US20070083937A1 - Method and apparatus for protection of electronic media - Google Patents
Method and apparatus for protection of electronic media Download PDFInfo
- Publication number
- US20070083937A1 US20070083937A1 US11/539,140 US53914006A US2007083937A1 US 20070083937 A1 US20070083937 A1 US 20070083937A1 US 53914006 A US53914006 A US 53914006A US 2007083937 A1 US2007083937 A1 US 2007083937A1
- Authority
- US
- United States
- Prior art keywords
- detector
- client
- unauthorized
- detectors
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/12—Computing arrangements based on biological models using genetic models
- G06N3/126—Evolutionary algorithms, e.g. genetic algorithms or genetic programming
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
Definitions
- the present invention relates to computer readable data storage and more particularly to copy protection and data integrity of computer readable data.
- Standard encryption technologies have been used in the protection of electronic media sent over networks. These technologies encrypt a stream of data on the server side and then decrypt the data on the client side, in order to deter the understanding and the stealing of the data by a third party who has access to the network.
- watermarking electronic media has been another security measure implemented to deter the frequency of illegal media copying.
- watermarking tools place transparent and unique identifiers onto visual content and then enable the watermarked images to be more tightly controlled by their creators.
- AISs artificial immune systems
- the present invention is a system, an article, and a method to detect unauthorized client behaviors and the communication of the unauthorized client behaviors.
- a variety of detectors are sent to a client process and the responses are evaluated to detect the presence of an unauthorized software behavior on the client.
- Unauthorized behavior includes alteration of a client process as well as simultaneously running processes that may enable unauthorized copying of the protected electronic media.
- Communication of unauthorized software behavior includes sharing of detectors among servers on a network, and the sending of detectors to other clients to detect previously unseen unauthorized behaviors on the other clients.
- a method includes sending at least one detector to a client process, receiving a response to the detector from the client process, detecting a presence of an unauthorized software behavior on the client based upon the response, and updating a database of detectors for a previously unseen and unauthorized behavior of the process such that the database evolves over time.
- a method in another illustrative aspect of the present invention, includes exchanging sets of memory detectors between servers during an update period, evaluating the received set of memory detectors against a recipient's self database and a set of matching rules, discarding memory detectors in the received set of memory detectors that match a detector in the recipient's self database, and merging the remaining memory detectors with the existing memory database.
- a system in another illustrative aspect of the present invention, includes a server to send media to a client; and an application (computer program) to perform actions when executed that include sending a detector to the client, receiving a response to the detector from the client, detecting a presence of an unauthorized process behavior on the client based on the response and a matching rule associated with the detector, and updating a database of detectors for a previously unseen unauthorized process behavior on the client such that the database adapts based on the response.
- an application computer program
- a machine readable medium provides instructions which, when executed by at least one processor, cause the processor to perform operations that include sending at least one detector to a client process (or executing program), receiving a response to the detector from the client process, detecting a presence of an unauthorized software behavior on the client based upon the response and a matching rule that is associated with the detector sent; and updating a database of detectors for a previously unseen and unauthorized behavior of the process such that the database adapts the detector based upon the detector response.
- FIG. 1 is a block diagram of an embodiment of the present invention implemented by a server and a client, coupled through a network, to detect unauthorized software execution;
- FIG. 2 is a block diagram of an embodiment of a server computer as portrayed in FIG. 1 ;
- FIG. 3 is a block diagram of an embodiment of a client computer as portrayed in FIG. 1 ;
- FIG. 4 is a diagram of an embodiment of a detector type
- FIG. 5 is a block diagram of an embodiment of the present invention implemented by a server and a client, coupled through a network, in which the client includes a detector generator;
- FIG. 6 is a block diagram of an embodiment of the present invention implemented by a server and a client, coupled through a network, having a client generation of audited system calls;
- FIG. 7 is a diagram of an embodiment of a detector type with process data identity fragments
- FIG. 8 is a block diagram illustrating an embodiment of Artificial Epidemiological Control (AEC) component
- FIG. 9 is a flow diagram of an embodiment of an Artificial Immune System (AIS) process
- FIG. 10 is a flow diagram illustrating an embodiment of a process of updating detector life-cycle information
- FIG. 11 is a flow diagram illustrating an embodiment of an AEC process to share information about unauthorized client process behaviors to augment detection of apparent widespread unauthorized client process behaviors;
- FIG. 12 is a block diagram of an embodiment of a multi-server communication AEC architecture to enable servers coupled to a network to communicate portions of stored memory as memory detector set(s) to other network coupled server(s);
- FIG. 13 is a block diagram of an embodiment of an operating environment to evaluate received memory detectors.
- FIG. 14 is a block diagram of an embodiment of an operating environment with an AIS and AEC, in accordance with the present invention.
- connection means a direct electrical connection between the things that are connected, without any intermediary devices.
- coupled means either a direct connection between the things that are connected, or an indirect connection through one or more passive or active intermediary devices.
- the meaning of “a,” “an,” and “the” include plural references.
- the meaning of “in” includes “in” and “on.” Additionally, a reference to the singular includes a reference to the plural unless otherwise stated or inconsistent with the disclosure.
- the present invention is directed to a method and system of copy protection and data integrity for computer readable media.
- Protection of computer readable media includes detection of unauthorized software behavior, and communication of the detection of unauthorized software behavior.
- Unauthorized behaviors include alteration of a client process as well as simultaneously running processes that may enable unauthorized copying of protected media.
- the present invention has identified that a computer system implemented analogy of a biological system to respond to a foreign body infection, termed herein an Artificial Immune System (AIS), may be employed to monitor software behavior for unauthorized software operations such as copy protection and data integrity.
- AIS Artificial Immune System
- the AIS is premised on the concept that both living entities and computers encounter continuously changing deleterious foreign matter against which they must defend themselves.
- that foreign matter includes viruses, bacteria, and other pathogens that evolve through a process of natural selection.
- Living entities accomplish this feat by recognizing the “self” (e.g., all the proteins that constitute the living entity) and considering things that fall outside of this category to be potentially harmful.
- a computer system recognizes unauthorized copying and storing of data through the determination of abnormal client process behavior.
- server-based detector system 100 includes a server 102 , a network 104 , a client 106 , detector(s) 110 , and response(s) 112 .
- Server 102 includes an AIS detection unit 114 .
- Client 106 includes an executing client software process 108 , which is to be examined, and client presenter 116 .
- the server 102 is coupled to network 104 and is described in more detail with reference to FIG. 2 below.
- Client 106 is also coupled to network 104 and is described in more detail with reference to FIG. 3 below.
- network 104 can employ any form of network media for communicating information from one electronic device to another.
- the network 104 can include the Internet in addition to local area networks (LANs), wide area networks (WANs), direct connections, such as through a universal serial bus (USB) port, forms of computer-readable media, or any combination thereof.
- LANs local area networks
- WANs wide area networks
- USB universal serial bus
- a router acts as a link between LANS, enabling messages to be sent from one to another.
- communication links within LANs typically include twisted wire pair or coaxial cable
- communication links between networks may utilize analog telephone lines, full or fractional dedicated digital lines including T 1 , T 2 , T 3 , and T 4 , Integrated Services Digital Networks (ISDNs), Digital Subscriber Lines (DSLs), wireless links including satellite links, or other communications links known to those skilled in the art.
- ISDNs Integrated Services Digital Networks
- DSLs Digital Subscriber Lines
- wireless links including satellite links
- satellite links or other communications links known to those skilled in the art.
- remote computers and other related electronic devices might be remotely connected to either LANs or WANs via a modem and temporary telephone link.
- a remote computer may act in a number of ways, including as an internet (content) server or a client with an application program.
- network 104 may comprise a vast number of such interconnected networks, computers, and routers. As shown, server 102 and client 106 are in communication through network 104 , which provides a path between the executing client software process 108 and the embodiment of the AIS detection unit 114 .
- Server 102 provides access to information, such as streaming media, and services through network 104 to client 106 . While client 106 may be receiving information from server 102 , server 102 may also transmit through network 104 a series of detectors 110 to client presenter 116 . Client presenter 116 in turn presents detectors 110 to client software process 108 residing on client 106 . Client 106 communicates responses 112 to detectors 110 through network 104 for evaluation by AIS detection unit 114 . The communication of detectors 110 and responses 112 between client 106 and server 102 may occur without the user's knowledge.
- a server 102 enables the operation of network server 204 on network 104 ( FIG. 1 ) for access by a client, such as client 106 . Accordingly, server 102 enables network server 204 to respond to requests for information by a client software process 108 , or other application programs 334 ( FIG. 3 ), which are running on client 106 ( FIG. 3 ). For instance, server 102 can stream data, drawings, pictures, figures, graphics, movies, audio files, animations, and the like in response to a request for information. These transactions can take place across a closed or open network, such as the Internet. The server 102 may include many more components than those shown. As illustrated in FIG. 2 , server 102 can communicate with a network, via network interface unit 266 for use with and according to, communication protocols such as TCP/IP protocol.
- communication protocols such as TCP/IP protocol.
- Server 102 in an embodiment includes processing unit 242 , video display adapter 260 , and a mass memory, all in communication with each other via bus 264 .
- the mass memory generally includes RAM 244 , non-volatile memory, such as a ROM 256 , and one or more permanent mass storage devices, such as hard disk drive 252 , tape drive, optical drive, and/or floppy disk drive.
- the mass memory stores operating system 246 for controlling the operation of server 102 .
- a general-purpose server operating system may be employed, e.g., UNIX, LINUX, WINDOWS NT®, or the like.
- BIOS Basic input/output system
- the mass memory also stores program code and data for providing a presence on a network. More specifically, the mass memory stores application programs 250 , data (not shown), and network server 204 . These application programs 250 include computer executable instructions which, when executed by central processing unit 242 , generate response messages and perform the logic described elsewhere in this specification. The application programs 250 include programs that perform logical operations.
- Server 102 may also include a Simple Mail Transfer Protocol (SMTP) handler application (not shown) for transmitting and receiving e-mail, a Hypertext Transfer Protocol (HTTP) handler application for receiving and handing HTTP requests, and an HTTP Over Secure Socket Layer (HTTPS) handler application (not shown) for handling secure connections.
- SMTP Simple Mail Transfer Protocol
- HTTP Hypertext Transfer Protocol
- HTTPS HTTP Over Secure Socket Layer
- Server 102 the embodiment includes input/output interface 268 for communicating with external devices, such as a mouse, keyboard, scanner, and other input devices not shown in FIG. 2 .
- server 102 may further include additional mass storage facilities such as CD-ROM/DVD-ROM drive 262 and hard disk drive 252 .
- Hard disk drive 252 is utilized by server 102 to store application programs, databases, and program data used by the network server 204 to be loaded into RAM 244 for execution, and the like.
- Detector databases described in more detail below
- audio databases and image databases, and the like may be stored.
- Server 102 includes AIS detection unit 114 (as described in an embodiment with reference to FIG. 8 ) and in an embodiment Artificial Epidemiological Control (AEC) unit 1208 (described with reference to FIG. 12 .) Servers that include an AIS detection unit 114 ask questions of, and receive responses from, clients. These questions take the form of “detectors”, which are any identifying characteristic of an executing program.
- AIS detection unit 114 as described in an embodiment with reference to FIG. 8
- AEC Artificial Epidemiological Control
- client 106 includes network interface unit 302 for connecting to a LAN, VLAN, or WAN, or for connecting remotely to a LAN, VLAN, or WAN.
- Network interface unit 302 includes necessary circuitry for such a connection, constructed for use with various communication protocols including the TCP/IP protocol, the particular network configuration of the LAN, VLAN, or WAN it is connecting to, and a particular type of coupling medium.
- Network interface unit 302 may also be capable of connecting to the Internet through a point-to-point protocol (PPP) connection or a Serial Line Internet protocol (SLIP).
- PPP point-to-point protocol
- SLIP Serial Line Internet protocol
- modem 330 is in communication with central processing unit 314 via bus 322 and enables server 102 to place a call to or receive a call from a telephone number.
- Modem 330 may be a wired and/or wireless telephonic device capable of transmitting voice and/or data.
- Client 106 includes BIOS 326 , central processing unit 314 , video display adapter 308 , and memory.
- the memory generally includes random access memory (RAM) 310 , read-only memory (ROM) 304 and a permanent mass storage device, such as disk drive 318 .
- the memory stores operating system 312 and other application programs 334 , for controlling the operation of client 106 .
- the memory also includes client software process 108 , and client presenter 116 for managing the information provided by server 102 in response to requests by clients 106 .
- the application programs, software processes, and content are stored on a computer-readable medium.
- Input/output interface 320 may also be provided for receiving input from a mouse, keyboard, or other input device.
- modem 330 are all connected to central processing unit 314 via bus 322 . Additionally, modem 330 may be a wired or wireless telephonic device capable of transmitting data and/or voice communications. Other peripherals may also be connected to central processing unit 314 in a similar manner.
- an embodiment of a detector 110 includes an illustrative detector 400 .
- the detector 400 consists of a sequence of file system calls generated by an executing program, which can be either exactly or partially matched by a currently executing program's (or process's) audited file system calls, depending upon the given matching executing algorithm (rule).
- one or more matching rules are associated with detector 110 and are employed in determining how stringent a given sequence of computer system calls must be matched before a match is validated. For example, for a sequence of eight system calls, one possible matching rule is that the sequence matches if any of six of the eight calls is matched, i.e. a detector 110 is sent, and a received response 112 matches. Another possible matching rule is to require the first six system calls in the sequence included within detector 400 to match.
- a matching rule may be employed that describes a set of possible matches, such as: OPEN/*/READ/CLOSE/READ/WRITE/*/IOCONTROL where the ‘*’ denotes that the algorithm classifies a match regardless of what system call sequence arises after the “OPEN” and “WRITE” system calls in detector 110 .
- the length of a given sequence of system calls within detector 110 may be any length such as eight. It has been determined that by varying the lengths of a sequence of system calls it may be more difficult to discern the meaning of detector 110 , thereby improving the security, and effectiveness of the present invention.
- sequence calls are numerically encoded and combined into a number for transmission to and/or storage on client 106 .
- Encoding the sequence calls is directed at obscuring the meaning of detector 110 further, as the number may have different meanings based on the algorithm employed to encode the sequence, thus making it more difficult for a client side user to determine how the invention functions.
- Encoding schemes for the sequence calls may be implemented in a variety of ways depending upon the number of system calls in a given sequence, the format of the detector rules, and the like.
- a generic hashing function may be employed to encode the system calls within detector 110 , without departing from the scope or spirit of the present invention.
- detector 110 Three varieties of detector 110 are illustratively described herein.
- a self-detector is a system call fragment that is typically located in a complete self-database, i.e., a database that includes a set of possible sequences of system calls seen in the normal execution of client software process 108 . If a common self-detector is employed as a “behavioral question” to client software process 108 running on client 106 , client software process 108 is to provide a response that indicates an acknowledgment that the self-detector has been found in its audit log (not shown).
- detector 110 is a memory detector.
- a memory detector is a system call sequence that has already been associated with unauthorized software alterations. These detectors are typically taken from an AEC database, and are typically employed to detect recurrent unauthorized software alterations.
- detector 110 is a novel detector.
- a novel detector is a system call sequence that is a possible behavioral anomaly, but has not previously been seen. They are employed to recognize new unauthorized software alterations.
- detector 110 While three varieties of detector 110 have been described above, the present invention is not so limited. For example, detectors composed of only non-system calls, or a combination of system and non-system calls, and the like, may be employed, without departing from the spirit or scope of the invention.
- server 102 communicates detector 110 to client 106 over network 104 .
- Positive or negative responses 112 in turn are communicated to server 102 , depending on whether the detectors have been matched by the audited system call fragments of client software process 108 on client 106 .
- the AIS detection unit 114 on server 102 evaluates client's responses 112 to determine the authorization status of client's executing software 108 .
- AIS detection unit 114 If server 102 communicates common self-detectors to client 106 , AIS detection unit 114 expects to receive a positive response 112 from client 106 , thereby confirming the ability of client 106 to respond. By transmitting non-self detectors (i.e., memory or novel detectors), AIS detection unit 114 is enabled to test for illegal behavior of client software process 108 . Negative responses to the non-self detectors may be expected of an authorized client software process 108 . Positive responses to some non-self, novel detectors may be expected of a client with an unauthorized software alteration that has not yet been documented. Positive responses to some non-self memory detectors may be expected in the case of a client that is executing an unauthorized software alteration documented in the memory database (not shown).
