GB2350704A - Security system - Google Patents

Security system Download PDF

Info

Publication number
GB2350704A
GB2350704A GB9912817A GB9912817A GB2350704A GB 2350704 A GB2350704 A GB 2350704A GB 9912817 A GB9912817 A GB 9912817A GB 9912817 A GB9912817 A GB 9912817A GB 2350704 A GB2350704 A GB 2350704A
Authority
GB
United Kingdom
Prior art keywords
changes
configuration information
security
monitoring station
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB9912817A
Other versions
GB9912817D0 (en
Inventor
Nicholas Peter Carter
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to GB9912817A priority Critical patent/GB2350704A/en
Publication of GB9912817D0 publication Critical patent/GB9912817D0/en
Priority to AU49413/00A priority patent/AU4941300A/en
Priority to PCT/GB2000/002082 priority patent/WO2000075782A1/en
Publication of GB2350704A publication Critical patent/GB2350704A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/88Detecting or preventing theft or loss
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101Auditing as a secondary aspect

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A security system keeps a record of configuration information for apparatus (e.g. computer equipment) at a monitoring station. Changes in the configuration information for the apparatus is monitored by the apparatus and the changes are transmitted to the monitoring station. This enables the monitoring station to quickly assess whether the configuration changes are indicative of a security breach and if so to take appropriate action. By deleting changes in configuration and in patterns of use, the system can audit hardware and software to detect theft, software piracy and insurance fraud.

