface to the network for status-related inquiries from end devices and / or replies, in particular according to protocols POP, ftp and smtp, - with a processing unit that accepts requests received from the interface, simulates authentication in order to carry out further authentication with the target, preferably using temporarily stored authentication data, the user device being placed in a waiting state, the request being checked for harmful information in order to remove it from the request and / or to replace it with repaired information in the request, in order to then forward the checked request to the target, the response from the target also being checked for harmful information in order to extract it from the response remove and / or to replace this with repaired information in the answer, in order to then forward the checked answer to the digital terminal. 10. Device according to the previous one Device claim characterized in that only as long as responses are received as the device in one defined waiting state. 11. Device according to the previous one Device claim, characterized in that the Request is modified so that only part of the answer, in particular with the POP protocol, so that the device remains in a defined waiting state. 12. Device according to one or more of the previous device claims, thereby characterized that an analysis of the type of information, in particular the file type, and in Depending on the type of information a program for Review the content, especially to review it Viruses, selected and used. 13. Device according to one or more of the previous device claims, thereby characterized in that the proxy buffers information and in managed a cache. 14. Device according to one or more of the previous device claims, thereby characterized that requests to both a statebound, especially POP or ftp, as well a stateless connection, especially http. 15. Device according to one or more of the previous device claims, thereby characterized that depending on the device and / or a test pattern of user identification data that loads the kind of information that Test algorithms and the consequences. 16. The device according to one or more of the previous device claims, thereby characterized that there are funds available in Dependency of the information type of the information Information preferably through an executable program sheath so that the user when executing the so encased information an indication of the type of Receives information. 17. Software, characterized in that on a digital computing system consisting of one or more Computer systems can exist, a method according to a or more of the preceding method claims is implemented. 18. Data carrier, characterized by a data structure, that after loading onto a digital computing system that is out one or more computer systems can exist Method according to one or more of the preceding Process claims implemented.