EP1305688A2 - System und verfahren für den umfassenden allgemeinen generischen schutz für computer vor bösartigen programmen, die informationen stehlen und/oder schäden verursachen können - Google Patents

System und verfahren für den umfassenden allgemeinen generischen schutz für computer vor bösartigen programmen, die informationen stehlen und/oder schäden verursachen können

Info

Publication number
EP1305688A2
EP1305688A2 EP01936773A EP01936773A EP1305688A2 EP 1305688 A2 EP1305688 A2 EP 1305688A2 EP 01936773 A EP01936773 A EP 01936773A EP 01936773 A EP01936773 A EP 01936773A EP 1305688 A2 EP1305688 A2 EP 1305688A2
Authority
EP
European Patent Office
Prior art keywords
user
security
computer
communication
rules
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP01936773A
Other languages
English (en)
French (fr)
Inventor
Yaron Mayer
Zak Dechovich
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SECUREOL (ISRAEL) Ltd
Original Assignee
Mayer Yaron
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mayer Yaron filed Critical Mayer Yaron
Publication of EP1305688A2 publication Critical patent/EP1305688A2/de
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action

Definitions

  • the present invention relates to security in computers (including personal computers, servers, or other computerized gadgets, as explained in the definitions] and more specifically to a powerful comprehensive generic Security System and method for computers, based on automatic segregation between programs.
  • filtering for allowed types of protocols such as for example FTP versus SMTP and so on can be rendered useless by programs that encrypt or disguise a given protocol type to appear as another.
  • Another major limitation of packet filtering is that it can't be relied upon to scan for stolen data in packets, since malicious applications can encrypt the data and/or disguise it to look like something else, so as to appear for example as a gif image.
  • Antiviruses and firewalls are also not effective against security holes for example in browsers or e-mail programs or in the operating system itself. According to an article in ZDnet from Jan 24, 2001, security holes in critical applications are discovered so often that just keeping up with all the patches is impractical. Also, without proper generic protection for example against Trojan horses, which can identify any malicious program without prior knowledge about it, even VPNs (Virtual Private Networks) and other form of data encryption, including digital signatures, are not really safe because the info can be stolen before or below the encryption.
  • the present invention is a novel concept which tries to go deeply into the roots of the causes of above described problems and thus to eliminate completely the above- described problems by creating what is to the best of our knowledge a most powerful, comprehensive, general and generic Security System for computers.
  • This System and method protects computers (which may include personal computers, servers, and other devices or gadgets with one or more processor that can run programs, as explained below in the definitions) against all kinds of malicious programs that may steal information and/or cause damages including changes of data, deletion of data, interfering with function and so on (such as Viruses, Vandals, Trojan horses, Worms, Macro viruses and Malicious e-mails).
  • the system and method can be used in many operating systems, such as various platforms of Microsoft Windows, Linux, Macintosh, or other operating systems, eventhough the preferred embodiments use mainly the terminology of Windows, which is the most common and familiar operating system.
  • the most important principles and objects of this protection system preferably include:
  • the above protection system is preferably comprised of the following main elements:
  • a monitoring and capturing system which constantly monitors the security-sensitive elements of the computer system, and most importantly all the relevant peripheral device activities, and especially those related to storage devices (and especially the Hard disk or hard disks) and communication devices (network cards, modem, etc.) and can detect and intercept immediately any suspicious or dangerous behavior.
  • the security rules and a database for storing the default rules, a set of pre-distribution acquired rules that are good for most users of the selected operating system, the acquired additional user-defined rules, and the statistics of normal or reasonable behavior of programs, which is continuously learned during the operation of the system.
  • This database area which contains also all the authorizations and optionally (preferably) a log of all the questions that the Security System asked the user and his replies (kept at least for a certain period), and when needed, also a log of suspicious activities detected (kept at least for a certain period) and may contain also definable additional logs.
  • the database is preferably encrypted and is considered a constantly monitored high- security protected and preferably backed-up area as defined below in the detailed description
  • a user interface which interacts with the user in order to learn acceptable behavior patterns, warn the user of perceived dangers when needed, and ask for the user's authorization when needed.
  • it also allows the user to view statistics of behavior of important programs or groups of programs and especially programs that are allowed to access communication channels, especially in what is related to sending and receiving data over the communication lines, such as since the beginning of the current Internet session or for a certain time period.
  • this may also include information such as what protocols were used, etc.
  • the user may also view or modify directly the database of authorizations.
  • the Security System uses a set of heuristics and basic rules for defining suspicious or potentially dangerous activities that are automatically fit for most users. By using the general default rules and adding to them statistical analysis of normal system and applications behavior and what is learned from the user's responses to authorization requests, the Security System quickly learns what is considered reasonable or well-behaved behavior of programs on the user's personal computer or server.
  • the security rules and functions performed by the Security System preferably include: a. Constantly monitoring the security-sensitive elements of the computer system, including all relevant peripheral device activities, and especially storage devices and communication devices, and detecting and selectively intercepting any suspicious or dangerous behavior and acting upon it in accordance with the default and acquired sets of security rules, b. Default segregation of programs into their natural environments, as defined below in the detailed description, c. Warning the user and request for authorization for security- sensitive activities and especially any first-time attempts to access communication channels, d.
  • the present invention offers the following main advantages over the prior art:
  • Malicious behaviors of programs can be detected and intercepted even if they don't display viral or worm-like behavior at all, for example if a screen saver starts to steal data and send it out over communication lines even if it does not show any attempts to spread itself or to modify system areas.
  • Program is any file or area in memory that contains executable commands, such as .exe or .com files, batch files, various Macro files, etc.
  • Micro is an executable written usually in a scripting language and executed by a complex application, such as Microsoft's Outlook or Word.
  • DLL is a dynamic link library. This term is common for example in all versions of the Windows operating system. In other operating systems it might have different names but the principle is the same. In general it is a term for a set of routines that can be called from executables, loaded and linked into them during run time.
  • Device driver or “Driver” is a software component that allows an operating system to communicate with one or more specific hardware devices attached to a computer, such as a hard disk controller, network card or display card.
  • OS or “operating system” is software responsible for controlling the allocation and usage of computer hardware resources such as memory, CPU time, disk space, and peripheral hardware devices.
  • Interrupt request line is a hardware line over which a hardware device, such as an input/output port, keyboard, or disk drive, can send interrupt requests to the central processing unit (CPU). Interrupt request lines are built into the computer's internal hardware and are assigned different levels of priority so that the CPU can determine the sources and relative importance of incoming service requests.
  • User or “users” as used throughout the text are always meant interchangeably to be either user or users.
  • the user or users can be for example the individual user of a computer or computers or a corporation or organization that uses the computers. Therefore, preferably various types of authorizations for example can be given either by the individual user of the computer or for example by the security administrator of the company, or any combination of these. For example some companies might want to give full authority on critical issues only to the system administrator, while others might want to let the employees or certain employees have much more direct control.
  • Database or “Databases” as used throughout the text are always meant interchangeably to be either database or databases.
  • Network as used throughout the text is always interchangeable as either network or networks and represents a connection from a computer (as defined) by any way to one or more computers or any other compatible communication device.
  • File is one or more areas on one or more disks and may have a definition in the FAT that may be represented as a name, directory, etc. and may have other parameters.
