In a computer system, a first electronic data processor is communicatively coupled to a first memory space and a second memory space. A second electronic data processor is communicatively coupled the second memory space and to a network interface device. The second electronic data processor is capable of exchanging data across a network of one or more computers via the network interface device. A video processor is adapted to combine video data from the first and second electronic data processors and transmit the combined video data to a display terminal for displaying the combined video data in a windowed format. The computer system is configured such that a malware program downloaded from the network and executing on the second electronic data processor is incapable of initiating access to the first memory space.
|
0. 36. A method of operating a portable computer based system employing a common operating system and configured with a first memory space and a second protected memory space and at least one electronic data processor, comprising:
storing at least one system file within the first memory space;
downloading website content potentially containing malware from a network of one or more computers using a secure web browser process, wherein the secure web browser process is configured to execute on the at least one electronic data processor, and comprises a first web browser process and at least one second protected web browser process, the first web browser process and the at least one second protected web browser process being configured to access the website content via the network of one or more computers;
executing instructions in the first web browser process, wherein the first web browser process is configured to access data contained in the first memory space and to initialize the at least one second protected web browser process;
passing data from the first web browser process to the at least one second protected web browser process;
executing instructions in the at least one second protected web browser process, wherein the at least one second protected web browser process is configured to access data contained in the second protected memory space and to execute instructions from the downloaded website content, wherein the downloaded website content is capable of accessing the second protected memory space but is denied access to the first memory space;
displaying digital content generated by the secure web browser process;
wherein the secure web browser process is configured such that the at least one system file residing on the first memory space is protected from corruption by website content potentially containing malware downloaded from the network and executing as part of the at least one second protected web browser process.
0. 21. A method of generating data for display of website content on a portable computer employing a common operating system in a secure manner, comprising:
distributing website content, via a network of one or more computers, to the portable computer capable of executing a secure web browser process, wherein the website content potentially contains malware;
wherein the secure web browser process is capable of executing on at least one electronic data processor and comprises a first web browser process and at least one second protected web browser process, the first web browser process and the at least one second protected web browser process being configured to access the website content via the network of one or more computers, the at least one electronic data processor capable of being communicatively coupled to a first memory space and to a second protected memory space, the first memory space having at least one system file, the secure web browser process configured for:
executing instructions in the first web browser process, wherein the first web browser process is configured to access data contained in the first memory space and to initialize the at least one second protected web browser process;
passing data from the first web browser process to the at least one second protected web browser process;
executing instructions in the at least one second protected web browser process, wherein the at least one second protected web browser process is configured to access data contained in the second protected memory space but is denied access to the first memory space;
generating data for display of the distributed website content potentially containing malware;
wherein the secure web browser process is configured such that the at least one system file residing on the first memory space is protected from corruption by the website content potentially containing malware executing in the at least one second protected web browser process.
0. 53. A portable computer based system employing a common operating system for protecting critical files from malicious software attacks via a network of one or more computers, comprising:
a first web browser process capable of executing instructions using at least one electronic data processor and further capable of accessing a first memory space, wherein the first memory space contains at least one critical file; and
at least one second protected web browser process capable of executing instructions using the at least one electronic data processor and further capable of accessing a second protected memory space;
the first web browser process configured to:
accept data entry from a computer user;
execute instructions to access website content from the network of one or more computers;
initialize the at least one second protected web browser process; and
pass data to the at least one second protected web browser process;
the at least one second protected web browser process configured to:
execute instructions for the display of the website content downloaded from the network of one or more computers, wherein the instructions for the display of the website content potentially contain malware;
access data contained in the second protected memory space, wherein the instructions potentially containing malware are capable of accessing the second protected memory space but are denied access to the first memory space; and
generate data for display of website content downloaded from the network of one or more computers;
wherein the portable computer based system is configured such that the at least one critical file residing on the first memory space is protected from corruption by the instructions for the display of website content potentially containing malware downloaded from the network and executing as part of the at least one second protected web browser process;
wherein the portable computer based system is configured such that the at least one second protected web browser process is initialized from clean system files.
0. 1. A method of operating a computer system having at least a first and second electronic data processor capable of executing instructions using a common operating system, comprising the steps of:
executing instructions in a first logical process within the common operating system using the first electronic data processor, wherein the first logical process is capable of accessing data contained in a first memory space and a second memory space;
executing instructions in a second logical process within the common operating system using the second electronic data processor, wherein the second logical process is capable of accessing data contained in the second memory space, the second logical process being further capable of exchanging data across a network of one or more computers;
displaying, in a windowed format on a display terminal, data from the first logical process and the second logical process, wherein a video processor is adapted to combine data from the first and second logical processes and transmit the combined data to the display terminal;
wherein the computer system is configured such that the second electronic data processor is operating in a protected mode and data residing on the first memory space is protected from corruption by a malware process downloaded from the network and executing as part of the second logical process.
0. 2. The method of
0. 3. The method of
0. 4. The method of
0. 5. The method of
0. 6. The method of
0. 7. The method of
0. 8. The method of
encrypting data with the first logical process;
transferring the encrypted data from the first logical process to the second logical process;
transferring the encrypted data from the second logical process to the network interface device.
0. 9. The method of
decrypting the data with the network interface device;
transferring the decrypted data from the network interface device to the network.
0. 10. A multi-processor computer system using a common operating system, comprising:
a first electronic data processor capable of executing instructions using the common operating system and communicatively coupled to a first memory space and a second memory space;
a second electronic data processor capable of executing instructions using the common operating system and communicatively coupled to the second memory space and to a network interface device, wherein the second electronic data processor is capable of exchanging data across a network of one or more computers via the network interface device;
a video processor adapted to combine video data from the first and second electronic data processors and transmit the combined video data to a display terminal for displaying the combined video data in a windowed format;
wherein the computer system is configured such that the second electronic data processor is operating in a protected mode and data residing on the first memory space is protected from corruption by a malware process downloaded from the network and executing on the second electronic data processor.
0. 11. The computer system of
0. 12. The computer system of
0. 13. The computer system of
0. 14. The computer system of
0. 15. A multi-processor computer system using a common operating system, comprising:
at least a first and second electronic data processor capable of executing instructions using the common operating system;
at least a first and second memory space;
a video processor;
wherein the first and second electronic data processors, first and second memory space, and video processor are configured for performing the steps of:
executing instructions in a first logical process with the first electronic data processor, wherein the first logical process is executing within the common operating system and is capable of accessing data contained in the first memory space and the second memory space;
executing instructions in a second logical process with the second electronic data processor, wherein the second logical process is executing within the common operating system and is capable of accessing data contained in the second memory space, the second logical process being further capable of exchanging data across a network of one or more computers;
displaying, in a windowed format on a display terminal, data from the first logical process and the second logical process, wherein the video processor is adapted to combine data from the first and second logical processes and transmit the combined data to the display terminal;
wherein the computer system is configured such that the second electronic data processor is operating in a protected mode and data residing on the first memory space is protected from corruption by a malware process downloaded from the network and executing as part of the second logical process.
0. 16. The computer system of
0. 17. The computer system of
0. 18. The computer system of
0. 19. The computer system of
0. 20. The computer system of
0. 22. The method of claim 21 wherein the first web browser process is configured to directly exchange data with a network interface device and with the at least one second protected web browser process.
0. 23. The method of claim 22 wherein the first web browser process is configured to pass website content downloaded from the network to the at least one second protected web browser process.
0. 24. The method of claim 21 wherein the at least one second protected web browser process is configured to directly exchange data with a network interface device and with the first web browser process.
0. 25. The method of claim 21 wherein the website content potentially containing malware comprises internet advertising.
0. 26. The method of claim 25 wherein the internet advertising contains digital content selected from the group consisting of:
graphical content;
multimedia content; and
video content.
0. 27. The method of claim 21 further comprising:
closing the at least one second protected web browser process; and
upon closing the at least one second protected web browser process, automatically deleting at least one file selected from the group consisting of:
a temporary internet file;
a cookie; and
a file corrupted by malware.
0. 28. The method of claim 21 further comprising the first web browser process initializing a plurality of second protected web browser processes, wherein each of the plurality of second protected web browser processes comprises a separate second protected memory space, and each of the plurality of second protected web browser processes are disallowed from initiating access to another one of the plurality of second protected web browser processes.
0. 29. The method of claim 21 wherein the at least one second protected web browser process is initialized from clean system files.
0. 30. The method of claim 21 further comprising:
executing instructions from the first web browser process on a first core of a multi-core processor; and
executing instructions from the at least one second protected web browser process on a second core of the multi-core processor.
0. 31. The method of claim 21 wherein the data for display of the distributed website content potentially containing malware is rendered using a video processor.
