AU2008100700B4 - REAPP computer security system and methodology - Google Patents
REAPP computer security system and methodology Download PDFInfo
- Publication number
- AU2008100700B4 AU2008100700B4 AU2008100700A AU2008100700A AU2008100700B4 AU 2008100700 B4 AU2008100700 B4 AU 2008100700B4 AU 2008100700 A AU2008100700 A AU 2008100700A AU 2008100700 A AU2008100700 A AU 2008100700A AU 2008100700 B4 AU2008100700 B4 AU 2008100700B4
- Authority
- AU
- Australia
- Prior art keywords
- reapp
- enabled
- computer
- data
- software
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
Description
AUSTRALIA
PATENTS ACT 1990 INNOVATION PATENT FOR THE INVENTION ENTITLED:- REAPP COMPUTER SECURITY SYSTEM AND METHODOLOGY Inventors: Dr Michael Kefaloukos and John Piperides Applicant: REAPP Pty Ltd Address for Legal Service: 1 Place Patent Attorneys Solicitors Suite 404 107 Walker St North Sydney NSW 2060 The invention is described in the following statement: 00
O
O 5 Field of Invention
(N
SThe present invention relates to computer security and in particular to computer security systems securing the operating of computers used for both private and business 00 C purposes; however, the invention is not restricted to this particular field of use.
O COPYRIGHT NOTICE
O
O 10 This document is subject to copyright. The reproduction of this document in 0 Patent Office records and communications is permitted; however, all other copyright 00
O
O rights are reserved.
Problems of the Prior Art A disadvantage with the present art is that the computer remains insecure and vulnerable despite the integration of security software measures. Current solutions for computer security consist of add-on combinations of software and hardware to the computer environment. This is a limiting factor and a problem to be overcome.
Computer applications are increasing in their complexity and therefore they have an exponentially increasing number of vulnerabilities. Computer security applications have focused on specialised means for security, by implementing devices such as firewalls.
A computer is vulnerable by the fact that it communicates with other computers most often using predominantly the TCP/IP protocol that was written in the operating system without security in mind since all communications were trusted (there was a mere handful of users); however, there are now over one billion internet users and the TCP/IP protocol is no safer. The vulnerability of TCP/IP is that the communication packet can be viewed and changed by a third party. Many security applications have focused on the communication of the TCP/IP packet to the computer.
00 0 O 5 A firewall traditionally has been a rule-based filter placed between the internet
(N
and the point of entry of a computer or private network. This enables regulation of all incoming and outgoing packets through examination and determination of whether the 00 C packets are accepted or dropped (discarded). This is termed packet filtering. Because of the number of rules that are involved in the examination of each packet, there are 0 O 10 often firewall rules which conflict.
0 O To resolve such conflicts, rules are prioritised and the rule with the highest 0 o priority will determine if the packet is accepted or otherwise. Further, firewall rules are 0 only capable of performing simple decisions and lack fine-grained control. Further, the firewall rules take no account of the contents of the packet.
Other forms of computer security include intrusion detection systems (IDS) or the ambitiously named intrusion prevention systems (IPS). Intrusion detection is the monitoring of a network for given real time warnings of intrusion detection and prevention. However, the diversification of intrusion patterns is making it increasingly difficult to detect and defeat intrusions.
The above methodologies address access to the computer but not the fundamentals of computer security itself. Consequently, computer security has provided protection through a single firewall which connects a corporate network to the internet at a single point.
Recent developments have also focused on the human elements (wetware) as a means of prevention, such as: 1) "identity management" which concentrates on authentication systems such as biometrics; and 2) computer security policies and practices that are "Effective" by educating and training users in virus prevention.
00 0 O 5 Policies in computer environments are also extensively used, such as "trusted environments" and "separation of duties" which assigns individual security tasks to specific trusted personnel. In addition, this principle should be combined with another
OO
Cl principle of assigning the "least privilege for the least time" such that trusted personnel have the least number of privileges for the shortest amount of time to do their work.
O
O
r- 10 Most commonly, security risk arises, not from a firewall "hole/hack", or from a
O
O breach in security policy, but from a software bug which can be a potential security 00 o exploit. Such an exploit can exist in any part of the communication chain between the
O
connected computers.
Microsoft, with its release of Vista as a desktop operating system (OS) reworked Microsoft's core operating systems such that it impacted on all hardware and software involved in the Vista OS. Implementation of various protections such as: 1) "Denial-of-Service via Driver Revocation [where] once a weakness is found in a particular driver or device, that driver will have its signature revoked by Microsoft, which means that it will cease to function", and 2) "content protection [which] requires that devices (hardware and software drivers) set so-called "tilt bits" if they detect anything [such as] unusual voltage fluctuations, maybe some jitter on BUS signals, a unusual return code from a function call, a device register that doesn't contain quite the value that was expected, or anything similar, a tilt bit gets set" which results in "powering down, [or] to various types of crash, to nothing at all, all triggered by exactly the same external event." The impact of Vista's protection system resulted in "considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost." 00
O
O 5 All these methodologies have tried to secure the network and act as the
(N
Sgatekeeper to the computer with huge overheads in computing resources and with little success.
00 Previously known computer protection systems, such as software firewalls, have O implementation limitations, wherein the lowest common security setting for hardware
O
10 and/or the software is based on the following configuration criteria:
O
O
01. implementation environment as set by the manufacturer and the network 00
O
O environment requirements; 2. "default-deny" firewall rule-set, which is dictated by policy settings; and 3. packet filtering which inspects data "packets" according to the packet filter's rules.
Applications that may be harmful to a network, such as Kazaa, have used a protocol which has an exploit in the form of random port allocation. Consequently, malicious code can enter a computer through on a non-standard port and potentially execute malicious obfuscated code in RAM.
There have been recent developments in firewall technology termed "application layer" firewalling; however, these developments are based on the OSI model of TCP/IP where the seventh layer of the OSI model is the application layer. 9 These developments overlook the problem that not all protocols respect the OSI model, and utilise other network layers to bypass firewalling.
The theory behind the implementation of the above is based on the premise that by adding either a soft or hard firewall to the computer network can manipulate access to the required resources and deny everything else. This takes the form of monitoring port numbers and endpoints based on a user's access privileges using authentication 00 O0 O 5 means. This fails in areas such as malicious code gaining access though spoofing IP
(N
addresses and/or using proxies to hide its endpoint origin. Thus, the control of traffic to the user's computer from specific zones of trust is compromised.
00 The invention herein described seeks to overcome at least some of the problems O as described above.
0 O 10 Object of the invention 0 0 It is an object of the present invention to provide a computer security system 0 having security software operated under an operating system independent of a host computer, such that the host computer operates in a virtual environment encapsulated within the security system.
00 0 O 5 According to the invention, there is provided a computer-implemented security method z including the steps of: 00 REAPP software is executed on a target computer, wherein said target O computer includes any programmable device that has pre-existing
O
O software installed, including a pre-existing OS;
O
00 O 10 a device connected to said target computer, such as an associated drive,
O
a disk, a storage device, a network device or the like; said REAPP software selects an OS to function as said REAPP OS wherein said REAPP OS is different to said pre-existing OS; the boot sequence of said target computer is modified such that said REAPP OS boots in preference to said pre-existing OS; said REAPP OS is executed as a host OS on said target computer; and said REAPP software enables one or more of the following to operate as a virtual client within a virtual machine: i. said pre-existing OS; ii. said pre-existing software.
00
O
0 SAccording to one aspect of the invention, there is provided a computer implemented 0 security system, including: O a. REAPP software, wherein said REAPP software includes a REAPP
O
0 operating system (OS); 00 0 10 b. a target computer for executing said REAPP software, wherein said target 0 computer includes any programmable device; and c. a means for hosting a virtual machine on said target computer wherein: i. said target computer has pre-existing software installed, including a preexisting OS; ii. said REAPP OS is: A. different to said pre-existing OS; and B. configured to boot in preference to said pre-existing OS; C. executed as a host OS on said target computer; and iii. said REAPP software enables one or more of the following to operate as a virtual client within a virtual machine: A. said pre-existing OS; B. said pre-existing software.
The present invention with its wide array of practical embodiments and applications will be better understood with reference to the following description and the accompanying drawings.
Brief Description of the Drawings A preferred embodiment of the invention will now be described, by way of example only, with reference to the accompanying drawings in which Brief Description of the Drawings A preferred embodiment of the invention will now be described, by way of example only, with reference to the accompanying drawings in which Figure 1 illustrates in a schematic diagram a typical application of security software added to, or operating in conjunction with, a computer.
Figure 2 illustrates in a schematic diagram a first preferred embodiment of the REAPP-enabled computer security means as installed as bootable REAPP-enabled security software utilising existing computer apparatus.
Figure 3 illustrates in a flow chart showing the major steps for enabling the REAPP-enabled computer security means utilising existing computer apparatus.
00
O
O 5 Figure 4 illustrates in a schematic diagram the REAPP operating system
(N
Sperforming ongoing examination of data presented to a REAPP-enabled computer or device.
00 Figure 5 illustrates a sample spectral graph of a data compliance check using a O fast Fourier transform where the incidence of each frequency (y axis) is plotted against 0 10 the frequency spectrum (x axis) such that a resultant representative data trace (wave 0 O form) resides within the parameters (high and low alarm limits) that are established by 00 O known data FFT spectral analyses.
O
Figure 6 illustrates a sample spectral graph of a data compliance check using a fast Fourier transform of two FFT wave forms, one being the reference source, whilst the other wave form is the receipted data.
Figure 7 illustrates a sample spectral graph of a data compliance check using a fast Fourier transform wave forms of data where the rate of change of the wave form (dv/dt capabilities) enables the detection of data anomalies.
Figure 8 illustrates in a schematic diagram a further preferred embodiment in one arrangement of the REAPP-enabled computer security means with the interrogation of a LIGHT BRIDGE between devices.
Figure 9 illustrates in a flow chart in one arrangement of a preferred embodiment the steps in the initial startup process of REAPP computer security means.
Figure 10 illustrates in a flow chart in one arrangement of a preferred embodiment the steps in the Endorsement Phase of processes involved in the REAPP computer security means.
Figure 11 illustrates in a flow chart in one arrangement of a preferred embodiment the steps involved during the Engagement of Incoming Information phase.
00
O
0
(N
Detailed description 00 (N Preferred embodiments of the present invention are now described with reference to the drawings, wherein like reference numerals are used to refer to like
O
O elements throughout. In the following description, for purposes of explanation, O 10 numerous specific details are set forth in order to provide a thorough understanding of
O
the invention. It may be evident, however, that the invention may be practised without O0 O these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing the invention.
Definitions The term, REAPP is an acronym for: Recognition Endorsement Authorisation/Acknowledgement Permission Protection.
Dictionary of defined terms Table 1 is a dictionary of terms defined according to the invention.
Terms defined in Table 1 are denoted with the use of capitalisation throughout the document. If a term is not capitalised then its plain meaning is to be construed, unless otherwise specified.
00 0 0
(N
Table 1. Dictionary of defined terms 00 TERM DESCRIPTION O BUS The BUS regulates an incoming data stream by: 0 1. performing restrictive and specific channelling of that 00 data stream to a Fast Fourier Transform interrogation 0 0 means, 2. transferring a Fast Fourier Transform file to a VD, to accept control commands from a VD and other devices.
CONDUCTOR A specialised Conductor such as a Dongle is used to authenticate instructions sets and processes as legitimate. In the absence of the Dongle, the computer will run with limited functionality.
Role: To arrest (that is, to isolate before transfer) and to interrogate data transmission using REAPP enabled techniques. This includes the authentication of all in-coming data.
Upon detection of corrupt data by comparison to the reference data sourced in the REAPP- enabled library, the Dongle at the REAPP enabled port will stop data-transmission.
Upon verification, the data-stream will be permitted to be transferred.
TERM DESCRIPTION Control The term "control" of data, communications, operations and processes has its usual meanings but also encompasses interception and quarantining.