Description

2350704 SECURITY SYSTEM The present invention generally relates to a
security system for monitoring the change of configuration of equipment indicating the possibility of a security breach. The present invention also relates to an equipment auditing system.
With the increasing prevalence of high value, high technology equipment, it has become a problem for managers to keep track of equipment. The maintenance of an audit for equipment for example owned by a company can be extremely laborious. This is particularly the case with regard to computers where it is desirable to maintain an audit of both hardware and software owned by a company. In view of the ever present problem of software piracy, it is particularly important that the company should keep an accurate software audit.
Another problem with high value, high technology equipment is the problem of theft. For example, theft of computer equipment has become a problem. Various techniques have been used to try to reduce this problem including electronically tagging computers, and providing security markings.
The problem with the security marking technique is that it only becomes useful when the computer equipment is recovered since it aids identification of the owner.
The problem with security tagging is that it adds costs since it requires complex tagging equipment.
2 It is an object of the present invention to overcome the problems with the prior art.
A first aspect of the present invention provides a method of monitoring apparatus by keeping a record of the configuration information for the apparatus remote from the apparatus. Configuration information for a number of apparatuses can be stored. Within the apparatus the configuration of the apparatus is monitored in order to determine any changes. When changes occur in the configuration of the apparatus these are transmitted to remote monitoring equipment.
The configuration information for the apparatus can provide a ', signature" unique for the hardware and the use to which the apparatus is put. Further, where the apparatus is programmable, the configuration information can give a "signature" for the software configuration of the apparatus. The configuration information can include details on the user and details on the location of the apparatus.
For security purposes, the technique can be applied by only transmitting changes within the configuration information which are pertinent to security. The designation of certain information parameters as pertinent to security will be dependent upon the apparatus and the use to which it is put.
In an embodiment of the present invention the configuration information for the apparatus is 3 automatically determined and transmitted to the remote monitoring equipment at some initial stage. in this way the reTnc',-e monitoring equipment can store a database of configuration parameters for a number of apparatuses.
Thus with the transmission of changes in configuration information for apparatus, when this changes, the remote monitoring equipment is able to keep an up to date database of configuration information for a number of apparatuses. This therefore provides an efficient automated auditing system.
In addition to the auditing system, an embodiment of the present invention provides a security aspect by requiring the user to register by submitting manually entered configuration information for the apparatus.
This can be compared with the automatically transmitted configuration information in order to identify a discrepancy. This feature of the present invention provides insurance companies for example, with a means for confirming that the insured party has correctly specified the insured equipment and thus avoids insurance fraud.
The configuration information for the apparatus can include a large number of parameters and is dependent upon the apparatus. For example, the configuration information can include information on the hardware components of the apparatus, and information on the use of the apparatus by a user. This latter information can 4 provide information on a pattern of use of the apparatus by the user. When monitoring for security breaches, a considerable change in the pattern of use of the apparatus by the user can indicate breach of security e.g. theft of a computer, because an unauthorised user will use the apparatus in quite a different way from an authorised user.
Where the apparatus comprises computer equipment, the configuration information can include information on the software loaded on the computer.
Preferably the present invention is intended to operate covertly. Thus the determination of changes in configuration information and the transmission of the changes are not apparent to a user to avoid the possibility of an unauthorised user overriding the transmission of the changes which warn of a security breach.
Apparatus which includes means of communication is able to directly communicate with the remote monitoring equipment in order to transmit the changes in configuration information. Examples of such apparatus are mobile phones, and other computer equipment equipped with a modem or network card for connection to a local area network.
Where the apparatus does not include means for transmission to the remote monitoring equipment, the apparatus includes means to output the changes in association with information or instructions which are intended for input to another apparatus. Thus, the changes are output together with instructions to cause them to be transmitted as a package attached to 5 information or instructions output from the apparatus. This package thus acts as a virus or trojan in a computer system. When an apparatus receives the package, if it has transmission means, the package is activated and transmits the changes. If the apparatus does not have a transmission means, the package is simply passed on as an output attached to information. In this way the package is propagated between computers until it is transmitted successfully to the remote monitoring equipment.
In accordance with a further aspect of the present invention there is provided an automatic audit system in which apparatus configuration information is transmitted from a plurality of apparatuses to an auditor station.
Changes in the configuration information for the apparatus are monitored by the apparatus and these changes are transmitted to the auditor station. In this way the auditor station keeps an accurate record of the configuration information for the apparatuses.
Embodiments of the present invention will now be described with reference to the accompanying drawings, in which:
6 Figure 1 is schematic diagram of a generalised embodiment of the present invention; Figure 2 is a flow diagram illustrating the operation of the embodiment of Figure 1; Figure 3 is a schematic diagram of a computer in accordance with a first embodiment to the present invention; Figure 4 is a flow diagram illustrating a first method of installing the program to implement the embodiment of Figure 3; Figure 5 is a f low diagram of another method of installing the program to implement the embodiment of Figure 3; Figure 6 is a flow diagram illustrating the operation of the embodiment illustrated in Figure 3; Figure 7 is a f low diagram illustrating in more detail the transmission step S46 of Figure 6; Figure 8 is a schematic diagram of a network embodiment of the present invention; Figure 9 is a flow diagram of the method of installing the software in the network embodiment of Figure 8; and Figure 10 is a flow diagram of the steps carried out in the implementation of the embodiment of Figure 8.
A generalised embodiment of the present invention will now be described with reference to Figures 1 and 2.
7 As can be seen in Figure 1 a number of pieces of equipment la, lb, lc and 1d are connected to a communications network 2 and thereby to remote monitoring equipment 3. The communications network 2 can comprise any means of communication to remote monitoring equipment e.g. a telecommunications network requiring direct dialling by each piece of equipment la, lb, ic and 1d to the remote monitoring equipment 3, the internet requiring each of the pieces of equipment la, lb, lc and 1d to have an internet connection, or a wireless network such as a cellular network for mobile telephones.
Each of the pieces of equipment la, lb, lc and 1d have unique configuration parameters which are dependent upon any one of a number of parameters such as hardware, software and the use to which the equipment is put by the user. The operation of the embodiment of Figure 1 will now be described with reference to the flow diagram of Figure 2. 20 In step S1 the user of the equipment la, lb, lc or ld. registers with the party operating the remote monitoring equipment 3 and submits configuration information which has been entered manually. For example, the user is required to provide details of the hardware and software provided at the equipment together with personal details.