  • Registry is one or more files that may contain operating system and other program settings and mainly managed by the operating system.
  • Computer can refer to a personal computer or workstation or server, or any automated device or gadget with one or more processor or CPU, capable of more than simple arithmetic functions. This includes for example also cellular phones and portable computing devices such as palm pilot. This includes also, for example, computers in cars, which may for example become very important as cars become more automated or even capable of automatic driving, since if hackers are able to damage them for example by Internet or satellite connection, it might even cause life- threatening malfunctions. Other examples can be computers in satellites (In which case, user authorization, when needed, preferably should be requested remotely by encrypted communication with user remote verification), sensitive computer systems in airplanes, etc.
  • Server is a computer on a network that is running software that provides data and services to clients over the network.
  • the term server can also apply to a software process, such as an Automation server, that similarly sends information to clients and that appears on the same computer as a client process, or even within the same application.
  • Kernel is the portion of the operating system that manages and controls access to hardware resources. It performs for example: thread scheduling and dispatching, interrupt and exception handling, and multiprocessor synchronization.
  • DMA Direct Memory Access
  • Image Loading refers to an executable code that is being loaded for execution or unloaded/terminated.
  • Hooked function refers to an executable filtering code placed between the calling code and called function and thus has the ability to monitor and/or intercept and/or redefine the function that is being hooked.
  • Fig. 1 shows the preferred main elements of the Security System within a typical structure of an operating system in a computer, with some of the hooked peripheral device drivers, especially those related to storage devices and network devices, and preferable places and ways that the various parts of the Security System are coupled to and interact with the above typical structure.
  • Fig. lb shows in more detail a preferred way of interaction between Security System parts with an emphasis on the user interface and a preferred process of permission granting.
  • Fig. 2 shows in more detail a flow diagram of a preferred way the monitoring and capturing system interacts, monitors, checks and authorizes file hooked functions of the computer's operating system that may be preformed by an application.
  • Fig. 3 shows in more detail a flow diagram of a preferred way the monitoring and capturing system interacts, monitors, checks and authorizes network hooked functions of the computer's operating system that may be preformed by an application.
  • Fig. 4 shows in more detail a flow diagram of a preferred way the monitoring and capturing system interacts, monitors, checks and authorizes registry hooked functions of the computer's operating system that may be preformed by an application.
  • Fig. 5 shows what preferably happens when executable files are being loaded for execution.
  • Fig. 6 shows in more detail a flow diagram of a preferred way the monitoring and capturing system interacts, monitors, checks and authorizes memory related functions of the computer's operating system that may be preformed by an application.
  • Fig. 7 shows in more detail a flow diagram of preferred main parts and methods of the Security System database, permission and analysis processes.
  • Fig. 8 shows in more detail preferred interfaces and operation of a possible variation of using additional hardware, which monitors hardware accesses on the computer's data bus and has a 2-way interface with the Security System's software.
  • Fig. 9 shows in more detail an overview of a preferable self-preservation method.
  • Fig. 10 shows in more detail a flow diagram of a preferred method of interception process.
  • Fig 11 is a graphic illustration of a preferable way in which processes may be segregated and controlled.
  • Fig 12 is a visual illustration of a more extreme implementation of keeping each program in a 'Bubble' of virtual environment.
  • Fig 13 is a visual illustration of a preferable configuration of connecting computers in an organization to Internet for example through the system administrator's computer.
  • Fig. 1 we show the preferred main elements of the Security System (100) within a typical structure of an operating system (101) in a computer (which can be for example a server, a personal computer, or other computerized gadgets or devices as explain in the definitions), with some of the hooked peripheral device drivers, especially those related to storage devices (110) and communication devices (111), and preferable places and ways that the various parts of the Security System (100) are coupled to and interact with the above typical structure.
  • the entire system and method can be regarded also as a virtual machine that performs the described functions.
  • the Security System is preferably comprised of the following main elements: a.
  • This element of the Security System installs at least some parts of itself as much as possible in the kernel of the operating system (104), and other parts replace various OS files, such as certain drives, device drivers, DLLs, etc. in order to hook various vital functions.
  • the monitoring and intercepting system is defined in more detail in subsequent figures. b.
  • this database (700) contains in addition to all the authorizations, an optional log (770) of all the questions that the Security System asked the user and his replies (kept at least for a certain period), and when needed, also a log (770) of suspicious activities detected (kept at least for a certain period) and may contain also definable additional logs.
  • the database (700) is preferably encrypted and is considered a constantly monitored high-security protected and preferably backed-up area as defined below. Therefore, all accesses to the database are supervised by the monitoring and capturing system as explained in more detail in fig. 11.
  • the Security System may also include (as another possible variation) an optional hardware element (800) shown in more detail in Fig. 8, which can alert the Security System's software to any events where access has been made to the security-sensitive ports (803) and/or memory (801) without an apparent corresponding event on the system level as monitored by said Security System's software.
  • an optional hardware element 800 shown in more detail in Fig. 8, which can alert the Security System's software to any events where access has been made to the security-sensitive ports (803) and/or memory (801) without an apparent corresponding event on the system level as monitored by said Security System's software.
  • the main rules and functions performed by the Security System are:
  • the user interface part (103) of the Security System warns the user about it, and if he allows it, then the natural environment of such programs is limited only to the root of that drive and does not include its sub-directories, otherwise the segregation to branches would be meaningless in this cases.
  • the Security System constantly monitors, intercepts, and warns the user of any attempts by programs to access the storage devices (110) through direct I/O, since that could render meaningless the segregation rules. (This can be accomplished for example by putting the Security System in ring 0 - Using Intel architecture terms).
  • Allowing a program to do whatever it likes to other programs or to their data files or to critical files of the operating system is as unrealistic as letting a guest in a hotel bother any other guests as he pleases, steal their property or copy it or destroy it, destroy their rooms, etc., or for example have free access to the hotel's safe or electronic switchboard or elevator control room, or phone.
  • the present concept is like limiting each guest by default to his room and limiting by default his access to the Hotel's strategic resources, so that only by explicit permission each guest can get additional privileges.
  • the Security System preferably constantly monitors attempts by various programs to access directly the area of the hard disk used by the operating system for the swap files, since that could also allow various security breaches, such as for example replacing critical DLLs with malicious DLLs while they are cached on the disk during virtual memory swapping.
  • the system may preferably to the extent possible also protect (600) some RAM (112) areas if they are not adequately protected by the computer's operating system (101). For example, there might be a vulnerability that enables applications to access a shared memory area called "System internal object name space" and change the names of DLLs, thus replacing them with references to malicious DLLs.
  • the Security System preferably makes sure (600) that it will not be thrown out of the RAM by other applications that might try to neutralize it, for example by checking all the time that it is not thrown out of the DDB (Device Descriptor Block) by other applications and putting itself all the time in the first place there, and/or by the methods described in Fig. 9 about self-preservation.
  • the Security system also prevents programs from accessing also in memory the code or data of other programs or their drivers or DLLs, etc. (unless given explicit permission to do so).
  • Any program that tries to access (such as send, receive, listen, connect etc.) communication channels (111), including IP address, port and protocol (mainly win-sockets and network shared device drivers (300)) needs to get permission from the user (unless it has already been given this privilege). Based on this monitoring, the user is warned and is asked for authorization (for any previously unauthorized connection), inbound or outbound, including any attempts from programs or hackers from the network (120) to connect to the user's computer, and the Security System may also trace-route such attempts on the net (120) in order to find the source of the attack.