DEVICE In addition to the traditional (non-REAPP functions) of a DM MANAGER (DM) to enable or disable each device), the main REAPP-enabled functions include: 1. To take instruction from the CPU; 2. To access restricted references sourced in the REAPPenabled library; 3. To verify that all devices are functioning correctly, by comparison of each device's function with reference the each specific device's function as located in the REAPP library.
DONGLE With the addition of REAPP functionality the Dongle is an expanded device over known dongles and is enabled to regulate the flow of the arriving data. The main REAPP-enabled functions of the Dongle include: 1. To verify the source port of the incoming data by comparison to references sourced in the REAPP- enabled library 2. To interrogate incoming data from any origin or source.
3. To verify the incoming data by comparison to references 00 0 0 TERM DESCRIPTION sourced in the REAPP enabled library 00 CO 4. To instruct and transfer verified data to the LAN driver.
0 The REAPP enabled dongle has the ability to stop data flow that 0 is not verifiable. This REAPP-enabled function will prevent unwanted 0 0 data from further requiring to be processed within the interior of the 0 computer, and is intended as an operating system time saving Smechanism.
DPU Any unit that can act as a coordinator of data processing.
(DIRECTIVE A directive (also known as an instruction) processing unit that PROCESSING interprets computer program instructions and processes data.
UNIT)
The main REAPP-enabled function of a DPU includes: 1. To assist in coordination of data processing and sequencing.
2. To process instructions to terminate the function of any device exhibiting non-compliant behaviour non REAPP compliant behaviour, and total shutdown if insufficient functioning REAPP enabled devices remain 3. To process REAPP- library data: To process signatures from Fast Fourier Transform files isolated and quarantined data in the SD.
To process verification compliance of the Fast Fourier Transform files by comparison of the said TERM DESCRIPTION Fast Fourier Transform file to the legacy files referenced and sourced in the REAPP enabled library INCOMING This is a REAPP-enabled operating system function.
QUALIFIED
Data presented in a REAPP-enabled operating system must
IMMOBILIZED
conform to the compliance standards referenced in the REAPP-enabled
INFORMATION
(QTI) library source.
(IQTI)
All data processed from a non-REAPP-enabled library source, for example, external information sources, such as a LAN, WAN or removal source will be subject to analysis by a REAPP-enabled operating system such that in one embodiment the original pre-existing system becomes a CLIENT virtual operating system and the REAPP operating system becomes the HOST system, where the flow of data into the Client OS will be analysed and monitored by the Host OS.
KOF "Knowledge of function" is a means of enabling verification of the responses to test data and functional incorporation of the data
(KNOWLEDGE
OF FUNCTION) exchanged. An example of "Knowledge of function" in computing is OF
FUNCTION)
where object-oriented languages facilitate and encourage reuse of components such as class libraries. In programming, programs such as Java support coupling between separately compiled components so that they are reusable. The main REAPP-enabled function is to test verification of responses and incorporation of data exchange with reference to a REAPP-enabled library source.
00
O
o TERM DESCRIPTION LIGHT BRIDGE The main REAPP-enabled function of a LB includes: 00 (LB) Cl 1. To provide conditional enablement of the BUS by executing functional isolation of the BUS carrying a suspect data 0 O stream, deemed corrupt, when subjected to fast Fourier O analysis and compared to the REAPP library.
O
00 2. To act as a transparent bridge between the CPU and storage 0 0device of the REAPP-enabled operating system.
3. To accept instructions from the CPU and the DPU as required.
MEMORY is computer memory which can STORE or contain data in many forms (MEM) including RAM, ROM, as well as computer memory associated at the card, device or mother board level and inserted RAM. For example, a "Video Device" includes a graphics accelerator card, display adapter and many other devices, which include the following components: 1. Graphics processing unit (GPU) which is a dedicated graphics microprocessor, commonly used for 3d functions.
2. Video BIOS which is firmware that contains instructions that allows the computer and software to interface with a video card.
The instruction memory of the above microprocessor and BIOS can be altered through flashing with new instruction sets.
3. Video memory or VRAM which is RAM on the video card.
TERM DESCRIPTION In this document, MEM includes any source of memory that can be referenced for compliance of the REAPP enabled operating system and or devices to a REAPP-enabled library standard PORT The main REAPP-enabled function of the port controller includes CONTROLLER allowing the transfer of data to the device manager of a REAPP-enabled (PC) operating system.
LAN DRIVER Main non REAPP function A LAN driver, or a network card driver, enables the operating system to communicate with the network card so it can communicate across the network or LAN by transmitting and receive packets of information. The LAN driver provides a "bridge" between the operating system (software) and the network card (hardware). Therefore enabling a computer to computer or network to computer data exchange enablement. The main REAPP-enabled function of the LAN Driver includes: 1. To provide the bridge to enable monitoring of correct REAPP-enabled operating system power up and shut down procedure.
2. To provide the bridge to communicate with a REAPPenabled dongle with reference to a REAPP-enabled library/ source.
3. To regulate the rate and flow of all information to a reapenabled operating system, after activation from of the device manager.
TERM DESCRIPTION 4. To examine and allow or reject incoming information to a REAPP-enabled operating system and ensure compliance with reference to a REAPP-enabled library/ source.
To facilitate transfer of information to the device manager of a REAPP-enabled operating system.
The selective determination of which REAPP enabled devices are opened or closed is due to the use of a logic device in conjunction with a programmable device such as computer memory, capable of accessing a REAPP-enabled library/ source.
REAPP
ENABLED
LIBRARY
A data source that conforms to REAPP enabled standards.
Enables revision of REAPP enabled standards after confirmation, acceptance and incorporation into the REAPP enabled operating system.
To maintain ongoing capture of data with reference to dynamic changes to any REAPP enabled device and system, status and function.
To permit incorporation of REAPP-enabled devices to perform a multitude of functions so as contribute to a secure, faster and more efficient operating system
REAPP
ENABLED
OPERATING
SYSTEM
SD (STORAGE
DEVICE)
The main REAPP-enabled function includes the storage of data in a quarantined area before subjecting the data to Fast Fourier Transform and analysing the data by comparison with the REAPP library; and in the event that the data is within the REAPP library thresholds, the data TERM DESCRIPTION is moved from the SD quarantine to the REAPP data processing environment.
SECURE DATA Verification device for updated software incorporation -can be VERIFIER implemented within other devices. The main REAPP-enabled function SDV) includes:
(SDV)
1. To store REAPP-enabled sourced library references.
2. To respond to requests for compliance to REAPP-enabled standards of data.
3. To maintain ability of upgradability with reference to expanding REAPP-enabled library source(s).
VIRUS Antivirus and anti-malware software and/or hardware which DETECTOR (VD) identifies and eliminates computer viruses and other malicious software through techniques such as: 1) pattern matching of virus definitions to files on the computer.
2) identifying abnormal behaviour through data capture.
The main REAPP-enabled function includes: 1. To store copies of secure data references.
2. To screen the booting of the operating system for aberrant code.
3. To perform compliance of: 00 0 0 TERM DESCRIPTION Incoming data with reference to secure REAPP- 00 enabled library source(s); To check all devices for knowledge of REAPP-enabled
O
O standard of function at shut down of REAPP- enabled 0 operating system.
00 To detect viruses and malware in Fast Fourier Transform files; To perform a check that all devices are free of aberrant code before shutdown of a REAPP-enabled operating system.
Summary of the Invention The inventive device, method and system provide an improved computer security system for "nominated", as opposed to "global", users. Information from one or more external environments can be graded on a scale of insecure to secure.
Consequently, using the inventive REAPP system, a computer can be used to view insecure information with an insecure setting and then reset to view and communicate securely with trusted sites.
In one embodiment, the REAPP system enables a structured compliance check of targeted data. A data file is created as a result of REAPP enabled computations on incoming data. This resultant data file is then compared for compliance to known data file(s) or library(ies) within the REAPP enabled system so that a level of trust can be 00 0 O 5 allocated to the incoming data. If the data is categorised as "trusted", further access to
(N
Sthe data by the user is enabled.
00 REAPP-enabled security involves multiple level verifications as an ongoing, continuing interrogation process of the computer environs. When the REAPP-enabled O computer security system detects a potential threat or unusual alteration within the 0 0 computing environment then the computer is shut down or demoted to a lower security 0 O status, depending on governing requirements, which are set and finalised on 00 o installation.
O
The invention is not restricted to the use in the area of computer security alone but can also be applied to the area of verification of any electronic data. The REAPP enabled reference data can be manually updated on portable devices as well as on-line via networked communications.
The preferred embodiments involve an arrangement of steps. However, it should be noted that this invention is not limited to a single embodiment or arrangement of steps.
COMMON COMPUTER SECURITY SYSTEMS Referring to Figure 1, a computer, referred to here as a host computer consists of Host Components 20, the Host OS 21, accompanying Host software 22 which runs on the Host OS 21, the Host Computer Hardware 23 and the Data 24 that sits on the host computer. Known computer security systems typically, as shown in Figure 1, have security software 10 added to, or operating in conjunction with, a host computer. This adjunct security software 10 typically monitors security by comparing the host computer's OS operation 22 against a library 13 containing rules and protocols 12. It is through the host computer OS 21 and its environment that the host computer communicates to the external environment, be it via a GUI 32, via external 00
O
O 5 communications 33 such as the internet, or via an external security library 31 used by
(N
Sthe security software.
00 Selection of the Intrusion Detection/Prevention System (IDS/IPS) OS 11 is critical to effective security screening. Most PCs do not have antiviral software that runs on an O OS 11 different to the screened computer's OS 21. This is mainly due to the majority of
O
11 0 security software 22 residing within the host computer that it is trying to protect, and
O
O sharing the same operating system 21 as the host computer.
00
O
O Such known security measures are inherently unable to protect the computer since protection will only operate once the computer has booted. Consequently, there have been instances of security breaches using "rootkits". A rootkit subverts control of a common computer OS 21 by obscuring its installation and evades detection of most PC security systems (which are usually software 22 installations). Consequently, such software 22 installations are unable to examine a boot disk's boot sector or slack space.' Consequently, a rootkit contains programs used by computer hackers which are concealed because it is not possible to examine the boot sector and/or the slack space of the hard drive prior to booting the computer (or possibly at any other time when Slack Space is involved), which is too late for a good security examination.
REAPP- ENABLED COMPUTER SECURITY A REAPP-enabled computer security system is a computer security system that is autonomous, in that under threat, theft, manipulation, the REAPP authentication requirements cannot be overridden. If an internal computer component or device is replaced, without first authorising the device via the appropriate REAPP authorisation 1 Slack space or file slack is the area between the end of a file and the end of the last cluster or sector used by that file. Slack space is dependent on the format of storage device.
00
O
O 5 process (as described below), then the REAPP-enabled operating system provides an Sautomatic exclusion of the new device and deems the computer as insecure.
00 Consequently, device transplantation is not possible without authentication of the authentication requirements and a re-retrofit of the new requirements. No O information can be retrieved or destroyed from the re-retrofitted device, except by the
O
l^ 10 authentication via the REAPP-enabled authentication process. REAPP-enablement can
O
O be scaled to suit the applicable environment.
OO
O The REAPP-enabled product, system and methodology are described below as different embodiments in the context of the environment to which the REAPP-enabled security is to be used.
A REAPP-enabled computer can be de-militarized and remilitarized, to give the computer a specified risk/safety status. This safety status is enabled through a combination of processes of threshold assessment of internal computer devices and incoming data subjection to a reaping process by the REAPP-enabled security processes.
This threshold assessment is continuous and the threshold is dynamic such that the security level of the REAPP-enabled computer can change and adapt as data and devices are assessed. Subsequently, as circumstances change the REAPP-enabled security level changes.
A FIRST PREFERRED EMBODIMENT A first preferred embodiment of the REAPP-enabled product, system and methodology is described below with reference to Figure 2.
Installation of REAPP-enabled computer security means The REAPP-enabled computer security means is preferably installed as bootable REAPP-enabled security software 14 utilising existing computer hardware 23 (termed 00
O
O 5 "target computer"). Consequently REAPP-enabled security software 14 can be installed -as: 00 a) a primary installation by either: i. the original equipment manufacturer (OEM) or 0 0 ii. as a retrofit to existing computer infrastructure; or
O
O
b) as an add-on application to existing Host Computer 20 infrastructure.