- non-self detectors i.e., memory or novel detectors
- the client-side detector generation system 500 includes client detector generator 502 .
- Client detector generator 502 is in operation executing a program within client 106 that is coupled to, and communicates with client's software process 108 , or it may be a component of the client's software process 108 .
- the operating environment shown in FIG. 5 operates in substantially the same manner as the operating environment shown in FIG. 1 , except that client detector generator 502 provides “behavioral questions” in the form of self and non-self (i.e., novel and memory) detectors to client executing program 108 .
- Responses 112 from client executing program 108 are communicated through network 104 to AIS detection unit 114 .
- sequences of audited system calls 602 are communicated through network 104 to AIS detection unit 114 .
- Audited system calls 602 are compared against a client software process self-database (not shown) included in AIS detection unit 114 to determine if a significant portion of client software execution behavior is abnormal.
- Audited system calls 602 are transmitted to server 102 by client's software process 108 or by a separate watchdog process (not shown).
- the present invention as portrayed with respect to FIG. 1 , FIG. 5 , and FIG. 6 , is not limited to a network connection and server implementation.
- the fidelity of client's software process 108 may be determined without the presence of network 104 and server 102 .
- a separate process substantially similar to AIS detection unit 114 in execution may co-exist on client 106 for evaluating responses to detectors, without departing from the spirit or scope of the invention.
- detectors 110 are transmitted to client's software process 108 to detect possible illegal software alterations.
- AIS detection unit 114 transmits the three types of detectors 110 described above, whereas in FIG. 5 , client detector generator 502 transmits detectors 110 to client's software process 108 .
- detector 110 responds either to positive matches or to both positive and negative matches.
- Response 112 is bounded by a specified time window within which a matching response is permitted to occur.
- detectors 110 are provided with a life span or length of time that detector 110 is considered active.
- a life span for detectors 110 an efficiency of usage is provided, such that a predetermined number of detectors are active at any given time. This is directed at reducing the processing time to evaluate the set of currently active detectors.
- the determination of the detector death rate may be implemented in a variety of approaches.
- the death rate of a given detector could be a simple timer, or a function of the number of client responses transmitted, the number of memory detectors already on server 102 , the number of positive client responses, the number of audited system calls, or the like, without departing from the scope or spirit of the invention.
- the present invention employs an AIS detection unit substantially similar to the one described above.
- the present invention also employs detectors that are substantially similar to detector 400 .
- these new detectors include additional information directed at detecting predetermined processes that are running virtually at the same time, thus essentially eliminating the screen scraper problem described in the streaming video example.
- an embodiment of a detector 700 as an instance of a detector 110 includes a sequence of file system calls that are substantially similar to the system calls of the detector 400 shown with reference to FIG. 4 .
- the detector 700 may be classified as one of the varieties described above (i.e., memory, self, novel).
- the detector 700 includes an additional data field comprising data to specify the media associated with the file system calls.
- the AIS is enabled to determine whether a virtually simultaneously running process is accessing the media to be protected, thus improving detection of potential unauthorized execution and replication.
- an embodiment of the present invention includes an Artificial Epidemiological Control (AEC) component.
- the AEC component is directed at adaptively responding to widespread unauthorized client behavior by generating memory detectors of unauthorized client behaviors, and sharing information about the unauthorized client behaviors among other servers.
- the AEC component is enabled to obtain information about previously encountered unauthorized software use from many different clients. With a working memory, virtually identical or substantially similar unauthorized software alterations on one client may be more efficiently detected on other clients.
- system 800 includes server 102 , network 104 , and clients 106 A-C .
- Clients 106 A-C include software processes 108 A-C for which the integrity is to be determined.
- Software processes 108 A-C are substantially similar to client software process 108 described above. Additionally, clients 106 A-C are each substantially similar to client 106 described above with reference to FIG. 3 .
- Server 102 includes novel database 802 , self-fragment database 804 , memory fragment database 806 , and evaluator 808 .
- Novel database 802 , self-fragment detector database 804 , and memory fragment detector database 806 are coupled to, and in communication with, client software processes 108 A-C , to provide a series of detectors 110 .
- Client software processes 106 A-C are coupled to evaluator 808 through network 104 and are enabled to provide a series of response(s) 112 to evaluator 808 .
- memory fragment database 806 includes storage of identified unauthorized software behaviors and alterations.
- the storage of the information about unauthorized software alterations and behaviors is typically in the form of memory detector 110 .
- Memory detector 110 may be stored in a cluster or grouping based on at least one criterion, such as their tendency to occur together if an illegal process is copied from one client to another client.
- the AIS detection unit 114 transmits a mix of self-detectors, novel detectors, and memory detectors through network 104 to client 108 A (or 108 B or C )
- Client software process 108 A may provide response 112 that includes a previously unseen unauthorized software alteration or behavior.
- Response 112 is transmitted to evaluator 808 through network 104 , where evaluator 808 determines whether there is an inappropriate client response 112 to detector 110 .
- Evaluator 808 groups the inappropriate responses together into a memory (not shown) and merges the memory into memory fragment database 806 .
- the added memory detectors are subsequently sent to other clients 106 B-C that are in communication with server 102 . In this manner, substantially identical or similar software alterations and behaviors are rapidly detected throughout clients 106 A-C .
- AEC system 800 with its memory fragment database 806 enables the enhanced classification and detection of previously encountered unauthorized software alterations, behaviors, and unauthorized software use more quickly and more thoroughly than systems without such arrangements.
- This strengthening of the AIS system described above is a result of sending clients 106 A-C many groups or clusters of memory detectors 110 from the memory fragment database 806 , self-fragment detector database 804 , and memory fragment detector database 806 .
- the potentially unauthorized client 106 A, B, or C may be sent additional memory detectors 110 associated with originally transmitted memory detector 110 .
- Client response(s) 112 to additional memory detectors 110 or novel detectors 110 provide for the classification of client 106 A-C into one of three potential classes.
- the first class is based on a previously encountered unauthorized client software process 108 A-C behavior.
- the second class of client response(s) 112 is based on newly-discovered unauthorized client software process 108 A-C use, alteration, or behavior.
- the third class of client response(s) 112 is for clients that may have demonstrated a short anomalous behavior that has been observed for an unknown reason, or has not demonstrated itself through its responses as an authorized client.
- client response 112 is of the first response class
- the presence of positive responses to memory detector 110 is noted.
- the occurrence frequency of memory detector groupings is augmented or increased in the memory fragment database 806 .
- the frequency tabulations are retained to provide increased emphasis to unauthorized activities that are more commonly used or appear to be spreading rapidly.
- client response 112 When client response 112 is of the second response class, a memory detector grouping is generated, with new memory detector associations and potentially new detectors. When client response 112 is of the third response class, a memory detector match may be considered to have provided insufficient for the determination of unauthorized client-side behavior.
- the AIS/AEC Detection process 900 is employed to detect unauthorized behavior of a client's process, and to share information about unauthorized behavior with other substantially similar processes.
- the AIS and AEC Detection process 900 begins, after a start block, at block 902 where detectors are sent to a client process.
- the detectors are typically sent to the client process in response to a request for protected electronic media by the client. While the client process is accessing the protected electronic media, a mix of self-detectors, novel detectors, and memory detectors are also sent to the client process.
- the mix of detectors may also include detectors to determine whether any simultaneously running processes are attempting to scrape or suck the protected electronic media. Once the detectors are sent to the client process, the process moves to block 904 .
- responses to the sent mix of detectors are received from the client process.
- the responses may be in the form of positive or of negative responses, audited system call fragments, and the like.
- decision block 906 it is determined whether the client process has been altered without authorization, or is attempting to use the protected electronic media in an unauthorized manner, such that an unauthorized client process behavior exists.
- the responses from the client process are evaluated according to at least one of the matching rules that determine the criterion of a response match for determining whether a match is to be considered validated.
- the process control moves to block 914 , where the life-cycle information for the detectors is updated. Block 914 is described below in conjunction with FIG. 10 .
- the process returns to block 902 , where substantially the same actions discussed herein are performed.
- the process control moves to block 908 , where the detection of an unauthorized client process configuration is communicated to signify a potential infringement or unauthorized intrusion of the media.
- the communication of a potential infringement could result in terminating a transmission of the media to the client, a notifying to appropriate parties of the infringement, terminating the unauthorized client process, and the like.
- the process control moves to block 909 .
- the memory database is updated.
- the process control proceeds to block 910 , where detector database information is shared between servers. Block 910 is described in FIG. 11 and the related discussion.
- the logical flow of AIS and AEC process 900 proceeds to block 912 .
- updated detectors are sent to substantially similar client processes on other clients. In this way, other client processes may be examined for identical or substantially similar unauthorized client behavior, thereby more rapidly detecting inappropriate or unauthorized behavior across several client processes. Additionally, at block 912 , the original determined unauthorized client process may be sent updated detectors to provide further probing of unauthorized activities or usages of the electronic media.
- a process begins at decision block 1002 where a determination is made whether a detector has reached its end of life.
- the process control advances to block 1004 where the detector is terminated or killed. Upon completion of block 1004 , the process control returns to block 902 (shown in FIG. 9 ) where substantially the same actions discussed above are performed.
- the process control advances to decision block 1006 , where a determination is made whether the unauthorized client process behavior has been encountered before.
- process control is transferred to block 1008 .
- the frequencies of observation of detectors are updated based on the frequencies of identified unauthorized client process behaviors.
- the frequency tabulations are retained to provide an increased emphasis on more commonly employed or more rapidly spreading unauthorized client process behaviors.
- the result of block 1008 may be to adjust the transmission frequency of particular detectors or mixes of detectors sent at block 912 in FIG. 9 .
- the process control advances to block 1014 .
- decision block 1006 determines whether the unauthorized client process has not been encountered before. If it is determined at decision block 1006 that the unauthorized client process has not been encountered before, the process control is transferred to decision block 1010 , where a determination is made as to whether the unauthorized client behavior is newly discovered to this process.
- decision block 1010 determines whether the unauthorized client process behavior is be substantial enough for the detection of infringements, alterations of electronic media, and the like.
- the changes to the frequency of detectors, and information about new detectors are retained in a database. Additionally, at block 1014 , the life span information for detectors is updated in the database of detectors. Upon completion of block 1014 , the process control returns to block 902 (shown in FIG. 9 ) where substantially the same actions discussed above are performed.
- a process 1100 begins after a start block, at block 1102 , where memory detectors from a set of memory databases are grouped along with the detectors' associated matching rules. The groupings are sent to other servers. After block 1102 , process control moves to block 1104 .
- process control moves to block 1110 .
- detectors that are matched, and determined to already exist in some form in one or more of the recipient's databases are discarded. Discarding duplicate detectors avoids problems that may arise if the duplicate detectors have associated with them different matching algorithm(s) (rules) than the algorithm(s) of the recipient's detectors.
- the process control proceeds to block 1108 .
- the new memory detector and its associated matching rules are retained by merging them into the recipient's pre-existing memory database. In this manner, the sharing of detectors between databases of detectors improves the likelihood of detecting unauthorized client process behaviors on a larger scale.
- the process control returns to block 912 in FIG. 9 to perform other actions.
- a multi-server communications AEC process 1200 includes servers 102 X-Z , and network 104 .
- Each server 102 X-Z includes an AEC unit 1208 X-Z .
- Servers 102 X-Z are each substantially similar to server 102 portrayed with reference to FIG. 2 .
- each server 102 X-Z may be in communication with a plural number of clients.
- a network arrangement of servers and clients may range from mostly overlapping the communications with clients to communicating with distinct client sets.
- Each server 102 X-Z is coupled to network 104 , which provides a communications path between each other server 102 X-Z .
- networks and servers may comprise a vast number of such interconnected networks, servers, and clients (not shown) and other interconnections may be employed without departing from the spirit or scope of the present invention.
- server 102 X transmits through network 104 , memory detector group(s) 1202 X to servers 102 Y and 102 Z , while server 102 Z transmits through network 104 memory detector group(s) 1202 Z to servers 102 X and 102 Y .
- server 102 Y when a server, such as server 102 Y , currently does not have new memory detector group(s) to share, that server remains a recipient of other servers' memory detector group(s) 1202 X, Z .
- each server may share its memory groups at some random update period that is independent of the other servers' update period, without departing from the spirit or scope of the invention.
- the establishment of memory detector databases enables servers to increase the speed and thoroughness of detecting previously seen illegal client software configurations.
- the multi-server communications AEC architecture 1200 scales up this benefit in a more encompassing approach to networks of servers by enabling the sharing of detectors between servers. This embodiment of the present invention therefore provides for the obstruction of the spread of unauthorized software alterations between clients that communicate with other servers on the AEC network.
- server 102 X-Z on network 104 receives the memory detector groups 1202 X-Z , the server's AEC unit 1208 evaluates them against the recipient's self-database according to the recipient server's matching rule.
- a memory detector evaluation system 1300 includes server 102 and memory detector groups 1202 .
- Server 102 is in communication with other servers as shown in FIG. 12 , and receives memory detector groups 1202 from those servers as described above.
- Server 102 includes AEC unit 1208 , which in turn includes a set of matching algorithm(s) (rules) 1306 , garbage collector process 1302 , and portions of self-fragment database 804 and memory-fragment database 806 .
- Self-fragment database 804 is coupled to and communicates with garbage collector process 1302 and memory-fragment database 806 .
- self-database 604 is coupled to a set of matching algorithms (rules) 1306 .
- each server 102 that shares memory detectors may have a different set of matching rules 1306 from other servers 102 .
- an incoming memory detector group 1202 is tested against self-fragment database 804 of the recipient server. If memory detector 110 within memory detector group 1202 is matched to a fragment in the recipient's self database, according to the recipient's set of matching rules 1306 , that detector 110 G is transmitted to garbage collector process 1302 where detector 110 G is discarded. This avoids the likelihood of false positive detections that may arise due to varying matching rules.
- memory detector 110 within received memory detector group 1202 is determined to be unmatched to recipient's self-fragment database 804 , memory detector 110 is transmitted to memory-fragment database 806 where it is merged into server's 102 pre-existing set of detectors.
- the result of this exchange of memory detector groups 1202 between servers enables the scaled-up detection of previously seen illegal software configurations and an improved likelihood of obstructing spreads of illegal software alterations between more clients.
- an integrated AIS/AEC system 1400 includes servers 102 X-Y , network 104 , and clients 106 A-C .
- Clients 106 A-C include software processes 108 A-C , respectively.
- Server 102 X includes novel database 802 X , self-fragment database 804 X , memory fragment database 806 X , evaluator 808 X , and AEC unit 1208 X as described above with reference to FIGS. 8, 12 , and 13 .
- Server 102 Y includes novel database 802 Y , self-fragment database 804 Y , memory fragment database 806 Y , evaluator 808 Y , and AEC unit 1208 Y as described above with reference to FIGS. 8, 12 , and 13 .
- Servers 102 X-Y are coupled to network 104 and communicate detectors 110 to the respective clients' software processes 1108 A-C . As shown, server 102 Y is enabled to communicate with clients 106 B-C , while server 102 X is enabled to communicate with client 106 A .
- Clients 106 A-C are coupled to the network 104 and communicate response(s) 112 to the appropriate server 102 X or Y through network 104 .
- servers 102 X-Y communicate with each other through network 104 to provide sets of memory groups 1202 X-Y to the other server 102 X or Y .
- the integrated AIS/AEC system 1400 enables adaptation over time by providing for the identification of previously unseen, and unauthorized, software operations within a client software process 108 as “non-self” actions while providing for the sharing throughout the network of servers of previously seen unauthorized software operations.
- the AIS component of integrated AIS/AEC system 1400 enables the detection of a broad range of security-compromising software activity as well as the detection of more direct hostile attacks upon the integrity of the system 1400 .
- the employment of self, memory, and novel detectors 110 , in a “dialog” between server 102 X-Y and client 106 A-C enables detection of not only attempts to subvert software but also attempts to subvert the AIS itself. Moreover, by providing detector deaths, the impact of the AIS components' processor usage may be minimized.
- the AEC component of the integrated AIS/AEC system 1400 enables detection of the spread of compromised software as well as the development of data attacks by sharing information between servers 102 X-Y .