  • the Security System when it asks the user for example if to allow a certain application to access communication channels, it shows additional relevant data apart from the application's name, such as, for example, the full path of where the executable is installed, its size, its date, and/or details such as for example CRC, memory segments, or other identifiers, in order to reduce the chance that some hostile application might for example install itself under some directory and name itselfnetscape.exe and thus be given inadvertently by the user access to the web.
  • the Security System's Database preferably warns the user about this, in order to further avoid confusion.
  • the user is for example an organization and the organization wants for example to allow the system administrator to control which applications have access to the web, then for example each time an employee working with a certain computer allows a certain application to access the web, then preferably this can be permitted only if it fits the definitions allowed by the administrator, preferably using various identification marks to make sure that it is indeed an allowed application and not some other executable with the same name.
  • This can be accomplished in a number of possible ways: For example the administrator can define allowed applications with their identification marks and broadcast this once in a while to all the computers in the organizations, and the Security system will allow access to communication channels only to applications that comply with these definitions (preferably these definitions are password- protected and also reside in an area regarded as a high-security area).
  • Another possible variation is that various requests for authorizations (preferably including various identification marks of the applications) are broadcast by the security system directly to the administrator without even asking the employee and preferably remain blocked until authorization can be given by him.
  • Another possible variation is for example that new authorizations given to applications by the employee (or at least authorizations on important issues) are broadcast by the security system also to the administrator, and allowed only if he OKs them.
  • Another possible variation is for example that, at least for certain authorizations, the user has to call the administrator, and only he can authorize them for example with a password.
  • applications that are allowed to access the web and/or other communication channels reside only in one (or more) computers in the network and the other computers can access them for example only by limited access through local-area network.
  • the Security System allows the user to define general limitations on the communication channels (111) allowed to be opened and optionally also limitations on types of protocols allowed, which is especially useful in cases where the computer is being used as a server, since in such cases the computer will run most of the time unattended by the user, or for example if the user wants to block automatically all incoming communication attempts and just log them.
  • the system preferably constantly monitors the communication channels for outgoing E-mail messages and asks the user for confirmation any time that one or more e-mail messages are being sent out by any program (even authorized programs) or at least and especially when multiple E-mails are being sent out consecutively.
  • the Security System also learns by this process various characteristics of the way the user is normally sending e-mail messages, so that whenever sudden unusual characteristics are apparent, preferably a special interception and warning can be issued.
  • the relevant MAPI functions will be called differently and/or other processes may happen differently than for example when sending e-mail from a Visual Basic Script executed by outlook express.
  • programs that are allowed to access the communication lines are usually a crucial link in Internet related attacks, preferably such programs are always monitored more thoroughly by the Security System, and therefore regarding such programs preferably the user may not tell the Security System to stop asking about various behaviors.
  • Examples of said communication channels in terms of hardware can be the modem, Ethernet card(s), or even the USB (Universal Serial Bus), which can also be used for example for ADSL connection, or any other device that exists or might exist in the future which might be used for communicating data in and out of the computer.
  • This comprehensive covering of all possible communication channels is extremely important, since otherwise the whole security system might be rendered useless.
  • Examples of said communication channels in terms of software can be any of the system functions that can access any of the said hardware devices that can be used for communication, including for example TAPI functions, which can use the modem for sending Faxes, since, otherwise, a malicious application might for example turn off the internal loudspeaker of the modem and dial out and send out stolen data as a Fax. This applies also for example to any access to wireless channels, such as for example Bluetooth or infra-red, since this also can be used for sending data to the computer or stealing data from it.
  • the monitoring & capturing system (102) conducts constant statistical analysis of various events in the computer in order to learn about normal behavior and identify significant deviations from the normal behavior (such as sending out significantly more data than usual, accessing more files than usual, etc.).
  • the programs that have been authorized for use of the communication channels (111) are constantly statistically analyzed and monitored for suspicious deviations from their normal statistical patterns of behavior, so that if such a program for example suddenly starts to access significantly more files than usual or scan large areas of the disk (even if it has been allowed by the user to access areas outside its natural environment) or starts to send out unusual amount of data, it is immediately intercepted and the user warned and asked for authorization.
  • the Security System monitors as much as possible all attempts of software applications to gain direct port accesses to security sensitive devices (such as the modem and network cards (111), hard disk controller, etc.), or to bypass the win-socket drivers, since such access could bypass the operating system.
  • security sensitive devices such as the modem and network cards (111), hard disk controller, etc.
  • Win-socket drivers since such access could bypass the operating system.
  • Windows NT for example allows only drivers that are installed in ring 0 to access such ports directly, so ordinary applications are automatically prevented from doing this, but some other versions of windows do not enforce this limitation. Therefore, the Security System tries to enforce this as much as possible even on systems were it is not enforced.
  • the Security System preferably performs various checks if various crucial system files are suspicious of being infected already, and in that case might for example recommend to the user to reinstall the operating system before trying to install again the security software.
  • the Security System preferably implements also a new concept: Virtual Shared Directories. This way, each time an executable tries to access such a shared directory, it will be preferably given the illusion that it has accessed it, but in reality, each such executable will be preferably redirected to a separate private sub-directory which only it can access.
  • the Security System when executables are accessing shared keys in the registry, the Security System preferably implements also a Virtual Shared-Keys system such as registered components, etc., so that again, preferably the executables are given the illusion that they have accessed the shared keys, but preferably they are in practice being redirected each to its individual private file of relevant registry keys.
  • This in combination with the other rules/functions, and especially rule no.l (about the automatic segregation), can also be described in other words as a system of multiple automatic sandboxes, or a system in which each program is limited to its own virtual computer.
  • the Security System preferably also tries to push the operating system or at least parts of it, to the extent possible, from processor ring 0 (privileged) to ring 1 (less privileged), preferably with the aid of an additional component that converts all the needed functions to run in ring 1 instead of ring 0.
  • processor ring 0 privileged
  • ring 1 privileged
  • these rings are concepts in Intel processors, similar rings or concepts might exist also in other processors.
  • this system and method are important for example for the prevention of theft of highly sensitive codes, such as private encryption keys or credit card details.
  • This is important because in the USA a recent legislation regards digital signatures as no less obligating than handwritten signatures, and in other countries there are similar legislations in process.
  • One of the biggest service suppliers in this area brags that it could take almost infinite time to break the private keys in these digital signatures, but ignores the simple fact that there is no need to break the keys since it is much easier to steal them, for example by a Trojan horse arriving by e-mail or through a web page by exploiting various loopholes in browsers or e-mail programs.