0. 32. The method of claim 21 wherein at least one file corrupted by a malware process is capable of being restored from a protected image.
0. 33. The method of claim 32 wherein the protected image is stored at a location selected from the group consisting of:
a removable drive;
the first memory space; and
a partition on a memory device.
0. 34. The method of claim 21 wherein the at least one second protected web browser process is capable of running a process selected from the group consisting of:
an electronic mail process;
an instant messaging process;
a gaming process; and
a reader application process.
0. 35. The method of claim 21 wherein the portable computer comprises an intelligent cellular telephone with a built-in secure web browser.
0. 37. The method of claim 36 wherein the first web browser process is configured to directly exchange data with a network interface device and with the at least one second protected web browser process.
0. 38. The method of claim 37 wherein the first web browser process is configured to pass website content downloaded from the network to the at least one second protected web browser process.
0. 39. The method of claim 36 wherein the at least one second protected web browser process is configured to directly exchange data with a network interface device and with the first web browser process.
0. 40. The method of claim 36 wherein the website content potentially containing malware comprises internet advertising.
0. 41. The method of claim 40 wherein the internet advertising contains digital content selected from the group consisting of:
graphical content;
multimedia content; and
video content.
0. 42. The method of claim 40 wherein the internet advertising is downloaded from a search engine website.
0. 43. The method of claim 36 further comprising:
closing the at least one second protected web browser process;
upon closing the at least one second protected web browser process, automatically deleting at least one file selected from the group consisting of:
a temporary internet file;
a cookie; and
a file corrupted by malware.
0. 44. The method of claim 36 further comprising blocking attempts by malware to record data entry by a computer user.
0. 45. The method of claim 36 further comprising the first web browser process opening a plurality of second protected web browser processes, wherein each of the plurality of second protected web browser processes comprises a separate second protected memory space, and each of the plurality of second protected web browser processes are disallowed from initiating access to another one of the plurality of second protected web browser processes.
0. 46. The method of claim 36 wherein the at least one second protected web browser process is initialized from clean system files.
0. 47. The method of claim 36 wherein the at least one second protected web browser process is capable of accessing the first memory space only with the permission of a computer user.
0. 48. The method of claim 36 wherein at least one user file residing on the first memory space is protected from being read by a malware process downloaded from the network and executing as part of the at least one second protected web browser process.
0. 49. The method of claim 36 further comprising:
executing instructions from the first web browser process on a first core of a multi-core processor; and
executing instructions from the at least one second protected web browser process on a second core of the multi-core processor.
0. 50. The method of claim 36 wherein the digital content is rendered using a video processor.
0. 51. The method of claim 36 wherein the at least one second protected web browser process is capable of running a process selected from the group consisting of:
an electronic mail process;
an instant messaging process;
a gaming process; and
a reader application process.
0. 52. The method of claim 36 wherein the portable computer based system comprises an intelligent cellular telephone with a built-in secure web browser.
0. 54. The portable computer based system of claim 53 wherein the first web browser process is configured to directly exchange data with a network interface device and with the at least one second protected web browser process.
0. 55. The portable computer based system of claim 54 wherein the first web browser process is configured to pass website content downloaded from the network to the at least one second protected web browser process.
0. 56. The portable computer based system of claim 53 wherein the at least one second protected web browser process is configured to directly exchange data with a network interface device and with the first web browser process.
0. 57. The portable computer based system of claim 53 wherein the instructions for the display of website content potentially containing malware comprise internet advertising.
0. 58. The portable computer based system of claim 57 wherein the internet advertising contains digital content selected from the group consisting of:
graphical content;
multimedia content; and
video content.
0. 59. The portable computer of claim 57 wherein the internet advertising is downloaded from a search engine website.
0. 60. The portable computer based system of claim 53 wherein the data for display of website content is rendered using a video processor.
0. 61. The portable computer based system of claim 53 further comprising:
closing the at least one second protected web browser process;
upon closing the at least one second protected web browser process, automatically deleting at least one file selected from the group consisting of:
a temporary internet file;
a cookie; and
a file corrupted by malware.
0. 62. The portable computer based system of claim 53 further comprising the first web browser process opening a plurality of second protected web browser processes, wherein each of the plurality of second protected web browser processes comprises a separate protected memory space, and each of the plurality of second protected web browser processes are disallowed from initiating access to another one of the plurality of second protected web browser processes.
0. 63. The portable computer based system of claim 53 further comprising:
executing instructions from the first web browser process on a first core of a multi-core processor; and
executing instructions from the at least one second protected web browser process on a second core of the multi-core processor.
0. 64. The portable computer based system of claim 53 wherein the at least one second protected web browser process is automatically reinitialized from clean system files following a malware infection.
0. 65. The portable computer based system of claim 53 further comprising an intelligent cellular telephone with a built-in secure web browser.
|
This application is a reissue application of U.S. Pat. No. 7,484,247, entitled “System and Method for Protecting a Computer System from Malicious Software,” issued on Jan. 27, 2009, and is related to reissue applications designated U.S. patent application Ser. No. 12/720,147 from U.S. Pat. No. 7,484,247, and U.S. patent application Ser. No. 12/720,207 from U.S. Pat. No. 7,484,247, both filed on Mar. 9, 2010, and is also related to reissue application designated U.S. patent application Ser. No. 12/854,149 (now, U.S. Pat. No. Re. 43,103) from U.S. Pat. No. 7,484,247, filed on Aug. 10, 2010 and a continuation application therefrom designated U.S. patent application Ser. No. 13/015,186, filed on Jan. 27, 2011. All of the above reissue applications are incorporated herein by reference.
The present invention relates generally to computer hardware and software, and more particularly to a system and method for protecting a computer system from malicious software.
This application is related to the following U.S. patents and applications:
U.S. patent or
PUB Application
Number
Title
Inventor(s)
5,826,013
Polymorphic virus detection module.
Nachenberg
5,978,917
Detection and elimination of macro
Chi
viruses.
6,735,700
Fast virus scanning using session
Flint, et al
stamping.
6,663,000
Validating components of a malware
Muttik, et al.
scanner.
6,553,377
System and process for maintaining a
Eschelbeck,
plurality of remote security applications
et al.
using a modular framework in a
distributed computing environment.
6,216,112
Method for software distribution and
Fuller, et al.
compensation with replenishable
advertisements.
4,890,098
Flexible window management on a
Dawes, et al.
computer display.
5,555,364
Windowed computer display.
Goldstein
5,666,030
Multiple window generation in
Parson
computer display.
5,995,103
Window grouping mechanism for
Ashe
creating, manipulating and displaying
windows and window groups on a
display screen of a computer system.
5,502,808
Video graphics display system with
Goddard, et al.
adapter for display management based
upon plural memory sources.
5,280,579
Memory mapped interface between host
Nye
computer and graphics system.
5,918,039
Method and apparatus for display
Buswell, et al
of windowing application programs
on a terminal.
6,480,198
Multi-function controller and method
Kang
for a computer graphics display system.
6,167,522
Method and apparatus for providing
Lee, et al.
security for servers executing
application programs received via a
network
6,199,181
Method and system for maintaining
Rechef, et al.
restricted operating environments for
application programs or operating
systems.
6,275,938
Security enhancement for untrusted
Bond, et al.
executable code.
6,321,337
Method and system for protecting
Reshef, et al.
operations of trusted internal networks.
6,351,816
System and method for securing a
Mueller, et al.
program's execution in a network
environment.
6,546,554
Browser-independent and automatic
Schmidt, et al.
apparatus and method for receiving,
installing and launching applications
from a browser on a client computer.
6,658,573
Protecting resources in a distributed
Bischof, et al
computer system.
6,507,904
Executing isolated mode instructions in
Ellison, et al.
a secure system running in privilege
rings.
6,633,963
Controlling access to multiple memory
Ellison, et al.
zones in an isolated execution
environment.
6,678,825
Controlling access to multiple isolated
Ellison, et al.
memories in an isolated execution
environment.
5,751,979
Video hardware for protected,
McCrory
multiprocessing systems.
6,581,162
Method for securely creating, storing
Angelo, et al.
and using encryption keys in a computer
system.
6,134,661
Computer network security device
Topp
and method.
6,578,140
Personal computer having a master
Policard
computer system and in internet
computer system and monitoring a
condition of said master and internet
computer systems
PUB
E-mail software and method and system
Jacobs, Paul
Application #
for distributing advertisements to client
E., et al.
20040054588
devices that have such e-mail software
installed thereon.
PUB
System and method for comprehensive
Mayer, Yaron;
Application #
general generic protection for computers
et al.
20040034794
against malicious programs that may
steal information and/or cause damages
PUB
System and method for providing
Skrepetos,
Application #
security to a remote computer over a
Nicholas C.
20040006715
network browser interface.