- the employment of databases of detectors ( 802 X-Y , 804 X-Y , and 806 X-Y ) is directed at enhancing the efficiency of identification of previously encountered subversions, and the sharing of this information between servers provides broader protection among a population of clients 106 A-C .
- the present invention has identified other specific embodiments that may be directed towards improving the operational efficiency or speed with which the invention identifies a security-compromising client configuration.
- non-self detectors may need to be generated and compared with logged file system calls to determine the presence of potential matches.
- the stringency of matching is determined by the stringency of the matching rules. For example, an illustrative detector length of say eight system calls, a matching rule that would require two consecutive file system calls to be substantially identical to the logged system call fragment would be less stringent than a matching rule that requires seven of the eight consecutive system calls to match. Thus, a less stringent detector-matching rule would match a larger number of logged sequences, and consequently cover a larger area of non-self space.
- the present invention specifically includes, that the non-self space may be covered more efficiently. That is, instead of all the detectors employing the same matching rule, and thereby covering the non-self space in equally sized partitions, the present invention takes advantage of the heterogeneity of non-self space. In this approach, different detectors with different matching rules, allow certain larger areas of non-self space to be covered with a relatively small number of low-stringency-rule detectors, and certain small partitions or crevices of non-self space to be covered with higher-stringency-rule detectors.
- the speed is increased for evaluating the presence of a match between the detector and log fragment, by employing a comparison algorithm such as the Rabin-Karp algorithm and the like.
- Algorithms such as the Rabin-Karp employ prime numbers and sliding windows on the system calls to considerably shorten the amount of time required to evaluate string matches.
- an adaptive rule-leaming algorithm is employed. Specific matching rules are evolved through training on the self-data, and these rules are then employed to more rapidly identify unauthorized client configurations. More general rules may be extracted from analysis of the self-database and directed at covering a larger portion of the search space by generating rules that match key elements of recurring patterns of system calls, rather than specific system calls. As described above, the ‘*’ token provides an example of the generation of a more generalized rule.
- Such generalized rules may be developed to describe larger parts of the non-self space, to cover as large a portion of the space being searched as feasible with the least number of rules, thus improving the efficiency of the detector comparisons.
- Embodiments of the present invention include program operations stored on a machine readable medium.
- a machine readable storage medium includes any mechanism that provides (i.e. stores and/or transmits) information such as computer readable instructions, data structures, program modules, or other data; in a form readable by a machine (e.g. a computer).
- a machine readable medium includes read only memory (ROM), random access memory (RAM), magnetic storage media, optical storage media, flash memory devices and other solid state electronic memory devices, electrical, optical, acoustical or other propagated signals (e.g. carrier waves, infrared signals, digital signals, etc.) etc.
Abstract
Description
- This utility patent application is a continuation U.S. patent application Ser. No. 10/020,524 filed on Dec. 14, 2001, entitled “Method And Apparatus For Protection Of Electronic Media,” the benefit of which is claimed under 35 U.S.C. §120, and further claims the benefit under 35 U.S.C. §119(e) of U.S. Provisional Application No. 60/255,851 filed on Dec. 14, 2000, each of which are incorporated herein by reference.
- The present invention relates to computer readable data storage and more particularly to copy protection and data integrity of computer readable data.
- There has been much attention focused on the protection of copyrighted computer readable media, including image, audio, and video, through tests on the integrity of the media and the legality of the software with which the media is associated.
- Traditional copy protection methods that secure electronic media such as images, audio, and video include a variety of methods such as standard encryption and data marking.
- Standard encryption technologies have been used in the protection of electronic media sent over networks. These technologies encrypt a stream of data on the server side and then decrypt the data on the client side, in order to deter the understanding and the stealing of the data by a third party who has access to the network.
- The process of “watermarking” electronic media has been another security measure implemented to deter the frequency of illegal media copying. Typically, watermarking tools place transparent and unique identifiers onto visual content and then enable the watermarked images to be more tightly controlled by their creators.
- Other copy protection schemes have focused on actively protecting media from unauthorized viewing or copying, in addition to simply labeling the media with ownership and copyright information. Such schemes typically include the use of secure containers for electronic media and some form of encryption.
- There has even been an attempt recently to establish a Global Unique Identifier that would allow media providers to link Secure Digital Music Initiative (SDMI) files to a specific computer, and thereby limit a user's ability to copy the files.
- Moreover, artificial immune systems (AISs) have been designed to notice malign virus (worm, Trojan horse) entry into a computer or a computer network.
- Briefly stated, the present invention is a system, an article, and a method to detect unauthorized client behaviors and the communication of the unauthorized client behaviors. A variety of detectors are sent to a client process and the responses are evaluated to detect the presence of an unauthorized software behavior on the client. Unauthorized behavior includes alteration of a client process as well as simultaneously running processes that may enable unauthorized copying of the protected electronic media. Communication of unauthorized software behavior includes sharing of detectors among servers on a network, and the sending of detectors to other clients to detect previously unseen unauthorized behaviors on the other clients.
- In accordance with one illustrative aspect of the present invention, a method includes sending at least one detector to a client process, receiving a response to the detector from the client process, detecting a presence of an unauthorized software behavior on the client based upon the response, and updating a database of detectors for a previously unseen and unauthorized behavior of the process such that the database evolves over time.
- In another illustrative aspect of the present invention, a method includes exchanging sets of memory detectors between servers during an update period, evaluating the received set of memory detectors against a recipient's self database and a set of matching rules, discarding memory detectors in the received set of memory detectors that match a detector in the recipient's self database, and merging the remaining memory detectors with the existing memory database.
- In another illustrative aspect of the present invention, a system includes a server to send media to a client; and an application (computer program) to perform actions when executed that include sending a detector to the client, receiving a response to the detector from the client, detecting a presence of an unauthorized process behavior on the client based on the response and a matching rule associated with the detector, and updating a database of detectors for a previously unseen unauthorized process behavior on the client such that the database adapts based on the response.
- In still another illustrative aspect of the present invention, a machine readable medium provides instructions which, when executed by at least one processor, cause the processor to perform operations that include sending at least one detector to a client process (or executing program), receiving a response to the detector from the client process, detecting a presence of an unauthorized software behavior on the client based upon the response and a matching rule that is associated with the detector sent; and updating a database of detectors for a previously unseen and unauthorized behavior of the process such that the database adapts the detector based upon the detector response.
- Other features and advantages of the present invention will become apparent from the following Detailed Description of the Invention read in conjunction with the accompanying drawings.
- Non-limiting and non-exhaustive embodiments of the present invention are described with reference to the following drawings. In the drawings, like reference numerals refer to like parts throughout the various figures unless otherwise specified. The order of description in flow diagrams should not be construed as to imply that these operations are necessarily order dependent.
- For a better understanding of the present invention, reference will be made to the following Detailed Description of the Invention, which is to be read in association with the accompanying drawings, wherein:
-
FIG. 1 is a block diagram of an embodiment of the present invention implemented by a server and a client, coupled through a network, to detect unauthorized software execution; -
FIG. 2 is a block diagram of an embodiment of a server computer as portrayed inFIG. 1 ; -
FIG. 3 is a block diagram of an embodiment of a client computer as portrayed inFIG. 1 ; -
FIG. 4 is a diagram of an embodiment of a detector type; -
FIG. 5 is a block diagram of an embodiment of the present invention implemented by a server and a client, coupled through a network, in which the client includes a detector generator; -
FIG. 6 is a block diagram of an embodiment of the present invention implemented by a server and a client, coupled through a network, having a client generation of audited system calls; -
FIG. 7 is a diagram of an embodiment of a detector type with process data identity fragments; -
FIG. 8 is a block diagram illustrating an embodiment of Artificial Epidemiological Control (AEC) component; -
FIG. 9 is a flow diagram of an embodiment of an Artificial Immune System (AIS) process; -
FIG. 10 is a flow diagram illustrating an embodiment of a process of updating detector life-cycle information; -
FIG. 11 is a flow diagram illustrating an embodiment of an AEC process to share information about unauthorized client process behaviors to augment detection of apparent widespread unauthorized client process behaviors; -
FIG. 12 is a block diagram of an embodiment of a multi-server communication AEC architecture to enable servers coupled to a network to communicate portions of stored memory as memory detector set(s) to other network coupled server(s); -
FIG. 13 is a block diagram of an embodiment of an operating environment to evaluate received memory detectors; and -
FIG. 14 is a block diagram of an embodiment of an operating environment with an AIS and AEC, in accordance with the present invention. - Throughout the specification, and in the claims, the term “connected” means a direct electrical connection between the things that are connected, without any intermediary devices. The term “coupled” means either a direct connection between the things that are connected, or an indirect connection through one or more passive or active intermediary devices. The meaning of “a,” “an,” and “the” include plural references. The meaning of “in” includes “in” and “on.” Additionally, a reference to the singular includes a reference to the plural unless otherwise stated or inconsistent with the disclosure.
- Briefly stated, the present invention is directed to a method and system of copy protection and data integrity for computer readable media. Protection of computer readable media includes detection of unauthorized software behavior, and communication of the detection of unauthorized software behavior. Unauthorized behaviors include alteration of a client process as well as simultaneously running processes that may enable unauthorized copying of protected media.
- Artificial Immune System (AIS) Operational Environment
- The present invention has identified that a computer system implemented analogy of a biological system to respond to a foreign body infection, termed herein an Artificial Immune System (AIS), may be employed to monitor software behavior for unauthorized software operations such as copy protection and data integrity. The AIS is premised on the concept that both living entities and computers encounter continuously changing deleterious foreign matter against which they must defend themselves. In the case of living entities, that foreign matter includes viruses, bacteria, and other pathogens that evolve through a process of natural selection. Living entities accomplish this feat by recognizing the “self” (e.g., all the proteins that constitute the living entity) and considering things that fall outside of this category to be potentially harmful. In the case of computers, that foreign matter includes viruses, worms, and Trojan horses that are generated within a computing system and may spread from one computer system to another, leaving a trail that may cause computer system software to be infected and to execute abnormally. In the present invention, a computer system recognizes unauthorized copying and storing of data through the determination of abnormal client process behavior.
- Referring to
FIG. 1 , server-baseddetector system 100, includes aserver 102, anetwork 104, aclient 106, detector(s) 110, and response(s) 112.Server 102 includes anAIS detection unit 114.Client 106 includes an executingclient software process 108, which is to be examined, andclient presenter 116. - The
server 102 is coupled tonetwork 104 and is described in more detail with reference toFIG. 2 below.Client 106 is also coupled tonetwork 104 and is described in more detail with reference toFIG. 3 below. - In the embodiment portrayed with reference to
FIG. 1 ,network 104 can employ any form of network media for communicating information from one electronic device to another. Also, thenetwork 104 can include the Internet in addition to local area networks (LANs), wide area networks (WANs), direct connections, such as through a universal serial bus (USB) port, forms of computer-readable media, or any combination thereof. On an interconnected set of LANs, including those based on differing architectures and protocols, a router acts as a link between LANS, enabling messages to be sent from one to another. Also, communication links within LANs typically include twisted wire pair or coaxial cable, while communication links between networks may utilize analog telephone lines, full or fractional dedicated digital lines including T1, T2, T3, and T4, Integrated Services Digital Networks (ISDNs), Digital Subscriber Lines (DSLs), wireless links including satellite links, or other communications links known to those skilled in the art. Furthermore, remote computers and other related electronic devices might be remotely connected to either LANs or WANs via a modem and temporary telephone link. A remote computer may act in a number of ways, including as an internet (content) server or a client with an application program. - It will be appreciated that
network 104 may comprise a vast number of such interconnected networks, computers, and routers. As shown,server 102 andclient 106 are in communication throughnetwork 104, which provides a path between the executingclient software process 108 and the embodiment of theAIS detection unit 114. -
Server 102 provides access to information, such as streaming media, and services throughnetwork 104 toclient 106. Whileclient 106 may be receiving information fromserver 102,server 102 may also transmit through network 104 a series ofdetectors 110 toclient presenter 116.Client presenter 116 in turn presentsdetectors 110 toclient software process 108 residing onclient 106.Client 106 communicatesresponses 112 todetectors 110 throughnetwork 104 for evaluation byAIS detection unit 114. The communication ofdetectors 110 andresponses 112 betweenclient 106 andserver 102 may occur without the user's knowledge. - Referring to
FIG. 2 , aserver 102 enables the operation ofnetwork server 204 on network 104 (FIG. 1 ) for access by a client, such asclient 106. Accordingly,server 102 enablesnetwork server 204 to respond to requests for information by aclient software process 108, or other application programs 334 (FIG. 3 ), which are running on client 106 (FIG. 3 ). For instance,server 102 can stream data, drawings, pictures, figures, graphics, movies, audio files, animations, and the like in response to a request for information. These transactions can take place across a closed or open network, such as the Internet. Theserver 102 may include many more components than those shown. As illustrated inFIG. 2 ,server 102 can communicate with a network, vianetwork interface unit 266 for use with and according to, communication protocols such as TCP/IP protocol. -
Server 102 in an embodiment includesprocessing unit 242,video display adapter 260, and a mass memory, all in communication with each other viabus 264. The mass memory generally includesRAM 244, non-volatile memory, such as aROM 256, and one or more permanent mass storage devices, such ashard disk drive 252, tape drive, optical drive, and/or floppy disk drive. The mass memorystores operating system 246 for controlling the operation ofserver 102. A general-purpose server operating system may be employed, e.g., UNIX, LINUX, WINDOWS NT®, or the like. Basic input/output system (“BIOS”) 258 is also provided for controlling the low-level operation of server 102.The mass memory also stores program code and data for providing a presence on a network. More specifically, the mass memory storesapplication programs 250, data (not shown), andnetwork server 204. Theseapplication programs 250 include computer executable instructions which, when executed bycentral processing unit 242, generate response messages and perform the logic described elsewhere in this specification. Theapplication programs 250 include programs that perform logical operations.Server 102 may also include a Simple Mail Transfer Protocol (SMTP) handler application (not shown) for transmitting and receiving e-mail, a Hypertext Transfer Protocol (HTTP) handler application for receiving and handing HTTP requests, and an HTTP Over Secure Socket Layer (HTTPS) handler application (not shown) for handling secure connections.Server 102 the embodiment includes input/output interface 268 for communicating with external devices, such as a mouse, keyboard, scanner, and other input devices not shown inFIG. 2 . Likewise,server 102 may further include additional mass storage facilities such as CD-ROM/DVD-ROM drive 262 andhard disk drive 252.Hard disk drive 252 is utilized byserver 102 to store application programs, databases, and program data used by thenetwork server 204 to be loaded intoRAM 244 for execution, and the like. For example, Detector databases (described in more detail below), audio databases, and image databases, and the like may be stored. -
Server 102 includes AIS detection unit 114 (as described in an embodiment with reference toFIG. 8 ) and in an embodiment Artificial Epidemiological Control (AEC) unit 1208 (described with reference toFIG. 12 .) Servers that include anAIS detection unit 114 ask questions of, and receive responses from, clients. These questions take the form of “detectors”, which are any identifying characteristic of an executing program. - Referring to
FIG. 3 ,client 106 includesnetwork interface unit 302 for connecting to a LAN, VLAN, or WAN, or for connecting remotely to a LAN, VLAN, or WAN.Network interface unit 302 includes necessary circuitry for such a connection, constructed for use with various communication protocols including the TCP/IP protocol, the particular network configuration of the LAN, VLAN, or WAN it is connecting to, and a particular type of coupling medium.Network interface unit 302 may also be capable of connecting to the Internet through a point-to-point protocol (PPP) connection or a Serial Line Internet protocol (SLIP). - Additionally,