  • the Security System also learns various characteristics of the way the user is normally accessing the keys, so that when sudden unusual characteristics are apparent, preferably a special interception and warning can be issued. Even if hardware cards, such as smart cards, are used for storing the encryption keys, these keys might still be stolen by Trojans for example by overwriting parts of the programs that access these cards or by monitoring the data in memory while it is being generated by these programs. In cellular phones, for example, eventhough they usually don't have yet sophisticated or sensitive operating systems and file systems compared to Windows, for example, and the operating system is usually EPROMM based, still at least some of the principles of the present system and method can be applied, such as:
  • the self-defense principles such as requiring authorization to modify the BIOS's EPROMM and such as outlined for example in Fig. 9, and protecting the system-critical areas, are easier to implement, since the entire operating system and the security system may be on EPROMM or similar non-easily modifiable memory. So, for example, any attempt to modify any EPROMM data needs explicit permission from the user.
  • the RAM memory used for processing data operations is preferably monitored against hostile activities.
  • Any attempt to automatically dial-out or automatically answer incoming calls preferably needs explicit permission from the user, especially if multiple automatic dials are attempted. This prevents any viruses from causing the phone to automatically send messages to various places, or from becoming for example a spying device, recording what is going on in the room and sending it out without the user's knowledge. 5.
  • constant open Internet connection expected for example in the 3 rd generation cellular phones, like in the PC example, preferably no program can access the web without prior user permission and no connection initiated from the outside can come-in without user permission.
  • Any unauthorized access to additional communication channels, such as Bluetooth devices also is preferably blocked or has to be authorized by the user.
  • Fig lb shows in more detail a preferred interaction between Security System parts with an emphasis on the user interface (preferably graphic user interface) and a preferred process of permission granting.
  • the monitoring and intercepting system (102) immediately stops the program (1002) and asks the user for authorization, and if the user is absent, for example in case of protecting a server, suspect activities may be either blocked until the user comes back and/or logged (770), and such decisions are made either according to the various sets of security rules (740) and the nature of the suspect or dangerous activity, or by user definition.
  • the Security System gives the user options such as for example to abort the offending program immediately, allow only this time, disallow but let the program go on, allow always from now on or until a certain event, stop asking completely about similar breaches for this program, or stop asking completely about similar breaches for all programs in this directory and it's sub-directories.
  • the Security Systems preferably asks also if the permission is given only for reading of data or also for modifying data, etc.
  • the system preferably also allows the user to specify which channels to allow the application to use and what related activities to allow.
  • the user is always asked for authorization in such ways that responding without paying attention will always default to the least dangerous options.
  • highly dangerous activities such as formatting a drive, mass deletion of files, changing hard disk partition information, changing boot area information, installing drivers in levels close to the kernel of the operating system, accessing the defined high-security areas, or modifying executables that reside outside the natural environment of the offending executable programs (such as exe and com files, batch files, DLLs, MS-DOC, MS-XLS files, or any other file that might contain executable commands), renaming them, creating new executables, or changing the linking of files types with applications that will be run when clicking on them, etc.
  • the security system also makes sure that no other programs can enter false answers as if they were entered by the user through the keyboard or the mouse or any other input device, for example by preventing other programs (except the allowed relevant input device drivers) from adding data for example to the buffer of typed keys in memory and the buffer of mouse events, or for example by using the hooking of all keyboard access and all mouse events to make sure that whatever is read for example from the keyboard or mouse is identical to what is in their event buffers or using only the commands that come directly through these hooked functions.
  • the Security System freezes all other processes while it is waiting for the user's reply, for example at least for highly dangerous activities.
  • the Security System plants its own keyboard and mouse drivers instead of those normally in use, however this could be problematic when a non-standard keyboard or mouse is used.
  • Another possible variation of this is to use for example a smarter keyboard and/or mouse which uses also encryption preferably with a date & time stamp, like in the communication with the administrator's computer, as explained below.
  • the Security System also controls access to events and to objects (such as for example the edit box) and to the memory of programs such as for example shell32.dll,user32.dll & gdi32.dll (which are related to the Windows user interface, for example when using the standard open file dialogue box), so that programs don't create false events (such as for example pressing the OK button even though it hasn't really been pressed) or for example alter by direct memory access the content of the input line that contains the file name.
  • these or similar methods can be applied also for example in systems that allow voice commands.
  • the Security System also preferably identifies if the user or the application initiated a potential security-risk command, such as for example accessing a file outside the natural environment of the program for a program that still does not have that privilege, and so can for example allow more flexibility and less limitations (or even no limitations) if the command was initiated directly by the user than if it was initiated by the application.
  • a potential security-risk command such as for example accessing a file outside the natural environment of the program for a program that still does not have that privilege, and so can for example allow more flexibility and less limitations (or even no limitations) if the command was initiated directly by the user than if it was initiated by the application.
  • the Security System preferably prevents applications from creating the false impression as if the user for example typed something on the keyboard and thus initiated the command, preferably by use of any of the ways described above.
  • additional definitions of highly dangerous activities may be easily supplied as an update.
  • the Security System can handle it smartly as a continuous action within the same context.
  • the security system records which files are created by it, in order to be able to identify more easily its associated files even when they are in other areas.
  • the Security System also analyses during the installation the imported functions in shared DLLs of the program in order to try to anticipate the behavior of the program and its needs.
  • the Security System is installed as soon as possible after the operating system is installed, before other applications. (However, as explained above, the Security System can work also for applications installed before it).
  • one computer can be used for example for learning all of the segregation rules and various environment parameters for each program and this knowledge can be transferred to all the other computers in the organization, regardless of the order in which the applications are installed in the other computers.
  • various or all requests for authorization can be for example referred by the Security system directly to the system administrator instead of or in addition to asking the employee that works with the computer, or for example automatically blocked unless they fit with pre-defined permissions by the administrator (that can preferably be easily updated by him whenever needed), by methods like those described in the relevant examples given in function 4.
  • various information such as for example parameters or suspect behaviors learned on one or more computers can be transferred to other computers, preferably only after authorization by the administrator.
  • communications with this authority are secure and encrypted and preferably include also an exact time and date stamp, in order to prevent malicious programs for example from trying to send false authorizations or reuse old authentic authorizations for generating false authorizations.
  • this communication uses special protocols of the security system instead of the normal network device drivers and protocols of the operating system. This can enable also in practice general policy enforcement, so that the organization can decide and enforce very easily for example that only a certain set of programs may be run on all or on certain computers, or only certain actions are allowed on all or on certain computers, etc.
  • These various options can be regarded as various possible embodiments. Some of them can be made available for example as separate products, or for example as various options within the same product.
  • the level of control given to the employee versus the control for example by the system administrator can preferably be set independently for each computer in the organization.
  • a preferable way of viewing and/or modifying the database of authorizations is for example in the form of a table which lists the names and preferably various identification marks of applications allowed to access communication channels (and preferably a list of which channels), or to exceed their natural environments, or to have any other privileges which normal applications do not have by default, and lists which such privileges they have been given. Some activities might remain unallowed to any applications, such as for example trapping the keyboard device in order to catch keystrokes.