8 In step S2 the user then loads the security program onto the user's equipment and in step S3 the security program determines the configuration information and the equipment and transmits it to the remote monitoring equipment 3. At the remote monitoring equipment 3, the submitted configuration information is compared with the transmitted configuration information to determine if there are any discrepancies in step SS. If there is a discrepancy, in step S10 the party operating the remote monitoring equipment 3 will contact the user to try to clarify why this discrepancy has arisen. Thus the facility greatly enhances the ability of an insurer to detect insurance fraud. The remote monitoring equipment 3 can be operated by an insurer and an insured party can be required to install the security program as well as submit information on the equipment that they wish to insure. Any discrepancy between information submitted and information automatically detected may indicate an attempt at insurance fraud.
Thus, the remote monitoring equipment 3 stores configuration information for each of the pieces of equipment la, lb, lc and ld thus enabling the auditing of the equipment. This has great benefits where the system illustrated in Figure 1 comprises a company computer network i.e. the communications network 2 comprises a local area network.
9 Having obtained the initial configuration information from each of the pieces of equipment la, lb, lc and ld, the security program then proceeds to monitor the equipment in step S6 and in step S7 it detects whether there are any changes. When changes occur, in step S8 the equipment transmits the changes to the remote monitoring equipment 3. In this way the remote monitoring equipment 3 is kept up to date with all configuration changes and thus maintains an up to date audit.
In a computer system. there are many reasons why the configuration parameters may change. For example, at each of the pieces of equipment la, lb, lc and ld, new software may be installed, or a user may change the hardware configuration e.g. by adding new hardware. The nature of these changes can indicate whether there has been a security breach e.g. whether there is unauthorised use of the equipment such as when the equipment has been stolen. Thus in step S9, the party operating the remote monitoring equipment 3 can consider whether the changes are significant i. e. pertinent to security. For example, the mere fact that new software has been loaded need not be an indication of a security breach. However, change of a user name, change of user personal details, or change of connection parameters may point towards a security breach and could thus lead the party operating the remote monitoring equipment 3 to contact the user in step S10.
If the changes are not considered significant in step S9, the process returns to step S6 whereby the security program continues to monitor the equipment.
A specific embodiment of the present invention will now be described with reference to Figures 3 to 7.
Figure 3 schematically illustrates a computer for use in this embodiment of the present invention. This embodiment can be implemented using a multipurpose general computer suitably programmed. The computer comprises a conventional computer bus 10 linking conventional components of the computer together i.e.
pointing device (mouse) 11, the keyboard 12, the display 13, the processor 14, the modem 15, the volatile memory 16, and the disk storage medium 17. The processor implements process steps stored as computer program modules in the disk storage medium 17. The volatile memory 16 is provided as a working memory f or use by the processor 14. The modem 15 is provided to enable transmission of configuration information to a remote monitoring station (not shown).
This embodiment of the present invention illustrates the data structure used by the Microsoft Windows 951 operating system. The Windows 95 operating system uses a data structure termed the system registry which stores configuration information required by or used by the hardware of the computer and by the software implemented on the computer. The structure of the system registry in the Windows 95 operating system is well documented in text books and will be familiar to a skilled person in the art. However, a brief overview will now be given.
The system registry comprises a data structure presented to a user of the operating system as though it was a file structure. However, the entries in the registry are not stored as a file structure. The only files which are stored permanently in the disk storage medium 17 are the system.dat and the user.dat files. The system.dat file contains configuration information for the hardware and software which is not specific to the users. The user.dat file contains configuration information which is specific to the or each user of the computer. When the computer is booted up, the permanently stored system.dat and user.dat files are copied to temporary files user.daO and system.daO. These are used as the working copies of the files whilst the computer is running. Using these files the registry data structure is provided to the user as can be seen in Figure 3. The registry is presented as a data structure having '-,Lys. The six keys of the registry are: 25 HKEY-CLASSES-ROOT HKEY-CURRENT_USER HKEY-LOCAL MACHINE 12 HKEY-USERS HKEY-CURRENT_CONFIG HKEY-DYN_DATA Mach of the keys has a number of subkeys each of which have subkeys; etc. In this way the keys are arranged as a data structure.
The HKEY_CLASSES_ROOT key contains object linking and embedding (OLE) information and information about the relationships that exist among file classes.
The HKEY_CURRENT_USER key contains a user profile of the user who is currently logged on. This information includes environment variables set by the current user and the user's personal program groups (desk top settings, network connections, printers, and application preferences).
The HKEY_LOCAL_MACHINE key contains information about the local work station currently in use, including startup control data and hardware and operating system data. The hardware information includes data about the local work stations desktops, the systems memory, and device drivers used by the system. The HKEY_LOCAL_XACHINE key is formed from the data in the user.daO file on the disk of the disk storage medium 17. The subkey classes under the subkey software of the key HKEY-LOCAL_MACHINE key is used to form the entries in the HKEY-CLASSES-ROOT key.
13 The HKEY-USERS key is currently loaded user profiles, including the one maintained in the HKEY CURRENT---USER key. The HKEY-USERS key is formed f rom data stored in the temporary system file system.daO stored on the disk storage medium 17. The HKEY_CURRENT_USER key is always a subkey of the HKEY-USERS key and is always a default profile.
The HKEY_CURRENT_CONFIG key is mapped from a specific configuration in the HKEY-LOCAL-MACHINE key.
The HKEY-DYN_DATA key stores dynamic data for the current system configuration and maintains a set of performance statistics that show how the system is running. The data for this key is never stored on the disk storage medium 17 and is only ever kept in the volatile memory 16.
The registry can be treated as a file system and is addressable as if it were a file system. The inventor of the present invention has realised that because of this it is possible not only to store information in the registry but also store program code. As can be seen in Figure 3 in this embodiment a new subkey SECURITY has been added under the HKEY-LOCAL--MACHINE key. The SECURITY subkey has itself two subkeys PROGRAM and DATA. The PROGRAM subkey stores the program code for execution by the processor 14 to implement the embodiment of the present invention. The DATA subkey stores a copy of the HKEY_LOCAL---MACHINE key data and the HKEY-USERS key data.
14 Thus the program can be addressed using "MYCOMPUTER/ HKEYLOCAL_MACHINE/SOFTWARE/CLASSES/SECURITY/PROGRAM". Because the security program is stored as a subkey in the HKEY-LOCAL_MACHINE key, it is stored in the system.dat file when the computer is shut down and it can thus be accessed using a disk address.
In the registry it is possible to hide entries. This further reduces the possibility of the security program being detected and thus circumvented by someone trying to breach security.
By installing the security program in the Registry, it is made more difficult for someone trying to circumvent the security procedure. The file is hidden. The registry is a very large and complex data structure and thus only experienced computer users would have a chance of locating the program as a key in the registry. This is of course, assuming that they are expecting to find it. Further, because it is not stored as a file, it cannot easily be deleted. For example, it is not possible simply to delete all files and reinstall windows 95. The registry files system.dat and user.dat are stored as hidden f iles on the hard disk and when Windows 95 is reinstalled, it looks for these files stored on the disk so that it can use a previous copy of the registry.