00
O
O A target computer includes any programmable device that has pre-existing software installed, including a pre-existing operating system (OS).
Operation of the REAPP operating system (OS) The REAPP-enabled computer security system is a virtual OS which modifies the boot sequence of the target computer. The boot modification enables the loading of the REAPP OS as the host OS, and the original pre-existing OS is loaded as a client OS in the form of a virtual OS The method of installing a REAPP-enabled computer security system involves: a) Installation of a bootable REAPP-enabled computer security system onto a target computer; b) Modification of the boot sequence of the said target computer such that the REAPP enabled OS boots in preference to the target computer's OS termed the preexisting OS; c) Execution of the REAPP enabled OS as a Host OS on said target computer; and 00
O
O 5 d) Execution of the target computer's OS operates as a virtual client OS
(N
Swithin a virtual machine where the REAPP enabled OS operates as a Host OS running the virtual machine; 00 such that said targeted computer's software is intact for examination in a O forensically intact form. The term computer is used to include all devices that have an 0 11 0 operating system such as a mobile phone, an automatic teller machine, autopilots, 0 0 weaponry, communication devices, etcetera. Devices attached to a computer include 00 O storage devices such as disks, networked drives, flash drives, etcetera.
O
A REAPP-enabled OS 15 loads the pre-existing OS 21 as a client virtual machine, thereby enabling the REAPP Host OS 15 to Control of execution of one or more of the following: said pre-existing OS 21; said pre-existing software.
This control step enables censoring, interception and quarantining all hardware calls and other communications made to/by the client original HOST OS 21. The REAPP-enabled computer security system enables the jailing of the targeted computer's operating system and associated software so that the targeted computer is functionally indistinguishable from the target computer's original state of operations. However, the target computers OS and software is jailed by the REAPP-enabled computer security system such that it is sealed from directly communicating to other devices or destroying data it contains in any form including data on storage devices, in RAM, ROM or elsewhere. Consequently, the REAPP-enabled computer security system reviews, examines and delegates operations, computations and communications whilst maintaining control over the target computer's operations, computations and communications.
00
O
O 5 Installation of REAPP-enabled media provides a bootable REAPP-enabled
(N
Soperating system (OS) 15. This REAPP OS 15 will boot from a suspect host computer to enable examination of the target computing environment by REAPP-enabled security 00 Cl software 14 without forensically altering the original target computing environment, which therefore will remain forensically intact and examinable as a client virtual 0 O 10 machine. This client virtual machine runs within the protection provided by the t"- O combination of REAPP OS 15 running the REAPP-enabled security software 14.
0 00 o The original pre-existing OS on the host computer 20 will be operational as a
O
client operating system hosted by the REAPP Host OS.
The REAPP-enabled bootable OS 15 will be different to the detected Host OS 21 of the target computer 20, which is regarded as a potentially contaminated OS 21. This difference maximises the independence of the REAPP-enabled OS 15 and reduces the cross contamination potential between the original pre-existing OS 21 and the REAPPenabled security software 14 housing the pre-existing OS as a client.
The bootable REAPP-enabled OS 15 preferentially uses an adapted Berkley Systems Distribution of UNIX (BSD), such as Open BSD due it high security levels and near absence of security holes found in the last decade. However, if the original preexisting OS 21 uses Open BSD then an adapted version of Linux kernel (currently 2.6) will be used for the REAPP-enabled OS Other operating 20 systems are also considered by those skilled in the art as useful for implementation by a REAPP-enabled OS such as Microsoft's Windows CE or Windows Pre-installation Environment (WinPE).
Other OS are also available for use by a REAPP-enabled OS in specific circumstances.
00
O
O 5 Specific drivers for known or generic hardware devices will be supplied with the SREAPP-enabled software 14. This methodology will provide a functional working environment for the selected REAPP-enabled OS 00 The REAPP-enabled OS 15 hardware/software selection is dependent on the O operating processes detected in the target computer
O
O 10 Different features of the REAPP security system will now be discussed.
O
00
O
0 0 REAPP-enabled interrogation capability Referring to Figure 2, the REAPP-enabled Security Software 14 includes the capacity to interrogate data from any source. The interrogation of the data is performed by the following steps: 1: incoming data is received and quarantined; 2: the quarantined data is compared against known data contained within the REAPP library; and 3: depending on the outcome of the comparison with the REAPP library, the data will be: a) Accepted; b) Securely stored; c) Disarmed; or d) Destroyed.
00
O
O 5 The REAPP library REAPP-enabled examination provides for a data recognition and verification 00 capability. REAPP compares features of the targeted computing environment against a REAPP library 40 (see Figure The REAPP library includes data files or libraries relating O to known or trusted software, drivers, operating systems and implemented application
O
1- 10 responses. This REAPP library 40 is used to determine compliance with REAPP-enabled
O
O fast Fourier transform responses of both data files and executable programs.
00
O
O
The REAPP-enabled censor At the completion of the data recognition and verification step, data will (broadly) be accepted or rejected. The REAPP-enabled censor, which also has notification and feedback capability, controls communication: internally between devices, as well as; to and from the host computer environment 15 to the external environment The REAPP-enabled censor (which resides within the REAPP-enabled security software 14) provides a means to: stop suspect incoming outgoing unsecured data; and shut down any device that is functioning abnormally; or disable unverified process(es), where there is change in a process value compared with a corresponding file in the REAPP library.
00
O
O 5 The REAPP-enabled methodology In a preferred embodiment the REAPP security system provides a method for 00 securing a computer or computer system. However, it will be appreciated by those skilled within the art of computer security that the use of fast Fourier transforms to O subject the targeted computing environment to a known computing forensic analysis,
O
1- 10 may include variations to the steps outlined.
O
O
Referring to Figure 3 for the steps and Figure 2 for the integers, the REAPP- 0 O enabled methodology is discussed.
The sequences may vary in different arrangements, and the following sequences are provided as exemplary arrangements of the preferred embodiment: 1. REAPP-enabled media, such as a floppy, CD, DVD, RAM disc etcetera, is inserted into a suitable reader of a target device such as a computer mobile phone, automatic teller machine; 2. in the current example, the target computer 20 is powered up; 3. the target computer 20 is booted from the REAPP-enabled media; 4. the REAPP-enabled OS 15 operates as the host operating system; the REAPP-enabled security software 14, operating within the REAPPenabled OS 15, examines the host computer 6. the host computer OS 21, host software 22 and host data 24 are now operating as a virtual machine within the new REAPP-enabled OS 7. A command is sent to the REAPP-enabled OS 15 and original pre-existing host OS 21 seeking a positive "all ports closed" response. There may be allowance 00
O
O 5 for retries and timeouts. If the required response is received, registration of Sall installed programs/applications takes place.
00 In another arrangement, the transition from a potentially contaminated computer environment 20 to a secure computing environment can be achieved by O following the steps outlined below:
O
O 10 1. Insert REAPP-enabled security software 14 with optional independent 00 REAPP-enabled security device into a suitable reader e.g. USB for reading
O
O Flash ROM (dongle) and/or a DVD/CD reader with a DVD/CD.
The independent REAPP-enabled security device is encoded, requiring security authorisation associated with the REAPP-enabled bootable media.
An example of an independent REAPP-enabled security device is a REAPPenabled Dongle. Whether or not the independent security device is installed depends on the level of host computer security required.
2. Power on the target suspect computer 3. The host computer is set to boot from the REAPP-enabled media. This step ensures that the target computer boots from REAPP-enabled portable media, if present, in preference to booting off the target computer's hard drive. In the absence of REAPP-enabled portable media the computer will boot off the target computer's OS. Exemplary boot sequences are as follows: Power Cycle Power down: Referring to Figure 2, if the target computer's OS 21 starts to boot using any operating system other than the REAPP-enabled OS 15, the target computer is immediately powered off and shut down; however, the REAPP-enabled OS continues to function.
00
O
O 5 In one arrangement, powering down the computer involves the sub- Sstep of linking the REAPP-enabled Dongle with an external powerboard or power supply that has a direct, a Bluetooth or other means 00 tC to communicate with the REAPP-enabled security system. This communication is used as a gate which allows the power to continue
O
O 10 to supply to the computer if the REAPP-enabled OS 15 is booted and O the REAPP-enabled security system is activated. The REAPP-enabled 00 security system indicates to the power source that the power drawn
O
O by the computer is involving the activation of the REAPP-enabled security software 14. If there is power drawn but the REAPP-enabled security OS 15 is not booted or the REAPP-enabled Security Software 14 is not executed, then the power supply is shut off.
Power Cycle Power up: If the boot sequence was not initially booting from a REAPP-enabled OS 15, after powering down and being restarted, the computer is rebooted. On reboot, the target computer's BIOS, or equivalent, depending on the computing environment, is flashed to reset the boot sequence so that it: I. searches for a REAPP-enabled OS 15 and boots from specific portable media (in a sequence nominated), and then II. searches for an OS and boots from a primary hard drive. If it boots from a non-REAPP-enabled OS 21, there is a warning (including in the form of a message, sound and/or series of LEDs lighting or flashing) to indicate that the computer is booting from a potentially unsafe environment. The computer is either powered down or selected to boot in an unsafe environment.
00
O
O 5 4. The REAPP-enabled OS 15 is booted. This is indicated by, for Sexample, showing a series of light emitting diodes (LEDs) flashing on the REAPPenabled dongle.
00 Selection of the REAPP security OS 15. The REAPP-enabled OS 15 is O booted with an OS that is different to the primary drive's OS 21. The target computer's
O
1- 10 primary drive is examined by the REAPP-enabled OS which is booted in RAM. The
O
O REAPP-enabled OS then selects an OS that is not identical to the OS on the target 00 O computer. This is to ensure a greater level of security.
O
(-i a. If the REAPP-enabled OS 15 and the target computer's primary hard drive OS are the same, then the REAPP-enabled OS 15 will reboot with a different REAPP-enabled OS b. If the REAPP-enabled OS 15 and the target computer's primary hard drive OS are different then the REAPP-enabled OS 15 is booted and the following takes place: i. booting coincides with the target computer "closing all ports". It is mandatory at this stage for all ports, other than the ports communicating with the REAPP-enabled bootable media, to be closed.
ii. The target computer's OS 21 will be incapacitated. The REAPPenabled security system will examine all hardware 23, software 22 and data 24.
None of the target computer's OS 21, software 22, drivers or firmware are operable at this stage.
6. Detection, examination and registration of all installed software 22 and data 24 is confirmed and continually rechecked. The confirmation of registered software 22 and data 24 is obtained by polling the targeted computer's 20 environment, in order to ensure that no additional hardware 23 or media becomes available which contains new software 22 and/or data 24.
00
O
O 5 7. REAPP-enabled security software 14 is updated from a REAPP-enabled Ssecurity server or media.
00 The REAPP-enabled OS 15, after examination of the target computer's hardware 23, will execute the minimal number of REAPP-enabled drivers required to operate this O hardware 23 and to communicate with a REAPP-enabled security server or
O
1- 10 accompanying media (hard drives, disks, flash drives etc). This communication will use a
O
O secure protocol 16 to perform an analysis of the target computer 20 and to receive 00 O REAPP-enabled security updates 34. This step is enabled by the following sub steps:
O
a. the REAPP-enabled OS 15 receives the latest updates, from the REAPPenabled library 34 or accompanying media, specific to and appropriate for the target computer's operating environment; and b. the first stage of the analysis of the target computer's security and risk assessment is performed using the processing of an independent REAPP-enabled security server 34 which can be located in a distributed form to bypass any form of central attack or "man-in-the-middle attack".
The above analysis will include examination of the target computer's software 22 for compliance with registered programs in a REAPP library 40 of known, trusted programs.