modem 330 is in communication withcentral processing unit 314 viabus 322 and enablesserver 102 to place a call to or receive a call from a telephone number.Modem 330 may be a wired and/or wireless telephonic device capable of transmitting voice and/or data. -
Client 106 includesBIOS 326,central processing unit 314,video display adapter 308, and memory. The memory generally includes random access memory (RAM) 310, read-only memory (ROM) 304 and a permanent mass storage device, such asdisk drive 318. The memorystores operating system 312 andother application programs 334, for controlling the operation ofclient 106. The memory also includesclient software process 108, andclient presenter 116 for managing the information provided byserver 102 in response to requests byclients 106. The application programs, software processes, and content are stored on a computer-readable medium. Input/output interface 320 may also be provided for receiving input from a mouse, keyboard, or other input device. The memory,network interface unit 302,video display adapter 308, and input/output interface 320,modem 330 are all connected tocentral processing unit 314 viabus 322. Additionally,modem 330 may be a wired or wireless telephonic device capable of transmitting data and/or voice communications. Other peripherals may also be connected tocentral processing unit 314 in a similar manner. - Referring to
FIG. 4 , an embodiment of adetector 110 includes anillustrative detector 400. Here thedetector 400 consists of a sequence of file system calls generated by an executing program, which can be either exactly or partially matched by a currently executing program's (or process's) audited file system calls, depending upon the given matching executing algorithm (rule). - Referring again to
FIG. 1 , one or more matching rules (not shown) are associated withdetector 110 and are employed in determining how stringent a given sequence of computer system calls must be matched before a match is validated. For example, for a sequence of eight system calls, one possible matching rule is that the sequence matches if any of six of the eight calls is matched, i.e. adetector 110 is sent, and a receivedresponse 112 matches. Another possible matching rule is to require the first six system calls in the sequence included withindetector 400 to match. A matching rule may be employed that describes a set of possible matches, such as:
OPEN/*/READ/CLOSE/READ/WRITE/*/IOCONTROL
where the ‘*’ denotes that the algorithm classifies a match regardless of what system call sequence arises after the “OPEN” and “WRITE” system calls indetector 110. - It will be appreciated by one of ordinary skill in the art that the length of a given sequence of system calls within
detector 110 may be any length such as eight. It has been determined that by varying the lengths of a sequence of system calls it may be more difficult to discern the meaning ofdetector 110, thereby improving the security, and effectiveness of the present invention. - In another embodiment of the present invention, the sequence calls are numerically encoded and combined into a number for transmission to and/or storage on
client 106. Encoding the sequence calls is directed at obscuring the meaning ofdetector 110 further, as the number may have different meanings based on the algorithm employed to encode the sequence, thus making it more difficult for a client side user to determine how the invention functions. - Encoding schemes for the sequence calls may be implemented in a variety of ways depending upon the number of system calls in a given sequence, the format of the detector rules, and the like. For example, a generic hashing function may be employed to encode the system calls within
detector 110, without departing from the scope or spirit of the present invention. - Three varieties of
detector 110 are illustratively described herein. One variety ofdetector 110 is a self-detector. A self-detector is a system call fragment that is typically located in a complete self-database, i.e., a database that includes a set of possible sequences of system calls seen in the normal execution ofclient software process 108. If a common self-detector is employed as a “behavioral question” toclient software process 108 running onclient 106,client software process 108 is to provide a response that indicates an acknowledgment that the self-detector has been found in its audit log (not shown). - Another variety of
detector 110 is a memory detector. A memory detector is a system call sequence that has already been associated with unauthorized software alterations. These detectors are typically taken from an AEC database, and are typically employed to detect recurrent unauthorized software alterations. - Yet another variety of
detector 110 is a novel detector. A novel detector is a system call sequence that is a possible behavioral anomaly, but has not previously been seen. They are employed to recognize new unauthorized software alterations. - While three varieties of
detector 110 have been described above, the present invention is not so limited. For example, detectors composed of only non-system calls, or a combination of system and non-system calls, and the like, may be employed, without departing from the spirit or scope of the invention. - Operationally,
server 102 communicatesdetector 110 toclient 106 overnetwork 104. Positive ornegative responses 112 in turn are communicated toserver 102, depending on whether the detectors have been matched by the audited system call fragments ofclient software process 108 onclient 106. TheAIS detection unit 114 onserver 102 evaluates client'sresponses 112 to determine the authorization status of client's executingsoftware 108. - If
server 102 communicates common self-detectors toclient 106,AIS detection unit 114 expects to receive apositive response 112 fromclient 106, thereby confirming the ability ofclient 106 to respond. By transmitting non-self detectors (i.e., memory or novel detectors),AIS detection unit 114 is enabled to test for illegal behavior ofclient software process 108. Negative responses to the non-self detectors may be expected of an authorizedclient software process 108. Positive responses to some non-self, novel detectors may be expected of a client with an unauthorized software alteration that has not yet been documented. Positive responses to some non-self memory detectors may be expected in the case of a client that is executing an unauthorized software alteration documented in the memory database (not shown). Because a client is unlikely to know a priori whether a givendetector 110 should receive a positive or a negative response, an attempt by a user to alter a client to return a positive or a negative response without authorization is likely to fail, thus increasing the security of server-baseddetector system 100. - Referring to
FIG. 5 , the client-sidedetector generation system 500 includesclient detector generator 502.Client detector generator 502 is in operation executing a program withinclient 106 that is coupled to, and communicates with client'ssoftware process 108, or it may be a component of the client'ssoftware process 108. The operating environment shown inFIG. 5 operates in substantially the same manner as the operating environment shown inFIG. 1 , except thatclient detector generator 502 provides “behavioral questions” in the form of self and non-self (i.e., novel and memory) detectors toclient executing program 108.Responses 112 fromclient executing program 108 are communicated throughnetwork 104 toAIS detection unit 114. - Referring now to
FIG. 6 , sequences of audited system calls 602 are communicated throughnetwork 104 toAIS detection unit 114. Audited system calls 602 are compared against a client software process self-database (not shown) included inAIS detection unit 114 to determine if a significant portion of client software execution behavior is abnormal. Audited system calls 602 are transmitted toserver 102 by client'ssoftware process 108 or by a separate watchdog process (not shown). - It will be apparent to those skilled in the art, that the present invention as portrayed with respect to
FIG. 1 ,FIG. 5 , andFIG. 6 , is not limited to a network connection and server implementation. For example, ifdetectors 110 are retained onclient 106, then the fidelity of client'ssoftware process 108 may be determined without the presence ofnetwork 104 andserver 102. For example, a separate process substantially similar toAIS detection unit 114 in execution may co-exist onclient 106 for evaluating responses to detectors, without departing from the spirit or scope of the invention. - Referring now to both
FIG. 1 andFIG. 5 again, in operation thedetectors 110 are transmitted to client'ssoftware process 108 to detect possible illegal software alterations. InFIG. 1 ,AIS detection unit 114 transmits the three types ofdetectors 110 described above, whereas inFIG. 5 ,client detector generator 502 transmitsdetectors 110 to client'ssoftware process 108. In each embodiment,detector 110 responds either to positive matches or to both positive and negative matches.Response 112 is bounded by a specified time window within which a matching response is permitted to occur. - In another embodiment of the present invention,
detectors 110 are provided with a life span or length of time thatdetector 110 is considered active. By employing a life span fordetectors 110, an efficiency of usage is provided, such that a predetermined number of detectors are active at any given time. This is directed at reducing the processing time to evaluate the set of currently active detectors. - It will be apparent to one skilled in the art, that the determination of the detector death rate may be implemented in a variety of approaches. For example, the death rate of a given detector could be a simple timer, or a function of the number of client responses transmitted, the number of memory detectors already on
server 102, the number of positive client responses, the number of audited system calls, or the like, without departing from the scope or spirit of the invention. - Simultaneous Process Detection
- Securing media from copy by a client software process that may be directly involved in the display and control of media has been described. For example, with a video file that is streamed from
server 102 toclient 106, a user may use a media player software program asclient software process 108 to present the video stream. Asclient software process 108, the media player is tested for unauthorized alterations using theAIS detection unit 114 as described above. However, other software processes could compromise the security of the video stream once the stream reachesclient 106. For example, software processes that access content directly from the screen buffer and load that content into a file (“screen scrapers”) could be used to impermissibly copy the displayed video. - To protect against such attacks, the present invention employs an AIS detection unit substantially similar to the one described above. In addition, the present invention also employs detectors that are substantially similar to
detector 400. However, these new detectors include additional information directed at detecting predetermined processes that are running virtually at the same time, thus essentially eliminating the screen scraper problem described in the streaming video example. - It will be appreciated by those of ordinary skill in the art, that the invention is not limited to screen scrapers. For example, other virtually simultaneously running software processes that access sound data passed to a sound driver in a client (“speaker suckers”) may also be detected by the present invention.
- Referring now to
FIG. 7 , an embodiment of adetector 700 as an instance of adetector 110 includes a sequence of file system calls that are substantially similar to the system calls of thedetector 400 shown with reference toFIG. 4 . Thedetector 700 may be classified as one of the varieties described above (i.e., memory, self, novel). Thedetector 700 however, includes an additional data field comprising data to specify the media associated with the file system calls. By employingdetector 700, the AIS is enabled to determine whether a virtually simultaneously running process is accessing the media to be protected, thus improving detection of potential unauthorized execution and replication. - Artificial Epidemiological Control (AEC) Operational Environment
- Unauthorized software alterations may be passed along or even be mass distributed by users and clients, compromising the security of the media and their stored programs and data on a large scale. Therefore, to augment the efficacy of the AIS of the present invention described above, an embodiment of the present invention includes an Artificial Epidemiological Control (AEC) component. The AEC component is directed at adaptively responding to widespread unauthorized client behavior by generating memory detectors of unauthorized client behaviors, and sharing information about the unauthorized client behaviors among other servers.
- Because a server will typically distribute media to many different clients, the AEC component is enabled to obtain information about previously encountered unauthorized software use from many different clients. With a working memory, virtually identical or substantially similar unauthorized software alterations on one client may be more efficiently detected on other clients.
- Referring now to
FIG. 8 ,system 800 includesserver 102,network 104, andclients 106 A-C.Clients 106 A-C include software processes 108 A-C for which the integrity is to be determined. Software processes 108 A-C are substantially similar toclient software process 108 described above. Additionally,clients 106 A-C are each substantially similar toclient 106 described above with reference toFIG. 3 .Server 102 includesnovel database 802, self-fragment database 804,memory fragment database 806, andevaluator 808. -
Novel database 802, self-fragment detector database 804, and memoryfragment detector database 806 are coupled to, and in communication with, client software processes 108 A-C, to provide a series ofdetectors 110. Client software processes 106 A-C are coupled toevaluator 808 throughnetwork 104 and are enabled to provide a series of response(s) 112 toevaluator 808. - To increase the effectiveness of detection of unauthorized activity of software processes 108 A-C,
memory fragment database 806 includes storage of identified unauthorized software behaviors and alterations. The storage of the information about unauthorized software alterations and behaviors is typically in the form ofmemory detector 110.Memory detector 110 may be stored in a cluster or grouping based on at least one criterion, such as their tendency to occur together if an illegal process is copied from one client to another client. - In operation, the
AIS detection unit 114 transmits a mix of self-detectors, novel detectors, and memory detectors throughnetwork 104 to client 108 A (or 108 B or C)Client software process 108 A may provideresponse 112 that includes a previously unseen unauthorized software alteration or behavior.Response 112 is transmitted toevaluator 808 throughnetwork 104, whereevaluator 808 determines whether there is aninappropriate client response 112 todetector 110. -
Evaluator 808 groups the inappropriate responses together into a memory (not shown) and merges the memory intomemory fragment database 806. - The added memory detectors are subsequently sent to
other clients 106 B-C that are in communication withserver 102. In this manner, substantially identical or similar software alterations and behaviors are rapidly detected throughoutclients 106 A-C. -
AEC system 800 with itsmemory fragment database 806 enables the enhanced classification and detection of previously encountered unauthorized software alterations, behaviors, and unauthorized software use more quickly and more thoroughly than systems without such arrangements. This strengthening of the AIS system described above is a result of sendingclients 106 A-C many groups or clusters ofmemory detectors 110 from thememory fragment database 806, self-fragment detector database 804, and memoryfragment detector database 806. - Moreover, when
memory detector 110 is matched, the potentiallyunauthorized client 106 A, B, or C may be sentadditional memory detectors 110 associated with originally transmittedmemory detector 110. - Client response(s) 112 to
additional memory detectors 110 ornovel detectors 110 provide for the classification ofclient 106 A-C into one of three potential classes. The first class is based on a previously encountered unauthorizedclient software process 108 A-C behavior. The second class of client response(s) 112 is based on newly-discovered unauthorizedclient software process 108 A-C use, alteration, or behavior. The third class of client response(s) 112 is for clients that may have demonstrated a short anomalous behavior that has been observed for an unknown reason, or has not demonstrated itself through its responses as an authorized client. - When
client response 112 is of the first response class, the presence of positive responses tomemory detector 110 is noted. The occurrence frequency of memory detector groupings is augmented or increased in thememory fragment database 806. The frequency tabulations are retained to provide increased emphasis to unauthorized activities that are more commonly used or appear to be spreading rapidly. - When
client response 112 is of the second response class, a memory detector grouping is generated, with new memory detector associations and potentially new detectors. Whenclient response 112 is of the third response class, a memory detector match may be considered to have provided insufficient for the determination of unauthorized client-side behavior. - AIS/AEC Detection Processes
- Referring to
FIG. 9 , the AIS/AEC Detection process 900 is employed to detect unauthorized behavior of a client's process, and to share information about unauthorized behavior with other substantially similar processes. The AIS andAEC Detection process 900 begins, after a start block, atblock 902 where detectors are sent to a client process. The detectors are typically sent to the client process in response to a request for protected electronic media by the client. While the client process is accessing the protected electronic media, a mix of self-detectors, novel detectors, and memory detectors are also sent to the client process. The mix of detectors may also include detectors to determine whether any simultaneously running processes are attempting to scrape or suck the protected electronic media. Once the detectors are sent to the client process, the process moves to block 904. - At
block 904, responses to the sent mix of detectors are received from the client process. As described above, the responses may be in the form of positive or of negative responses, audited system call fragments, and the like. Afterblock 904, the process control advances to decision block 906, where it is determined whether the client process has been altered without authorization, or is attempting to use the protected electronic media in an unauthorized manner, such that an unauthorized client process behavior exists. - At
decision block 906, the responses from the client process are evaluated according to at least one of the matching rules that determine the criterion of a response match for determining whether a match is to be considered validated. Atdecision block 906, if the determination of an unauthorized client process behavior is negative, the process control moves to block 914, where the life-cycle information for the detectors is updated.Block 914 is described below in conjunction withFIG. 10 . Afterblock 914, the process returns to block 902, where substantially the same actions discussed herein are performed. - Alternatively, if it is determined at
decision block 906 that an unauthorized client process is detected, the process control moves to block 908, where the detection of an unauthorized client process configuration is communicated to signify a potential infringement or unauthorized intrusion of the media. The communication of a potential infringement could result in terminating a transmission of the media to the client, a notifying to appropriate parties of the infringement, terminating the unauthorized client process, and the like. Upon completion ofblock 908, the process control moves to block 909. - At block 909, the memory database is updated. The process control proceeds to block 910, where detector database information is shared between servers.