Two methods of installation of the security program will now be described with reference to Figures 4 and 5.
Figure 4 is a f low diagram of a f irst method of installation of the program. in step S20 the set up process is initiated for example, by entering a floppy disk with the initialisation program installed and typing the command "setup.exe". In step S21 the security program code is copied to the new subkey PROGRAM under the SOFTWARE subkey of the HKEY-LOCAL--- MACHINE key. In step S22 a registry entry for the program to run on bootup is then added and in step S23 the computer is rebooted. During reboot the system.dat file is updated using the temporary system file (system.daO) during the reboot operation in step S24. The computer then runs on bootup in step S25. In the method illustrated in Figure 4 the installation program is able to directly copy the security program code into the new key in the registry.
Figure 5 is a flow diagram illustrating an alternative embodiment in which the set up process does not directly copy the security program code into the registry but instead installs a program which can do so.
In step S30 the set up process is initiated and in step S31 the installation program and security program code are copied to a folder on the disk. In step S32 the installation program is run and in step S33 the security program code is copied to a new subkey PROGRAM under the SOFTWARE subkey of the HKEY-LOCAL_MACHINE key. In step S34 the registry entry for the program to run on bootup is then added and in step S35 all registry entries for 16 the installation program and the security program code in the folder are deleted together with the folder itself. The computer is then rebooted in step S36 and in step S37 the system.dat file is updated using the temporary system file (system.daO) during the reboot operation. Following the reboot operation the security program is then implemented (step S38).
Thus in this embodiment of the present invention, the security program is installed in the registry so as to run on bootup to identify changes in the configuration information for the computer.
The operation of the security program will now be described with reference to Figures 6 and 7.
When the computer undergoes bootup in step S40, in step S41 the security program determines whether the DATA subkey has a data entry. If not, the data in the LOCAL_MACHINE and USERS keys are transmitted to the remote monitoring equipment in step S49. In step S50 it is then determined whether the transmission has been successful. If not, the program can periodically retry to transmit in step S51. After a predetermined number of unsuccessful retries, the program will terminate in step S53. If in step S50 the transmission had been successful, the LOCAL_MACHINE and USERS data will be copied to the new DATA subkey in step S52 and the process will then terminate in step S53.
17 Thus, the security program will only store the data in the DATA subkey if it is sure that the remote monitoring party has successfully received the data. If it has not, the program does not store the data and the next time the computer is booted up, steps S49 to S52 will be repeated.
Thus steps S49 to S52 provide a means by which a remote monitoring party can automatically receive configuration information for the computer. This can be used for auditing purposes as well as for security monitoring.
If in step S41 there is a data entry present in the DATA subkey, in step S42 the data in the LOCAL_MACHINE and USERS keys are compared with the data in the security programs DATA subkey in the registry. In step S43 it is then determined if there is a difference. If there has been no change in configuration the security program terminates in step S43. The method by which the comparisons can take place in step S42 is by a simple text string comparison. The data can be identified by the_ key path, the name of the data (since each key can contain more than one data item) and the data content itself as:
path,Iname;data:
where the data has been deleted, the text for comparison can be given by:
path:name:
18 Thus, by simply comparing each of the data structures given above consecutively, for the data in subkeys of the HKEY-LOCAL_MACHINE and the HKEY-USERS keys, differences can be identified.
If however, there are changes, an optional step S44 can determine whether these changes are "critical". If they are not critical, the program may terminate in step S53.
The reason for the optional step S44 is to provide a means for screening out configuration changes which are not pertinent for security. In an implementation for auditing purposes, all configuration changes can be transmitted. However, for a security implementation, it may be desirable only to transmit changes which are considered to be significant. In order to set the changes which are considered to be "critical,' it is simply necessary to flag keys which are pertinent to security. The following list some of the keys for which changes could be critical.
CRITICAL CHANGES 1. Change of machine name or ID HKEY-LOCAL MACHINE\System\Currentcontroiset\control\ ComputerName\ComputerName 2. Change of internet service provider (ISP) 19 HKEY-USERS\Default\RemoteAccess\Addresses - (This gives the services (remote or ISP names)) HKEY-USERS\default\RemoteAccess\Profile\ISPName\ Terminal - (This gives the phone number) HKEY-USERS\Default\RemoteAccess\ProfileISPName\User (This gives the account name).
3. Change of network connection HKEY-LOCAL MACHINE\Network\Logon - (This gives the log on name) 4. Change of remote connections This is the same as for 2 above.
5. Dialling code and phone number changed HKEYUSERS\Default\Software\microsoft\WindowsMessaging Subsystem\Profiles\MSExchangeSettings\ d27c2lebe56f... /001e3a09 - (This gives home phone number) HKEY-USERS\Default\Software\Microsoft\WindowsMessaging Subsystem\Profiles\MSExchangeSettings\ d27c2lebe56f... /001eOcIf - (This gives home fax number) 6. Change of users HKEY-USERS - (Any user added or especially deleted after default).
SUBTLE CHANGES 1. Settings for MS Mail HKEY-LOCAL MACHINE\Software\microsoft\AtWorkFax\LocalModems\Gener al\LocalId - (This gives fax number).
2. Services for MS Mail All the subkeys under: HKEYCURRENT_USERS\Software\microsoft\WindowsMessaging Subsystem\Profiles\MSExchangeSettings 3. Changes in program use (i.e. new applications loaded or old ones deleted) All the subkeys under: HKEY-CURRENT_USERS\Software\VendorName - (i.e. Adobe, Microsoft etc.) In step S45 the changes or "critical" changes are encrypted for security purposes. The encryption technique used can comprise any conventional encryption technique such as Blowfish. In step S46 the changes are covertly or secretly transmitted to the remote monitoring party. In step S47 it is then determined whether the 21 transmission has been successful. If not, in step S54 retransmissions can be periodically retried. If there is still no successful transmission the security program can terminate in step S53.
If transmission is successful, in step S48 the data in the security program data key in the registry is updated. At the remote monitoring party, in step S55 the changes are checked to determine whether there has been a security breach. Where the changes appear significant, the remote monitoring party may take the steps of contacting the computer user to determine that there has been a security breach e.g. whether the computer has been stolen. The remote monitoring party may however have been informed that the user's circumstances have changed and that configuration changes are to be expected and therefore the remote monitoring party will not take any action and will simply update the configuration information kept for the computer.
The following gives two code fragments which can perform the step of setting the program to run once at start-up.
Code Fragment in C / load the path into the string szAppPath szAppPath=App.Path & "\\" & App. NicsApp & ".EXE11 22 / Create a key in the registry at the required location and return its address in hKey RegCreateKey(HKEY-LOCAL_MACHINE, "Software\\microsoft\\windows\\Currentversion\\Run", &hKey); / Name hKey "NicsApp" and set its value to szAppPath and length to the length of szAppPath + 1 / RegSetValueEx(hKey, "NicsApp", 0&, REG_SZ, szAppPath, strlen(szAppPath)+l)); /close and continue RegCloseKey(hKey); Code Fragment in Visual Basic Dim hKey as Long Dim strRunCmd as String 'set the path for NicsApp strRunCmd=App.Path & "\" & App.NicsApp & ".EXW 'Create a key in the registry at the required location and return its address in hKey RegCreateKey(HKEY-LOCAL_MACHINE, "Software\Microsoft\Windows\currentversion\Run", &hKey); 'Name hKey '1NicsAppl' and set its value to strRunCmd and length to the length of strRunCmd + 1 RegSetValueEx(hKey, "NicsApp", 0&, REG_SZ, ByVal strRunCmd, Len(sRunCmd)+ 1)); 23 'Close and continue RegCloseKey The steps performed by the security program in Figure 6 are implemented covertly to avoid warning any potential thief or unauthorised person that their activities have been logged. Thus, not only is the transmission of the changes undertaken covertly, but also the program operates covertly so as to be invisible to the user.