PUB
Virus protection in an internet
Samman, Ben
Application #
environment.
20030177397
PUB
System and method for protecting
Pham, Khai; et
Application #
computer users from web sites hosting
al.
20030097591
computer viruses.
PUB
Malware infection suppression.
Hinchliffe,
Application #
Alexander
20030023857
James; et al.
PUB
Access control for computers.
Riordan,
Application #
James
20020066016
PUB
Detecting malicious alteration of stored
Wolff, Daniel
Application #
computer files.
Joseph; et al.
20020174349
The above-listed U.S. Patents and U.S. patent applications are incorporated by reference as if reproduced herein in their entirety.
The very popular and ubiquitous rise of the ‘personal’ computer system as an essential business tool and home appliance, together with the exponential growth of the Internet as a means of providing information flows across a wide variety of connected computing devices, has changed the way people live and work. Information in the form of data files and executable software programs regularly flows across the planetary wide system of interconnected computers and data storage devices.
Popular and ubiquitous computer hardware and software architectures have typically been designed to allow for open interconnection via, for example, the internet, a VPN, a LAN, or a WAN, with information often capable of being freely shared between the interconnected computers. This open interconnection architecture has contributed to the adoption and mainstream usage of these computers and the subsequent interconnection of vast networks of computers. This easy to use system has given rise to the explosive popularity of applications such as email, internet browsing, search engines, interactive gaming, instant messaging, and many, many more.
Although there are definite benefits to this open interconnection architecture, a lack of security against unwanted incursions into the computers main processing and non-volatile memory space has emerged as a significant problem. An aspect of some current computer architectures that has contributed to the security problem is that by default programs are typically allowed to interact with and/or alter other programs and data files, including critical operating system files, such as the windows registry, for example. Current open interconnection architectures have opened the door to a new class of unwanted malicious software generally known a malware. This malware is capable of infiltrating any computer system which is connected to a network of interconnected computer systems. Malware is comprised of, but not limited to, classes of software files known as viruses, worms, Trojan horses, browser hijackers, adware, spyware, pop-up windows, data miners, etc. Such malware attacks are capable of stealing data by sending user keystrokes or information stored on a user's computer back to a host, changing data or destroying data on personal computers and/or servers and/or other computerized devices, especially through the Internet. In the least, these items represent a nuisance that interferes with the smooth operation of the computer system, and in the extreme, can lead to the unauthorized disclosure of confidential information stored on the computer system, significant degradation of computer system performance, or the complete collapse of computer system function.
Malware has recently become much more sophisticated and much more difficult for users to deal with. Once resident on a computer system, many malware programs are designed to protect themselves from deletion. For example, some malware programs comprise a pair of programs running simultaneously, with each program monitoring the other for deletion. If one of the pair of programs is deleted, the other program installs a replacement within milliseconds. In another example, some malware will run as a Windows program with a .dlls extension, which Windows may not allow a user to delete while it is executing. Malware may also reset a user's browser home page, change browser settings, or hijack search requests and direct such requests to another page or search engine. Further, the malware is often designed to defeat the user's attempts to reset the browser settings to their original values. In another example, some malware programs secretly record user input commands (such as keystrokes), then send the information back to a host computer. This type of malware is capable of stealing important user information, such as passwords, credit account numbers, etc.
Many existing computers rely on a special set of instructions which define an operating system (O/S) in order to provide an interface for computer programs and computer components such as the computer's memory and central processing unit (CPU). Many current operating systems have a multi-tasking capability which allows multiple computer programs to run simultaneously, with each program not having to wait for termination of another in order to execute instructions. Multi-tasking O/S's allow programs to execute simultaneously by allowing programs to share resources with other programs. For example, an operating system running multiple programs executing at the same time allows the programs to share the computer's CPU time. Programs which run on the same system, even if not simultaneously with other programs, share space on the same nonvolatile memory storage medium. Programs which are executing simultaneously are presently able to place binaries and data in the same physical memory at the same time, limited to a certain degree by the O/S restrictions and policy, to the extent that these are properly implemented. Memory segments are shared by programs being serviced by the O/S, in the same manner. O/S resources, such as threads, process tables and memory segments, are shared by programs executing simultaneously as well.
While allowing programs to share resources has many benefits, there are resulting security related ramifications, particularly regarding malware programs. Security problems include allowing the malware program: to capitalize CPU time, leaving other programs with little or no CPU time; to read, forge, write, delete or otherwise corrupt files created by other programs; to read, forge, write, delete or otherwise corrupt executable files of other programs, including the O/S itself; and to read and write memory locations used by other programs to thus corrupt execution of those programs.
In the case of a computer connected to the Internet, the computer may run an O/S, with several user applications, together comprising a known and trusted set of programs, concurrently with an Internet browser, possibly requiring the execution of downloaded code, such as Java applets, or EXE/COM executables, with the latter programs possibly containing malware. Many security features and products are being built by software manufacturers and by O/S programmers to prevent malware infiltrations from taking place, and to ensure the correct level of isolation between programs. Among these are architectural solutions such as rings-of-protection in which different trust levels are assigned to memory portions and tasks, paging which includes mapping of logical memory into physical portions or pages, allowing different tasks to have different mapping, with the pages having different trust levels, and segmentation which involves mapping logical memory into logical portions or segments, each segment having its own trust level wherein each task may reference a different set of segments. Since the sharing capabilities using traditional operating systems are extensive, so are the security features. However, the more complex the security mechanism is, the more options a malware practitioner has to bypass the security and to hack or corrupt other programs or the O/S itself, sometimes using these very features that allow sharing and communication between programs to do so.
Further, regarding malware programs, for virtually every software security mechanism, a malware practitioner has found a way to subvert, or hack around, the security system, allowing a malware program to cause harm to other programs in the shared environment. This includes every operating system and even the Java language, which was designed to create a standard interface, or sandbox, for Internet downloadable programs or applets.
Major vulnerabilities of existing computer systems lies in the architectures of the computer system and of the operating system itself. A typical multi-tasking O/S environment includes an O/S kernel loaded in the computer random access memory (RAM) at start-up of the computer. The O/S kernel is a minimal set of instructions which loads and off-loads resources and resource vectors into RAM as called upon by individual programs executing on the computer. Sometimes, when two or more executing programs require the same resource, such as printer output, for example, the O/S kernel leaves the resource loaded in RAM until all programs have finished with that resource. Other resources, such as disk read and write, are left in RAM while the operating system is running because such resources are more often used than others. The inherent problem with existing architectures is that resources, such as RAM, or a hard disk, are shared by programs simultaneously, giving a malware program a conduit to access and corrupt other programs, or the O/S itself through the shared resource. Furthermore, as many application programs are of a general nature, many features are enabled by default or by the O/S, thus in many cases bypassing the O/S security mechanism. Such is the case when a device driver or daemon is run by the O/S in kernel mode, which enables it unrestricted access to many if not all the resources.
The most common state-of the-art solutions for preventing malware infiltration are software based, such as blockers, sweepers and firewalls, for example, and hardware based solutions such as router/firewalls. Examples of software designed to counter malware are Norton Systems Works, distributed by the Symantec Corporation, Ad-aware, distributed by the Lavasoft Corporation of Sweeden, Spy Sweeper, distributed by the Webroot Software Corporation, Spyware Guard, distributed by Javacool Software LLC, among others. Currently there are a plethora of freeware, shareware and purchased software programs designed to counter malware by a variety of means. Such anti-malware programs are limited because they can only detect known malware that has already been identified (usually after the malware has already attacked one or more computers).
Network firewalls are typically based on packet filtering, which is limited in principle, since the rules determining which packets to accept and which to reject may contain subjective decisions based on trusting known sites or known applications. However, once security is breached for any reason (for example, due to a software or hardware error, a new piece of malware unrecognized by the anti-malware program or firewall, or an intended deception), a malicious application may take over the computer or server or possibly the entire network and create unlimited damages (directly or indirectly by opening the door to additional malicious applications).
The methods in the prior art are typically comprised of embedded software countermeasures that detect and filter unwanted intrusions in real time, or scan the computer system either at the direction of a user or as a scheduled event. Two problems arise from these methods. In the first instance, a comprehensive scan, detect, and elimination of malware from desired incoming data streams could significantly slow or preclude the interactive nature of many applications such a gaming, messaging, and browsing. In the second instance, newly implemented software screens may be quickly circumvented by malware practitioners who are determined to pass their files through the screen. Newly discovered malware leads to the development of additional screens, which lead to more malware, etc., thus creating an escalating cycle of measure, countermeasure. The basic flaw is that all incoming executable data files must be resident on the computers main processor to perform their desired function. Once resident on that processor, access may be gained to non-volatile memory and other basic computer system elements. Malware exploits this key architectural flaw to infiltrate and compromise computer systems.