Block 910 is described inFIG. 11 and the related discussion. Upon completion of theblock 910 processing, the logical flow of AIS andAEC process 900 proceeds to block 912. - At
block 912, updated detectors are sent to substantially similar client processes on other clients. In this way, other client processes may be examined for identical or substantially similar unauthorized client behavior, thereby more rapidly detecting inappropriate or unauthorized behavior across several client processes. Additionally, atblock 912, the original determined unauthorized client process may be sent updated detectors to provide further probing of unauthorized activities or usages of the electronic media. - Upon completion of
block 912, the process control moves to block 914, where substantially the same actions discussed above are performed. - Detector Life-cycle Update Process
- Referring to
FIG. 10 , a process (described above with reference to block 914) begins atdecision block 1002 where a determination is made whether a detector has reached its end of life. - If the determination at
decision block 1002 is affirmative, the process control advances to block 1004 where the detector is terminated or killed. Upon completion ofblock 1004, the process control returns to block 902 (shown inFIG. 9 ) where substantially the same actions discussed above are performed. - Alternatively, if it is determined at
decision 1002 that the detector has not reached an end of its life cycle, the process control advances todecision block 1006, where a determination is made whether the unauthorized client process behavior has been encountered before. - At
decision block 1006, if the determination is affirmative, process control is transferred to block 1008. Atblock 1008, the frequencies of observation of detectors are updated based on the frequencies of identified unauthorized client process behaviors. The frequency tabulations are retained to provide an increased emphasis on more commonly employed or more rapidly spreading unauthorized client process behaviors. The result ofblock 1008 may be to adjust the transmission frequency of particular detectors or mixes of detectors sent atblock 912 inFIG. 9 . Upon completion ofblock 1008, the process control advances to block 1014. - Alternatively, if it is determined at
decision block 1006 that the unauthorized client process has not been encountered before, the process control is transferred todecision block 1010, where a determination is made as to whether the unauthorized client behavior is newly discovered to this process. - At
decision block 1010, if the determination is affirmative, the process control moves to block 1012. Atblock 1012, new detectors are created, with accompanying matching rules, to detect future occurrences of this new unauthorized client process behavior. Upon completion ofblock 1012, the process continues atblock 1014. - Alternatively, if it is determined at
decision block 1010 that the unauthorized client process behavior is not new or novel, the process control moves to block 1014. As part of the determination that the unauthorized client process behavior is not new or novel,decision block 1010 also determines whether the unauthorized behavior is be substantial enough for the detection of infringements, alterations of electronic media, and the like. - At
block 1014, the changes to the frequency of detectors, and information about new detectors are retained in a database. Additionally, atblock 1014, the life span information for detectors is updated in the database of detectors. Upon completion ofblock 1014, the process control returns to block 902 (shown inFIG. 9 ) where substantially the same actions discussed above are performed. - Sharing Memory Detector Databases
- Referring to
FIG. 11 , aprocess 1100 begins after a start block, atblock 1102, where memory detectors from a set of memory databases are grouped along with the detectors' associated matching rules. The groupings are sent to other servers. Afterblock 1102, process control moves to block 1104. - At
block 1104, memory detector groupings from the memory databases of other servers are received. The process control then moves todecision block 1106, where evaluations of the received detector groupings are performed. - If it is determined at
decision block 1106 that the received memory detector matches a detector in at least one of the recipient's memory databases, given the recipient's matching rules, and thus is not a new detector, process control moves to block 1110. Atblock 1110, detectors that are matched, and determined to already exist in some form in one or more of the recipient's databases, are discarded. Discarding duplicate detectors avoids problems that may arise if the duplicate detectors have associated with them different matching algorithm(s) (rules) than the algorithm(s) of the recipient's detectors. Upon completion ofblock 1110, the process returns to block 912 inFIG. 9 . - Alternatively, at
decision block 1106, if it is determined that a received memory detector is new to the recipient's memory database, the process control proceeds to block 1108. Atblock 1108, the new memory detector and its associated matching rules are retained by merging them into the recipient's pre-existing memory database. In this manner, the sharing of detectors between databases of detectors improves the likelihood of detecting unauthorized client process behaviors on a larger scale. Upon completion ofblock 1108, the process control returns to block 912 inFIG. 9 to perform other actions. - AEC Multi-Server Communications
- Referring to
FIG. 12 , a multi-servercommunications AEC process 1200 includesservers 102 X-Z, andnetwork 104. Eachserver 102 X-Z includes anAEC unit 1208 X-Z.Servers 102 X-Z are each substantially similar toserver 102 portrayed with reference toFIG. 2 . Although not shown, eachserver 102 X-Z may be in communication with a plural number of clients. Furthermore, a network arrangement of servers and clients may range from mostly overlapping the communications with clients to communicating with distinct client sets. Eachserver 102 X-Z is coupled tonetwork 104, which provides a communications path between eachother server 102 X-Z. - It will be appreciated that the configuration of networks and servers may comprise a vast number of such interconnected networks, servers, and clients (not shown) and other interconnections may be employed without departing from the spirit or scope of the present invention.
- In operation, during an update period,
server 102 X transmits throughnetwork 104, memory detector group(s) 1202 X toservers server 102 Z transmits throughnetwork 104 memory detector group(s) 1202 Z toservers server 102 Y, currently does not have new memory detector group(s) to share, that server remains a recipient of other servers' memory detector group(s) 1202 X, Z. - Although the present description refers to the sharing of memory groups between servers at substantially the same time, it is understood that other embodiments may be utilized, e.g., each server may share its memory groups at some random update period that is independent of the other servers' update period, without departing from the spirit or scope of the invention.
- The establishment of memory detector databases enables servers to increase the speed and thoroughness of detecting previously seen illegal client software configurations. The multi-server
communications AEC architecture 1200 scales up this benefit in a more encompassing approach to networks of servers by enabling the sharing of detectors between servers. This embodiment of the present invention therefore provides for the obstruction of the spread of unauthorized software alterations between clients that communicate with other servers on the AEC network. - If
server 102 X-Z onnetwork 104 receives thememory detector groups 1202 X-Z, the server'sAEC unit 1208 evaluates them against the recipient's self-database according to the recipient server's matching rule. - Referring now to
FIG. 13 , a memory detector evaluation system 1300 includesserver 102 andmemory detector groups 1202.Server 102 is in communication with other servers as shown inFIG. 12 , and receivesmemory detector groups 1202 from those servers as described above. -
Server 102 includesAEC unit 1208, which in turn includes a set of matching algorithm(s) (rules) 1306,garbage collector process 1302, and portions of self-fragment database 804 and memory-fragment database 806. Self-fragment database 804 is coupled to and communicates withgarbage collector process 1302 and memory-fragment database 806. Moreover, self-database 604 is coupled to a set of matching algorithms (rules) 1306. - In operation, because each
server 102 that shares memory detectors may have a different set of matchingrules 1306 fromother servers 102, an incomingmemory detector group 1202 is tested against self-fragment database 804 of the recipient server. Ifmemory detector 110 withinmemory detector group 1202 is matched to a fragment in the recipient's self database, according to the recipient's set of matchingrules 1306, thatdetector 110 G is transmitted togarbage collector process 1302 wheredetector 110 G is discarded. This avoids the likelihood of false positive detections that may arise due to varying matching rules. - If
memory detector 110 within receivedmemory detector group 1202 is determined to be unmatched to recipient's self-fragment database 804,memory detector 110 is transmitted to memory-fragment database 806 where it is merged into server's 102 pre-existing set of detectors. The result of this exchange ofmemory detector groups 1202 between servers enables the scaled-up detection of previously seen illegal software configurations and an improved likelihood of obstructing spreads of illegal software alterations between more clients. - Combined AIS/AEC Embodiment
- Referring to
FIG. 14 , an integrated AIS/AEC system 1400 includesservers 102 X-Y,network 104, andclients 106 A-C.Clients 106 A-C include software processes 108 A-C, respectively.Server 102 X includesnovel database 802 X, self-fragment database 804 X,memory fragment database 806 X,evaluator 808 X, andAEC unit 1208 X as described above with reference toFIGS. 8, 12 , and 13.Server 102 Y includesnovel database 802 Y, self-fragment database 804 Y,memory fragment database 806 Y,evaluator 808 Y, andAEC unit 1208 Y as described above with reference toFIGS. 8, 12 , and 13. -
Servers 102 X-Y are coupled tonetwork 104 and communicatedetectors 110 to the respective clients' software processes 1108 A-C. As shown,server 102 Y is enabled to communicate withclients 106 B-C, whileserver 102 X is enabled to communicate withclient 106 A. -
Clients 106 A-C are coupled to thenetwork 104 and communicate response(s) 112 to theappropriate server 102 X or Y throughnetwork 104. - Moreover,
servers 102 X-Y communicate with each other throughnetwork 104 to provide sets ofmemory groups 1202 X-Y to theother server 102 X or Y. - The integrated AIS/
AEC system 1400 enables adaptation over time by providing for the identification of previously unseen, and unauthorized, software operations within aclient software process 108 as “non-self” actions while providing for the sharing throughout the network of servers of previously seen unauthorized software operations. - The AIS component of integrated AIS/
AEC system 1400 enables the detection of a broad range of security-compromising software activity as well as the detection of more direct hostile attacks upon the integrity of thesystem 1400. The employment of self, memory, andnovel detectors 110, in a “dialog” betweenserver 102 X-Y andclient 106 A-C enables detection of not only attempts to subvert software but also attempts to subvert the AIS itself. Moreover, by providing detector deaths, the impact of the AIS components' processor usage may be minimized. - The AEC component of the integrated AIS/
AEC system 1400 enables detection of the spread of compromised software as well as the development of data attacks by sharing information betweenservers 102 X-Y. The employment of databases of detectors (802 X-Y, 804 X-Y, and 806 X-Y) is directed at enhancing the efficiency of identification of previously encountered subversions, and the sharing of this information between servers provides broader protection among a population ofclients 106 A-C. - It will be appreciated that configuration of networks, servers, and clients may comprise a vast number of such interconnected networks, servers, and clients, and other interconnections may be employed without departing from the spirit or scope of the invention. The embodiment portrayed with reference to
FIG. 14 enables a less complicated presentation of an embodiment of the present invention than a more intricate network. - In light of the present disclosure, the present invention has identified other specific embodiments that may be directed towards improving the operational efficiency or speed with which the invention identifies a security-compromising client configuration.
- One such embodiment significantly increases the efficiency of the present invention by maximizing the amount of non-self space covered by a fixed number of non-self detectors. Typically, to detect abnormal behavior, non-self detectors may need to be generated and compared with logged file system calls to determine the presence of potential matches. For a fixed detector length, the stringency of matching is determined by the stringency of the matching rules. For example, an illustrative detector length of say eight system calls, a matching rule that would require two consecutive file system calls to be substantially identical to the logged system call fragment would be less stringent than a matching rule that requires seven of the eight consecutive system calls to match. Thus, a less stringent detector-matching rule would match a larger number of logged sequences, and consequently cover a larger area of non-self space. By cyclically generating detectors with ever-increasing stringency of matching rules, the inventors have identified, and the present invention specifically includes, that the non-self space may be covered more efficiently. That is, instead of all the detectors employing the same matching rule, and thereby covering the non-self space in equally sized partitions, the present invention takes advantage of the heterogeneity of non-self space. In this approach, different detectors with different matching rules, allow certain larger areas of non-self space to be covered with a relatively small number of low-stringency-rule detectors, and certain small partitions or crevices of non-self space to be covered with higher-stringency-rule detectors.
- In yet another such embodiment of the present invention, the speed is increased for evaluating the presence of a match between the detector and log fragment, by employing a comparison algorithm such as the Rabin-Karp algorithm and the like. Algorithms such as the Rabin-Karp employ prime numbers and sliding windows on the system calls to considerably shorten the amount of time required to evaluate string matches.
- In yet another such embodiment of the present invention, greater efficiency is provided by developing the matching rules to minimize the number of comparisons necessary to identify a security-compromising client configuration. In this embodiment, an adaptive rule-leaming algorithm is employed. Specific matching rules are evolved through training on the self-data, and these rules are then employed to more rapidly identify unauthorized client configurations. More general rules may be extracted from analysis of the self-database and directed at covering a larger portion of the search space by generating rules that match key elements of recurring patterns of system calls, rather than specific system calls. As described above, the ‘*’ token provides an example of the generation of a more generalized rule.
- Such generalized rules may be developed to describe larger parts of the non-self space, to cover as large a portion of the space being searched as feasible with the least number of rules, thus improving the efficiency of the detector comparisons.
- Embodiments of the present invention include program operations stored on a machine readable medium. A machine readable storage medium includes any mechanism that provides (i.e. stores and/or transmits) information such as computer readable instructions, data structures, program modules, or other data; in a form readable by a machine (e.g. a computer). For example, a machine readable medium includes read only memory (ROM), random access memory (RAM), magnetic storage media, optical storage media, flash memory devices and other solid state electronic memory devices, electrical, optical, acoustical or other propagated signals (e.g. carrier waves, infrared signals, digital signals, etc.) etc.