Figure 7 is a flow diagram illustrating step S46 of Figure 6 in more detail.
In step S60 it is determined during bootup whether there is a network connection or a modem present. In step S61 the type of connection is then determined if there is no connection, in step S62 the program terminates. If there is a network connection, in step S67 the changes are transmitted over the network. In step S66 the security program then deletes the connection log and removes all records of the connection and the program terminates in step S62.
If the modem is present, in step S63 it is determined whether there is an internet connection via an internet service provide (ISP). If so, in stepS65 the changes are transmitted over the internet. If not, the changes are transmitted by directly dialling the remote monitoring equipment and making a direct 24 connection in step S64. Whenever a modem is used, in order to ensure secrecy, the modem loud speaker is turned off using the command "ATDT'. Then in step S66 the connection log is deleted and all records of the connection is removed. The program then terminates in step S62.
if the connection is made via the direct dial technique in step S64, not only can the remote monitoring party receive the changes in the configuration information but also they can obtain the telephone number from which the connection was made using the caller ID facility provided by telecommunications networks. Thus, this information can be used to identify the location of the computer should this be necessary in order to trace a security breach e.g. theft of the computer.
The embodiment of the present invention described in reference to Figures 3 to 7 can be used on computers which have any type of communications link e.g. modem, ISDN terminal, or network card. When the computer is connected to a network, the server in the network can intercept the transmitted changes in order to filter them and maintain an audit of the software and hardware of the computers in the network. Such an embodiment will now be described with reference to Figures 8 to 10.
Figure 8 is a schematic diagram of a computer network in which clients 21, 22 and 23 are connected over a network 20 to a server 24 and a communications link 25.
In each of the clients the security program 21b, 22b and 23b is stored in the respective registry 21a, 22a and 23a. In the server similarly, the security program 24b is stored in the server registry 24a. The server 24 additionally includes an administration program 24c for carrying out administration duties as will be described hereinafter in more detail. The communications link 25 provides a means of communication to a remote monitoring party 26 for monitoring changes in the configuration parameters of the computers 21, 22 and 23 of the network.
Figure 9 is a flow diagram illustrating the setting up of the system. In step S70 the security program is installed on the server. In step S71 the administration program is installed on the server. In step S72 the administration program causes the deployment of the security program to the clients. In step S73 the clients install and run the security program as has been described hereinabove with reference to the first embodiment. In step S74 the server receives the configuration information from the clients and collates this to form audit information. Thus the manager operating the server is able to automatically obtain an audit of the hardware and software provided in the network. Further, as will be described hereinafter the audit information is automatically updated when changes in the configuration information is received from the 26 Ls. Thus the manager of the network has a client completely updated audit automatically provided.
Figure 10 is a flow diagram illustrating the operation of the embodiment. In step S80 when configuration changes are made at a client, in step S81 the client transmits the changes. The server receives the changes and updates the audit information. This may not be necessary if the audit information has already been changed. For example, if the manager has already been asked permission for a computer to move location, e.g. change a network address, the manager may manually enter this in the audit information and thus when the changes are received, the audit information may not require updating.
In step S83, the server is able to f ilter the changes in order to filter out any changes which are not pertinent to security. Such a decision may be based upon network parameters. For instance, changes which only indicate local movement of the computers may be filtered out since this merely indicates local mobility of the computers within the office and therefore this information need not be passed on to the remote monitoring party. In step S84 the server will then transmit any changes after filtering to the remote monitoring party.
As can be seen in this embodiment, the supervision by the server and the monitoring by the remote monitoring 27 party effectively provides two levels of monitoring.
This a I lows for decisions to be made regarding information on changes at two different levels i.e. at a local level and at a remote level.
Because the server is able to access the register of the clients, the administration program is also able to check to determine whether the audit information matches the information in the registry of the clients.
If there is a discrepancy, it indicates that the security program has not successfully transmitted the changes to the server. The manager of the network will then be able to investigate the reasons for this.
Although the embodiments described hereinabove are require a means of communication with the remote monitoring equipment, the present invention is not limited as such. In another embodiment of the present invention, if the security program is unable to transmit the changes within a time period of for example 24 to 48 hours, it will generate a program packet which includes the changes and a self executable program module much like a virus. This will be copied onto the f irst n disks loaded into the disk drive of the computer, where n is some predetermined number. When the disk with the program packet is inserted into another computer, the packet will determine whether the computer has a communications link available. If it does, the computer 28 packet will launch itself and transmit the changes to the remote monitoring party using this "host" computer. The program packet will then remove all traces of itself. If the "host" computer does not have a communications link available, the program packet will replicate onto n floppy disks inserted into the computer in order to be passed onto other computers to repeat the exercise.
The number of "generations" of this "virus" can be limited in order to limit the spread.
Although the embodiments of the present invention have been described as being implemented when the computer is booted up, the present invention is not limited to this. A computer program can run periodically and/or when the computer is booted up.
Further, although the embodiments of the present invention have been described with reference to computers, the present invention is not limited to this. The present invention is applicable to any apparatus such as mobile telephones, intelligent peripheral devices such as printers, set top boxes, cars, boats or yachts, and aeroplanes.
In the embodiments it has been described that the computer program is hidden (in the registry). This provides an added level of security but the computer program could be stored more conventionally as a file in a folder.
29 The configuration information which is monitored in the present invention can comprise any configuration information which can identify a machine, such as hardware, software, and user parameters. The user parameters particularly provide information on a pattern of use and thus provide very specific configuration information. When equipment is used without authority e.g. stolen, a user will typically enter many configuration parameters which will identify the user.
These will be transmitted to the remote monitoring party enabling a rapid identification of the unauthorised user.
Although the present invention has been described hereinabove, with reference to specific embodiments, it will be apparent for the skilled person in the art that modifications may be made without departing from the spirit and scope of the present invention.