  • this table includes also various statistical data about the behavior of each program, as explained before. In an organization where most control is in the hands of the system administrator, preferably the security system installed on each computer still runs a similar table and maintains a similar database, however the system can limit what the employee can change without the administrator's authorization.
  • this table contains also additional information and controls, such as for example the list of computers connected to the system within the organization, preferably with a unique identifier to each computer, and preferably with additional statistical information on the behavior of each computer in the list, so that preferably the system can alert the administrator for example whenever a computer in the system starts to deviate significantly from its normal behavior, such as unusual disk activity or unusual communications activity.
  • additional information and controls such as for example the list of computers connected to the system within the organization, preferably with a unique identifier to each computer, and preferably with additional statistical information on the behavior of each computer in the list, so that preferably the system can alert the administrator for example whenever a computer in the system starts to deviate significantly from its normal behavior, such as unusual disk activity or unusual communications activity.
  • Such data is preferably also logged.
  • the communication between the administrator's computer and the employees' computers is encrypted and secure.
  • the Security System on the administrator's computer constantly sends short communications at short intervals to the other computers in the system in order to be able to notice quickly for example if the Security System on any computer has been damaged or disabled.
  • this short communication can contain for example special codes with different keys for each computer, so that only an active Security System can respond to it properly, and so that a different response will come from a working computer where the Security System has been disabled or is not working properly (including for example if the computer was booted from a diskette instead of the hard disk), and no response from a computer that is turned off for example.
  • a central gateway computer which might be the administrator's computer, or a separate computer
  • this might be used as an additional control for catching backdoors that might exist for example even in the operating system itself:
  • the Security System on each computer preferably reports to the Security System on the administrator's computer all the time or at preferably short intervals for example how much data it has allowed to be sent out from the computer's communication channels, so that the Security System on the administrator's computer can preferably notice and intercept immediately or after a short interval communication attempts from computers where the amount of actual communication does not fit the amount reported by the Security System of that computer.
  • the Security System on the administrator's computer can for example check the packet headers by itself or use for this the services of the network firewall on the gateway computer if such a firewall is being used, or use some other routing information to know from which computers the data is coming.
  • This feature is very important and can be used also independently of other features to find cases where the actual amount of data sent- out does not fit the amount reported, even for example the amount reported by the dialer of the operating system.
  • more than one administrator can exist.
  • a modem or network card or other communications device capable of monitoring at least the amounts of data sent out so that this communication device can preferably report back to the Security System of the computer how much data actually went out, so that preferably the communications can be immediately blocked and an alert issued if the amount of actual communication does not fit the amount reported by the Security System of that computer.
  • the blocking in this case is done by the Security system, however another possible variation is that it can be done also by the communications device itself, or by the administrator's computer or the gateway computer in organizations where all the traffic goes through them).
  • FIG. 2 shows a preferred method for monitoring, checking and authorizing access to hooked functions that are called due to a disk related action (201) (such as file open, file read, file write, file change, disk read, disk write, disk format, etc.).
  • a disk related action such as file open, file read, file write, file change, disk read, disk write, disk format, etc.
  • the function is tunneled to the proper method of access (202) (read, write, query, etc.).
  • the Security System retrieves caller's identity (203), retrieves its relevant information from the database (700), if needed, and retrieves the required file action parameters (204) (such as file name, path name, etc.).
  • the parameters are tracked (211) and, if needed, relevant parts are stored in database (700) for further use (for example for statistics).
  • an access to rules settings in the database (700) is made to check whether the current action is permitted, and the answer's origin is authorized to prevent hacking of the Security System (207).
  • the Security System can take into consideration also if the action was initiated by the user or by the application, as described in Fig. lb. If hacking was spotted, the Security System preferably proceeds to special termination process (1001). If origin of answer is authenticated as coming indeed from the database, the Security System performs a check whether the action is permitted.
  • the Security System can for example ask permission from the user, or terminate the process, or tell it that something does not exist, or tell it that the request has been done (without actually doing it), or do the above things if the user has not agreed, or choose other actions, preferably depending also on the amount of visibility wanted by the user (1002), and if authorized it passes on the parameters to the original hooked function (212), and, if needed, the database is updated with the new authorization. Also, it should be noted that this and the other figures, and especially the flowcharts are just general examples, and various steps can for example change or be in a different order.
  • Fig. 3 shows a preferred method for monitoring, checldng and authorizing access to hooked functions that are called due to a communication related action (301) (such as open connection, close connection, send, receive, etc.).
  • a communication related action such as open connection, close connection, send, receive, etc.
  • the function is tunneled to the proper method of access (302) (send, receive, etc.).
  • the Security System retrieves caller's identity (303), retrieves its relevant information from database (700) and retrieves required communication action parameters (304) (such as handle id, address, protocol, etc.).
  • the parameters are tracked (311) and, if needed, relevant parts are stored in database (700) for further use (for example for statistics).
  • the Security System can take into consideration also if the action was initiated by the user or by the application, as described in Fig. lb. If needed, an access to rules settings in the database (700) is made to check whether the current action is permitted and the answer's origin is authorized to prevent hacking of the Security system (307). If hacking was spotted the Security System preferably proceed to special termination process (1001). If origin of answer is authenticated as coming indeed from the database, the Security System performs a check whether the action is permitted.
  • the Security System can for example ask permission from the user, or terminate the process, or tell it that something does not exist, or tell it that the request has been done (without actually doing it), or do the above things if the user has not agreed, or choose other actions, preferably depending also on the amount of visibility wanted by the user (1002), and if authorized it passes on the parameters to the original hooked function (312), and, if needed, the database is updated with the new authorization.
  • Fig. 4 shows a preferred method for monitoring, checking and authorizing access to hooked functions that are called due to a registry related action (401) (such as read, write, change, etc.).
  • a registry related action such as read, write, change, etc.
  • the function is tunneled to the proper method of access (402) (read, write, etc.).
  • the Security System retrieves caller's identity (403), retrieves its relevant information from database (700) and required registry action parameters (404) (such as key, value, etc.).
  • the parameters are tracked (411) and, if needed, relevant parts are stored in database (700) for further use (for example for statistics).
  • An access to rules settings in the database (700) is made to check whether the current action is permitted, answer's origin is authorized to prevent hacking of the Security System (407).
  • the Security system preferably proceeds to special termination process (1001). If origin of answer is authenticated as coming indeed from the database, the Security System performs a check whether the action is permitted. If not, the Security System can for example ask permission from the user, or terminate the process, or tell it that something does not exist, or tell it that the request has been done (without actually doing it), or do the above things if the user has not agreed, or choose other actions, preferably depending also on the amount of visibility wanted by the user (1002), and if authorized it passes on the parameters to the original hooked function (412) and, if needed, the database is updated with the new authorization.