If a positive match is received, then notification is given to the REAPP-enabled OS that the said software 22 is accepted as known. If no match is made then a notification is given: i. to run one instance of the program as follows: A. run the examined program in an secure encapsulated mode within a REAPP-enabled virtual machine (VM); B. run the target computer's OS 21 and specific software in secure encapsulated mode within a REAPP-enabled virtual machine A 00
O
O 5 REAPP-enabled virtual machine is enabled to run the target computer SOS 21 with specific software 22 as separate REAPP-enabled VM instances; or 00 ii. not to run the examined program in any environment (including in a VM O and/or in situ).
0 O 10 8. The target computer's operating environment is moved to a VM as a client 0 hosted by REAPP-enabled security software 14.
O O 0 The REAPP-enabled security software 14 moves the target computer's unexecuted OS 21, accompanying drivers, software 22 and data 23 from the target computer's physical environment (a hard/flash drive, disk(s) etc) to a virtual OS environment.
This step is commonly referred to as a physical to virtual (P2V) step which entails a virtual machine creation in the REAPP-enabled OS's virtual host environment. The P2V step copies all the files from the target computer's OS, applications and data. A REAPPenabled P2V migration tool may also migrate the target computer's files to a distributed REAPP-enabled server over the network if required or desired.
9. Reboot with REAPP hosting target computer as a client The REAPP-enabled OS 15 will then reboot as a primary OS 15 with the target computer's OS 21 booted simultaneously in an encapsulated virtual machine.
Re-examination of host computer Once the target computer's OS 21 is enabled (in the REAPP-enabled OS's virtual host environment), then both the REAPP-enabled OS 15 and the target computer's OS 21 are able to be run simultaneously on the same computer the target computer).
00 0 0 5 Initially the REAPP-enabled OS 15 will examine the following the target computer's r- elements including: 00 a. the target computers OS 21; the target computers interactions with the target computers physical device hardware 23,
O
O b. the target computer's firmware,
O
O 10 c. all target computer software 22, and 00 O d. any opening or closing of ports which will be virtually active but not bridged across to the REAPP-enabled OS 15. Consequently, the target computer's OS 21 will not be able to allow any ports to be functional at this stage.
11. Host computer enabled as operable as a VM client Once the target computer's OS 21 has been successfully examined and has been cleared as a clean and secure operating environment, then the target computer's OS 21 can perform its functions in a virtual machine (VM) environment without being confined to a closed environment. Consequently, the port enablement can be modulated from the REAPP-enabled OS 15 and REAPP-enabled security softwarel4 such that any request for port opening can be cleared via the function of that REAPP-enabled security software 14 before opening of the computer.
12. The REAPP-enabled OS 15 will continue to be the primary OS whilst the target computer's OS 21 environment will be running simultaneously. The REAPPenabled OS 15 will continually examine the target computer's operating environment for security and risk. These operations will be discussed in detail below.
13. This REAPP-enabled OS 15 can examine the target computer's operations by continually polling the VM environment containing the target computer 20. This examination includes assessment of the VM hardware 23, software 22, firmware and 00
O
O 5 instructions in RAM. The arrangement of sub-steps involved in this examination -includes: 00 a. interrogation by REAPP-enabled security system of all active programs; b. detection of abnormal event(s), where the REAPP-enabled security software 0 O 14 will issue notification of error to the user of the REAPP-enabled computer and freeze 0 10 the target computer's OS 21 and software 22 for examination and clearance if possible; 0 c. acknowledgement of the detected abnormal event, REAPP-enabled security 0 software 14, if unable to determine the cause of the abnormal event, will forward an image of the frozen virtual machine to the REAPP-enabled server 34; d. responses by the REAPP-enabled Server 34, containing either a negative response, a timeout, or if no positive response received, will enable the REAPP-enabled security software 14 to issue an instruction to only restart the VM containing the Target Computer's OS 21 with a "shut all" ports command; and e. notification of the user of the findings. If the user chooses to ignore warnings, the REAPP-enabled security software 14 will freeze the VM containing the host computer operations. The user can also choose to shut down the system and undertake manual remediation.
14. The computer can be powered off or on with the REAPP-enabled OS booting as the primary OS followed by the target computer's OS booting second and always being checked by the REAPP-enabled primary OS. This REAPP-enabled OS can be copied onto the target computer's hard drive if considered desirable.
00
O
O 5 ENGAGEMENT OF INCOMING INFORMATION The REAPP security technology is a new or improved means for verifying 00 electronic data and so securing the environment in which such data is to be viewed or used. A REAPP-enabled secure operating environment screens all incoming data. The O screening of incoming data incorporates the use of multiple fast Fourier transform
O
S 10 analyses.
0
O
SInformation passed to a REAPP-enabled security device (such as a personal 0 O computer, mobile phone, automatic teller machine or other means for viewing and accessing data) must be presented in a manner that conforms to REAPP-enabled standards, as follows: 1. Data must have conformity that includes the following: a) Information should be registered; and/or b) Conform to a mode that is acceptable to an operating system which utilises REAPP-enabled security software that conforms to a REAPP-enabled standard.
2. Information should be stopped at the ports while the REAPP-enabled dongle and associated firmware perform an initial check on the credentials of the presenting information.
3. Upon confirmation of the presenting information as acceptable data by the REAPP-enabled Dongle and associated firmware, the REAPP-enabled Dongle sends an information request and receives a response from the REAPP-enabled LD (and from other devices in other arrangements), which in turn sends an information request and receives a response from the REAPP-enabled DM and then the REAPP-enabled CPU, which switches on with confirmation of the acceptable data.
00
O
O 5 FAST FOURIER TRANSFORM METHODOLOGY Referring to Figure 4, the REAPP operating system enables ongoing examination 00 of data presented to a REAPP-enabled computer or device, including a personal computer, a mobile phone, or other means for reading and using electronic data, O including a closed loop system for drug scripts or bank transactions.
O
O 10 Utilising the method of fast Fourier transform (FFT) analysis in REAPP-enabled
O
0security software, in the REAPP-enabled operating system enables: 0 S(a) the examination of large volumes of data (including whole MPG files), performing calculations on compressed and/or normal data and data volumes; and multiple checks to be performed on the same data serially and/or in parallel.
A REAPP-enabled security software utilising FFT analysis can catalogue data and/or files including program files for conformity to known and or trusted data libraries. Each file has its own unique FFT signature. Therefore, the examination of code is relative to known code signatures. By "code", the inventors mean any file, data or binary information that can be observed as a whole or as a rolling signature of a specified number of bits, relative to a known code signature.
In the REAPP-enabled computer, an input data set is presented in a time domain (binary data stream) which has data analysis performed with respect to time. In the case of incoming data, the data is: cached for a specified period of time such as one second intervals; or 00
O
O 5 analysed "on the wire" which currently code can be analysed for
(N
acceptable code signature with at least a gigabyte per second input which is standard for most network cards; followed by 00 transformed into specified epochs of the data, which is converted into a O frequency domain using a FFT transformation. A time domain reveals
O
1- 10 how the data input changes with time, whilst a frequency domain
O
O reveals the strength of the signal in each given frequency epoch over a 0 o range of frequencies which provides a unique signature of the data. The
O
0advantage of a frequency domain is that it can include a phase shift to recombine the frequency epoch over a range of frequencies. The advantage of a frequency domain is that it can include a phase shift to recombine the frequency epochs to reform the original time domain.
Therefore, the original data input can be recreated at any time to reproduce the data input for forensic and/ or analyses.
DATA REGISTRATION AND ACCEPTANCE Figure 4 shows the mechanisms for performing information registration and conforming to acceptable information criteria. These are enabled by performing Fourier analyses such as fast Fourier analysis and/or discrete Fourier analysis and trusted data which is then compared to incoming data Fourier transforms. This data can be modulated through feed forward and feedback loops by raising or lowering the data acceptance thresholds.
A Fourier-transform is made from the binary data that is potentially enabled to be executed within a computer. Such data is considered to be acceptable when the Fourier transform lies within a specified range of safe parameters as defined from the Fourier transforms obtained from of known data signatures such as disk images (e.g.
00
O
O 5 ISD images from computer storage devices) and binary data executed in computer
(N
memory where the data image is obtained through use of virtual machines (VMware and like products) to freeze and read the RAM Fourier transform.
00 The Fourier-transform analyses data: 0 O as it enters the computer; and /or
O
O 10 that has entered the computer and is stored in a quarantined region.
OO
0 The data is sampled to generate a Fourier transform of the relative frequency components which are compared with signals representative of incident frequency of trusted data samples. The degree of similarity between the frequency of the image and memory elements based on the input data and the frequency of the same elements based on the trusted data sourced by a data base of known trusted Fourier transforms from known trusted data sources. The comparison of the Fourier transforms is calculated for the extent of the similarity with a threshold value. When the calculation is larger than or equal to the threshold values, the correlation of the input data and the enrolled data have a common origin and is therefore trusted. Conversely, when the calculation is less than the threshold value, the correlation of the Fourier transforms are different to the extent of being of an untrusted nature. Therefore, the data is rejected as determined via the Fourier transform analyses.
The methods of comparison for Fourier transform data include; but are not limited to: Frequency/spectrum pattern matching; Dynamics and or rate of change of the frequency spectrum; and Magnitude of the frequency spectrum limits.
00
O
O 5 Fast Fourier Transform Analysis using a staged interrogation The method of FFT can be used iteratively and repeatedly within the REAPP- 00 enabled OS.
Stage 1: 0 0 The first stage of FFT takes place by interrogation of the input data stream that 0 O 10 flows from the unsecured source.
0 0 The REAPP- enabled operating system, as discussed earlier, either dams the input data stream as cached data set, or performs the analysis "on the wire". This cached data set is effectively creating a "quarantine" area that receives all data prior to transfer of this data into the operating environment of the REAPP- enabled OS. Thus, the "quarantine" area is a non- operational secured holding area within the REAPPenabled computer. This cached data may be secured in 1 second epochs or in other specified epochs of data.
Stage 2: In sequential flow terms, the data enters the REAPP-enabled computer through an open data port, after it has its' data source verified via integration of standards check, compliant with the REAPP-enabled system standards library.
The incoming data stream is then receipted into an isolated area that is to be found within a storage device that will be both electrically and functionally contained and exist in separation (either physically or functionally by, e.g. partitioning segments of the storage device in a different format to that of the original (legacy) format and original pre-existing operating system) from the rest of the REAPP-enabled operating system. Such reformatting can take place using LINUX'S gparted dynamic re-partitioning utilities. Accessing data from the isolated areas can take place by using cross platform 00
O
O 5 tools such as SAMBA with access controlled by user logon scripts or shell scripts that are
(N
conditionally enabled.
00 Stage 3: The REAPP-enabled security software utilizing a FFT, will when appropriate for 0 O example reaching capacity, sensing End of File EOF) where no more data can be read O 10 from a data source such as a file or stream perform the following:
O
O close the input open port;
O
processes the receipted data; perform a FFT on the receipted data; interrogate this FFT file against the REAPP-enabled library of known FFTs of known and trusted data; generate a compliance check against parameters of known, secure and trusted source of the same data sets attributes; and parse the data into the REAPP-enabled OS if the tolerance of the data meets the REAPP-enabled security settings.
Conversely if the wave form or parts thereof are similar to a known malicious code, the REAPP-enabled security software will determine its compliance level. Once the compliance level is determined, the device will either allow further passage of the receipted data, or isolate, process or nullify the code that is suspect.
The volume of data receipted is critical for the integrity of the FFT file. The addition of data adds to the complexity of the resultant waveform. Hence the waveform derived from this data can only enhance the level of security integrity that can be achieved from a REAPP-enable OS.
00
O
O 5 The REAPP-enabled OS is enhanced and not compromised by the addition of
(N
Smore data, which is unique to this invention. Further should potential incoming corrupt data be made minimal due to the corrupted code being broken into specified byte sizes 00 C (for example, K) placed into the data stream, then reconstituted), in order to by-pass this important feature, then this intentional, malicious, minimal data, will still be
O
O 10 arrested by the lower parameter limit of the wave form, set up by FFT analysis.
O
O Conversely, if processing overheads need to be minimized embedded 00 o devices or low risk applications) randomized spectrum "slicing" (slicing reduces the 0 frequencies that need testing) can be used with very high levels security integrity.