Claims (1)

  1. CLAIMS:
    1. A security method for apparatus having storage means for storing configuration information for the apparatus, the method comprising:
    keeping a record of configuration information for said apparatus at a monitoring station; monitoring, by said apparatus, changes in said configuration information for said apparatus; and transmitting the changes in said configuration information to said monitoring station.
    2. A security method according to claim 1, including the step of determining if any said changes in said configuration information are pertinent to security, wherein the transmission step transmits only the pertinent changes.
    3. A security method according to claim 1 or claim 2, including initial steps of registration by a user of said apparatus with said monitoring station by submitting manually entered configuration information for said apparatus, automatically transmitting said configuration information to said monitoring station, and comparing the manual'.,- submitted configuration information with the transmitted configuration information.
    31 4. A security method according to any preceding claim, wherein said configuration information includes information on hardware components of said apparatus.
    5. A security method according to any preceding claim, wherein said configuration information includes information on the use of said apparatus by a user.
    6. A security method according to any preceding claim, wherein said apparatus includes processing means, and said configuration information includes information on programs implemented by said processing means.
    7. A security method according to any preceding claim including the step of updating the stored configuration information following transmission of the changes.
    8. A security method according to any preceding claim, including performing a security check for said apparatus and updating the kept record of configuration information for said apparatus if said security check reveals no security breach.
    9. A security method according to any preceding claim, wherein the changes in said configuration information are transmitted covertly.
    32 10. A security method according to any preceding claim, wherein said apparatus includes transmission means which transmits the changes in said configuration information to said monitoring station.
    11. A security method according to any one of claims 1 to 9, wherein said apparatus covertly outputs said changes in said configuration information in association with information or instructions intended for input to another apparatus, if the other apparatus has means for transmission to said monitoring station the changes are thereby transmitted, and if not the changes are output in association with information or instructions intended for another apparatus, and the latter step is repeated.
    12. A security method according to claim 11, wherein said apparatus and said another apparatus covertly output said changes on a storage medium in association with a file.
    13. A security method according to claim 12, wherein said apparatus and said another apparatus comprise computers and said changes are attached to said file as executable code for causing said transmission.
    33 14. A security method according to any preceding claim wherein said monitoring and transmission steps take place periodically and/or when said apparatus is initialised.
    15. A security method according to any preceding claim, wherein said apparatus includes processing means for implementing programs and said monitoring step is implemented by said apparatus when said processing means implements a program module covertly stored in said apparatus.
    16. A security method according to any preceding claim, including the step of encrypting the changes before transmission and decrypting the received encrypted changes at said monitoring station.
    17. Apparatus for use in the method of any one of claims 1 to 9 comprising: processing means for determining configuration information for said apparatus; storage means for storing said configuration information; wherein said processing means is adapted to compare current configuration information with the stored configuration information and to determine any changes; 34 the apparatus including means responsive to said processing means for outputting said changes for transmission to a monitoring station.
    18. Apparatus according to claim 17, wherein said processing means is adapted to determine any changes, if any, which are pertinent to security and said output means is adapted to output only the pertinent changes.
    19. Apparatus according to claim 17 or claim 18, wherein said processing means is adapted to control said output means to initially output said configuration information for transmission to said monitoring station. 15 20. Apparatus according to any one of claims 17 to 19, wherein said storage means is adapted to store configuration information including information on hardware components of said apparatus. 20 21. Apparatus according to any one of claims 17 to 20, wherein said storage means is adapted to store configuration information including information on the use of said apparatus by a user. 25 22. Apparatus according to any one of claims, 17 to 21, wherein said storage means is adapted to store configuration information which includes information on programs implemented by said processing means.
    23. Apparatus according to any one of claims 17 to 22, wherein said processing means is adapted to update the stored configuration information following output of the changes.
    24. Apparatus according to any one of claims 17 to 23, wherein said outputting means is adapted to transmit said changes to said monitoring station.
    25. Apparatus according to any one of claims 17 to 23, wherein said outputting means is adapted to output said changes together with instructions for their transmission to said monitoring station as a packet in association with information or instructions intended for input to another apparatus, whereby if said another apparatus has means for transmission to said monitoring station the changes are thereby transmitted, if not the packet is output in association with information or instructions intended for another apparatus, and so on until transmission occurs.
    26. Apparatus according to claim 25, wherein said outputting means is adapted to output said packet covertly in association with a file.
    36 27. Apparatus according to claim 26, comprising a computer, wherein said outputting means is adapted to attach said packet as executable code to said file.
    28. Apparatus according to any one of claims 17 to 27, wherein said outputting means is adapted to output said changes so as to ensure that said changes are covertly transmitted to said monitoring station. 10 29. Apparatus according to any one of claims 17 to 28, wherein said processing means is adapted to determine the changes and to control said outputting means to output periodically and/or when said apparatus is initialised. 15 30. Apparatus according to any one of claims 17 to 29, wherein said storage means is adapted to covertly store a program module for the control of said processing means, and said processing means is adapted to implement said program module to determine the changes and to control said outputting means.
    31. Apparatus according to any one of claims 17 to 30, including means for encrypting the changes before being output by said output means.
    37 32. A storage medium storing instructions for controlling a processing apparatus to be configured in accordance with any one of claims 17 to 31.
    33. Processor implementable instructions for controlling a processing apparatus to be configured in accordance with any one of claims 17 to 31.
    34. A monitoring station for use in the method of any one of claims 1 to 16, including storage means for storing a record of configuration information for one or more remote apparatus, means for receiving said changes in said configuration information, and means for processing said changes.
    35. A monitoring station according to claim 34, including means for decrypting said changes received in encrypted form.
    36. A monitoring station according to claim 34 or claim 35, including means for initially receiving and storing said configuration information.
    37. A ilonitoring station according to claim 36, including means for inputting configuration information submitted by a user of a said apparatus, and means for comparing the submitted configuration information with 38 the stored configuration information to detect any discrepancies.
    38. A storage medium storing instructions for controlling a processing apparatus to be configured in accordance with any one of claims 34 to 37.
    39. Processor implementable instructions for controlling a processing apparatus to be configured in accordance with any one of claims 34 to 37.
    40. An automatic audit method comprising: transmitting apparatus configuration information from apparatus to an auditor station; monitoring, by the apparatus, changes in said configuration information for said apparatus; and transmitting said changes to said auditor station.
    41. A security method substantially as hereinbefore described with reference to any of the accompanying drawings.
    42. Security apparatus substantially as hereinbefore described with reference to any of the accompanying drawings.
GB9912817A 1999-06-02 1999-06-02 Security system Withdrawn GB2350704A (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
GB9912817A GB2350704A (en) 1999-06-02 1999-06-02 Security system
AU49413/00A AU4941300A (en) 1999-06-02 2000-05-31 Security system
PCT/GB2000/002082 WO2000075782A1 (en) 1999-06-02 2000-05-31 Security system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB9912817A GB2350704A (en) 1999-06-02 1999-06-02 Security system