  • Fig. 5 shows what preferably happens when any executable files are being loaded for execution (501) by the operating system.
  • the Security System is notified about it and checks it before it actually starts running. Furthermore, the file is being accessed in an earlier phase, (see fig. 2) when the Security System permits the access to the file (for example, ifformat.exe was denied for all it won't reach this phase) as it is being accessed before loading into memory (see fig. 2).
  • the Security System tracks file parameters and relevant data (502) (such as process id (PID), threads, allocated memory, etc.) for further use, stores them in the database (700) if needed, and passes on the parameters.
  • relevant data such as process id (PID), threads, allocated memory, etc.
  • Fig. 6 shows a preferred method for monitoring, checking and authorizing access to hooked functions that are called due to due to a memory related action (601) (such as read, write, etc.). Then the Security System retrieves caller's identity (602), retrieves its relevant information from database (700), gets its parts (libraries, etc.) and its self-allocated memory (physical, virtual, etc.) (603), and checks if the process exceeded its memory borders (604).
  • a memory related action such as read, write, etc.
  • the Security System can for example ask permission from the user, or terminate the process, or tell it that something does not exist, or tell it that the request has been done (without actually doing it), or do the above things if the user has not agreed, or choose other actions, preferably depending also on the amount of visibility wanted by the user (1002), otherwise it passes on the parameters to the original hooked function (605).
  • This feature is implemented to the extent possible since its implementation may be limited or partially limited on various operating systems.
  • the optional additional hardware described in fig. 8 might also be useful in this context if needed.
  • a Security System database The database or parts of it are located in computer's memory and in storage media. Any access to the database is encrypted (701) and its origin identified (702). The authentication is checked (703) and if hacking was spotted the program preferably proceeds to special termination process (1001). If the access is authenticated the database may set or retrieve information (704) from or to the records (740) which preferably contain statistics records (751), Process ID (PID) records (752), additional records (760), log of activity (770) and Security rules (740) which preferably contain info such as •file records (741), Network records (742) and Registry records (743).
  • Each group of the rule records preferably contains the following information: acquired user's rules, pre-distribution acquires rules, default rules and variant parameters (as described above). If the request is for storing information, the request is performed and returned to caller (706) (one of the Security System inner functions). If the request is for retrieving information, the following preferably occurs: The database keeps track of statistics and analyzes (707). If the Security System spots any suspicious deviation in activity, the answer returned to the caller function is negative and the appropriate explanation passed through (710) (this action is performed when handling information that is not im er security database such as PID-752, etc.), otherwise it returns the answer that was retrieved from the database (709).
  • the Security System may also include an optional hardware element (800) which gathers (804) and/or logs (805) monitored hardware port accesses (803), DMA (801), IRQ (802), etc.
  • the monitoring hardware mainly monitors access to storage devices (especially hard disk controller) and access to network devices (such as modem, network cards, etc.).
  • the monitoring hardware has an interface (811) for transfer of information from the Security System's software (104) to said hardware element (800) (such as through accessing read and/or write ports in said hardware element (800)) and for immediate feedback to the Security System's software (104) (such as through accessing read and/or write ports in said hardware element (800), through interrupts, etc.) so that it can alert the Security System's software (104) to any events that have been defined in the built-in local database (806).
  • the comparison of events between the software monitoring and the hardware monitoring can preferably be done by either the hardware element (800), by the software part of the Security System (104) or by both.
  • any Security System part that is being called (901) performs a regular check every defined time (902) for all Security System files integrity (903) and its running functions' (as described in fig. 1) integrity (904). If a deviation is found (905), it informs the user for full understanding of the situation and performs a Self-preservation interception and report (1001).
  • the security system defines a part of the physical memory so that no other process can access it except by using a limited number of calling gates (such as when calling one of the hooked functions), and any other attempt to access this memory area for example for reading or writing causes a CPU exception which transfers control to the Security System. Since the Security system can know from this which application tried to "attack” it, the security system preferably initiates "anti-hacking" measures, such as for example disabling the attacking part of the process, terminating the process, destroying the process's environment, etc.
  • the interception process preferably contains two major interception routes:
  • the first is a normal interception (1002) - it is used when an executable tries to perform an unauthorized activity. In that case it preferably notifies the user (1101) (as described above), blocks the parameters from reaching the original function (1006), and can for example inform the original caller (the program that requested the function) about function failure.
  • the second is a Self- preservation interception (1001). It is used when the Security System detects an intrusion of any kind by an offensive program or a hacker.
  • the offensive program immediately (1007) (such as unload from memory, etc.) (Method of termination may be different from operating system to another), and the Database (700) is modified so it marks the offensive program and/or its files accordingly (1009) (such as not allowing the access to them, etc.).
  • a self-check is being performed (900) (as described in fig. 9) and if the Security System is endangered (1010), it starts Survival emergency procedures (1011) (such as reinstall, shutdown parts, reload, etc.). If not, it continues monitoring (1010). Although it may seem from the diagram that in certain cases there might occur endless loops, this is not the case in reality, it only seems so because the diagram is simplified.
  • FIG. 11 we show a graphic illustration of a preferable way in which processes may be segregated and controlled. Whenever a process (1111) attempts to access other processes or their natural environments (1113) or possibly important system resources (1114-1124), it has to go through the Security System's interception and decision engine, so that practically a virtual environment or virtual computer (1112) is created around it.
  • this graphic illustration is just a possible example. Not all of these functions are necessarily implemented.
  • Category 1122 - other - refers to other possible resources that may be relevant for example in other operating systems or other CPUs).
  • a more extreme possible implementation of this concept (as illustrated also in Fig.
  • the Security System is the first thing installed after the operating system, and the security system preferably relies mainly on identifying if the user or the program initiated each security-sensitive action in order to decide automatically if to allow it or not.
  • one computer can be used for example for learning all of the segregation rules and virtual environment parameters for each program, and this knowledge can be transferred to all the other computers in the organization, without the need to install the Security System before the other applications in the other computers.
  • FIG. 12 we show a visual illustration of a more extreme implementation of keeping each program in a 'Bubble' of virtual environment, so that the application can only see itself (2001) and not other programs except its virtual environment (2002), which contains the operation system and the resources it is allowed to see. Only by explicit permission from the user can the program see other programs or their data or access other system resources.
  • Fig. 13 we show a visual illustration of a preferable configuration in a possible variation in which individual computers in an organization (3001- 3005), each with its own installation of the Security System, are com ected to the Internet (3020) through the central authority's computer, such as for example the system administrator (3010) (or though another gateway computer which supplies information to the central authority about the amount of data actually sent from each computer), with it's own installation of the Security System, so that the Security System on the central authority's computer can also notice and intercept communication attempts from computers where the amount of actual communication does not fit the amount reported by the Security System of that computer, as described in the reference to fig. lb.
  • the central authority's computer such as for example the system administrator (3010) (or though another gateway computer which supplies information to the central authority about the amount of data actually sent from each computer), with it's own installation of the Security System, so that the Security System on the central authority's computer can also notice and intercept communication attempts from computers where the amount of actual communication does not fit the amount reported by the Security System of that computer,

