Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-10-30
2002-09-10
Hayes, Gail (Department: 2131)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C709S224000, C709S225000
Reexamination Certificate
active
06449723
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to the security management of computer networks. More particularly, the invention relates to methods and systems for preventing the downloading and execution of undesirable Executable Objects in a workstation of a computer network.
BACKGROUND OF THE INVENTION
The Internet has developed very much both in respect of its contents and of the technology employed, since it began a few years ago. In the early days of the Internet, web sites included text only, and after a while graphics was introduced. As the Internet developed, many compressed standards, such as pictures, voice and video files, were developed and with them programs used to play them (called “players”). Initially, such files were downloaded to the user's workstation only upon his request, and extracted only by the appropriate player, and after a specific order from the user.
When, in the natural course of the development of the World Wide Web the search for a way to show nicer, interactive and animated Web Pages began, Sun Microsystems Inc. developed Java—a language that allows the webmaster to write a program, a list of commands—Network Executables—that will be downloaded to the user workstation without his knowledge, and executed by his browser at his workstation. The executables are used, e.g., to provide photographic animation and other graphics on the screen of the web surfer. Such executables have some ways approaching the user workstation's resources, which lead to a great security problem. Although some levels of security were defined in the Java language, it was very soon that a huge security hole was found in the language.
Since Java was developed, Microsoft developed ActiveX, which is another Network Executable format, also downloaded into the workstation. ActiveX has also security problems of the same kind.
The Internet has been flooded with “Network Executables” which may be downloaded—deliberately or without the knowledge of the users—into workstations within organizations. These codes. generally contain harmless functions. Although usually safe, they may not meet the required security policy of the organization.
Once executed, codes may jam the network, cause considerable irreversible damage to the local database, workstations and servers, or result in unauthorized retrieval of information from the servers/workstations. Such elements may appear on Java applets, ActiveX components, DLLs and other object codes, and their use is increasing at an unparalleled pace. The majority of these small programs are downloaded into the organization unsolicited and uncontrolled. The enterprise has no way of knowing about their existence or execution and there is no system in place for early detection and prevention of the codes from being executed.
The security problem was solved partially by the browser manufactures which allow the user to disable the use of executables. Of course this is not a reasonable solution, since all the electronic commerce and advertising are based on the use of executables. The security problem is much more serious once such an executable can approach the enterprise servers, databases and other workstations.
It is therefore clear that it is highly needed to be able to prevent undesirable Executable Objects from infiltrating the LAN/WAN in which we work and, ultimately, our workstation and server. However, so far the art has failed to provide comprehensive solutions which are safe and quick enough to be practically useful. Systems such as “Firewall” or “Finjan”, distributed for use by Internet users, provide only partial solutions and, furthermore, are difficult to install and to update.
SUMMARY OF THE INVENTION
It is an object of the present invention to provide a comprehensive method for selectively preventing the downloading and execution of undesired Executable Objects in a computer, which overcomes the aforesaid drawbacks of prior art systems.
It is another object of the invention to provide such a system which is easy to install and which can be quickly and easily updated.
It is a further object of the invention to provide such a method which can be used with a large number of gateways, LAN's and workstations.
It is yet another object of the invention to provide such a security management system which is independent of the physical infrastructure and network layout.
It is a further object of the invention to provide a system which analyzes the executables “on the fly”, and does not hinder the downloading and he operation of harmless executables.
It is yet a further object of the invention to provide a system of the kind described above, which operates as a central security system to which peripheral gateways may be added as needed, to provide a simple, dynamically growing security system.
It is furthermore an object of the invention to provide a central system which permits to define sub-groups of users. each group being subject to a different security policy.
Also encompassed by the invention is a computer system which utilizes the method of the invention.
Other advantages and objects of the invention will become apparent as the description proceeds.
The method for selectively preventing the downloading and execution of undesired Executable Objects in a computer, according to the invention, comprises the steps of:
(a) providing one or more Control Centers, each connected to one or more gateways located between a LAN and an external computer communication network;
(b) providing means coupled to each of said gateways, to detect Executable Objects reaching said gateway, to analyze the header of each of said Executable Objects, and to determine the resources of the computer that the Executable Object needs to utilize;
(c) providing means coupled to each of said gateways, to store a user's Security Policy representing the resources, or combination of resources, that the user allows or does not allow an Executable Object to utilize within its LAN, wherein the Security Policy is received from and/or stored in each of said one or more Control Centers;
(d) when an Executable Object is detected at the gateway:
1. analyzing the header of said Executable Object;
2. determining the resources of the computer that the Executable Object needs to utilize;
3. comparing the resources of the computer that the Executable Object needs to utilize with the Security Policy and;
(i) if the resources of the computer that the Executable Object needs to utilize are included in the list of the resources allowed for use by the Security Policy, allowing the Executable Object to pass through the gateway and to reach the computer which has initiated its downloading; and
(ii) if the resources of the computer that the Executable Object needs to utilize are included in the list of the resources prohibited for use by the Security Policy, preventing the Executable Object from passing through the gateway, thereby preventing it from reaching—the computer which has initiated its downloading.
A Control Center (CC) may be a central control unit, e.g., a PC or other computer, which is connected to a plurality of gateways, and which updates the memory means containing relevant date, e.g., the Security Policy. As will be understood from the description to follow, once the CC is updated, e.g., by the addition of an additional limitation to the Security Policy, all gateways are updated at once. The use of the CC to control the operation of the security elements of the gateways obviates the need (which exists in prior art systems) to update each gateway every time that a change in policy is made.
A LAN (Local Area Network) may be (but is not limited to), e.g., a network of computers located in an office or building. The LAN is typically connected to outside communications networks, such as the World Wide Web, or to more limited LANs, e.g., of a client or supplier, through one or more gateways. The larger the organization, the larger the number of gateways employed, in order to keep communications at a reasonable speed.
Generally speaking, a LAN can also be made
Elgressy Doron
Jospe Asher
Computer Associates Think Inc.
Cooper & Dunham LLP
Hayes Gail
Revak Christopher A.
LandOfFree
Method and system for preventing the downloading and... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and system for preventing the downloading and..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and system for preventing the downloading and... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2820966