The majority of these applications rely upon a scanning engine which searches suspect files for the presence of predetermined malware signatures. These signatures are held in a database which must be constantly updated to reflect the most recently identified malware. Typically, users regularly download replacement databases, either over the Internet, from a received e-mail, or from a CDROM or floppy disc. Users are also expected to update their software engines every so often in order to take advantage of new virus detection techniques (e.g. which may be required when a new strain of malware is detected).
Many of the aforementioned applications are also not effective against security holes, for example, in browsers or e-mail programs, or in the operating system itself. Security holes in critical applications are discovered quite often, and just keeping up with all the patches is cumbersome. Also, without proper generic protection against, for example, Trojan horses, even VPNs (Virtual Private Networks) and other forms of data encryption, including digital signatures, are not totally safe because information can be stolen before or below the encryption layer. Even personal firewalls are typically limited, because once a program is allowed to access the Internet, there are often few limitations on what files may be accessed and transmitted back to a host.
A major problem faced by computer users connected to a network is that the network interface program (a browser, for example) is resident on the same processor as the O/S and other trusted programs, and shares space on a common memory storage medium. Even with security designed into the O/S, malware practitioners have demonstrated great skill in circumventing software security measures to create malware capable of corrupting critical files on the shared memory storage medium. When this happens, users are often faced with a lengthy process of restoring their computer systems to the correct configuration, and often important files are simply lost because no backup exists.
Therefore, what is needed in the art is a means of isolating the network interface program from the main computer system such that the network interface program does not share a common memory storage area with other trusted programs. The network interface program may be advantageously given access to a separate, protected memory area, while being unable to initiate access to the main computer's memory storage area. With the network interface program constrained in this way, malware programs are rendered unable to automatically corrupt critical system and user files located on the main memory storage area. If a malware infection occurs, a user would be able to completely clean the malware infection from the computer using a variety of methods. A user could simply delete all files contained in the protected memory area, and restore them from an image residing on the main memory area, for example.
Other discussions of malware, its effects on computer systems, techniques used by malware practitioners to install malware, and techniques for detection and removal, may be found in the published literature, and in some of the patents and applications previously incorporated by reference. Reference to malware may be found in a technical white paper entitled “Spyware, Adware, and Peer-to-Peer Networks: The Hidden Threat to Corporate Security.”, by Kevin Townsend, © Pest Patrol Inc. 2003. Pest Patrol is a Carlisle; Pa. based developer of software security tools. Another reference is a technical white paper entitled “Beyond Viruses: Why antivirus software is no longer enough.” by David Stang, PhD, © Pest Patrol Inc. 2002. Yet another reference is “The Web: Threat or Menace?” from “Firewalls and Internet Security: Repelling the Wily Hacker”, Second Edition, Addison-Wesley. ISBN 0-201-63466-X, Copyright 2003. The foregoing references are incorporated by reference as if reproduced herein in their entirety.
Embodiments of the present invention achieve technical advantages as a system and method for protecting a computer system from malicious software attacks via a network connection.
It is an object of the present invention to provide a computer system capable of preventing malware programs from automatically corrupting critical user and system files.
It is another object of the present invention to confine any malware infection that may occur to a separate, protected part of the computer system.
It is another object of the present invention to provide a user with an easy and comprehensive method of removing the malware infection, even if the user's anti-malware software is incapable of detecting and/or removing the malware infection.
It is another object of the present invention to provide a user with an easy and comprehensive method of restoring critical system and user files that may have been corrupted by a malware infection.
It is another object of the present invention to provide a computer system configured such that attempts by malware to record and report data entry by the computer user via input devices such as keyboards, mouse clicks, microphones, or any other data input devices are effectively blocked.
It is another object of the present invention to provide a computer system capable of executing instructions in a first logical process, wherein the first logical process is capable of accessing data contained in a first memory space and a second memory space.
It is another object of the present invention to provide a computer system capable of executing instructions in a second logical process, wherein the second logical process is capable of accessing data contained in the second memory space, the second logical process being further capable of exchanging data across a network of one or more computers.
It is another object of the present invention to provide a computer system capable of displaying, in a windowed format on a display terminal, data from the first logical process and the second logical process, wherein a video processor is adapted to combine data from the first and second logical processes and transmit the combined data to the display terminal
It is another object of the present invention to provide a computer system configured such that a malware program downloaded from the network and executing as part of the second logical process is incapable of initiating access to the first memory space.
It is another object of the present invention to provide a computer system configured such that corrupted data files residing on the second memory space may be restored from an image residing on the first memory space.
It is another object of the present invention to provide a computer system configured such that data files residing on the second memory space may be automatically deleted when the second logical process is terminated.
It is another object of the present invention to provide a computer system configured such that the second electronic data processor and the video processor are co-located on a circuit card, the circuit card being communicatively coupled to the first electronic data processor.
These objects and other advantages are provided by a preferred embodiment of the present invention wherein a computer system comprising a first electronic data processor is communicatively coupled to a first memory space and to a second memory space, a second electronic data processor is communicatively coupled to the second memory space and to a network interface device, wherein the second electronic data processor is capable of exchanging data across a network of one or more computers via the network interface device, a video processor is adapted to combine video data from the first and second electronic data processors and transmit the combined video data to a display terminal for displaying the combined video data in a windowed format, wherein the computer system is configured such that a malware program downloaded from the network and executing on the second electronic data processor is incapable of initiating access to the first memory space.
Advertisement(s)—This term is intended to broadly encompass any secondary content that is delivered or distributed to client devices in addition to the primary content, e.g., e-mail messages, which the software product instantiated by the client device is designed to receive, transmit, process, display, and/or utilize. For example, this term is intended to cover, without limitation, paid advertisements, community service messages, public service announcements, system information messages or announcements, cross-promo spots, artwork, and any other graphical, multimedia, audio, video, text, or other secondary digital content.
Client Device—This term is intended to broadly encompass any device that has digital data processing and output, e.g., display, capabilities, including, but not limited to, desktop computers, laptop computers, hand-held computers, notebook computers, Personal Digital Assistants (PDAs), palm-top computing devices, intelligent devices, information appliances, video game consoles, information kiosks, wired and wireless Personal Communications Systems (PCS) devices, smart phones, intelligent cellular telephones with built-in web browsers, intelligent remote controllers for cable, satellite, and/or terrestrial broadcast television, and any other device that has the requisite capabilities.
Information—This term is intended to broadly encompass any intelligible form of information which can be presented by a client device, i.e., an information client device, including, without limitation, text, documents, files, graphical objects, data objects, multimedia content, audio/sound files, video files, MPEG files, JPEG files, GIF files, PNG files, HTML documents, applications, formatted documents (e.g., word processor and/or spreadsheet documents or files), MP3 files, animations, photographs, and any other document, file, digital, or multimedia content that can be transmitted over a communications network such as the Internet.
E-Mail Messages—This term is intended to broadly encompass the e-mail message and any attachments thereto, including, without limitation, text, documents, files, graphical objects, data objects, multimedia content, audio/sound files, video files, MPEG files, JPEG files, GIF files, PNG files, HTML documents, applications, formatted documents (e.g., word processor and/or spreadsheet documents or files), MP3 files, animations, photographs, and any other document, file, digital, or multimedia content that can be transmitted over a communications network such as the Internet.
Memory—This term is intended to broadly encompass any device capable of storing and/or incorporating computer readable code for instantiating the client device referred to immediately above. Thus, the term encompasses all types of recording medium, e.g., a CD-ROM, a disk drive (hard or soft), magnetic tape, and recording devices, e.g., memory devices including DRAM, SRAM, EEPROM, FRAM, and Flash memory. It should be noted that the term is intended to include any type of device which could be deemed persistent storage. To the extent that an Application Specific Integrated Circuit (ASIC) can be considered to incorporate instructions for instantiating a client device, an ASIC is also considered to be within the scope of the term “memory.”
It is also know that the state of the art for advertising on personal computers (PCs) currently consists of Internet advertising that is displayed using World Wide Web (or Internet) browser software. As users browse the Internet, the various sites they visit display advertisements of a random nature or advertisements that are related to the content of the Web pages being browsed. Although this method of advertisement is growing rapidly it is not ideal in several respects. Web page based advertisements are easy to ignore. They generally occupy a small area of the computer monitor's display and are inconsistent in appearance with the material that hosts them. Internet users quickly adjust and typically ignore advertisements. To solve this problem, Web based advertisements are becoming more striking in appearance and are making use of animation. However, the advertisement's animation requires additional time when loading a Web page into a user's browser and ultimately detracts from the material that hosts the advertisement.