Publications (2)

Publication Number Publication Date
GB9912817D0 GB9912817D0 (en) 1999-08-04
GB2350704A true GB2350704A (en) 2000-12-06

Family

ID=10854611

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9912817A Withdrawn GB2350704A (en) 1999-06-02 1999-06-02 Security system

Country Status (3)

Country Link
AU (1) AU4941300A (en)
GB (1) GB2350704A (en)
WO (1) WO2000075782A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003021402A2 (en) * 2001-09-05 2003-03-13 Cryptic Software Limited Network security
EP1338939A1 (en) * 2002-02-22 2003-08-27 Hewlett-Packard Company State validation device for a computer
EP1475978A1 (en) * 2003-05-07 2004-11-10 M-Stack Limited Apparatus and method of handling simultaneous UTRAN radio resource control procedures which change the security configuration in a UMTS user equipment
WO2004100583A1 (en) * 2003-05-07 2004-11-18 M-Stack Limited Apparatus and method of handling simultaneous utran radio resource control procedures
US7212805B2 (en) 2003-05-07 2007-05-01 M-Stack Limited Apparatus and method of handling simultaneous universal terrestrial radio access network radio resource control procedures which change the security configuration in a universal mobile telecommunications system user equipment
WO2007076850A2 (en) * 2005-12-31 2007-07-12 Rwth Aachen Method and device for protecting a constantly changing data configuration
CN100461909C (en) * 2003-05-07 2009-02-11 M斯太科有限公司 Apparatus and method of handling simultaneous utran radio resource control procedures