An embodiment of the REAPP-enabled OS will have the output of the cache data storage device being directly coupled to a Light Bridge.
Example of REAPP-enabled security software using Fast Fourier analysis The spectral graphs, as shown in figures 5 to 7, demonstrate three examples of the compliance checking method that can be performed in the FFT domain. However, this checking method is not limited to these areas.
In each described interrogation method, the enabled device capable of FFT analysis will be able to close a REAPP-enabled PORT once it has detected an anomaly in the incoming data stream. The detection of the anomaly, by the ongoing FFT analysis process will contribute to de-activation of the Light Bridge, a process which itself, in turn, will instigate isolation of the incoming data, alert the user, then nullify the suspect receipted data.
Examplel The first example of the REAPP-enabled security software using FFT analysis is shown by Figure 5. This graphical representation shows a frequency spectrum (x axis) by the incidence of each frequency (y axis). The resultant representative data trace (a 00
O
O 5 wave form) resides within the parameters (high and low alarm limits) that are established by known data FFT spectral analyses. By observing if the spectrum's magnitude has deviated from set limits at any frequency, the REAPP-enabled security
OO
Cl system can determine whether the data is potentially malicious or safe. This method is suitable where a lower risk application of a REAPP-enabled OS is required. The limit 0 O 10 check method is relevant to detecting data stream aberrations resulting from O intentional, malicious alteration of a data stream. An example is steganography where 0 potentially malicious coded information is hidden in a picture or a video file.
O
O
0Example 2 The second example of the REAPP-enabled security software using FFT analysis also utilizes pattern matching. Specifically, pattern matching is utilized on the "whole of wave form" by range checking values at multiple discrete frequencies. As discussed earlier, the increased volume of incoming data results in enhanced data, set for analysis, using FFT. The more numerous the discrete frequencies become, the higher the integration level that can be achieved using FFT. Reducing the amount of frequencies may result in faster processing times. This is useful in lower risk applications or environments.
Figure 6 shows the two FFT wave forms, one being the reference source that has been previously examined and found to be safe, whilst the other wave form is the receipted data. The incoming data source is presented in the same manner as the reference source, and is compared for similarity. One method of checking for similarity is the sampling of the receipted data at discrete frequencies, subtracting the reference wave form from the receipted data wave form and determining its conformity by the resultant value (or error) within statistical probabilistic functions such that the variants is of an acceptable level. In effect, high and low limit wave forms are created.
00
O
O 5 Figure 6 is a spectrum frequency (x axis) vs. the incidence of occurrence of said
(N
Sfrequency (y axis).
00 This graphical representation shows that the receipted data matches closely the data from a known source within the boundaries of upper and lower limits of O confidence.
0 O 10 Example 3.
O
C Referring to figure 7, a third example of the REAPP-enabled security software is 0 0 shown. This example shows that the FFT analysis involves, but is not limited to analyzing the wave forms rate of change with a range of frequencies. A REAPP-enabled OS with dv/dt capabilities enables the benefit of detecting anomalies earlier in the FFT waveform than that achieved with pattern matching. Anomalies such as small or recurring programs in the receipted data may affect the magnitude of the same frequency.
As can be seen in Figure 7, the FFT analysis in a REAPP-enabled OS will add an increased ability of security control.
REAPP-enabled security software implementation The implementation of REAPP-enabled security software, capable of using FFT analysis is enabled for implementation in any computing device. A computer system equipped with REAPP-enabled software is one, such that each installed device will have a degree of functional redundancy with respect to security. Each device is potentially able to be setup independently to detect anomalies (including but not limited to, data receipted, program anomaly or device malfunction) with regard to the level of risk and actions to initiate, such as control or isolate a device, initiate a user response, etcetera.
00
O
O 5 REAPP-enabled library growth REAPP-enabled security relies on a dynamic confidential library which records 00 responses to interrogation of data, in all its forms. As applications and systems are developed, the REAPP-enabled library must be updated, continually scrutinized and O guarded. The method of updating the REAPP-enabled library will capture the emerging 0 r- 10 technologies using the REAPP-enabled methodology.
0
O
The data that the REAPP-enabled library contains is in at least three forms: 00 0 1. Unsecured or known data which includes OS's, applications, drivers and the like which are stamped for reference; 2. Data, including software and the accompanying updates received from known source, usually from the manufacturer. This data is rated as trusted otherwise it is rejected.
3. Data which is trusted. This is determined by performing analyses on the data.
For example, when the data is in the form of a program, it has run to determine its functionality along with any risks associated with its operation. A record of this functionality is kept for reference. If the risk of the program is higher than an established risk threshold determined by the REAPP-enabled environment, the program or suitable part of the program, such as a subroutine is re-run but with a determined REAPP-enabled modification applied to lower the determined risk threshold. The response to the modified program is also recorded within the REAPP-enabled library.
The combined entity is then analysed through a Fourier transform algorithm, for which the response is recorded.
There are now at least three reference images of an OS, program and/or data.
These are then stored and comprise the REAPP-enabled library. As may be inferred a 00
O
O 5 malicious attack may try to replicate the REAPP-enabled modification applied and hence Suse the "cuckold" methodology of hiding via alteration.
00 The success of a potential attack will depend on the timely alteration of the REAPP-enabled modification applied. The REAPP-enabled security system, in this O embodiment, will have a "random" modification generator within the system so the 0 1- 10 success of a "cuckold" attack is minimized.
0 0 SThe REAPP-enabled security system uses a methodology of capturing an image of 0 O the REAPP-enabled LIBRARY with any REAPP-enabled modifications applied. This REAPP-enabled LIBRARY dynamically captures the REAPP-enabled modifications via the REAPP-enabled bootable drive and/or the full REAPP-enabled operating system.
Updating statistically infers that a dynamic link is not required to the internet, hence security is maximized. The level of REAPP-enabled modifications applied can be varied to suit the risk level and security profile of the application. For example, a "standalone PC" with no internet connection may tolerate no modification but still be subject to a Fourier analysis examination provided by a REAPP-enabled OS. In contrast, a financial or military application may require complex encryption algorithms again with a Fourier analysis.
The REAPP-enabled security software utilizes a FFT, which can be analysed for conformity against the REAPP-enabled library. The library is the main repository where the reference sources, to enable examination of code for conformity, are stored, retrieved and updated. The REAPP-enabled library may be physically dispersed and only apparent when called upon. The reference sources may reside as distributed data in storage, in many devices, amongst other files, be called upon randomly. One example of such distributed data networks is data distributed over many nodes using the bittorent protocol. Updating the library to include new software or current threats will be an essential part of the REAPP-enabled OS.
00 0 O 5 GRADUATED COMPLIANCE CHECK
(N
Such a review of conformity of code is achieved using a graduated compliance 00 check against trusted and known parameter data set(s). The parameters that are checked include, but are not restricted to, waveform pattern matching which monitors O on a statistical basis the acceptable deviation of aberrations of waveform. This includes
O
11 0 waveform derivative functions such as rate of change, where upper and lower limits are
O
O placed upon the waveform, and said rate of change of the waveform.
00
O
O One form of graduated compliance measures include data flows at sequential time epochs such as 1 second intervals, therefore, the data caching does not slow computer performance significantly. Other forms of graduated compliance include tolerance of frequency transform epochs which contain signatures of known malicious code.
LIGHT BRIDGE This LIGHT BRIDGE device consists of a Led Fibre optic Transmitter/ Receiver Array. Figure 8 provides an overview as one arrangement of the interrogation of a LIGHT BRIDGE between devices. It should be noted that the REAPP-enabled LIGHT BRIDGE shown in Figure 8 is in addition to the REAPP-enabled functionality, but a not a mandatory inclusion.
This LIGHT BRIDGE allows for the possibility of disablement of code to be enabled by devices, situated functionally either side of the LIGHT BRIDGE. This provision of code disablement, as a function of a REAPP-enabled OS, enables a corrupt data stream to be isolated. This contributes to the advantage of complete severance of corrupt data flow to take place.
The inventors liken this severance process to that of decapitation or reaping of the Gorgon's head. The Gorgon, represents the creature of ancient Greek mythology 00
O
O 5 that froze everyone in its path by the power of its hypnotic stare. The inventors have (-i equated the power of this mythical creature, to that of an incoming virus which freezes all programs in its path. This severance process is the quintessential empowerment that 00 Cl heightens the ability of a REAPP-enabled OS to isolate and deal with incoming viruses.
O Data transmission to a computer typically takes the form of transmission of 0 1- 10 electrons as data bits sent individually over a single wire in the form of serial or parallel 0 O transmission to the computer BUS. The BUS transfers data between computer 0 o components inside a computer and typically is controlled by device driver software. A 0 device driver provides the means for software to interact with hardware devices, usually using subroutines that communicate by performing calls and return statements in the form of information feed-forward and feed-back routines. For example, a program may invoke a subroutine to communicate with a device driver. This subroutine effectively instructs the device driver to issue one or more commands to the device hardware, which in turn, the hardware device then sends data back to the driver, which invokes one or more subroutines in the program. The interaction between a device driver and the BUS allows the BUS to connect with one or more hardware devices.
The conversion of binary information from electron transmission into photon transmission as it leaves the BUS takes place in one arrangement. This provides the opportunity for information to be prepared or primed as it is passed through parallel gates to enable parallel transmission of the data. As this data is passed through each gate it is verified against the unprimed data to obtain a proof of its authenticity. This comparison of data is compared by the pulsing of light emitting diodes/laser pulses in a sequencing code which enables the comparison of the light transmitted primed data to the electron transmitted pre-BUS unprimed data. The data is then qualified as part of the verification process such that it is confirmed to be reflecting the original data and not contaminated by additional data. This reflection of original data is confirmed through having a response to a request communicated to the data pre data conversion 00 O0 O 5 into photon transmission. This communication does not involve any controller of a Sdevice driver. In the event that the data is not qualified, then a denial of service will take place.
00 Multiple parallel wires are used to transmit data bits simultaneously, which is O much faster than Serial transmission as bytes of information can be sent rather than one 0 10 bit at a time. This method is used internally within the computer, for example the 0 O internal buses, and sometimes externally for such things as printers, however this 00 0 method of transmission is only available over short distances as the signal will 0 degrade and become unreadable, as there is more interference between many wires than between one.
REAPP-enabled operating system protection The incorporation of the embodiment of a REAPP enabled operating system into a computer system as described in the prior art, allows for the utilization of REAPP enabled methodology to enable the host computer system which uses current hardware and software to manifest a higher level of security, through improved data interrogation and verification.
Startup Protection Phase Computer powering up and device bootstrapping Bootstrapping is the process of starting up a computer, for which a mechanism where the internal devices are prepared before engagement with any information. Most commonly, bootstrapping refers to a logical execution process where a simple system activates another more complicated system that serves the same purpose. Typically, bootstrapping is needed to execute hardware devices, which in turn execute operating system kernel software that is responsible for executing other software programs.
00
O
O 5 Figure 9 illustrates in a flow chart of a preferred embodiment in one Sarrangement of the present invention showing the steps involved in REAPP-enabled computer security initial startup process. The REAPP-enabled operating system 00 Cl bootstrapping involves a set of instructions that reside in each device's programmable memory such that each devices boots in a specific order to begin the initialization of the
O
O 10 computer's operating system. This initialization process involves the checking of each O device's readiness, which is undertaken through the following steps as shown in Figure
O
00 00 9:
O
O
0 Power Up Referring to Figure 9, the Startup Phase involves the startup of the REAPPenabled CPU which leads to the following events: 1. Processes for startup, which includes: a) switching on; b) instruction to devices; followed by c) signals completion of start up When the computer power is switched on, electricity passes from the computer's power supply unit to the REAPP-enabled CPU followed by associated computer housed devices. In one arrangement of the invention the REAPP-enabled LAN Driver (LD) is not powered on at this stage and consequently all the ports are closed.
This step differs from the operation of powering on conventional computers, which powers on the REAPP enabled LD simultaneously with powering up the REAPP enabled CPU and the REAPP enabled LD keeps all ports open.