For a more complete understanding of the present invention, and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
The making and using of the presently preferred embodiments are discussed in detail below. It should be appreciated, however, that the present invention provides many applicable inventive concepts that can be embodied in a wide variety of specific contexts. The specific embodiments discussed are merely illustrative of specific ways to make and use the invention, and do not limit the scope of the invention.
A computer system, constructed in accordance with a preferred embodiment of the present invention, is illustrated in
The first memory and data storage area 110 may comprise both volatile and nonvolatile memory devices, such as DRAMs and hard drives, respectively. Any memory structure and/or device capable of being communicatively coupled to P1 may be advantageously used in the present invention. M1 may be used to store, for example, critical operating system files, user data and applications, interim results of calculations, etc. The many uses of computer memory are well understood by those skilled in the art, and will not be discussed further here. One may refer to several of the aforementioned patents and applications incorporated by reference, in addition to other references, for a discussion of existing computer architectures and uses of computer memory. Also part of system 100 is user interface 150, which may comprise, for example, a keyboard, mouse or other pointing device, microphone, pen pad, etc. Any device or method capable of inputting commands and/or data from a user 160 to computer system 100 may be used to advantage. A video processor 170 is used to format information for display and transmit the display information to a video display device 180, which is viewed by user 160. Video processor 170 typically includes an associated video memory area, which may be dedicated to the video processor, or shared with other resources. It is understood in the art that the video processor 170 may be part of processor P1 120, in that it may be integrated onto the microprocessor chip. Video processor 170 may also comprise a processor IC located on a video graphics card, which is communicatively coupled to a computer motherboard. Additionally, video processor 170 may comprise circuitry located on the computer motherboard. Further still, functions of video processor 170 may be split between the processor, motherboard, or separate video graphics card.
It is often desirable to connect computer system 100 to a network of one or more computer devices 195, such as the Internet, a LAN, WAN, VPN, etc. This connection may be accomplished via network interface device 190, which may comprise, for example, a telephone modem, a cable modem, a DSL line, a router, gateway, hub, etc. Any device capable of interfacing with the network 195 may be used, via a wired connection, a wireless connection, or an optical connection, for example. Network interface device 190 may connect to network 195 through one or more additional network interface devices (not shown). For example, network interface device 190 may comprise a gateway or router, connected to a cable modem, with the cable modem connected to network 195. Of course, other configurations are within the spirit and scope of the present teachings.
In accordance with a preferred embodiment of the present invention, network 195 is isolated from the first processor 120 and memory 110 by a second processor 140 (P2). Second processor 140 may comprise any electronic data processor, such as the devices previously described as applicable to first processor 120. Communicatively coupled to P2 140 is second memory and data storage area 130 (M2), which may comprise any memory device or devices, such as the devices previously described as applicable to first memory 110.
The architecture of computer system 100 is designed to be capable of protecting memory 110 from malware initiated intrusions, and preventing malware from initiating unwanted processes on first processor 120. This is accomplished by using second processor 140 to isolate 110 and 120 from network 195. In a preferred embodiment, P2 140 is communicatively coupled to memory storage area M2 130, and may be configured such that P2 140 is incapable of initiating access to memory storage area M1 110. For example, P2 140 may be capable of accessing memory storage area M1 110 with the strict permission of user 160, either through a real time interaction or via stored configuration or commands. Such a configuration may be desirable in a multi-core or multi processor system, where user 160 may wish to use P2 140 in either a protected mode or an unprotected mode, depending on the application. However, user 160 is capable of denying P2 140 the capability of initiating access to memory storage area M1 110 without the user's permission. P1 120 is communicatively coupled to both memory areas M1 110 and M2 130, thereby enabling P1 120 to access data downloaded from the network 195. In the presently described embodiment, any malware that has intruded the 130-140 system is thus confined to the 130-140 system, and may be configured to be incapable of automatically corrupting data contained on M1 110, or of automatically initiating an unwanted process on P1 120.
This and other features of the present teachings may be illustrated with reference to the example process flow 200 of
In accordance with a preferred embodiment of the present invention, if any malware is downloaded from network 195, it is stored in memory 130, and/or run as a process on second processor 140. In the configuration of computer system 100, any downloaded malware is rendered incapable of self initiating access to memory 110 or first processor 120, because second processor 140 is rendered incapable of initiating access to 110 and 120 without a direct or stored command from user 160. Any malware infection is thus confined. If a malware attack corrupts files and/or disrupts the operation of the 130-140 system, the user may easily shut down the corrupted process and restore the corrupted files from a protected image stored on memory 110, for example.
In accordance with a preferred embodiment of the present invention, the operating system controlling the 110-120 system may be different from an operating system controlling the protected 130-140 system. Conversely, a common operating system may control both the 110-120 system and the protected 130-140 system.
A user 160 may find it desirable to transfer files from the protected 130-140 system to the 110-120 system. User 160 may find it necessary, for example, to transfer an attachment from an e-mail message stored on memory 130 to the 110-120 system for further processing, modification, etc. In this case, the computer system 100 may go through a process whereby a file or other data is transferred from the 130-140 system to the 110-120 system, exemplified by the process 300 illustrated in
In accordance with a preferred embodiment of the present invention, at step 310, user 160 selects one or more data files to download from network 195. The desired data is downloaded to the 130-140 system at step 320. The user 160 then directs computer system 100 to move the desired file(s) from the 130-140 system to the 110-120 system at step 330. P1 120 may then perform a malware scan on the desired files, either in real time as the data is being transferred, or while the data still resides in M2 130 (step 340). Alternatively, P2 140 may perform the malware scan. At step 350, processor P2 140 (or P1 120) determines if malware has been detected in the desired file(s), and thus P1 120 makes a decision. If no malware is detected, the file(s) are moved or copied onto M2 110 at step 360. If malware is detected, the data file(s) are quarantined on M2 130, and the data file(s), if transferred to M1 100, are erased or quarantined. Once malware is detected, the user 160 may be alerted of the detection (step 370). Either as a result of user input or stored configuration commands, the infected file(s) are deleted, cleaned, or quarantined on M2 130, at step 380.
The user 160 would of course understand the dangers inherent in transferring downloaded files from the 130-140 system to the 110-120 system. For example, the user's anti-malware software may not be up to date, or may simply be unable to detect certain types of malware. Also, the malware itself may be so new that the user's anti-malware definitions have not been updated as yet. Therefore the user may wish to keep the files on the 130-140 system for some period of time. Consequently, it may be desirable to have resident on the 130-140 system a variety of application software such as readers, thereby allowing the user to examine the files without risking transferring the files to the 110-120 system. These reader programs, such as Adobe Acrobat Reader, by the Adobe Systems Corporation, or Visio reader, by the Microsoft Corporation, are typically subset application programs of the full featured application programs, and may thus require far less memory space than the full application. Additionally, software companies often distribute the reader programs for free (or a nominal fee), thereby providing advertising for the full featured application in the hopes that it will be eventually purchased by the user. This reader application may be opened and executed on the 130-140 system in a manner similar to the process described in
In the event the 130-140 system becomes infected with malware, the user 160 may wish to clean the 130-140 system. This cleaning may be accomplished by running an anti-malware application on the 130-140 system. However, if the infection is too severe for the anti-malware software to clean, or if the malware is undetectable by the user's anti-malware software, the user may wish to restore critical system files (or other user data files) for the 130-140 system from a protected image stored on M1 100, for example. It is of course understood that the critical system file image may be restored from another device, such as a removable drive or a CD, for example. The user may however consider it more convenient to restore the critical system files from an image on M1 100.
In accordance with a preferred embodiment of the present invention, an exemplary process for restoring M2 130 from M1 110 is illustrated by process 400 in
In accordance with a preferred embodiment of the present invention, a user 160 may consider it advantageous for the 130-140 system to be automatically reinitialized from clean critical system files when a protected process window is opened. In this way, the new protected process is much less likely to be affected by an infection from a previous protected process session. Of course, a user may have a plurality of protected processes open and running during a protected process session. It may only be necessary to automatically reinitialize from clean critical system files when the first protected process is opened during a session. Subsequent protected processes may not require automatic re-initialization from clean critical system files. An exemplary automatic re-initialization from clean critical system files is illustrated by steps 510, 520 and 530 in
In accordance with a preferred embodiment of the present invention, a user 160 may consider it advantageous for the 130-140 system to be automatically cleaned when a protected process window is closed. In this way, any detected or undetected malware infections are much less likely to affect a future protected process session. It may only be necessary to automatically clean the 130-140 system when the last protected process is closed during a session. An exemplary automatic cleaning process is illustrated by steps 540, 550, 560, 570 and 580 in
Interactive network processes such as interactive gaming have become very popular in recent years. In current interactive gaming processes, a user may log onto a game host located on network 195, or connect to other computers whose users wish to participate in the game. Computer games, such as Quake 3. Arena, by Id Software Incorporated, or Call of Duty, by Activision Incorporated, are just two examples of the plethora of games available that may be played interactively over a network. The user's computer system typically provides the bulk of the processing power and video graphics generation required to display the often fast moving and richly detailed three dimensional game environments. Information about the current and new state of the game is exchanged between various users' computer systems, often in real time. With this type of process, a relatively modest amount of data is required to be exchanged between users, or a user and the host, with the bulk of the processing, data manipulation, and graphics generation being handled by the user's local machine. However, this open network connection may become a conduit for malware practitioners to exploit, allowing malware to be downloaded onto a user's computer during a gaming session, often without the user being aware of the malware transfer. It would be advantageous, therefore, for a computer system to be much less susceptible to malware attacks during gaming sessions.