- In the foregoing specification, the present invention has been described with reference to specific exemplary embodiments thereof. It will however be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention as set forth in the appended claims. The specification and drawings including specific embodiments described are accordingly, to be regarded in an illustrative rather than a restrictive sense. Many embodiments of the invention can be made without departing from the spirit and scope of the invention. The invention resides in the claims hereinafter appended.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/539,140 US20070083937A1 (en) | 2000-12-14 | 2006-10-05 | Method and apparatus for protection of electronic media |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US25585100P | 2000-12-14 | 2000-12-14 | |
US10/020,524 US7150045B2 (en) | 2000-12-14 | 2001-12-14 | Method and apparatus for protection of electronic media |
US11/539,140 US20070083937A1 (en) | 2000-12-14 | 2006-10-05 | Method and apparatus for protection of electronic media |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/020,524 Continuation US7150045B2 (en) | 2000-12-14 | 2001-12-14 | Method and apparatus for protection of electronic media |
Publications (1)
Publication Number | Publication Date |
---|---|
US20070083937A1 true US20070083937A1 (en) | 2007-04-12 |
Family
ID=26693555
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/020,524 Active 2024-04-23 US7150045B2 (en) | 2000-12-14 | 2001-12-14 | Method and apparatus for protection of electronic media |
US11/539,140 Abandoned US20070083937A1 (en) | 2000-12-14 | 2006-10-05 | Method and apparatus for protection of electronic media |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/020,524 Active 2024-04-23 US7150045B2 (en) | 2000-12-14 | 2001-12-14 | Method and apparatus for protection of electronic media |
Country Status (1)
Country | Link |
---|---|
US (2) | US7150045B2 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110131652A1 (en) * | 2009-05-29 | 2011-06-02 | Autotrader.Com, Inc. | Trained predictive services to interdict undesired website accesses |
EP2544118A2 (en) | 2011-07-04 | 2013-01-09 | Siemens AG Österreich | Method for protecting data content |
US20160366214A9 (en) * | 2013-03-15 | 2016-12-15 | Jean Alexandera Munemann | Dual node network system and method |
Families Citing this family (185)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7565294B2 (en) * | 1999-05-19 | 2009-07-21 | Digimarc Corporation | Methods and systems employing digital content |
US7249097B2 (en) * | 1999-06-18 | 2007-07-24 | Echarge Corporation | Method for ordering goods, services, and content over an internetwork using a virtual payment account |
JP5405704B2 (en) | 1999-06-18 | 2014-02-05 | イーチャージ コーポレーション | Method and apparatus for ordering goods, services and content over an internetwork using a virtual payment account |
US7606760B2 (en) * | 1999-06-18 | 2009-10-20 | Echarge Corporation | Method and apparatus for ordering goods, services and content over an internetwork using a virtual payment account |
US20080082446A1 (en) * | 1999-10-01 | 2008-04-03 | Hicks Christian B | Remote Authorization for Unlocking Electronic Data System and Method |
US6834308B1 (en) * | 2000-02-17 | 2004-12-21 | Audible Magic Corporation | Method and apparatus for identifying media content presented on a media playing device |
EP1269429A2 (en) | 2000-03-15 | 2003-01-02 | Mastercard International, Inc. | Method and system for secure payments over a computer network |
US20100223186A1 (en) * | 2000-04-11 | 2010-09-02 | Hogan Edward J | Method and System for Conducting Secure Payments |
BR0111119A (en) * | 2000-05-25 | 2004-06-22 | Echarge Corp | Secure Transaction Protocol |
US20020129152A1 (en) * | 2001-03-08 | 2002-09-12 | International Business Machines Corporation | Protecting contents of computer data files from suspected intruders by programmed file destruction |
WO2002091146A2 (en) * | 2001-05-09 | 2002-11-14 | Ecd Systems, Inc. | Systems and methods for the prevention of unauthorized use and manipulation of digital content |
US7103576B2 (en) * | 2001-09-21 | 2006-09-05 | First Usa Bank, Na | System for providing cardless payment |
US7225343B1 (en) * | 2002-01-25 | 2007-05-29 | The Trustees Of Columbia University In The City Of New York | System and methods for adaptive model generation for detecting intrusions in computer systems |
US20040010717A1 (en) * | 2002-01-29 | 2004-01-15 | Intertainer Asia Pte Ltd. | Apparatus and method for preventing digital media piracy |
US7174566B2 (en) * | 2002-02-01 | 2007-02-06 | Intel Corporation | Integrated network intrusion detection |
JP4343551B2 (en) * | 2003-02-25 | 2009-10-14 | パイオニア株式会社 | Information provision system and information provision program |
JP4370800B2 (en) * | 2003-04-21 | 2009-11-25 | ヤマハ株式会社 | Music content utilization apparatus and program |
EP1471680B1 (en) * | 2003-04-23 | 2006-06-21 | Hewlett-Packard Development Company, L.P. | Identifier-Based Encryption method and apparatus |
US20060155652A1 (en) * | 2003-06-16 | 2006-07-13 | Colby Steven M | Expiring encryption |
WO2005006608A1 (en) * | 2003-07-14 | 2005-01-20 | Sony Corporation | Recording device, recording method, and program |
US20050027608A1 (en) * | 2003-07-29 | 2005-02-03 | Andreas Wiesmuller | System and method for providing commercial services over a wireless communication network |
US8200775B2 (en) | 2005-02-01 | 2012-06-12 | Newsilike Media Group, Inc | Enhanced syndication |
US7533370B2 (en) * | 2003-10-28 | 2009-05-12 | Exent Technologies, Ltd. | Security features in on-line and off-line delivery of applications |
US8996420B2 (en) | 2003-11-21 | 2015-03-31 | Intel Corporation | System and method for caching data |
US20060265329A1 (en) * | 2003-11-21 | 2006-11-23 | Realnetworks | System and method for automatically transferring dynamically changing content |
US20060259436A1 (en) * | 2003-11-21 | 2006-11-16 | Hug Joshua D | System and method for relicensing content |
US8738537B2 (en) | 2003-11-21 | 2014-05-27 | Intel Corporation | System and method for relicensing content |
US9020854B2 (en) | 2004-03-08 | 2015-04-28 | Proxense, Llc | Linked account system using personal digital key (PDK-LAS) |
US20090171847A2 (en) * | 2005-01-24 | 2009-07-02 | Microsoft Corporation | Multi-merchant purchasing environment for downloadable products |
US9202084B2 (en) | 2006-02-01 | 2015-12-01 | Newsilike Media Group, Inc. | Security facility for maintaining health care data pools |
US8140482B2 (en) | 2007-09-19 | 2012-03-20 | Moore James F | Using RSS archives |
US8700738B2 (en) | 2005-02-01 | 2014-04-15 | Newsilike Media Group, Inc. | Dynamic feed generation |
JP4760101B2 (en) * | 2005-04-07 | 2011-08-31 | ソニー株式会社 | Content providing system, content reproducing apparatus, program, and content reproducing method |
US7571476B2 (en) * | 2005-04-14 | 2009-08-04 | Webroot Software, Inc. | System and method for scanning memory for pestware |
US7349931B2 (en) * | 2005-04-14 | 2008-03-25 | Webroot Software, Inc. | System and method for scanning obfuscated files for pestware |
US7591016B2 (en) * | 2005-04-14 | 2009-09-15 | Webroot Software, Inc. | System and method for scanning memory for pestware offset signatures |
US8516093B2 (en) | 2005-04-22 | 2013-08-20 | Intel Corporation | Playlist compilation system and method |
US8161554B2 (en) * | 2005-04-26 | 2012-04-17 | Cisco Technology, Inc. | System and method for detection and mitigation of network worms |
US7793851B2 (en) * | 2005-05-09 | 2010-09-14 | Dynamics Inc. | Dynamic credit card with magnetic stripe and embedded encoder and methods for using the same to provide a copy-proof credit card |
US7877803B2 (en) * | 2005-06-27 | 2011-01-25 | Hewlett-Packard Development Company, L.P. | Automated immune response for a computer |
US7805419B2 (en) * | 2005-07-11 | 2010-09-28 | Application Security, Inc. | System for tracking and analyzing the integrity of an application |
GB0514492D0 (en) * | 2005-07-14 | 2005-08-17 | Ntnu Technology Transfer As | Secure media streaming |
US8984636B2 (en) | 2005-07-29 | 2015-03-17 | Bit9, Inc. | Content extractor and analysis system |
US7895651B2 (en) | 2005-07-29 | 2011-02-22 | Bit 9, Inc. | Content tracking in a network security system |
US8272058B2 (en) | 2005-07-29 | 2012-09-18 | Bit 9, Inc. | Centralized timed analysis in a network security system |
US20070073726A1 (en) | 2005-08-05 | 2007-03-29 | Klein Eric N Jr | System and method for queuing purchase transactions |
US20070043671A1 (en) * | 2005-08-17 | 2007-02-22 | Kurzweil Educational Systems, Inc. | Protected viewing of digital files |
WO2007038245A2 (en) * | 2005-09-23 | 2007-04-05 | Widevine Technologies, Inc. | Method for evolving detectors to detect malign behavior in an artificial immune system |
US8065733B2 (en) * | 2005-09-23 | 2011-11-22 | Google, Inc. | Method for evolving detectors to detect malign behavior in an artificial immune system |
US11206664B2 (en) | 2006-01-06 | 2021-12-21 | Proxense, Llc | Wireless network synchronization of cells and client devices on a network |
US8219129B2 (en) | 2006-01-06 | 2012-07-10 | Proxense, Llc | Dynamic real-time tiered client access |
US8370928B1 (en) * | 2006-01-26 | 2013-02-05 | Mcafee, Inc. | System, method and computer program product for behavioral partitioning of a network to detect undesirable nodes |
US9830634B2 (en) * | 2006-02-23 | 2017-11-28 | International Business Machines Corporation | Performing secure financial transactions in an instant messaging environment |
US7515710B2 (en) | 2006-03-14 | 2009-04-07 | Divx, Inc. | Federated digital rights management scheme including trusted systems |
DE102006012311A1 (en) * | 2006-03-17 | 2007-09-20 | Deutsche Telekom Ag | Digital data set pseudonymising method, involves pseudonymising data sets by T-identity protector (IP) client, and identifying processed datasets with source-identification (ID), where source-ID refers to source data in source system |
US8255963B2 (en) * | 2006-04-25 | 2012-08-28 | XOrbit Inc. | System and method for monitoring video data |
US7904718B2 (en) | 2006-05-05 | 2011-03-08 | Proxense, Llc | Personal digital key differentiation for secure transactions |
US9277295B2 (en) | 2006-06-16 | 2016-03-01 | Cisco Technology, Inc. | Securing media content using interchangeable encryption key |
US9137480B2 (en) * | 2006-06-30 | 2015-09-15 | Cisco Technology, Inc. | Secure escrow and recovery of media device content keys |
US20080046369A1 (en) * | 2006-07-27 | 2008-02-21 | Wood Charles B | Password Management for RSS Interfaces |
US8190868B2 (en) | 2006-08-07 | 2012-05-29 | Webroot Inc. | Malware management through kernel detection |
GB2443264A (en) * | 2006-10-27 | 2008-04-30 | Ntnu Technology Transfer As | Integrity checking method for a device in a computer network, which controls access to data; e.g. to prevent cheating in online game |
WO2008050146A2 (en) * | 2006-10-27 | 2008-05-02 | Secustream Technologies As | Protecting data from access in online game |
KR100869945B1 (en) * | 2006-11-03 | 2008-11-24 | 삼성전자주식회사 | Enhanced digital rights management system and contents tereof, potable device using the same |
US20080243991A1 (en) * | 2007-03-29 | 2008-10-02 | Ryan Thomas A | Content Purchase and Transfer Management for Reader Device |
WO2008131423A1 (en) * | 2007-04-23 | 2008-10-30 | Weogeo, Inc. | Digital content marketing system and method |
US20080288343A1 (en) * | 2007-05-15 | 2008-11-20 | Tp Lab | Method and System to Process Digital Media Product Codes |
US8868463B2 (en) * | 2007-06-08 | 2014-10-21 | At&T Intellectual Property I, L.P. | System and method of managing digital rights |
US20080319870A1 (en) * | 2007-06-22 | 2008-12-25 | Corbis Corporation | Distributed media reviewing for conformance to criteria |
US20080319871A1 (en) * | 2007-06-25 | 2008-12-25 | Rowland Hayes Thomas | Systems and Methods for Auto-Generation of Rich Media Purchase, Reservation and/or Activity Information |
US8160962B2 (en) * | 2007-09-20 | 2012-04-17 | Uniloc Luxembourg S.A. | Installing protected software product using unprotected installation image |
US20090099882A1 (en) * | 2007-10-15 | 2009-04-16 | Sap Ag | Enhanced Security Framework for Composite Applications |
US9177313B1 (en) | 2007-10-18 | 2015-11-03 | Jpmorgan Chase Bank, N.A. | System and method for issuing, circulating and trading financial instruments with smart features |
WO2009062194A1 (en) | 2007-11-09 | 2009-05-14 | Proxense, Llc | Proximity-sensor supporting multiple application services |
US8171528B1 (en) | 2007-12-06 | 2012-05-01 | Proxense, Llc | Hybrid device having a personal digital key and receiver-decoder circuit and methods of use |
US20090157876A1 (en) * | 2007-12-17 | 2009-06-18 | Lection David B | Methods, Systems, And Computer Readable Media For Managing User Access To An Electronic Media Sharing Environment |
US9251332B2 (en) | 2007-12-19 | 2016-02-02 | Proxense, Llc | Security system and method for controlling access to computing resources |
CA2645990C (en) * | 2007-12-20 | 2014-07-29 | Bce Inc. | Contact-less tag with signature, and applications thereof |
US8997161B2 (en) | 2008-01-02 | 2015-03-31 | Sonic Ip, Inc. | Application enhancement tracks |
US8548818B2 (en) * | 2008-01-31 | 2013-10-01 | First Data Corporation | Method and system for authenticating customer identities |
US10552701B2 (en) * | 2008-02-01 | 2020-02-04 | Oath Inc. | System and method for detecting the source of media content with application to business rules |
KR101452708B1 (en) * | 2008-02-01 | 2014-10-21 | 삼성전자주식회사 | CE device management server, method for issuing DRM key using CE device management server, and computer readable medium |
US8508336B2 (en) | 2008-02-14 | 2013-08-13 | Proxense, Llc | Proximity-based healthcare management system with automatic access to private information |
US11120449B2 (en) | 2008-04-08 | 2021-09-14 | Proxense, Llc | Automated service-based order processing |
US9953143B2 (en) * | 2008-05-05 | 2018-04-24 | Oracle International Corporation | Software identifier based correlation |
US20090307140A1 (en) * | 2008-06-06 | 2009-12-10 | Upendra Mardikar | Mobile device over-the-air (ota) registration and point-of-sale (pos) payment |
US9704161B1 (en) * | 2008-06-27 | 2017-07-11 | Amazon Technologies, Inc. | Providing information without authentication |
US8788945B1 (en) | 2008-06-30 | 2014-07-22 | Amazon Technologies, Inc. | Automatic approval |
US9449319B1 (en) | 2008-06-30 | 2016-09-20 | Amazon Technologies, Inc. | Conducting transactions with dynamic passwords |
CN102165810B (en) * | 2008-09-29 | 2014-07-30 | 诺基亚公司 | Handover decision procedure in a mobile communications system |
JP2010086370A (en) * | 2008-10-01 | 2010-04-15 | Canon Inc | Image forming apparatus, delivery server, and firmware updating method |
US20100088768A1 (en) * | 2008-10-03 | 2010-04-08 | Invensys Systems, Inc. | Industrial process visualization application having an operating system locale-based regionally limited license |
US10755287B2 (en) * | 2008-11-25 | 2020-08-25 | Microsoft Technology Licensing, Llc | Selecting between client-side and server-side market detection |
US8935633B2 (en) * | 2008-12-10 | 2015-01-13 | International Business Machines Corporation | Providing controlled access to the use of electronic devices |
US20100146499A1 (en) * | 2008-12-10 | 2010-06-10 | International Business Machines Corporation | Controlling Access to Electronic Devices by Meeting Invitees |
CN105072454B (en) | 2009-01-07 | 2019-04-19 | 索尼克Ip股份有限公司 | For the specialization of the media guidance of online content, centralization, automation creation |
US20100212017A1 (en) * | 2009-02-18 | 2010-08-19 | International Business Machines Corporation | System and method for efficient trust preservation in data stores |
US8503675B2 (en) * | 2009-02-24 | 2013-08-06 | Beyond Broadband Technology, Llc | Cable television secure communication system for one way restricted |
US20100218261A1 (en) * | 2009-02-26 | 2010-08-26 | Schneider James P | Isolating processes using aspects |
US8375459B2 (en) * | 2009-03-25 | 2013-02-12 | International Business Machines Corporation | Frequency based age determination |
US20100269164A1 (en) * | 2009-04-15 | 2010-10-21 | Microsoft Corporation | Online service data management |
US11489857B2 (en) | 2009-04-21 | 2022-11-01 | Webroot Inc. | System and method for developing a risk profile for an internet resource |
US20100324983A1 (en) * | 2009-06-22 | 2010-12-23 | Etchegoyen Craig S | System and Method for Media Distribution |
US8752142B2 (en) * | 2009-07-17 | 2014-06-10 | American Express Travel Related Services Company, Inc. | Systems, methods, and computer program products for adapting the security measures of a communication network based on feedback |
EP2507995A4 (en) | 2009-12-04 | 2014-07-09 | Sonic Ip Inc | Elementary bitstream cryptographic material transport systems and methods |
US8621636B2 (en) | 2009-12-17 | 2013-12-31 | American Express Travel Related Services Company, Inc. | Systems, methods, and computer program products for collecting and reporting sensor data in a communication network |
US9756076B2 (en) * | 2009-12-17 | 2017-09-05 | American Express Travel Related Services Company, Inc. | Dynamically reacting policies and protections for securing mobile financial transactions |
US9852218B1 (en) | 2010-01-01 | 2017-12-26 | Joseph Alan Epstein | System and method for distributing media via portable storage |
US8650129B2 (en) | 2010-01-20 | 2014-02-11 | American Express Travel Related Services Company, Inc. | Dynamically reacting policies and protections for securing mobile financial transaction data in transit |