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
EP01936773A 2000-05-28 2001-05-28 System und verfahren für den umfassenden allgemeinen generischen schutz für computer vor bösartigen programmen, die informationen stehlen und/oder schäden verursachen können Withdrawn EP1305688A2 (de)

Applications Claiming Priority (7)

Application Number Priority Date Filing Date Title
IL13641400 2000-05-28
IL13641400 2000-05-28
US20959300P 2000-06-06 2000-06-06
US209593P 2000-06-06
US28401901P 2001-04-15 2001-04-15
US284019P 2001-04-15
PCT/IL2001/000487 WO2001092981A2 (en) 2000-05-28 2001-05-28 System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages

Publications (1)

Publication Number Publication Date
EP1305688A2 true EP1305688A2 (de) 2003-05-02

Family

ID=27271933

Family Applications (1)

Application Number Title Priority Date Filing Date
EP01936773A Withdrawn EP1305688A2 (de) 2000-05-28 2001-05-28 System und verfahren für den umfassenden allgemeinen generischen schutz für computer vor bösartigen programmen, die informationen stehlen und/oder schäden verursachen können

Country Status (8)

Country Link
EP (1) EP1305688A2 (de)
JP (1) JP2003535414A (de)
CN (1) CN1444742A (de)
AU (1) AU6263201A (de)
CA (1) CA2424352A1 (de)
GB (2) GB2380303B (de)
HK (2) HK1084739A1 (de)
WO (1) WO2001092981A2 (de)

Families Citing this family (60)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2404262B (en) * 2003-06-19 2008-03-05 Yaron Mayer System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
US20030159070A1 (en) * 2001-05-28 2003-08-21 Yaron Mayer System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
US7613930B2 (en) 2001-01-19 2009-11-03 Trustware International Limited Method for protecting computer programs and data from hostile code
EP1225513A1 (de) 2001-01-19 2002-07-24 Eyal Dotan Verfahren zur Sicherung der Rechnerprogramme und Rechnerdaten eines feindlichen Programms
US7028305B2 (en) 2001-05-16 2006-04-11 Softricity, Inc. Operating system abstraction and protection layer
JP2004126854A (ja) * 2002-10-01 2004-04-22 Mitsubishi Electric Corp 攻撃対策装置
US7793346B1 (en) 2003-01-17 2010-09-07 Mcafee, Inc. System, method, and computer program product for preventing trojan communication
WO2004075060A1 (ja) * 2003-02-21 2004-09-02 Tabei, Hikaru コンピュータウィルス検出装置
EP1627330A2 (de) * 2003-05-07 2006-02-22 Linuxcare, Inc. Detektion und warnung für viren in einem gemeinsam benutzten nurlese-dateisystem
US7188127B2 (en) 2003-10-07 2007-03-06 International Business Machines Corporation Method, system, and program for processing a file request
US7730318B2 (en) * 2003-10-24 2010-06-01 Microsoft Corporation Integration of high-assurance features into an application through application factoring
US20050091658A1 (en) * 2003-10-24 2005-04-28 Microsoft Corporation Operating system resource protection
US7111246B2 (en) * 2004-02-17 2006-09-19 Microsoft Corporation User interface accorded to tiered object-related trust decisions
US8332943B2 (en) 2004-02-17 2012-12-11 Microsoft Corporation Tiered object-related trust decisions
KR100596135B1 (ko) * 2004-02-24 2006-07-03 소프트캠프(주) 가상 디스크를 이용한 응용 프로그램 별 접근통제시스템과 그 통제방법
US7406606B2 (en) * 2004-04-08 2008-07-29 International Business Machines Corporation Method and system for distinguishing relevant network security threats using comparison of refined intrusion detection audits and intelligent security analysis
US20050259678A1 (en) * 2004-05-21 2005-11-24 Gaur Daniel R Network interface controller circuitry
JP4638494B2 (ja) * 2004-08-21 2011-02-23 ファン・コ−チェン コンピュータのデータ保護方法
CN100461091C (zh) * 2004-08-24 2009-02-11 华盛顿大学 用可重新配置硬件进行内容检测的方法和系统
US7587594B1 (en) 2004-08-30 2009-09-08 Microsoft Corporation Dynamic out-of-process software components isolation for trustworthiness execution
US7690033B2 (en) 2004-09-28 2010-03-30 Exobox Technologies Corp. Electronic computer system secured from unauthorized access to and manipulation of data
JP4688472B2 (ja) * 2004-11-01 2011-05-25 株式会社エヌ・ティ・ティ・ドコモ 端末制御装置及び端末制御方法
US7478237B2 (en) * 2004-11-08 2009-01-13 Microsoft Corporation System and method of allowing user mode applications with access to file data
US7712086B2 (en) * 2004-12-15 2010-05-04 Microsoft Corporation Portable applications
US7654590B2 (en) 2005-01-04 2010-02-02 Illinois Tool Works, Inc. Magnetic appliance latch
US7490352B2 (en) * 2005-04-07 2009-02-10 Microsoft Corporation Systems and methods for verifying trust of executable files
DE602005017585D1 (de) 2005-04-18 2009-12-24 Research In Motion Ltd Verfahren und System zur Erkennung von bösartigen drahtlosen Anwendungen
US7665098B2 (en) 2005-04-29 2010-02-16 Microsoft Corporation System and method for monitoring interactions between application programs and data stores
CN100346252C (zh) * 2005-09-28 2007-10-31 珠海金山软件股份有限公司 计算机软件安全漏洞修复装置和方法
US7917487B2 (en) 2005-12-13 2011-03-29 Microsoft Corporation Portable application registry
CN1909453B (zh) * 2006-08-22 2011-04-20 深圳市深信服电子科技有限公司 一种基于网关/网桥的防间谍软件侵犯方法
US7870336B2 (en) 2006-11-03 2011-01-11 Microsoft Corporation Operating system protection against side-channel attacks on secrecy
WO2008067371A2 (en) * 2006-11-29 2008-06-05 Wisconsin Alumni Research Foundation System for automatic detection of spyware
EP2015212A1 (de) * 2007-06-29 2009-01-14 Axalto SA Tragbares Massenspeichergerät mit Einhängungsverfahren
CN101370305B (zh) * 2008-09-23 2011-10-26 中兴通讯股份有限公司 一种保护数据业务安全的方法和系统
US8719901B2 (en) * 2008-10-24 2014-05-06 Synopsys, Inc. Secure consultation system
US8695090B2 (en) 2008-10-31 2014-04-08 Symantec Corporation Data loss protection through application data access classification
US8850428B2 (en) 2009-11-12 2014-09-30 Trustware International Limited User transparent virtualization method for protecting computer programs and data from hostile code
US9311482B2 (en) * 2010-11-01 2016-04-12 CounterTack, Inc. Inoculator and antibody for computer security
US20130067578A1 (en) * 2011-09-08 2013-03-14 Mcafee, Inc. Malware Risk Scanner
US9043918B2 (en) * 2011-10-13 2015-05-26 Mcafee, Inc. System and method for profile based filtering of outgoing information in a mobile environment
RU2477520C1 (ru) 2012-03-14 2013-03-10 Закрытое акционерное общество "Лаборатория Касперского" Система и способ динамической адаптации функционала антивирусного приложения на основе конфигурации устройства
US8732834B2 (en) * 2012-09-05 2014-05-20 Symantec Corporation Systems and methods for detecting illegitimate applications
US20160055331A1 (en) * 2013-03-28 2016-02-25 Irdeto B.V. Detecting exploits against software applications
CN103729937A (zh) * 2013-12-20 2014-04-16 广西科技大学 一种电动车充电计费监测系统
CN103906045B (zh) * 2013-12-25 2017-12-22 武汉安天信息技术有限责任公司 一种移动终端隐私窃取行为的监控方法及系统
CN105162620B (zh) * 2015-08-04 2018-11-27 南京百敖软件有限公司 一种实现异架构下系统监控的方法
US10303878B2 (en) * 2016-01-22 2019-05-28 Yu-Liang Wu Methods and apparatus for automatic detection and elimination of functional hardware trojans in IC designs
CN106020874A (zh) * 2016-05-13 2016-10-12 北京金山安全软件有限公司 数据上报方法、装置及终端设备
CN106598866A (zh) * 2016-12-22 2017-04-26 合肥国信车联网研究院有限公司 一种基于smali中间语言的静态检测系统及方法
CN106599708A (zh) * 2017-02-21 2017-04-26 柳州桂通科技股份有限公司 一种防止网络之间互访时访客恶意破坏原始数据的实时访问方法及其系统
KR102405752B1 (ko) * 2017-08-23 2022-06-08 삼성전자주식회사 어플리케이션 프로그램의 권한을 제어하는 방법 및 전자 장치
CN108217349B (zh) * 2017-12-06 2020-10-13 上海新时达电气股份有限公司 一种电梯预先授权控制系统及调试方法
CN108345522B (zh) * 2017-12-15 2019-03-29 清华大学 用于对中央处理器cpu进行安全检测的方法、装置和系统
US10742483B2 (en) 2018-05-16 2020-08-11 At&T Intellectual Property I, L.P. Network fault originator identification for virtual network infrastructure
DE102018120344A1 (de) * 2018-08-21 2020-02-27 Pilz Gmbh & Co. Kg Automatisierungssystem zur Überwachung eines sicherheitskritischen Prozesses
EP3623886A1 (de) * 2018-09-17 2020-03-18 Siemens Aktiengesellschaft Verfahren zur verwaltung eines produktionsprozesses, sowie computerprogramm zum ausführen des verfahrens und elektronisch lesbarer datenträger
DE102020114199A1 (de) 2020-05-27 2021-12-02 Basler Aktiengesellschaft Absicherung von Computersystemen gegen Manipulationen und Funktionsanomalien
CN112600757B (zh) * 2020-12-25 2023-03-10 深圳深度探测科技有限公司 一种基于不对称数据传输限速器的安全维护方法
CN114821314B (zh) * 2022-04-19 2024-03-08 中铁建设集团有限公司 基于机器视觉的机场路面异常检测方法