In accordance with a preferred embodiment of the present invention, an exemplary process flow 600, illustrated in
By using exemplary process 600 (or an equivalent), computer system 100 is capable of actively deciding what data to download and use, and what data to discard or scan for malware. The game status data is buffered prior to loading it onto the 110-120 system. The 110-120 system may be advantageously configured to only accept game status information in the proper format, thereby minimizing the chance that a malware practitioner could deceptively load malware onto the 110-120 system.
Additionally, computer system 100 could be configured such that system 130-140 is powerful enough to process the interactive network process without exchanging information with the 110-120 system. Such a configuration may be more secure, as a conduit between the 110-120 system and the 130-140 system may not be necessarily opened. The 130-140 system may contain all the necessary files to facilitate the interactive network process. Higher end computers, workstations, and servers often contain dual (or more) processors, such as the Mac G5, manufactured by the Apple Computer Corporation, or a single physical processor with a multiple processor core. Often, the processors in these multi-processor machines are of equal or comparable processing power. In such a configuration, one processor may be dedicated to performing functions equivalent to those described for P1 120, with a second processor performing the functions equivalent to those described for P2 140. A computer system 100 employing multiple processors may be advantageously configured such that one of the processors is dedicated to protected processes only when a network process is active. When a user is not accessing a network, the multiple processors in a computer system may be dedicated to other processes, such as performing complex calculations or simulations, or running complex non-network interactive gaming processes, for example. Alternatively, the computer system 100 may be configured such that the 110-120 system simply transfers required files to the video processor 170 or the 130-140 system at the appropriate time to facilitate the interactive network process. The 110-120 system could be commanded to retrieve and transfer the files at the command of the video processor, or at the command of the 130-140 system, or a combination of both.
In accordance with embodiments of the present invention, computer system 100 may be configured in a variety of ways, while still remaining within the spirit and scope of the present teachings. One such exemplary embodiment is illustrated in
In accordance with a preferred embodiment of the present invention, an alternate configuration for computer system 100 is illustrated in
In accordance with a preferred embodiment of the present invention, an alternate configuration for computer system 100 is illustrated in
Referring again to
Some malware programs are designed to secretly record user input commands (such as keystrokes, for example), then send the information back to a host computer. This type of malware is capable of stealing important user information, such as passwords, bank account numbers, social security numbers, driver's license numbers, credit account numbers, etc. Theft of such personal information could result in the theft of actual assets (money or securities, etc.) or perhaps used for identity theft, among other malicious intents. Clearly, a computer system capable of ensuring the protection of such sensitive information would be desirable.
In accordance with an embodiment of the present invention, a computer system is configured such that attempts by malware to record and report data entry by the computer user via input devices such as keyboards, mouse clicks, microphones, or any other data input devices are effectively blocked. Encryption of user input data, such as keystrokes, is an effective means of protecting such data from theft by malware. Specific techniques used for data encryption and decryption are well known in the art, and need not be discussed further here. There are many examples in the art that may be examined to better understand various encryption/decryption techniques and the use of encryption/decryption in computer systems. Among these are U.S. Pat. No. 6,581,162 entitled “Method for securely creating, storing and using encryption keys in a computer system.” issued to Angelo, et al., and U.S. Pat. No. 6,134,661 entitled “Computer network security device and method.” Issued to Topp. The aforementioned patents have been previously incorporated by reference.
In accordance with the present teachings, a method of operating a computer system involving data encryption is described. In step 1010, a user opens a protected process where some level of data encryption is desired, for example, the encryption of sensitive user interface data or user files. Other data may be encrypted as desired. At step 1020, processor P1 120 instructs processor P2 140 to initiate a protected process and open a process window. P1 120 encrypts the sensitive data and passes the user interface data to P2 140 when a P2 140 window is selected or active (step 1030). P2 140 generates video data for the P2 140 process window(s) and passes the video data to video processor 170 (step 1040). Video processor 170 decrypts the sensitive data and interleaves the video data from all P1 and P2 processes (step 1050). P2 140 passes the encrypted sensitive data to network interface device 190 (step 1060). Network interface device 190 decrypts the sensitive data and passes the decrypted sensitive data to network 195. Of course, other methods of operating a computer system in which data is encrypted prior to being passed to P2 140, and decrypted after leaving the control of P2 140, are within the spirit and scope of the present teachings.
In accordance with a preferred embodiment of the present invention, data desired to be protected is encrypted prior to sending the data to processor P2 140, which may be running one or more malware processes. Processor P2 140 does not have visibility to the decryption keys, and is therefore unable to decrypt the data. Data may be decrypted by network interface device 190 prior to forwarding the data on to network 195. Conversely, encrypted data may be sent directly over the network for decryption by another computer system, including, for example, an interne banking host computer. Decryption keys may be passed between P1 120 and network interface device 190 via a communication link 191. Video processor 170 may decrypt the data prior to displaying the data on video display 180, with decryption keys possibly passed between P1 120 and video processor 170 via a communication link 171. Conversely, data may be passed directly to video processor 170 via a communication link 151.
A user 160 may wish to encrypt just a portion of the data destined for the network, such as passwords, credit card numbers, etc. Conversely, a user may wish to encrypt large blocks of data, such as e-mails or large application files containing sensitive text and/or graphics. Instructions may be passed to network interface device 190 directing 190 to decrypt one or more specific data blocks prior to sending the data blocks to network 195. Conversely, instructions may be passed to network interface device 190 directing 190 to pass one or more specific data blocks to network 195 without decryption.
While this invention has been described with reference to illustrative embodiments, this description is not intended to be construed in a limiting sense. Various modifications and combinations of the illustrative embodiments, as well as other embodiments of the invention, will be apparent to persons skilled in the art upon reference to the description. It is therefore intended that the appended claims encompass any such modifications or embodiments.
Rozman, Allen F., Cioffi, Alfonso J.