US20110178868A1 (en) * | 2010-01-21 | 2011-07-21 | Priyank Shanker Garg | Enhancing search result pages using content licensed from content providers |
US9418205B2 (en) | 2010-03-15 | 2016-08-16 | Proxense, Llc | Proximity-based system for automatic application or data access and item tracking |
US10579995B2 (en) * | 2010-03-30 | 2020-03-03 | Visa International Service Association | Event access with data field encryption for validation and access control |
US8733732B2 (en) * | 2010-05-24 | 2014-05-27 | Eaton Corporation | Pressurized o-ring pole piece seal for a manifold |
US10360625B2 (en) * | 2010-06-22 | 2019-07-23 | American Express Travel Related Services Company, Inc. | Dynamically adaptive policy management for securing mobile financial transactions |
US8924296B2 (en) | 2010-06-22 | 2014-12-30 | American Express Travel Related Services Company, Inc. | Dynamic pairing system for securing a trusted communication channel |
US8850539B2 (en) | 2010-06-22 | 2014-09-30 | American Express Travel Related Services Company, Inc. | Adaptive policies and protections for securing financial transaction data at rest |
US20120011014A1 (en) * | 2010-07-08 | 2012-01-12 | Microsoft Corporation | Media purchase techniques |
US10217109B2 (en) * | 2010-07-09 | 2019-02-26 | Mastercard International Incorporated | Apparatus and method for combining cryptograms for card payments |
US9322974B1 (en) | 2010-07-15 | 2016-04-26 | Proxense, Llc. | Proximity-based system for object tracking |
US9342832B2 (en) | 2010-08-12 | 2016-05-17 | Visa International Service Association | Securing external systems with account token substitution |
US9563751B1 (en) * | 2010-10-13 | 2017-02-07 | The Boeing Company | License utilization management system service suite |
US20120130900A1 (en) * | 2010-11-19 | 2012-05-24 | General Instrument Corporation | System and Method for Trading Unused Digital Rights |
US8914534B2 (en) | 2011-01-05 | 2014-12-16 | Sonic Ip, Inc. | Systems and methods for adaptive bitrate streaming of media stored in matroska container files using hypertext transfer protocol |
US10089606B2 (en) | 2011-02-11 | 2018-10-02 | Bytemark, Inc. | System and method for trusted mobile device payment |
US20120296826A1 (en) | 2011-05-18 | 2012-11-22 | Bytemark, Inc. | Method and system for distributing electronic tickets with visual display |
US9265450B1 (en) | 2011-02-21 | 2016-02-23 | Proxense, Llc | Proximity-based system for object tracking and automatic application initialization |
US10762733B2 (en) | 2013-09-26 | 2020-09-01 | Bytemark, Inc. | Method and system for electronic ticket validation using proximity detection |
US10453067B2 (en) | 2011-03-11 | 2019-10-22 | Bytemark, Inc. | Short range wireless translation methods and systems for hands-free fare validation |
US10360567B2 (en) | 2011-03-11 | 2019-07-23 | Bytemark, Inc. | Method and system for distributing electronic tickets with data integrity checking |
US8494967B2 (en) | 2011-03-11 | 2013-07-23 | Bytemark, Inc. | Method and system for distributing electronic tickets with visual display |
US11514451B2 (en) | 2011-03-15 | 2022-11-29 | Capital One Services, Llc | Systems and methods for performing financial transactions using active authentication |
US10453062B2 (en) * | 2011-03-15 | 2019-10-22 | Capital One Services, Llc | Systems and methods for performing person-to-person transactions using active authentication |
US10592792B2 (en) * | 2011-04-14 | 2020-03-17 | Handle Financial, Inc. | Systems and methods for barcode translation |
US20120303468A1 (en) * | 2011-05-23 | 2012-11-29 | Microsoft Corporation | Indirect online advertisements promoting third-party web content |
US20120303453A1 (en) * | 2011-05-26 | 2012-11-29 | Yahoo! Inc. | Methods and systems for securely targeting advertisements on login pages |
US20120303454A1 (en) * | 2011-05-26 | 2012-11-29 | Yahoo! Inc. | Methods and systems for targeting advertisements on login pages |
US20120303424A1 (en) * | 2011-05-27 | 2012-11-29 | Lundstrom Insurance Agency, Inc. | Method and software for generating reminder messages for insurance product leads |
US20120303422A1 (en) * | 2011-05-27 | 2012-11-29 | Diran Li | Computer-Implemented Systems And Methods For Ranking Results Based On Voting And Filtering |
US9760917B2 (en) | 2011-06-29 | 2017-09-12 | International Business Machines Corporation | Migrating computing environment entitlement contracts between a seller and a buyer |
US20130006793A1 (en) * | 2011-06-29 | 2013-01-03 | International Business Machines Corporation | Migrating Computing Environment Entitlement Contracts Based on Seller and Buyer Specified Criteria |
US9467708B2 (en) | 2011-08-30 | 2016-10-11 | Sonic Ip, Inc. | Selection of resolutions for seamless resolution switching of multimedia content |
US8909922B2 (en) | 2011-09-01 | 2014-12-09 | Sonic Ip, Inc. | Systems and methods for playing back alternative streams of protected content protected using common cryptographic information |
US8964977B2 (en) | 2011-09-01 | 2015-02-24 | Sonic Ip, Inc. | Systems and methods for saving encoded media streamed using adaptive bitrate streaming |
US8862767B2 (en) | 2011-09-02 | 2014-10-14 | Ebay Inc. | Secure elements broker (SEB) for application communication channel selector optimization |
KR101819988B1 (en) * | 2011-10-11 | 2018-01-19 | 에스케이플래닛 주식회사 | Apparatus for providing keyword advertisement, accounting method and storage medium thereof |
US20130144755A1 (en) * | 2011-12-01 | 2013-06-06 | Microsoft Corporation | Application licensing authentication |
WO2013085517A1 (en) * | 2011-12-08 | 2013-06-13 | Intel Corporation | Method and apparatus for policy-based content sharing in a peer to peer manner using a hardware based root of trust |
US9792451B2 (en) | 2011-12-09 | 2017-10-17 | Echarge2 Corporation | System and methods for using cipher objects to protect data |
US9832211B2 (en) * | 2012-03-19 | 2017-11-28 | Qualcomm, Incorporated | Computing device to detect malware |
US9384349B2 (en) * | 2012-05-21 | 2016-07-05 | Mcafee, Inc. | Negative light-weight rules |
US8938796B2 (en) | 2012-09-20 | 2015-01-20 | Paul Case, SR. | Case secure computer architecture |
US9081778B2 (en) | 2012-09-25 | 2015-07-14 | Audible Magic Corporation | Using digital fingerprints to associate data with a work |
US9881260B2 (en) | 2012-10-03 | 2018-01-30 | Moovel North America, Llc | Mobile ticketing |
US9313510B2 (en) | 2012-12-31 | 2016-04-12 | Sonic Ip, Inc. | Use of objective quality measures of streamed content to reduce streaming bandwidth |
US9191457B2 (en) | 2012-12-31 | 2015-11-17 | Sonic Ip, Inc. | Systems, methods, and media for controlling delivery of content |
CN105339977A (en) * | 2013-01-21 | 2016-02-17 | 赫美特里克斯有限公司 | Secure real-time health record exchange |
US10397292B2 (en) | 2013-03-15 | 2019-08-27 | Divx, Llc | Systems, methods, and media for delivery of content |
US9906785B2 (en) | 2013-03-15 | 2018-02-27 | Sonic Ip, Inc. | Systems, methods, and media for transcoding video data according to encoding parameters indicated by received metadata |
WO2014183106A2 (en) | 2013-05-10 | 2014-11-13 | Proxense, Llc | Secure element as a digital pocket |
US9247317B2 (en) | 2013-05-30 | 2016-01-26 | Sonic Ip, Inc. | Content streaming with client device trick play index |
US9094737B2 (en) | 2013-05-30 | 2015-07-28 | Sonic Ip, Inc. | Network video streaming with trick play based on separate trick play files |
WO2014204515A1 (en) * | 2013-06-19 | 2014-12-24 | Intel Corporation | Mechanism for facilitating dynamic user-based customization of advertisement content at computing devices |
US9967305B2 (en) | 2013-06-28 | 2018-05-08 | Divx, Llc | Systems, methods, and media for streaming media content |
US10489852B2 (en) * | 2013-07-02 | 2019-11-26 | Yodlee, Inc. | Financial account authentication |
US10460314B2 (en) * | 2013-07-10 | 2019-10-29 | Ca, Inc. | Pre-generation of session keys for electronic transactions and devices that pre-generate session keys for electronic transactions |
US10015153B1 (en) * | 2013-12-23 | 2018-07-03 | EMC IP Holding Company LLC | Security using velocity metrics identifying authentication performance for a set of devices |
US9866878B2 (en) | 2014-04-05 | 2018-01-09 | Sonic Ip, Inc. | Systems and methods for encoding and playing back video at different frame rates using enhancement layers |
WO2016022979A1 (en) | 2014-08-07 | 2016-02-11 | Sonic IP. Inc. | Systems and methods for protecting elementary bitstreams incorporating independently encoded tiles |
US9792604B2 (en) | 2014-12-19 | 2017-10-17 | moovel North Americ, LLC | Method and system for dynamically interactive visually validated mobile ticketing |
CN105825371A (en) * | 2015-01-07 | 2016-08-03 | 阿里巴巴集团控股有限公司 | Method and device for processing service |
US10565613B2 (en) * | 2015-03-27 | 2020-02-18 | Facebook, Inc. | Simulating advertising campaigns |
KR102554813B1 (en) | 2015-08-17 | 2023-07-11 | 바이트마크 아이엔씨. | Short-Range Wireless Implementation Methods and Systems for Hands-Free Toll Approval |
US11803784B2 (en) | 2015-08-17 | 2023-10-31 | Siemens Mobility, Inc. | Sensor fusion for transit applications |
US10475036B2 (en) * | 2016-01-08 | 2019-11-12 | Ca, Inc. | Restricting account use by controlled replenishment |
US11386409B2 (en) | 2016-03-04 | 2022-07-12 | Sertintyone Corporation | Systems and methods for media codecs and containers |
CN105827642A (en) * | 2016-05-16 | 2016-08-03 | 深圳市安络科技有限公司 | Automatic penetration testing method and system |
CN107944897A (en) * | 2016-10-13 | 2018-04-20 | 阿里巴巴集团控股有限公司 | Data label dissemination system, method, server and client side |
US10498795B2 (en) | 2017-02-17 | 2019-12-03 | Divx, Llc | Systems and methods for adaptive switching between multiple content delivery networks during adaptive bitrate streaming |
US20190139090A1 (en) * | 2017-11-03 | 2019-05-09 | International Business Machines Corporation | Marketing notification for missing group member |
US11144953B1 (en) * | 2018-04-18 | 2021-10-12 | Facebook, Inc. | Determining performance metrics for delivery of electronic media content items by online publishers scaled using a baseline conversion rate |
US11526954B2 (en) | 2019-05-14 | 2022-12-13 | Microsoft Technology Licensing, Llc | User interface and smart contract interaction model for generating user interface representations |
US11514457B2 (en) * | 2019-05-23 | 2022-11-29 | Microsoft Technology Licensing, Llc | Smart contract generation and execution system with built-in mediator selection and enforcement tools |
US11513815B1 (en) | 2019-05-24 | 2022-11-29 | Hiro Systems Pbc | Defining data storage within smart contracts |
US11657391B1 (en) | 2019-05-24 | 2023-05-23 | Hiro Systems Pbc | System and method for invoking smart contracts |
US10699269B1 (en) * | 2019-05-24 | 2020-06-30 | Blockstack Pbc | System and method for smart contract publishing |
Citations (83)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4535355A (en) * | 1982-06-23 | 1985-08-13 | Microdesign Limited | Method and apparatus for scrambling and unscrambling data streams using encryption and decryption |
US4694489A (en) * | 1983-12-22 | 1987-09-15 | Frederiksen Jeffrey E | Video transmission system |
US5067035A (en) * | 1987-05-22 | 1991-11-19 | Kudelski Sa Fabrique De'enregistreurs Nagra | Error prevention in a recording and reproducing device with at least one rotating head |
US5134656A (en) * | 1989-02-22 | 1992-07-28 | Kudelski S.A. Fabrique D'enregistruers Nagra | Pre-payment television system using a memory card associated with a decoder |
US5144663A (en) * | 1986-04-18 | 1992-09-01 | Kudelski S.A. Fabrique D'engregistreurs Nagra | Method of interactive communication between a subscriber and a decoder of a system of pay-television and decoder thereof |
US5319638A (en) * | 1991-09-12 | 1994-06-07 | Bell Communications Research, Inc. | Link-by-link congestion control for packet transmission systems |
US5539450A (en) * | 1993-04-16 | 1996-07-23 | News Datacom Limited | Methods and systems for providing additional service applications in pay television |
US5592212A (en) * | 1993-04-16 | 1997-01-07 | News Datacom Ltd. | Methods and systems for non-program applications for subscriber television |
US5621799A (en) * | 1993-10-19 | 1997-04-15 | Matsushita Electric Industrial Co., Ltd. | Scrambled transmission system |
US5640546A (en) * | 1993-02-23 | 1997-06-17 | Network Programs, Inc. | Composition of systems of objects by interlocking coordination, projection, and distribution |
US5666412A (en) * | 1994-10-03 | 1997-09-09 | News Datacom Ltd. | Secure access systems and methods utilizing two access cards |
US5684876A (en) * | 1995-11-15 | 1997-11-04 | Scientific-Atlanta, Inc. | Apparatus and method for cipher stealing when encrypting MPEG transport packets |
US5758257A (en) * | 1994-11-29 | 1998-05-26 | Herz; Frederick | System and method for scheduling broadcast of and access to video programs and other data using customer profiles |
US5774527A (en) * | 1993-08-19 | 1998-06-30 | News Datacom Ltd. | Integrated telephone and cable communication networks |
US5799089A (en) * | 1993-10-14 | 1998-08-25 | Irdeto B.V. | System and apparatus for blockwise encryption/decryption of data |
US5805705A (en) * | 1996-01-29 | 1998-09-08 | International Business Machines Corporation | Synchronization of encryption/decryption keys in a data communication network |
US5825890A (en) * | 1995-08-25 | 1998-10-20 | Netscape Communications Corporation | Secure socket layer application program apparatus and method |
US5825879A (en) * | 1996-09-30 | 1998-10-20 | Intel Corporation | System and method for copy-protecting distributed video content |
US5870474A (en) * | 1995-12-04 | 1999-02-09 | Scientific-Atlanta, Inc. | Method and apparatus for providing conditional access in connection-oriented, interactive networks with a multiplicity of service providers |
US5883957A (en) * | 1996-09-20 | 1999-03-16 | Laboratory Technologies Corporation | Methods and apparatus for encrypting and decrypting MIDI files |
US5892900A (en) * | 1996-08-30 | 1999-04-06 | Intertrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
US5910987A (en) * | 1995-02-13 | 1999-06-08 | Intertrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
US5920625A (en) * | 1994-04-08 | 1999-07-06 | Irdeto Bv | Method and apparatus for transmitting and receiving encrypted signals |
US5920861A (en) * | 1997-02-25 | 1999-07-06 | Intertrust Technologies Corp. | Techniques for defining using and manipulating rights management data structures |
US5922208A (en) * | 1995-06-08 | 1999-07-13 | Defil N.V. Holland Intertrust (Antilles) N.V. | Filter device |
US5923666A (en) * | 1995-10-24 | 1999-07-13 | Nds Limited | Decoding carriers encoded using orthogonal frequency division multiplexing |
US5933498A (en) * | 1996-01-11 | 1999-08-03 | Mrj, Inc. | System for controlling access and distribution of digital property |
US5937159A (en) * | 1997-03-28 | 1999-08-10 | Data General Corporation | Secure computer system |
US5939975A (en) * | 1996-09-19 | 1999-08-17 | Nds Ltd. | Theft prevention system and method |
US5943422A (en) * | 1996-08-12 | 1999-08-24 | Intertrust Technologies Corp. | Steganographic techniques for securely delivering electronic digital rights management control information over insecure communication channels |
US5953005A (en) * | 1996-06-28 | 1999-09-14 | Sun Microsystems, Inc. | System and method for on-line multimedia access |
US5960170A (en) * | 1997-03-18 | 1999-09-28 | Trend Micro, Inc. | Event triggered iterative virus detection |
US6021197A (en) * | 1995-06-23 | 2000-02-01 | Irdeto B.V. | Method and apparatus for controlling the operation of a signal decoder in a broadcasting system |
US6035037A (en) * | 1995-08-04 | 2000-03-07 | Thomson Electronic Consumers, Inc. | System for processing a video signal via series-connected high speed signal processing smart cards |
US6038433A (en) * | 1996-10-02 | 2000-03-14 | Irdeto B.V. | Method for automatically searching a frequency range for signal channels in a receiver for digitally modulated signals, and receiver for applying such a method |
US6049671A (en) * | 1996-04-18 | 2000-04-11 | Microsoft Corporation | Method for identifying and obtaining computer software from a network computer |
US6052785A (en) * | 1997-11-21 | 2000-04-18 | International Business Machines Corporation | Multiple remote data access security mechanism for multitiered internet computer networks |
US6055503A (en) * | 1997-08-29 | 2000-04-25 | Preview Systems | Software program self-modification |
US6061454A (en) * | 1997-06-27 | 2000-05-09 | International Business Machines Corp. | System, method, and computer program for communicating a key recovery block to enable third party monitoring without modification to the intended receiver |
US6073256A (en) * | 1997-04-11 | 2000-06-06 | Preview Systems, Inc. | Digital product execution control |
US6112181A (en) * | 1997-11-06 | 2000-08-29 | Intertrust Technologies Corporation | Systems and methods for matching, selecting, narrowcasting, and/or classifying based on rights management and/or other information |
US6119165A (en) * | 1997-11-17 | 2000-09-12 | Trend Micro, Inc. | Controlled distribution of application programs in a computer network |
US6178242B1 (en) * | 1997-02-07 | 2001-01-23 | Nds Limited | Digital recording protection system |