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5440723A (en) * 1993-01-19 1995-08-08 International Business Machines Corporation Automatic immune system for computers and computer networks
AU683038B2 (en) * 1993-08-10 1997-10-30 Addison M. Fischer A method for operating computers and for processing information among computers
US5684875A (en) * 1994-10-21 1997-11-04 Ellenberger; Hans Method and apparatus for detecting a computer virus on a computer
US5765030A (en) * 1996-07-19 1998-06-09 Symantec Corp Processor emulator module having a variable pre-fetch queue size for program execution
US5832208A (en) * 1996-09-05 1998-11-03 Cheyenne Software International Sales Corp. Anti-virus agent for use with databases and mail servers
US6108799A (en) * 1997-11-21 2000-08-22 International Business Machines Corporation Automated sample creation of polymorphic and non-polymorphic marcro viruses
EP1127314A4 (de) * 1998-09-10 2003-03-12 Sanctum Ltd Verfahren und system um eingeschränkte betriebsumgebung für anwendungsprogramme oder anwendungssysteme beizubehalten
US6256773B1 (en) * 1999-08-31 2001-07-03 Accenture Llp System, method and article of manufacture for configuration management in a development architecture framework

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO0192981A3 *

Also Published As

Publication number Publication date
CN1444742A (zh) 2003-09-24
GB2380303A (en) 2003-04-02
HK1084739A1 (en) 2006-08-04
GB0230154D0 (en) 2003-02-05
GB0506281D0 (en) 2005-05-04
GB2411988B (en) 2005-10-19
WO2001092981A3 (en) 2002-04-25
CA2424352A1 (en) 2001-12-06
HK1084738A1 (en) 2006-08-04
AU6263201A (en) 2001-12-11
JP2003535414A (ja) 2003-11-25
GB2380303B (en) 2005-09-14
WO2001092981A2 (en) 2001-12-06
GB2411988A (en) 2005-09-14

Similar Documents

Publication Publication Date Title
WO2001092981A2 (en) System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
US9213836B2 (en) System and method for comprehensive general electric protection for computers against malicious programs that may steal information and/or cause damages
US20030159070A1 (en) System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
US20040034794A1 (en) System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
US11036836B2 (en) Systems and methods for providing real time security and access monitoring of a removable media device
CN109766699B (zh) 操作行为的拦截方法及装置、存储介质、电子装置
USRE43528E1 (en) System and method for protecting a computer system from malicious software
US8078886B2 (en) Method for protecting computer programs and data from hostile code
US20040103317A1 (en) Method and apparatus for protecting secure credentials on an untrusted computer platform
US20090247125A1 (en) Method and system for controlling access of computer resources of mobile client facilities
JP2019075131A (ja) ファイル・アクセス監視方法、プログラム、および、システム
GB2404262A (en) Protection for computers against malicious programs using a security system which performs automatic segregation of programs
CA2471505A1 (en) System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
GB2411748A (en) Anti-virus system for detecting abnormal data outputs
Guttman et al. Users' security handbook
CA2424144A1 (en) System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
AU2007201692A1 (en) System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
Arai et al. A proposal for an effective information flow control model for sharing and protecting sensitive information
Koropiotis CIS Microsoft Windows Server 2019 compliance
Shen et al. The Impact of Attacking Windows Using a Backdoor Trojan
CA2446144A1 (en) System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
Badger et al. Guide to Securing Apple OS X 10.10 Systems for IT Professionals
Olzak Wireless Handheld Device Security
CA2431681A1 (en) System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
Watch Mac hacked

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20021230

AK Designated contracting states

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR

AX Request for extension of the european patent

Extension state: AL LT LV MK RO SI

RIN1 Information on inventor provided before grant (corrected)

Inventor name: DECHOVICH, ZAK

Inventor name: MAYER, YARON

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: SECUREOL (ISRAEL) LTD.

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20061201