Patent | Priority | Assignee | Title |
10061922, | Apr 30 2012 | Cognyte Technologies Israel Ltd | System and method for malware detection |
10142426, | Mar 29 2015 | Cognyte Technologies Israel Ltd | System and method for identifying communication session participants based on traffic patterns |
10198427, | Jan 29 2013 | Cognyte Technologies Israel Ltd | System and method for keyword spotting using representative dictionary |
10491609, | Oct 10 2016 | Cognyte Technologies Israel Ltd | System and method for generating data sets for learning to identify user actions |
10546008, | Oct 22 2015 | Cognyte Technologies Israel Ltd | System and method for maintaining a dynamic dictionary |
10560842, | Jan 28 2015 | Cognyte Technologies Israel Ltd | System and method for combined network-side and off-air monitoring of wireless networks |
10592063, | Dec 09 2013 | GOOGLE LLC | Controlling actions for browser extensions |
10614107, | Oct 22 2015 | Cognyte Technologies Israel Ltd | System and method for keyword searching using both static and dynamic dictionaries |
10623503, | Mar 29 2015 | Cognyte Technologies Israel Ltd | System and method for identifying communication session participants based on traffic patterns |
10630588, | Jul 24 2014 | Cognyte Technologies Israel Ltd | System and method for range matching |
10944763, | Oct 10 2016 | Cognyte Technologies Israel Ltd | System and method for generating data sets for learning to identify user actions |
10958613, | Jan 01 2018 | Cognyte Technologies Israel Ltd | System and method for identifying pairs of related application users |
10972558, | Apr 30 2017 | Cognyte Technologies Israel Ltd | System and method for tracking users of computer applications |
10999295, | Mar 20 2019 | Cognyte Technologies Israel Ltd | System and method for de-anonymizing actions and messages on networks |
11038907, | Jun 04 2013 | Cognyte Technologies Israel Ltd | System and method for malware detection learning |
11093534, | Oct 22 2015 | Cognyte Technologies Israel Ltd | System and method for keyword searching using both static and dynamic dictionaries |
11095736, | Apr 30 2017 | Verint Systems Ltd. | System and method for tracking users of computer applications |
11303652, | Oct 10 2016 | Cognyte Technologies Israel Ltd | System and method for generating data sets for learning to identify user actions |
11316878, | Apr 30 2013 | Cognyte Technologies Israel Ltd | System and method for malware detection |
11336609, | Jan 01 2018 | COGNYTE TECHNOLOGIES ISRAEL LTD. | System and method for identifying pairs of related application users |
11336738, | Apr 30 2017 | COGNYTE TECHNOLOGIES ISRAEL LTD. | System and method for tracking users of computer applications |
11381977, | Apr 25 2016 | Cognyte Technologies Israel Ltd | System and method for decrypting communication exchanged on a wireless local area network |
11386135, | Oct 21 2016 | Cognyte Technologies Israel Ltd | System and method for maintaining a dynamic dictionary |
11399016, | Nov 03 2019 | VERINT SYSTEMS LTD | System and method for identifying exchanges of encrypted communication traffic |
11403559, | Aug 05 2018 | Cognyte Technologies Israel Ltd | System and method for using a user-action log to learn to classify encrypted traffic |
11432139, | Jan 28 2015 | Cognyte Technologies Israel Ltd | System and method for combined network-side and off-air monitoring of wireless networks |
11444956, | Mar 20 2019 | COGNYTE TECHNOLOGIES ISRAEL LTD. | System and method for de-anonymizing actions and messages on networks |
11463360, | Jul 24 2014 | Cognyte Technologies Israel Ltd | System and method for range matching |
11575625, | Apr 30 2017 | Cognyte Technologies Israel Ltd | System and method for identifying relationships between users of computer applications |
8646084, | Sep 28 2012 | AO Kaspersky Lab | Securing file launch activity utilizing safety ratings |
8938796, | Sep 20 2012 | Case secure computer architecture | |
9122633, | Sep 20 2012 | Case secure computer architecture | |
9870116, | Dec 09 2013 | GOOGLE LLC | Controlling actions for browser extensions |
9923913, | Jun 04 2013 | Cognyte Technologies Israel Ltd | System and method for malware detection learning |
Patent | Priority | Assignee | Title |
4890098, | Oct 20 1987 | INTERNATIONAL BUSINESS MACHINES CORPORATION, ARMONK, NEW YORK 10504, A CORP OF NY | Flexible window management on a computer display |
5280579, | Sep 28 1990 | Texas Instruments Incorporated | Memory mapped interface between host computer and graphics system |
5502808, | Jul 24 1991 | Texas Instruments Incorporated | Video graphics display system with adapter for display management based upon plural memory sources |
5555364, | Aug 23 1994 | SAGE SOFTWARE, INC | Windowed computer display |
5564051, | Apr 02 1991 | International Business Machines Corporation | Automatic update of static and dynamic files at a remote network node in response to calls issued by or for application programs |
5666030, | Jul 20 1994 | NCR Corporation | Multiple window generation in computer display |
5673403, | Nov 13 1992 | International Business Machines Corporation | Method and system for displaying applications of different operating systems on a single system using the user interface of the different operating systems |
5751979, | May 31 1995 | Unisys Corporation | Video hardware for protected, multiprocessing systems |
5826013, | Sep 28 1995 | NORTONLIFELOCK INC | Polymorphic virus detection module |
5918039, | Dec 29 1995 | DELL MARKETING CORPORATION | Method and apparatus for display of windowing application programs on a terminal |
5974549, | Mar 27 1997 | Microsoft Technology Licensing, LLC | Security monitor |
5978917, | Aug 14 1997 | NORTONLIFELOCK INC | Detection and elimination of macro viruses |
5995103, | May 10 1996 | Apple Inc | Window grouping mechanism for creating, manipulating and displaying windows and window groups on a display screen of a computer system |
6091412, | Sep 30 1997 | The United States of America as represented by the Secretary of the Navy | Universal client device permitting a computer to receive and display information from several special applications |
6108715, | Dec 13 1994 | Microsoft Technology Licensing, LLC | Method and system for invoking remote procedure calls |
6134661, | Feb 11 1998 | HANGER SOLUTIONS, LLC | Computer network security device and method |
6167522, | Apr 01 1997 | Oracle America, Inc | Method and apparatus for providing security for servers executing application programs received via a network |
6183366, | Jan 19 1996 | BENEFICIAL INNOVATIONS, INC | Network gaming system |
6192477, | Feb 02 1999 | Dagg LLC | Methods, software, and apparatus for secure communication over a computer network |
6199181, | Sep 09 1997 | International Business Machines Corporation | Method and system for maintaining restricted operating environments for application programs or operating systems |
6216112, | May 27 1998 | Method for software distribution and compensation with replenishable advertisements | |
6275938, | Aug 28 1997 | Microsoft Technology Licensing, LLC | Security enhancement for untrusted executable code |
6285987, | Jan 22 1997 | BEH Investments LLC | Internet advertising system |
6321337, | |||
6351816, | May 19 1996 | Sun Microsystems, Inc. | System and method for securing a program's execution in a network environment |
6385721, | Jan 22 1999 | HEWLETT-PACKARD DEVELOPMENT COMPANY, L P | Computer with bootable hibernation partition |
6397242, | May 15 1998 | VMware, Inc. | Virtualization system including a virtual machine monitor for a computer with a segmented architecture |
6401134, | Jul 25 1997 | Oracle America, Inc | Detachable java applets |
6433794, | Jul 31 1998 | International Business Machines Corporation | Method and apparatus for selecting a java virtual machine for use with a browser |
6438600, | Jan 29 1999 | International Business Machines Corporation | Securely sharing log-in credentials among trusted browser-based applications |
6480198, | Jun 27 1997 | S3 GRAPHICS CO , LTD | Multi-function controller and method for a computer graphics display system |
6492995, | Apr 26 1999 | International Business Machines Corporation | Method and system for enabling localization support on web applications |
6505300, | Jun 12 1998 | Microsoft Technology Licensing, LLC | Method and system for secure running of untrusted content |
6507904, | Mar 31 2000 | Intel Corporation | Executing isolated mode instructions in a secure system running in privilege rings |
6507948, | Sep 02 1999 | International Business Machines Corporation | Method, system, and program for generating batch files |
6546554, | Jan 21 2000 | Oracle America, Inc | Browser-independent and automatic apparatus and method for receiving, installing and launching applications from a browser on a client computer |
6553377, | Mar 31 2000 | McAfee, Inc | System and process for maintaining a plurality of remote security applications using a modular framework in a distributed computing environment |
6578140, | Apr 13 2000 | Personal computer having a master computer system and an internet computer system and monitoring a condition of said master and internet computer systems | |
6581162, | Dec 31 1996 | HEWLETT-PACKARD DEVELOPMENT COMPANY, L P | Method for securely creating, storing and using encryption keys in a computer system |