Specifically, when the REAPP-enabled CPU is powered on there is an interrogation of the ports to ensure that they are closed. This Startup Phase involves the 00
O
O 5 sub steps of starting with all ports closed. If the REAPP-enabled Ports Closed request
(N
Sand response is negative that is, the ports are open, then the computer will restart immediately or when instructed otherwise. The Ports Closed request can be positive by 00 Cl having one or more ports open, which will instruct the REAPP-enabled CPU to shut down as this is not within the threshold of a secure startup environment.
0 0 l 10 This threshold startup environment can be altered in specific circumstances to
O
O one or more specified "safe" ports to be open on startup if the security threshold is akin 00 O to a non-secure computer or demilitarized computer.
O
Conversely, if the Ports Closed is positive -that is, the ports are all closed -then the next REAPP-enabled DM Open Port(s) sub-step will proceed.
If the REAPP-enabled DM Open Port(s) response is negative then the REAPPenabled CPU will communicate with the REAPP-enabled LD to have the REAPP-enabled LD Activated. This interrogation involves sending a communication to REAPP-enabled LD (and other devices with later communications) and receiving a response. This is enabled by parsing information from the REAPP-enabled CPU across to the REAPP-enabled LD through, in this arrangement, sockets (and/or program "hooks") on the REAPP-enabled LD software enabled by software or firmware. This initial communication will involve the REAPP-enabled LD parsing a response back to the REAPP-enabled CPU which informs the REAPP-enabled CPU that the REAPP-enabled LD activated.
This, in turn, allows specified DM Open Port(s). Once the REAPP-enabled CPU has specified REAPP-enabled DM Open Port(s) there is a communication sent to specified devices to querying whether the devices are powered on by seeking a response to Devices Switched On. This Devices Switched On sub-step can sequentially, continually and/or simultaneously interrogate each and/or all devices.
Upon receiving a response from a device that the devices switched on is negative then the REAPP-enabled CPU will instruct the device to active via the Activate Device 00
O
O 5 sub-step. Initiation of process via instruction to devices to Activate Devices is enabled to
(N
Stake place individually, sequentially or collectively. Once the Activate Devices status of specified or all devices is positive then the REAPP-enabled CPU can perform Device 00 C Recognition. This enables the REAPP-enabled CPU to interrogate one or more devices as to their standing.
O
O
Ir- 10 If the REAPP-enabled CPU recognition of the device does not match the
O
O recognition status parameters embedded in the REAPP-enabled CPU, then the 00 O Recognise Device will be negative which will inform the REAPP-enabled CPU to Restart.
O
SThis Restart sub-step will perform a power recycled immediately or will shut down the computer, which will not be restarted until another event takes place such as human intervention.
If the REAPP-enabled CPU recognition of the device does match the recognition status parameters embedded in the REAPP-enabled CPU, then the Recognise Device will be positive which will inform the REAPP-enabled CPU to acknowledge whether all specified devices are recognized through the All Devices Recognised sub-step.
If the REAPP-enabled CPU recognition of the All Devices Recognised sub-step does not match the recognition status parameters embedded in the REAPP-enabled CPU, then the All Devices Recognised sub-step will be negative which will inform the REAPP-enabled CPU to Restart. As discussed above, this Restart sub-step will perform a power recycled immediately or will shut down the computer, until human intervention takes place.
Conversely, if the All Devices Recognised sub-step conforms to the recognition status parameters embedded in the REAPP-enabled CPU, then the All Devices Recognised sub-step will be positive which will enable the one or more devices to be acknowledged via the Acknowledge Devices sub-step. This enables the REAPP-enabled CPU to be receptive to the function and status of each and all devices. The REAPP- 00 0 O 5 enabled CPU instructs devices to be switched on such that there is an ordered
(N
Sprogression of device recognition and acknowledgement. If the device is powered on and recognised then the device will remain on so long as the device remains recognised.
00 C This device recognition can be an ongoing polling of devices by the REAPP-enabled CPU.
Conversely, if the device is powered on but not recognised by the REAPP-enabled CPU, 0 O 10 then the device will be powered down. This ensures that the powered device is a O recognised device.
0 O0 0 0 Recognition Phase Recognition Phase Recheck: 1. The sequence starts with Ports Closed to ensure that the proper port closure has been initiated; 2. Each device via the Device Recognition sends a feedback response to the REAPP-enabled CPU on each device's functional status individually, sequentially and in serial commutation or collectively in parallel communication; and 3. The REAPP-enabled LD recognition recheck is next in sequence via the Recognise Device sub-step, which is initiated by the REAPP-enabled DM which checks the ports closure status by the REAPP-enabled LD sending an information request and receiving a response in a Local Host loop (commonly using port 80 on 127. 0. 0. 1) to test a host or other device is reachable across the IP network. An information request works by sending a "request" and listening for "response" reply using interval timing and response rate. Note that no information leaves the computer or enters the computer at this stage.
On confirmation of the device recognition and acknowledgement, the device is enabled to run through the Endorsement Phase.
00
O
O 5 Endorsement Phase Referring to Figure 10 the Endorsement Phase is performed by incorporating the 00 following component with the accompanying functions: Function of REAPP-enabled Device Manager 0 0 1. Takes instruction from the REAPP-enabled CPU; 0 0 2. Checks integrity of REAPP-enabled Dongle and its firmware status; 00 O 0 O 3. Is receptive to function of the status of all devices; and 4. Instructs the REAPP-enabled LAN driver by initiating a halter restart sequence.
Halter is used to mean guide and/or instruct and train.
Function of REAPP-enabled Virus Detector 1. Check status of all devices prior to shut down 2. Assists the REAPP-enabled CPU in: a) Start up; and b) Running with data in a virus and malware free environment.
The REAPP-enabled CPU runs an Endorsement Process and performs acknowledgement of the component devices through performing the steps below: 1. A Directive Function to activate the REAPP-enabled Virus Detector (VD) and REAPP-enabled Device Manager This Directive Function is enabled by interrogating the REAPP-enabled VD software and/or hardware and the REAPP-enabled DM as to their status. Specifically a request and response sequence to these devices is performed. This sequence is a gate where the REAPP-enabled VD REAPP-enabled DM signal the REAPP-enabled CPU Ready Status is either positive or negative.
00
O
O 5 If the response is not received (a negative response) then the REAPP-enabled CPU Initiates a Check of REAPP-enabled VD and REAPP-enabled DM. Conversely, if the response is positive, then the REAPP-enabled CPU interrogates the port status of each 00 NC device via the REAPP-enabled CPU Verification of Device Port Status sub-step; O 2. A Receptive function, which acknowledges the start up completion of the 0 10 REAPP-enabled VD and REAPP-enabled DM. This Receptive function is enabled by the
O
O REAPP-enabled VD and REAPP-enabled DM signal passed back the REAPP-enabled CPU 00 O informing of the positive activation of these devices.
O
If there is no signal received, there is no acknowledgement of the device and the REAPP-enabled CPU check returns to the previous Endorsement Phase; followed by 3. The REAPP-enabled CPU Verification of Devices Port Status sub-step takes place through the REAPP-enabled LAN Driver Check Port Status as to the status of the ports communicating with the external environment presence or absence of a REAPPenabled Dongle which is connected via an external port. If the REAPP-enabled LAN Driver Check Port Status request and response is negative then the REAPP-enabled DM Initiates REAPP-enabled LAN Driver Port Check.
If the recheck does not confirm a positive response then the request will return to a previous sub-step of whether the REAPP-enabled VD REAPP-enabled DM Signal the REAPP-enabled CPU Ready Status is either positive or negative.
If the REAPP-enabled LAN Driver Check Port Status request and response is positive then the following sub-step is enabled: REAPP-enabled LD Port Status Enabled to Communicate to REAPP-enabled Dongle. The REAPP-enabled Dongle performs the task of authenticating that the computer may operate because a mandatory step in the endorsement and acknowledgement sequence is present; 00 0 O 5 4. Dongle Confirms Port Status to LD as a verification of port status. If there is no response then the previous sub-step of REAPP-enabled DM Initiates REAPP-enabled LAN Driver Port Check will be performed. If the response is positive, then the REAPP-enabled 00 NC LD shuts the REAPP-enabled Dongle's Port and communicates status to REAPP-enabled Device Manager.
0 0 S 10 Endorsement Phase Recheck: 0 0 0 5. REAPP-enabled Dongle confirms safety of the port closure by confirming that 0 O there is no "echo response" across the network from the REAPP-enabled LD "request" via the REAPP-enabled LD Shuts REAPP-enabled Dongle's Port and Communicates Status to REAPP-enabled Device Manager.
Recognition Phase additional recheck: 1. Despite the positive response from REAPP-enabled Dongle, the REAPPenabled LD performs an additional partial check on REAPP-enabled Dongle's status via the Reiteration Step. This reiteration loop can take place via a polling mechanism or via period (time) or frequency (specified number of times) parameters. Therefore the Receptive function is re-run followed by the Directive function which shuts down all the ports again and signals the REAPP-enabled DM which via the sub-step of REAPP-enabled Device Manager Acknowledgement of Port Closure. This step can also be performed as an intervening step at any stage as an Acknowledgement Phase recheck where REAPPenabled DM acknowledges Port closure after allowing port opening to let data transmit or if an unauthorized event has taken place.
Recognition Phase further recheck: 2. The REAPP-enabled CPU begins a check on REAPP-enabled VD such that there is knowledge of function sequence. This takes place via a REAPP-enabled CPU Recognition Virus Device sub-step. Knowledge of function can consist of a substitution 00
O
O 5 of a sequence of automatically-generated instructions for the original function call, such
(N
Sthat the REAPP-enabled CPU has an intimate knowledge of the function of the REAPPenabled VD and can integrate it appropriately for functional optimization. In computing 00 (N this is often called "intrinsics" or "intrinsic function".
O REAPP-enabled VD Endorsement Phase:
O
O 10 3. The REAPP-enabled VD is endorsed if the CPU Recognition Virus Device sub-
O
step is successful.
O O 0 REAPP-enabled VD Acknowledgement Phase: 4. All devices must acknowledge same signal from the REAPP-enabled VD as shown in the Nominated Device Recognition VD sub-step.
REAPP-enabled VD Permission Phase: 1. Permission is granted once all devices have acknowledged the same signal from the REAPP-enabled VD as verified via a positive response from the Nominated Device Recognition VD sub-step.
REAPP-enabled DM Endorsement Phase: 1. REAPP-enabled CPU Performs a REAPP-enabled Device Manager Check Device(s) Status on each device individually and collectively.
a. The REAPP-enabled DM is endorsed if the REAPP-enabled DM recognition is successful via sub-step REAPP-enabled DM's Response Equivalent to REAPP-enabled CPU Information responding with a positive response.
Conversely, if the response is negative, there will be a Re-run of the Endorsement Sequence.
00
O
O 5 b. This REAPP-enabled CPU Performs a REAPP-enabled Device Manager
(N
SCheck Device(s) Status on each device individually, sequentially or collectively for all devices as shown in sub-steps.
00
(N"
One arrangement of this particular embodiment includes the REAPP-enabled O CPU checks Device Port Status in the following order:
O
O 10 2. The REAPP-enabled CPU continually polls the REAPP-enabled DM via sub-step
O
REAPP-enabled CPU Performs a REAPP-enabled Device Manager Check Device(s) Status
O
O to ensure that that each devices' status is up to date. This is a check which is on ongoing to ensure that the integrity of the system: a. The REAPP-enabled CPU checks on the REAPP-enabled DM's knowledge of REAPP-enabled Dongle and its firmware status and function (substep not shown); b. The REAPP-enabled CPU checks if the REAPP-enabled DM's response same as REAPP-enabled CPU knowledge of REAPP-enabled DM and its firmware status and function via sub-step REAPP-enabled DM's Response Equivalent to REAPP-enabled CPU Information and c. The REAPP-enabled CPU checks if the REAPP-enabled LD understanding of proper location and registration of data from its own source via REAPPenabled LD's Response Equivalent to REAPP-enabled CPU Information including: i. The REAPP-enabled CPU checks if the REAPP-enabled LD has proper knowledge of its own function, for example if the REAPP-enabled LD can recognise: 1. registered data from known source; 2. properly presented data from unknown source; and 3. retain a connection with the REAPP-enabled DM.