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001077833A2 (en) * 2000-04-06 2001-10-18 Granite Technologies, Inc. System and method for real time monitoring and control of networked computers
US20060242277A1 (en) 2005-03-31 2006-10-26 Tripwire, Inc. Automated change approval

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2233485A (en) * 1989-06-23 1991-01-09 James Moore Equipment anti-theft monitor
GB2262372A (en) * 1991-12-03 1993-06-16 Bache Hugh Robert Ian Security system for electrical and electronic equipment
GB2268818A (en) * 1992-06-09 1994-01-19 Hartbrook Properties Limited Property protection system
WO1996003728A1 (en) * 1994-07-21 1996-02-08 Baljit Singh Kang Enhancing security of electrical appliances
US5557742A (en) * 1994-03-07 1996-09-17 Haystack Labs, Inc. Method and system for detecting intrusion into and misuse of a data processing system
WO1998025243A1 (en) * 1996-11-30 1998-06-11 Watkins, Daryl, Joclyn Improvements relating to security systems
EP0852367A2 (en) * 1997-01-04 1998-07-08 Siemens Measurements Limited Security system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0644242B2 (en) * 1988-03-17 1994-06-08 インターナショナル・ビジネス・マシーンズ・コーポレーション How to solve problems in computer systems

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2233485A (en) * 1989-06-23 1991-01-09 James Moore Equipment anti-theft monitor
GB2262372A (en) * 1991-12-03 1993-06-16 Bache Hugh Robert Ian Security system for electrical and electronic equipment
GB2268818A (en) * 1992-06-09 1994-01-19 Hartbrook Properties Limited Property protection system
US5557742A (en) * 1994-03-07 1996-09-17 Haystack Labs, Inc. Method and system for detecting intrusion into and misuse of a data processing system
WO1996003728A1 (en) * 1994-07-21 1996-02-08 Baljit Singh Kang Enhancing security of electrical appliances
WO1998025243A1 (en) * 1996-11-30 1998-06-11 Watkins, Daryl, Joclyn Improvements relating to security systems
EP0852367A2 (en) * 1997-01-04 1998-07-08 Siemens Measurements Limited Security system

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003021402A2 (en) * 2001-09-05 2003-03-13 Cryptic Software Limited Network security
WO2003021402A3 (en) * 2001-09-05 2004-08-19 Cryptic Software Ltd Network security
EP1338939A1 (en) * 2002-02-22 2003-08-27 Hewlett-Packard Company State validation device for a computer
EP1475978A1 (en) * 2003-05-07 2004-11-10 M-Stack Limited Apparatus and method of handling simultaneous UTRAN radio resource control procedures which change the security configuration in a UMTS user equipment
WO2004100583A1 (en) * 2003-05-07 2004-11-18 M-Stack Limited Apparatus and method of handling simultaneous utran radio resource control procedures
US7212805B2 (en) 2003-05-07 2007-05-01 M-Stack Limited Apparatus and method of handling simultaneous universal terrestrial radio access network radio resource control procedures which change the security configuration in a universal mobile telecommunications system user equipment
CN100461909C (en) * 2003-05-07 2009-02-11 M斯太科有限公司 Apparatus and method of handling simultaneous utran radio resource control procedures
US8811943B2 (en) 2003-05-07 2014-08-19 Blackberry Limited Apparatus and method of handling simultaneous universal terrestrial radio access network radio resource control procedures which change the security configuration in a universal mobile telecommunications system user equipment
WO2007076850A2 (en) * 2005-12-31 2007-07-12 Rwth Aachen Method and device for protecting a constantly changing data configuration
WO2007076850A3 (en) * 2005-12-31 2007-11-22 Rwth Aachen Method and device for protecting a constantly changing data configuration

Also Published As

Publication number Publication date
GB9912817D0 (en) 1999-08-04
WO2000075782A1 (en) 2000-12-14
AU4941300A (en) 2000-12-28

Similar Documents

Publication Publication Date Title
US10474841B2 (en) System and method of owner application control of electronic devices
EP3028489B1 (en) Centralized selective application approval for mobile devices
JP4959282B2 (en) Application operation control system and application operation control method
US7657927B2 (en) Behavior-based host-based intrusion prevention system
EP1479187B2 (en) Controlling access levels in phones by certificates
US7669237B2 (en) Enterprise-wide security system for computer devices
JP5475743B2 (en) Persistence service provider
EP2733656A1 (en) System and method for enforcing a security policy on mobile devices using dynamically generated security profiles
JP5508502B2 (en) Persistent service agent
JP4524288B2 (en) Quarantine system
US20050091542A1 (en) Automated computer vulnerability resolution system
CN103413083B (en) Unit security protection system
CN101483658B (en) System and method for input content protection of browser
US20070079364A1 (en) Directory-secured packages for authentication of software installation
US20110252468A1 (en) Method and system for protecting a computer againts malicious software
GB2350704A (en) Security system
US20090172778A1 (en) Rule-based security system and method
GB2425193A (en) Method for updating the software in a processor unit
Cisco Configuring Host IDS
Cisco Cisco Intrusion Detection System Host Sensor Quick Start
KR20100027558A (en) System and method using website by permission control and recording medium
Poole III The End Users Security Primer
JPH11154086A (en) Network installing method
KR20050074816A (en) The method of operation real time automatic recovery system
CN104966008A (en) Management method and apparatus for authentication data

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)