6633963, | Mar 31 2000 | Intel Corporation | Controlling access to multiple memory zones in an isolated execution environment |
6658573, | Jan 17 1997 | GOOGLE LLC | Protecting resources in a distributed computer system |
6663000, | Aug 01 2002 | JPMORGAN CHASE BANK, N A , AS ADMINISTRATIVE AGENT | Validating components of a malware scanner |
6678712, | Jan 19 1996 | International Business Machines Corporation | Method and system for executing a program under one of a plurality of mutually exclusive operating environments |
6678825, | Mar 31 2000 | Intel Corporation | Controlling access to multiple isolated memories in an isolated execution environment |
6691230, | Oct 15 1998 | GOOGLE LLC | Method and system for extending Java applets sand box with public client storage |
6735700, | Jan 11 2000 | McAfee, Inc | Fast virus scanning using session stamping |
6754815, | Mar 31 2000 | Intel Corporation | Method and system for scrubbing an isolated area of memory after reset of a processor operating in isolated execution mode if a cleanup flag is set |
6756236, | Dec 05 2000 | Sony Deutschland GmbH | Method of producing a ferroelectric memory and a memory device |
6757685, | Feb 19 2001 | HEWLETT-PACKARD DEVELOPMENT COMPANY L P | Process for executing a downloadable service receiving restrictive access rights to at least one profile file |
6772345, | Feb 08 2002 | McAfee, Inc | Protocol-level malware scanner |
6804780, | Nov 08 1996 | FINJAN LLC | System and method for protecting a computer and a network from hostile downloadables |
6836885, | Sep 21 1998 | DELL MARKETING CORPORATION | Method and apparatus for display of windowing application programs on a terminal |
6871348, | Sep 15 1999 | Intel Corporation | Method and apparatus for integrating the user interfaces of multiple applications into one application |
6873988, | Jul 06 2001 | CHECK POINT SOFTWARE TECHNOLOGIES, INC | System and methods providing anti-virus cooperative enforcement |
6880110, | May 19 2000 | SELF REPAIRING COMPUTERS, INC | Self-repairing computer having protected software template and isolated trusted computing environment for automated recovery from virus and hacker attack |
6990630, | May 15 1998 | ANDREAS ACQUISITION LLC | TECHNIQUE FOR IMPLEMENTING BROWSER-INITIATED USER-TRANSPARENT NETWORK-DISTRIBUTED ADVERTISING AND FOR INTERSTITIALLY DISPLAYING AN ADVERTISEMENT, SO DISTRIBUTED, THROUGH A WEB BROWSER IN RESPONSE TO A USER CLICK-STREAM |
6996828, | Sep 12 1997 | HITACHI-OMRON TERMINAL SOLUTIONS, CORP | Multi-OS configuration method |
7013484, | Mar 31 2000 | Alibaba Group Holding Limited | Managing a secure environment using a chipset in isolated execution mode |
7024555, | Nov 01 2001 | Intel Corporation | Apparatus and method for unilaterally loading a secure operating system within a multiprocessor environment |
7024581, | Oct 09 2002 | United Microelectronics Corp | Data processing recovery system and method spanning multiple operating system |
7039801, | Jun 30 2000 | Microsoft Technology Licensing, LLC | System and method for integrating secure and non-secure software objects |
7062672, | Jun 08 2001 | VALTRUS INNOVATIONS LIMITED | Method of and computer network arrangement for restoring an impaired software image |
7082615, | Mar 31 2000 | Intel Corporation | Protecting software environment in isolated execution |
7085928, | Mar 31 2000 | Synopsys, Inc | System and method for defending against malicious software |
7096381, | May 21 2001 | VIR2US, INC | On-the-fly repair of a computer |
7139890, | Apr 30 2002 | Intel Corporation | Methods and arrangements to interface memory |
7146305, | Oct 24 2000 | KYNDRYL, INC | Analytical virtual machine |
7146640, | Sep 05 2002 | BURNT HICKORY COMPANY, LLC | Personal computer internet security system |
7181768, | Oct 28 1999 | Synopsys, Inc | Computer intrusion detection system and method based on application monitoring |
7191469, | May 13 2002 | GOOGLE LLC | Methods and systems for providing a secure application environment using derived user accounts |
7246374, | Mar 13 2000 | Microsoft Technology Licensing, LLC | Enhancing computer system security via multiple user desktops |
7260839, | Jul 08 2002 | Hitachi, LTD | System and method for secure wall |
7284274, | Jan 18 2001 | Synopsys, Inc | System and method for identifying and eliminating vulnerabilities in computer software applications |
7373505, | Apr 15 2004 | Microsoft Technology Licensing, LLC | Displaying a security element with a browser window |
7401230, | Mar 31 2004 | Intel Corporation | Secure virtual machine monitor to tear down a secure execution environment |
7421689, | Oct 28 2003 | Hewlett Packard Enterprise Development LP | Processor-architecture for facilitating a virtual machine monitor |
7444412, | Jun 08 2001 | Hewlett Packard Enterprise Development LP | Data processing system and method |
7484247, | Aug 07 2004 | ROZMAN, MEGAN ELIZABETH; ROZMAN, MELANIE ANN; ROZMAN, MORGAN LEE | System and method for protecting a computer system from malicious software |
7565522, | May 10 2004 | TAHOE RESEARCH, LTD | Methods and apparatus for integrity measurement of virtual machine monitor and operating system via secure launch |
7577871, | May 19 2000 | VIR2US, INC | Computer system and method having isolatable storage for enhanced immunity to viral and malicious code infection |
7596694, | Mar 08 2004 | VALTRUS INNOVATIONS LIMITED | System and method for safely executing downloaded code on a computer system |
7650493, | Jun 30 2000 | Microsoft Technology Licensing, LLC | System and method for integrating secure and non-secure software objects |
7657419, | Jun 19 2001 | KYNDRYL, INC | Analytical virtual machine |
7676842, | Apr 13 2002 | Computer Associates Think, Inc | System and method for detecting malicious code |
7694328, | Oct 21 2003 | GOOGLE LLC | Systems and methods for secure client applications |
7730318, | Oct 24 2003 | Microsoft Technology Licensing, LLC | Integration of high-assurance features into an application through application factoring |
7818808, | Dec 27 2000 | Intel Corporation | Processor mode for limiting the operation of guest software running on a virtual machine supported by a virtual machine monitor |
7849310, | Nov 18 2002 | ARM Limited | Switching between secure and non-secure processing modes |
7854008, | Aug 10 2007 | Fortinet, Inc. | Software-hardware partitioning in a virus processing system |
20020002673, | |||
20020052809, | |||
20020066016, | |||
20020174349, | |||
20030023857, | |||
20030097591, | |||
20030131152, | |||
20030177397, | |||
20030221114, | |||
20040006706, | |||
20040006715, | |||
20040034794, | |||
20040039944, | |||
20040054588, | |||
20040199763, | |||
20040230794, | |||
20040267929, | |||
20050005153, | |||
20050091661, | |||
20050149726, | |||
20050198692, | |||
20050240810, | |||
20060004667, |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Oct 29 2012 | ROZMAN, ALLEN FRANK | CIOFFI, ALFONSO | LETTERS OF TESTAMENTARY SEE DOCUMENT FOR DETAILS | 034499 | /0346 | |
Nov 14 2014 | CIOFFI, ALFONSO | ROZMAN, MEGAN ELIZABETH | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 034385 | /0958 | |
Nov 14 2014 | CIOFFI, ALFONSO | ROZMAN, MELANIE ANN | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 034385 | /0958 | |
Nov 14 2014 | CIOFFI, ALFONSO | ROZMAN, MORGAN LEE | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 034385 | /0958 | |
Nov 14 2014 | ALLEN FRANK ROZMAN DECEASED REPRESENTED BY ALFONSO CIOFFI EXECUTOR OF ESTATE | ROZMAN, MEGAN ELIZABETH | CORRECTIVE ASSIGNMENT TO CORRECT THE CONVEYING PARTY DATA TO READ ALLEN FRANK ROZMAN DECEASED REPRESENTED BY ALFONSO CIOFFI EXECUTOR OF ESTATE PREVIOUSLY RECORDED ON REEL 034385 FRAME 0958 ASSIGNOR S HEREBY CONFIRMS THE ASSIGNMENT | 052994 | /0740 | |
Nov 14 2014 | ALLEN FRANK ROZMAN DECEASED REPRESENTED BY ALFONSO CIOFFI EXECUTOR OF ESTATE | ROZMAN, MELANIE ANN | CORRECTIVE ASSIGNMENT TO CORRECT THE CONVEYING PARTY DATA TO READ ALLEN FRANK ROZMAN DECEASED REPRESENTED BY ALFONSO CIOFFI EXECUTOR OF ESTATE PREVIOUSLY RECORDED ON REEL 034385 FRAME 0958 ASSIGNOR S HEREBY CONFIRMS THE ASSIGNMENT | 052994 | /0740 | |
Nov 14 2014 | ALLEN FRANK ROZMAN DECEASED REPRESENTED BY ALFONSO CIOFFI EXECUTOR OF ESTATE | ROZMAN, MORGAN LEE | CORRECTIVE ASSIGNMENT TO CORRECT THE CONVEYING PARTY DATA TO READ ALLEN FRANK ROZMAN DECEASED REPRESENTED BY ALFONSO CIOFFI EXECUTOR OF ESTATE PREVIOUSLY RECORDED ON REEL 034385 FRAME 0958 ASSIGNOR S HEREBY CONFIRMS THE ASSIGNMENT | 052994 | /0740 |
Date | Maintenance Fee Events |
Jan 25 2021 | M2553: Payment of Maintenance Fee, 12th Yr, Small Entity. |
Jan 25 2021 | M2556: 11.5 yr surcharge- late pmt w/in 6 mo, Small Entity. |
Date | Maintenance Schedule |
Jul 17 2015 | 4 years fee payment window open |
Jan 17 2016 | 6 months grace period start (w surcharge) |
Jul 17 2016 | patent expiry (for year 4) |
Jul 17 2018 | 2 years to revive unintentionally abandoned end. (for year 4) |
Jul 17 2019 | 8 years fee payment window open |
Jan 17 2020 | 6 months grace period start (w surcharge) |
Jul 17 2020 | patent expiry (for year 8) |
Jul 17 2022 | 2 years to revive unintentionally abandoned end. (for year 8) |
Jul 17 2023 | 12 years fee payment window open |
Jan 17 2024 | 6 months grace period start (w surcharge) |
Jul 17 2024 | patent expiry (for year 12) |
Jul 17 2026 | 2 years to revive unintentionally abandoned end. (for year 12) |