00
O
O 5 3. The REAPP-enabled CPU checks if the REAPP-enabled BUS has proper Sknowledge of its own position in the sequence of events via REAPP-enabled BUS's Response Equivalent to REAPP-enabled CPU Information sub-step. For example the 00
C
N REAPP-enabled CPU checks the REAPP-enabled BUS function to confirm if the REAPPenabled BUS can:
O
O
1- 10 a. act as a conduit of instruction from the REAPP-enabled CPU to the
O
O REAPP-enabled VD and in turn to the REAPP-enabled DM; and 00
O
0 O b. confirms completion of such an instruction.
4. The REAPP-enabled CPU checks if the memory has proper knowledge of its own position in the sequence of events via the sub-step of REAPP-enabled Memory's Response Equivalent To REAPP-enabled CPU Information, such that the function of memory includes: a. conduit of REAPP-enabled CPU instruction to a REAPP-enabled virus detector; and b. rests while REAPP-enabled BUS completes the circuit 5. The REAPP-enabled CPU checks if any [nominated device] has proper knowledge of its own position in the sequence of events via the sub-step of [nominated device]'s response equivalent to REAPP-enabled CPU information. This can be reiterated indefinitely.
6. The REAPP-enabled CPU checks if the REAPP-enabled DM has: a. proper knowledge of its position the sequence of events; and b. the status of the REAPP-enabled DM's function, which includes the REAPP-enabled DM performing the following tasks: 00
O
O 5 i. the REAPP-enabled DM is present at all computer functions; and ii. will initiate and halter (guide and/or instruct and train) the 00 restart of computer 7. The REAPP-enabled CPU checks if the REAPP-enabled VD has:
O
O
a. proper knowledge of its position the sequence of events; and
O
O
b. the status of the REAPP-enabled DM's function, which includes the 00 O REAPP-enabled VD performing the following tasks: i. check status of all devices prior to closing down of computer ii. assist the REAPP-enabled CPU in: a) start; b) running; and c) closing computer.
Once the REAPP-enabled CPU has checked all devices and with regard to their status and function and confirmed that the devices are performing as instructed, and then the external device will confirm the performance of the REAPP-enabled CPU.
Engagement of incoming information The inventive system involves the means for an improved method and system for computer security, protecting information that is passed to a REAPP-enabled adapted system. This information must be presented in a manner that conforms to REAPP-enabled standards according to the following steps: 1. Data must have conformity that includes the following: 00
O
O 5 a) Information and/or its recognizable identifier should be registered; and/or b) Conforming to a mode that is acceptable to a computer of a REAPP-enabled 00 standard.
2. Information should be stopped at the ports while the REAPP-enabled Dongle 0 O and associated firmware perform a check on the credentials of the presenting 0 10 information.
0 3. Upon confirmation of the presenting information by the REAPP-enabled 0 Dongle and associated firmware, the REAPP-enabled Dongle subsequently sends an information request and receives a response from devices that the response can be generated from, subsequently the REAPP-enabled LD (and other devices which can generate responses), which in turn sends an information request and receives a response from the REAPP-enabled DM, then the REAPP-enabled CPU which switches on with confirmation of the acceptable data. This constitutes feed-forward regulation.
The REAPP-enabled CPU instructs the REAPP-enabled DM which in turn instructs the REAPP-enabled LD to proceed with the opening of ports and permission granting for incoming information to be allowed into the computer, passed the ports.
Referring to Figure 11, the present invention involves the engagement of incoming information by performing the following steps: 1. The REAPP-enabled LD initially: a) opens ports to interrogate the information, but does not pass the information packets across to program sockets. Therefore, the ports are effectively only partially open; and b) checks the incoming packets; 00
O
O 5 2. The REAPP-enabled Dongle and associated firmware endorses and Sacknowledges the verification of incoming information; 00 3. The REAPP-enabled LD subsequently performs further verification possibly of the following data: 0 O a) password verification 0 O 10 b) data registration; and then performs the following events: 00 0 i. Shuts port; and ii. Relays the results back to the REAPP-enabled CPU.
4. The REAPP-enabled CPU subsequently checks the REAPP-enabled LD's knowledge of password; 5. The REAPP-enabled LD must then respond whether incoming information is qualified (Recognition phase); 6. For which the REAPP-enabled CPU performs a further check of REAPP-enabled LD's knowledge of incoming information (Endorsement phase); and then 7. The REAPP-enabled CPU authorises entry of properly qualified information (Authorization phase).
8. The REAPP-enabled LD does not permit entry of the data until: a) the REAPP-enabled memory and the REAPP-enabled BUS are activated; b) the incoming data is encapsulated and masked; and c) the REAPP-enabled memory and REAPP-enabled BUS are in place; then d) the REAPP-enabled LD opens the ports 00
O
O 5 The incoming information only gets inside the ports and then is contained Sbetween the REAPP-enabled BUS and REAPP-enabled memory in the form of photon pulsed binary information. This is a phase of light masking which provides masked 00 NC information to be passed to the REAPP-enabled CPU.
O 1. The REAPP-enabled LD then checks for authorization of incoming qualified 0 1- 10 information 0 0 S2. The REAPP-enabled LD then "primes" or "tags" the incoming information, 0 O should it turn out to be aberrant in the future; 3. The REAPP-enabled LD informs the REAPP-enabled CPU directly of the means used to tag the information. This means could be variable depending on which piece of information is coming in.
4. Once the REAPP-enabled LD informs the REAPP-enabled CPU of the incoming information clearance, the REAPP-enabled CPU directs the REAPP-enabled memory and REAPP-enabled BUS to accompany the information to a position of advantage for the computer; 5. The REAPP-enabled LD then tests the tagged, qualified and disarmed incoming information and then 6. Informs the REAPP-enabled CPU of the means used to tag the qualified information. This means in one embodiment is variable depending on which piece of information is coming in.
7. The REAPP-enabled CPU then performs the following: a) check on recognition on immobilised information; and b) signals to all devices that the information is immobilised; and 00
O
O 5 8. The REAPP-enabled VD and REAPP-enabled DM acknowledge the signal
(N
-confirmation of the immobilised information.
00 Engaging the disarmed information This immobilisation method may have to be universally recognizable and 0 O interchangeable. From the moment the Incoming Qualified Tagged (immobilized) O 10 Information (IQTI) is passed to the REAP-ENABLED CPU it remains immobilized, until it
O
has passed inspection at other levels.
O O S9. The REAPP-enabled MEM and the REAPP-enabled BUS can also provide a further means of control which is imposed on the IQTI; The REAPP-enabled CPU sends a signal to user and requests approval to transmit the IQTI; 11. All devices signal approval; 12. The REAPP-enabled MEM and REAPP-enabled BUS drop constraints; 13. The REAPP-enabled CPU tests that IQTI understands that the user is in control; 14. The REAPP-enabled CPU instructs devices to be at rest and alerts higher devices that individual scrutiny of IQTI will take place; The REAPP-enabled BUS a. attaches to IQTI; b. takes IQTI past the REAPP-enabled CPU and then past the REAPPenabled DM; and c. alerts the REAPP-enabled DM three times regarding the IQTI status; 00
O
O 5 16. The REAPP-enabled DM checks the REAPP-enabled BUS' knowledge of the I 1QTI; 00 17. The REAPP-enabled BUS then: a. describes the IQTI; and 0 0 b. requests user input;
O
O
18. The REAPP-enabled DM approves entry of IQTI; 00
O
O 19. The REAPP-enabled VD tests the REAPP-enabled BUS' knowledge on IQTI; The REAPP-enabled BUS then: a. describes the IQTI; and b. requests user input; 21. The REAPP-enabled DM checks the REAPP-enabled BUS' knowledge of the IQTI being subject to user demand; 22. The REAPP-enabled DM then: a. checks that IQTI is unarmed; and b. permits further processing 23. The REAPP-enabled BUS guards the IQTI; 24. The REAPP-enabled DM signals that the masking, tagging etcetera is complete; The REAPP-enabled CPU reads the impressions; 26. The REAPP-enabled BUS transfers the IQTI when the REAPP-enabled Dongle is present; 00
O
O 5 27. The REAPP-enabled BUS continues guarding the IQTI and the REAPP-enabled
(N
SBUS only needs reconstituted copy of the IQTI; 00 28. The REAPP-enabled VD signals completion of checking the IQTI; and 29. The REAPP-enabled CPU signals back,
O
O
Shutdown External Device 0 0 An external device in this embodiment is a parallel device whose sole function is 00 O to check function and status of REAPP-enabled CPU. Consequently, the REAPP-enabled CPU is enabled to check on itself, through input of the external device.
8. The REAPP-enabled CPU checks if the external device has: a. proper knowledge of the REAPP-enabled CPU; and b. the status of the REAPP-enabled CPUs function, which includes the REAPP-enabled CPU performing the following tasks: i. to switch on with switch on of computer and, after start up of computer, to a) initiate device sequence; and b) request passwords from user 9. The user checks if the all devices concur with password entered.
On authentication of the password by each and all devices, the REAPPenabled CPU opens computer and opening signals the completion of Start Up with a communication Information request and response; 00
O
O 5 11. The following principal devices: REAPP-enabled VD, REAPP-enabled DM,
(N
SREAPP-enabled LD, and REAPP-enabled Dongle provide a "ready" signal as the REAPPenabled
CPU:
00 a. Switches on respectively the REAPP-enabled VD and REAPP-enabled DM's O "Ready status" flag of:
O
O 10 i. State, and
O
ii. Function 0 O 12. The External Device (REAPP-enabled DONGLE) opens the network at a specific place within the network common to all 13. The REAPP-enabled CPU performs the following tasks: a. focuses attention onto specific part of network b. instructs all devices to rest; and 14. The REAPP-enabled CPU opens access to the hard disk and computer memory.
Role of the REAPP-enabled CPU The REAPP-enabled CPU instructs all devices to be switched off by the following steps: 1. sending a signal to commence closure of all devices; and 2. checks the REAPP-enabled DMs knowledge of all devices' function in the proper sequence of closure.
This ordered progression of device disablement is achieved by the following steps: 00
O
O 5 a. The REAPP-enabled CPU has instructed the REAPP-enabled DM to initiate the Sclosure process; 00 b. The REAPP-enabled DM instructs the REAPP-enabled LD to check that the ports are shutdown;
O
O c. The REAPP-enabled LD signals the REAPP-enabled Dongle and awaits reply;
O
O 10 d. The REAPP-enabled Dongle signals the REAPP-enabled LAN driver confirming 00 closure of ports;
O
e. The REAPP-enabled DM signals closure/shut down completion to the REAPPenabled CPU; f. The REAPP-enabled CPU checks REAPP-enabled VD competency confirming that the REAPP-enabled VD status is reflected by the previous REAPP-enabled VD status contained in the REAPP-enabled CPU; g. The REAPP-enabled VD confirms the status of competency in all devices as free of corruption; h. REAPP-enabled CPU checks all devices that they are free of all corruption; and i. All devices must demonstrate they are free of corruption; j. The REAPP-enabled CPU checks that the following: i. REAPP-enabled VD is still functioning properly ii. REAPP-enabled V. D knowledge of shut down sequence is similar to its own.
k. The REAPP-enabled CPU instructs user to generate password for next computer usage; 00
O
O 5 I. All devices synchronize to that password and sound/signal Sacknowledgement of completion of that process; 00 m. Commands closure pings/tones; n. REAPP-enabled VD checks that the password:
O
O
7 i. has been stored by all devices pings/tones shutdown 0
O
ii. declares shutdown completion with information request and response to the 00 O REAPP-enabled CPU
O
o. All devices signal closure; p. The REAPP-enabled DM Information request and responses closure tone; q. The REAPP-enabled VD resets its status to start; r. The REAPP-enabled LD Gives same closure signal as REAPP-enabled CPU s. The REAPP-enabled Dongle Gives same closure signal as REAPP-enabled CPU t. The memory Shuts down hard disk; and u. The computer function stops.
The External Device resets the flags and locks up memory and checks the availability of the hard disk on memory by trying to access it 3 times while it is locked.
The system is a smart (artificial intelligence oriented) in that all devices check each other throughout start up running and closure. Ports are always shut as opposed to open as in conventional computers.
These arrangements provide the possibility for an improved computer security system.
00
O
O 5 As will be further appreciated by those persons skilled in the art, the present
(N
Sinventive method and system affords distinct business advantages not previously available to vendors relating to the delivery of premium commercial services to 00 Cl subscribers. In this aspect, the present invention provides novel methods of conducting an array of business functions for the purpose of exploiting the business of the inventive
O
O 10 subject matter.
O
O Although the invention has been described with reference to the exemplary and 00 O specific embodiments thereof, it will be appreciated by those skilled in the art that the
O
invention will be may be embodied in many other forms without departing from the scope of the invention.
Furthermore, to the extent that the term "includes" is used herein the detailed description or the claims, as such term is intended to be inclusive in a manner similar to the term "comprising", "having", and its grammatical variations, in the inclusive sense and not as "consisting only of" when employed as a transitional word in a claim.
Dated this 28 July 2008 Inventor's Names: Dr Michael Kefaloukos and John Piperides By: 1 Place Patent Attorneys Solicitors Patent Attorneys for the Applicant
Claims (4)
1. A computer-implemented security method including the steps of: 00 REAPP software is executed on a target computer, wherein said target computer includes any programmable device that has pre-existing software installed, including a pre-existing OS; 00 a device connected to said target computer, such as an associated drive, a disk, a storage device, a network device or the like; said REAPP software selects an OS to function as said REAPP OS wherein said REAPP OS is different to said pre-existing OS; the boot sequence of said target computer is modified such that said REAPP OS boots in preference to said pre-existing OS; said REAPP OS is executed as a host OS on said target computer; and said REAPP software enables one or more of the following to operate as a virtual client within a virtual machine: i. said pre-existing OS; ii. said pre-existing software.
2. A computer implemented security system, including: a. REAPP software, wherein said REAPP software includes a REAPP operating system (OS); 00 b. a target computer for executing said REAPP software, wherein said target C computer includes any programmable device; and 00 c. a means for hosting a virtual machine on said target computer wherein: i. said target computer has pre-existing software installed, including a pre- 00 existing OS; ii. said REAPP OS is: A. different to said pre-existing OS; and B. configured to boot in preference to said pre-existing OS; C. executed as a host OS on said target computer; and iii. said REAPP software enables one or more of the following to operate as a virtual client within a virtual machine: A. said pre-existing OS; B. said pre-existing software.
3. A computer-implemented security system according to claim 2, wherein said REAPP software is enabled to take Control of execution of one or more of the following: said pre-existing OS; said pre-existing software.
4. A computer-implemented security system according to either claim 2 or 3 wherein said REAPP software is enabled to take Control of one or more of the following: data, wherein said data includes one or more communications: i. within said virtual client; ii. to and from said virtual client; iii. any combination of and (ii) above; one or more operations of said virtual client within said virtual machine, wherein said operations include: i. computations; ii. processes; iii. any combination of and (ii) above. A computer-implemented security system according to any one of claims 2 to 4, wherein said REAPP software selects an OS to function as said REAPP OS: 00 said pre-existing OS is examined against one or more operating systems 0 C- within said REAPP software; 00 an OS that is different to said pre-existing OS is selected to function as said REAPP OS such that said pre-existing software is prevented from being executed directly by said REAPP OS. 00
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| AU2008100700A AU2008100700B4 (en) | 2007-07-30 | 2008-07-28 | REAPP computer security system and methodology |
Applications Claiming Priority (5)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| AU2007904054 | 2007-07-30 | ||
| AU2007904054A AU2007904054A0 (en) | 2007-07-30 | REAPP1 Security device, system and Method | |
| AU2007904713A AU2007904713A0 (en) | 2007-08-31 | REAPP computer security | |
| AU2007904713 | 2007-08-31 | ||
| AU2008100700A AU2008100700B4 (en) | 2007-07-30 | 2008-07-28 | REAPP computer security system and methodology |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| AU2008100700A4 AU2008100700A4 (en) | 2008-09-11 |
| AU2008100700B4 true AU2008100700B4 (en) | 2008-11-13 |
Family
ID=39748571
Family Applications (4)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| AU2008100700A Expired AU2008100700B4 (en) | 2007-07-30 | 2008-07-28 | REAPP computer security system and methodology |
| AU2008100698A Expired AU2008100698B4 (en) | 2007-07-30 | 2008-07-28 | REAPP fourier transform computer security methodology |
| AU2008281314A Abandoned AU2008281314A1 (en) | 2007-07-30 | 2008-07-28 | A computer-implemented security method and system |
| AU2009100024A Ceased AU2009100024A4 (en) | 2007-07-30 | 2009-01-16 | Computer security system, method and apparatus |
Family Applications After (3)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| AU2008100698A Expired AU2008100698B4 (en) | 2007-07-30 | 2008-07-28 | REAPP fourier transform computer security methodology |
| AU2008281314A Abandoned AU2008281314A1 (en) | 2007-07-30 | 2008-07-28 | A computer-implemented security method and system |
| AU2009100024A Ceased AU2009100024A4 (en) | 2007-07-30 | 2009-01-16 | Computer security system, method and apparatus |
Country Status (2)
| Country | Link |
|---|---|
| AU (4) | AU2008100700B4 (en) |
| WO (1) | WO2009015422A1 (en) |
Families Citing this family (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3111613B1 (en) | 2014-02-28 | 2018-04-11 | British Telecommunications public limited company | Malicious encrypted traffic inhibitor |
| US10673869B2 (en) | 2014-02-28 | 2020-06-02 | British Telecommunications Public Limited Company | Profiling for malicious encrypted network traffic identification |
| US10469507B2 (en) | 2014-02-28 | 2019-11-05 | British Telecommunications Public Limited Company | Malicious encrypted network traffic identification |
| EP3272096B1 (en) | 2015-03-17 | 2020-09-30 | British Telecommunications public limited company | Learned profiles for malicious encrypted network traffic identification |
| WO2016146610A1 (en) * | 2015-03-17 | 2016-09-22 | British Telecommunications Public Limited Company | Malicious encrypted network traffic identification using fourier transform |
| US10931689B2 (en) | 2015-12-24 | 2021-02-23 | British Telecommunications Public Limited Company | Malicious network traffic identification |
| US10891377B2 (en) | 2015-12-24 | 2021-01-12 | British Telecommunications Public Limited Company | Malicious software identification |
| US11201876B2 (en) | 2015-12-24 | 2021-12-14 | British Telecommunications Public Limited Company | Malicious software identification |
| EP3602999B1 (en) | 2017-03-28 | 2021-05-19 | British Telecommunications Public Limited Company | Initialisation vector identification for encrypted malware traffic detection |
| EP3623982B1 (en) | 2018-09-12 | 2021-05-19 | British Telecommunications public limited company | Ransomware remediation |
| EP3623980B1 (en) | 2018-09-12 | 2021-04-28 | British Telecommunications public limited company | Ransomware encryption algorithm determination |
| CN113111200A (en) * | 2021-04-09 | 2021-07-13 | 百度在线网络技术(北京)有限公司 | Method and device for auditing picture file, electronic equipment and storage medium |
| CN114006761A (en) * | 2021-11-01 | 2022-02-01 | 北京顶象技术有限公司 | Vulnerability detection communication method and device and electronic equipment |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050091365A1 (en) * | 2003-10-01 | 2005-04-28 | Lowell David E. | Interposing a virtual machine monitor and devirtualizing computer hardware |
| US20070106993A1 (en) * | 2005-10-21 | 2007-05-10 | Kenneth Largman | Computer security method having operating system virtualization allowing multiple operating system instances to securely share single machine resources |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7103529B2 (en) * | 2001-09-27 | 2006-09-05 | Intel Corporation | Method for providing system integrity and legacy environment emulation |
| US8156558B2 (en) * | 2003-05-17 | 2012-04-10 | Microsoft Corporation | Mechanism for evaluating security risks |
| US7461036B2 (en) * | 2006-01-18 | 2008-12-02 | International Business Machines Corporation | Method for controlling risk in a computer security artificial neural network expert system |
-
2008
- 2008-07-28 WO PCT/AU2008/001088 patent/WO2009015422A1/en active Application Filing
- 2008-07-28 AU AU2008100700A patent/AU2008100700B4/en not_active Expired
- 2008-07-28 AU AU2008100698A patent/AU2008100698B4/en not_active Expired
- 2008-07-28 AU AU2008281314A patent/AU2008281314A1/en not_active Abandoned
-
2009
- 2009-01-16 AU AU2009100024A patent/AU2009100024A4/en not_active Ceased
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050091365A1 (en) * | 2003-10-01 | 2005-04-28 | Lowell David E. | Interposing a virtual machine monitor and devirtualizing computer hardware |
| US20070106993A1 (en) * | 2005-10-21 | 2007-05-10 | Kenneth Largman | Computer security method having operating system virtualization allowing multiple operating system instances to securely share single machine resources |
Also Published As
| Publication number | Publication date |
|---|---|
| AU2008100698A4 (en) | 2008-09-11 |
| WO2009015422A1 (en) | 2009-02-05 |
| AU2009100024A4 (en) | 2009-02-19 |
| AU2008100700A4 (en) | 2008-09-11 |
| AU2008100698B4 (en) | 2009-04-02 |
| AU2008281314A1 (en) | 2009-02-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| AU2008100700A4 (en) | REAPP computer security system and methodology | |
| US11947688B2 (en) | Secure computing system | |
| US10361998B2 (en) | Secure gateway communication systems and methods | |
| EP3284003B1 (en) | Paravirtualized security threat protection of a computer-driven system with networked devices | |
| US8474032B2 (en) | Firewall+ storage apparatus, method and system | |
| US10162975B2 (en) | Secure computing system | |
| US7743260B2 (en) | Firewall+storage apparatus, method and system | |
| US7437766B2 (en) | Method and apparatus providing deception and/or altered operation in an information system operating system | |
| JP2009521020A (en) | A practical platform for high-risk applications | |
| Angel et al. | Defending against malicious peripherals with Cinch | |
| Yasrab | Mitigating docker security issues | |
| US8713640B2 (en) | System and method for logical separation of a server by using client virtualization | |
| KR20100054940A (en) | Apparatus and method for preventing malware using signature verification for embedded linux | |
| Kuzminykh et al. | Analysis of security of rootkit detection methods | |
| AU2016101012A4 (en) | Secured analysis system and methodology using the Augmented REAPP computer analysis system and methodology | |
| KR20100067383A (en) | Server security system and server security method | |
| CN113259939B (en) | Terminal credibility authentication method and system based on electronic signature | |
| US11711396B1 (en) | Extended enterprise browser blocking spread of ransomware from alternate browsers in a system providing agentless lateral movement protection from ransomware for endpoints deployed under a default gateway with point to point links | |
| Tsantekidis et al. | Security for Heterogeneous Systems | |
| Shen et al. | The Impact of Attacking Windows Using a Backdoor Trojan | |
| Krishnan | Android hypovisors: Securing mobile devices through high-performance, light-weight, subsystem isolation with integrity checking and auditing capabilities | |
| Shin et al. | Revelation of System and Human Vulnerabilities Across MITRE ATT&CK Techniques with Insights from ChatGPT | |
| Revazova et al. | RASP for LSASS: Preventing Mimikatz-Related Attacks | |
| OGINGA | A Model for Detecting Information Technology Infrastructure Policy Violations in a Cloud Environment | |
| Kamlyuk et al. | Absolute Backdoor Revisited |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| FGI | Letters patent sealed or granted (innovation patent) | ||
| FF | Certified innovation patent | ||
| MK22 | Patent ceased section 143a(d), or expired - non payment of renewal fee or expiry |