US6189097B1 (en) * | 1997-03-24 | 2001-02-13 | Preview Systems, Inc. | Digital Certificate |
US6191782B1 (en) * | 1996-08-30 | 2001-02-20 | Matsushita Electric Industrial Co., Ltd. | Terminal apparatus and method for achieving interactive operations by displaying a desired piece of image information at high speed using cache memories, out of a large amount of image information sent in a one-way direction |
US6192354B1 (en) * | 1997-03-21 | 2001-02-20 | International Business Machines Corporation | Apparatus and method for optimizing the performance of computer tasks using multiple intelligent agents having varied degrees of domain knowledge |
US6201948B1 (en) * | 1996-05-22 | 2001-03-13 | Netsage Corporation | Agent based instruction system and method |
US6223287B1 (en) * | 1998-07-24 | 2001-04-24 | International Business Machines Corporation | Method for establishing a secured communication channel over the internet |
US6226794B1 (en) * | 1996-09-17 | 2001-05-01 | Sarnoff Corporation | Set top terminal for an interactive information distribution system |
US6247950B1 (en) * | 1998-03-20 | 2001-06-19 | Nds Limited | Secure smart card and tool for removing same |
US6272636B1 (en) * | 1997-04-11 | 2001-08-07 | Preview Systems, Inc | Digital product execution control and security |
US6285985B1 (en) * | 1998-04-03 | 2001-09-04 | Preview Systems, Inc. | Advertising-subsidized and advertising-enabled software |
US6292569B1 (en) * | 1996-08-12 | 2001-09-18 | Intertrust Technologies Corp. | Systems and methods using cryptography to protect secure computing environments |
US6298441B1 (en) * | 1994-03-10 | 2001-10-02 | News Datacom Ltd. | Secure document access system |
US20020001385A1 (en) * | 2000-06-30 | 2002-01-03 | Hirotsugu Kawada | Recording method and apparatus, optical disk, and computer-readable storage medium |
US20020015498A1 (en) * | 2000-02-17 | 2002-02-07 | Houlberg Christian L. | Method which uses a Non-Volatile Memory to store a crypto key and a check word for an encryption device |
US20020021805A1 (en) * | 1999-01-06 | 2002-02-21 | Schumann Robert Wilhelm | Digital content distribution system and method |
US6367009B1 (en) * | 1998-12-17 | 2002-04-02 | International Business Machines Corporation | Extending SSL to a multi-tier environment using delegation of authentication and authority |
US6405369B1 (en) * | 1996-03-18 | 2002-06-11 | News Datacom Limited | Smart card chaining in pay television systems |
US6409080B2 (en) * | 2000-03-27 | 2002-06-25 | Kabushiki Kaisha Toshiba | Portable electronic device and loyalty point system |
US6409089B1 (en) * | 1997-12-10 | 2002-06-25 | Thomson Licensing S.A. | Method for protecting the audio/visual data across the NRSS interface |
US6415031B1 (en) * | 1999-03-12 | 2002-07-02 | Diva Systems Corporation | Selective and renewable encryption for secure distribution of video on-demand |
US20020087883A1 (en) * | 2000-11-06 | 2002-07-04 | Curt Wohlgemuth | Anti-piracy system for remotely served computer applications |
US20020089410A1 (en) * | 2000-11-13 | 2002-07-11 | Janiak Martin J. | Biometric authentication device for use with a personal digital assistant |
US20020104004A1 (en) * | 2001-02-01 | 2002-08-01 | Bruno Couillard | Method and apparatus for synchronizing real-time clocks of time stamping cryptographic modules |
US6449719B1 (en) * | 1999-11-09 | 2002-09-10 | Widevine Technologies, Inc. | Process and streaming server for encrypting a data stream |
US6459427B1 (en) * | 1998-04-01 | 2002-10-01 | Liberate Technologies | Apparatus and method for web-casting over digital broadcast TV network |
US20020141582A1 (en) * | 2001-03-28 | 2002-10-03 | Kocher Paul C. | Content security layer providing long-term renewable security |
US6466670B1 (en) * | 1998-05-21 | 2002-10-15 | Nds Limited | System for preventing playback of unauthorized digital video recordings |
US6505299B1 (en) * | 1999-03-01 | 2003-01-07 | Sharp Laboratories Of America, Inc. | Digital image scrambling for image coding systems |
US20030007568A1 (en) * | 1997-11-17 | 2003-01-09 | Dominique Hamery | Packet filtering |
US6584567B1 (en) * | 1999-06-30 | 2003-06-24 | International Business Machines Corporation | Dynamic connection to multiple origin servers in a transcoding proxy |
US6587561B1 (en) * | 1998-03-04 | 2003-07-01 | Nds Ltd. | Key delivery in a secure broadcasting system |
US6629243B1 (en) * | 1998-10-07 | 2003-09-30 | Nds Limited | Secure communications system |
US6634028B2 (en) * | 1993-08-19 | 2003-10-14 | News Datacom, Ltd. | Television system communicating individually addressed information |
US6674717B1 (en) * | 2000-03-30 | 2004-01-06 | Network Physics, Inc. | Method for reducing packet loss and increasing internet flow by feedback control |
US6681331B1 (en) * | 1999-05-11 | 2004-01-20 | Cylant, Inc. | Dynamic software system intrusion detection |
US6681327B1 (en) * | 1998-04-02 | 2004-01-20 | Intel Corporation | Method and system for managing secure client-server transactions |
US6718388B1 (en) * | 1999-05-18 | 2004-04-06 | Jp Morgan Chase Bank | Secured session sequencing proxy system and method therefor |
US20050063303A1 (en) * | 2003-07-29 | 2005-03-24 | Samuels Allen R. | TCP selective acknowledgements for communicating delivered and missed data packets |
US20050074007A1 (en) * | 2003-07-29 | 2005-04-07 | Samuels Allen R. | Transaction boundary detection for reduction in timeout penalties |
US20050108420A1 (en) * | 2000-08-09 | 2005-05-19 | Microsoft Corporation | Fast dynamic measurement of bandwidth in a TCP network environment |
US20050187979A1 (en) * | 2004-02-09 | 2005-08-25 | Microsoft Corporation | System and method for message-level connection management |
Family Cites Families (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CH682614A5 (en) | 1990-02-21 | 1993-10-15 | Kudelski Sa | Method for scrambling and unscrambling a video signal. |
IL107967A (en) | 1993-12-09 | 1996-12-05 | News Datacom Research Ltd | Apparatus and method for securing communication systems |
US5880769A (en) | 1994-01-19 | 1999-03-09 | Smarttv Co. | Interactive smart card system for integrating the provision of remote and local services |
MY125706A (en) | 1994-08-19 | 2006-08-30 | Thomson Consumer Electronics | High speed signal processing smart card |
KR100332743B1 (en) | 1994-11-26 | 2002-11-07 | 엘지전자주식회사 | Device and method for preventing illegal copy or unauthorized watching of digital image |
US6658568B1 (en) | 1995-02-13 | 2003-12-02 | Intertrust Technologies Corporation | Trusted infrastructure support system, methods and techniques for secure electronic commerce transaction and rights management |
US5621793A (en) | 1995-05-05 | 1997-04-15 | Rubin, Bednarek & Associates, Inc. | TV set top box using GPS |
US6151643A (en) * | 1996-06-07 | 2000-11-21 | Networks Associates, Inc. | Automatic updating of diverse software products on multiple client computer systems by downloading scanning application to client computer and generating software list on client computer |
US6668325B1 (en) | 1997-06-09 | 2003-12-23 | Intertrust Technologies | Obfuscation techniques for enhancing software security |
US6009525A (en) | 1997-08-29 | 1999-12-28 | Preview Systems, Inc. | Multi-tier electronic software distribution |
EP0932124B1 (en) | 1998-01-14 | 2002-05-02 | Irdeto Access B.V. | Integrated circuit and smart card comprising such a circuit |
US6334213B1 (en) | 1998-01-20 | 2001-12-25 | Preview Systems | Merging of separate executable computer programs to form a single executable computer program |
US6009401A (en) | 1998-04-06 | 1999-12-28 | Preview Systems, Inc. | Relicensing of electronically purchased software |
NZ508136A (en) | 1998-04-21 | 2003-02-28 | Chr Hansen As | Genetically modified lactic acid bacteria having modified diacetyl reductase activities |
WO1999062261A1 (en) | 1998-05-29 | 1999-12-02 | Diva Systems Corporation | Interactive information distribution system and method |
US6499109B1 (en) * | 1998-12-08 | 2002-12-24 | Networks Associates Technology, Inc. | Method and apparatus for securing software distributed over a network |
US6330588B1 (en) * | 1998-12-21 | 2001-12-11 | Philips Electronics North America Corporation | Verification of software agents and agent activities |
JP3816689B2 (en) | 1999-03-31 | 2006-08-30 | 株式会社東芝 | Information distribution apparatus, information reception apparatus, and communication method |
WO2001033864A1 (en) | 1999-10-29 | 2001-05-10 | Koninklijke Philips Electronics N.V. | Video encoding-method |
KR100378791B1 (en) | 1999-12-02 | 2003-04-07 | 엘지전자 주식회사 | Packet identifier section filter |
US7165175B1 (en) | 2000-09-06 | 2007-01-16 | Widevine Technologies, Inc. | Apparatus, system and method for selectively encrypting different portions of data sent over a network |
-
2001
- 2001-12-14 US US10/020,524 patent/US7150045B2/en active Active
-
2006
- 2006-10-05 US US11/539,140 patent/US20070083937A1/en not_active Abandoned
Patent Citations (99)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4535355A (en) * | 1982-06-23 | 1985-08-13 | Microdesign Limited | Method and apparatus for scrambling and unscrambling data streams using encryption and decryption |
US4694489A (en) * | 1983-12-22 | 1987-09-15 | Frederiksen Jeffrey E | Video transmission system |
US5144663A (en) * | 1986-04-18 | 1992-09-01 | Kudelski S.A. Fabrique D'engregistreurs Nagra | Method of interactive communication between a subscriber and a decoder of a system of pay-television and decoder thereof |
US5067035A (en) * | 1987-05-22 | 1991-11-19 | Kudelski Sa Fabrique De'enregistreurs Nagra | Error prevention in a recording and reproducing device with at least one rotating head |
US5134656A (en) * | 1989-02-22 | 1992-07-28 | Kudelski S.A. Fabrique D'enregistruers Nagra | Pre-payment television system using a memory card associated with a decoder |
US5319638A (en) * | 1991-09-12 | 1994-06-07 | Bell Communications Research, Inc. | Link-by-link congestion control for packet transmission systems |
US5640546A (en) * | 1993-02-23 | 1997-06-17 | Network Programs, Inc. | Composition of systems of objects by interlocking coordination, projection, and distribution |
US5539450A (en) * | 1993-04-16 | 1996-07-23 | News Datacom Limited | Methods and systems for providing additional service applications in pay television |
US5592212A (en) * | 1993-04-16 | 1997-01-07 | News Datacom Ltd. | Methods and systems for non-program applications for subscriber television |
US5774527A (en) * | 1993-08-19 | 1998-06-30 | News Datacom Ltd. | Integrated telephone and cable communication networks |
US6634028B2 (en) * | 1993-08-19 | 2003-10-14 | News Datacom, Ltd. | Television system communicating individually addressed information |
US5799089A (en) * | 1993-10-14 | 1998-08-25 | Irdeto B.V. | System and apparatus for blockwise encryption/decryption of data |
US5621799A (en) * | 1993-10-19 | 1997-04-15 | Matsushita Electric Industrial Co., Ltd. | Scrambled transmission system |
US6298441B1 (en) * | 1994-03-10 | 2001-10-02 | News Datacom Ltd. | Secure document access system |
US5920625A (en) * | 1994-04-08 | 1999-07-06 | Irdeto Bv | Method and apparatus for transmitting and receiving encrypted signals |
US5774546A (en) * | 1994-10-03 | 1998-06-30 | News Datacom Ltd. | Secure access system utilizing an access card having more than one embedded integrated circuit and/or plurality of security levels |
US5666412A (en) * | 1994-10-03 | 1997-09-09 | News Datacom Ltd. | Secure access systems and methods utilizing two access cards |
US5878134A (en) * | 1994-10-03 | 1999-03-02 | News Data Com Ltd. | Secure access systems utilizing more than one IC card |
US5758257A (en) * | 1994-11-29 | 1998-05-26 | Herz; Frederick | System and method for scheduling broadcast of and access to video programs and other data using customer profiles |
US5917912A (en) * | 1995-02-13 | 1999-06-29 | Intertrust Technologies Corporation | System and methods for secure transaction management and electronic rights protection |
US5949876A (en) * | 1995-02-13 | 1999-09-07 | Intertrust Technologies Corporation | Systems and methods for secure transaction management and electronic rights protection |
US6237786B1 (en) * | 1995-02-13 | 2001-05-29 | Intertrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
US6253193B1 (en) * | 1995-02-13 | 2001-06-26 | Intertrust Technologies Corporation | Systems and methods for the secure transaction management and electronic rights protection |
US5910987A (en) * | 1995-02-13 | 1999-06-08 | Intertrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
US5915019A (en) * | 1995-02-13 | 1999-06-22 | Intertrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
US6185683B1 (en) * | 1995-02-13 | 2001-02-06 | Intertrust Technologies Corp. | Trusted and secure techniques, systems and methods for item delivery and execution |
US6363488B1 (en) * | 1995-02-13 | 2002-03-26 | Intertrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
US6640304B2 (en) * | 1995-02-13 | 2003-10-28 | Intertrust Technologies Corporation | Systems and methods for secure transaction management and electronic rights protection |
US6389402B1 (en) * | 1995-02-13 | 2002-05-14 | Intertrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
US5922208A (en) * | 1995-06-08 | 1999-07-13 | Defil N.V. Holland Intertrust (Antilles) N.V. | Filter device |
US6021197A (en) * | 1995-06-23 | 2000-02-01 | Irdeto B.V. | Method and apparatus for controlling the operation of a signal decoder in a broadcasting system |
US6035037A (en) * | 1995-08-04 | 2000-03-07 | Thomson Electronic Consumers, Inc. | System for processing a video signal via series-connected high speed signal processing smart cards |
US5825890A (en) * | 1995-08-25 | 1998-10-20 | Netscape Communications Corporation | Secure socket layer application program apparatus and method |
US5923666A (en) * | 1995-10-24 | 1999-07-13 | Nds Limited | Decoding carriers encoded using orthogonal frequency division multiplexing |
US5684876A (en) * | 1995-11-15 | 1997-11-04 | Scientific-Atlanta, Inc. | Apparatus and method for cipher stealing when encrypting MPEG transport packets |
US5870474A (en) * | 1995-12-04 | 1999-02-09 | Scientific-Atlanta, Inc. | Method and apparatus for providing conditional access in connection-oriented, interactive networks with a multiplicity of service providers |
US5933498A (en) * | 1996-01-11 | 1999-08-03 | Mrj, Inc. | System for controlling access and distribution of digital property |
US5805705A (en) * | 1996-01-29 | 1998-09-08 | International Business Machines Corporation | Synchronization of encryption/decryption keys in a data communication network |
US6405369B1 (en) * | 1996-03-18 | 2002-06-11 | News Datacom Limited | Smart card chaining in pay television systems |
US6256668B1 (en) * | 1996-04-18 | 2001-07-03 | Microsoft Corporation | Method for identifying and obtaining computer software from a network computer using a tag |
US6049671A (en) * | 1996-04-18 | 2000-04-11 | Microsoft Corporation | Method for identifying and obtaining computer software from a network computer |
US6201948B1 (en) * | 1996-05-22 | 2001-03-13 | Netsage Corporation | Agent based instruction system and method |
US5953005A (en) * | 1996-06-28 | 1999-09-14 | Sun Microsystems, Inc. | System and method for on-line multimedia access |
US5943422A (en) * | 1996-08-12 | 1999-08-24 | Intertrust Technologies Corp. | Steganographic techniques for securely delivering electronic digital rights management control information over insecure communication channels |
US6292569B1 (en) * | 1996-08-12 | 2001-09-18 | Intertrust Technologies Corp. | Systems and methods using cryptography to protect secure computing environments |
US6618484B2 (en) * | 1996-08-12 | 2003-09-09 | Intertrust Technologies Corporation | Steganographic techniques for securely delivering electronic digital rights management control information over insecure communication channels |
US6449367B2 (en) * | 1996-08-12 | 2002-09-10 | Intertrust Technologies Corp. | Steganographic techniques for securely delivering electronic digital rights management control information over insecure communication channels |
US6240185B1 (en) * | 1996-08-12 | 2001-05-29 | Intertrust Technologies Corporation | Steganographic techniques for securely delivering electronic digital rights management control information over insecure communication channels |
US5892900A (en) * | 1996-08-30 | 1999-04-06 | Intertrust Technologies Corp. | Systems and methods for secure transaction management and electronic rights protection |
US6191782B1 (en) * | 1996-08-30 | 2001-02-20 | Matsushita Electric Industrial Co., Ltd. | Terminal apparatus and method for achieving interactive operations by displaying a desired piece of image information at high speed using cache memories, out of a large amount of image information sent in a one-way direction |
US6226794B1 (en) * | 1996-09-17 | 2001-05-01 | Sarnoff Corporation | Set top terminal for an interactive information distribution system |
US5939975A (en) * | 1996-09-19 | 1999-08-17 | Nds Ltd. | Theft prevention system and method |
US5883957A (en) * | 1996-09-20 | 1999-03-16 | Laboratory Technologies Corporation | Methods and apparatus for encrypting and decrypting MIDI files |
US5825879A (en) * | 1996-09-30 | 1998-10-20 | Intel Corporation | System and method for copy-protecting distributed video content |
US6038433A (en) * | 1996-10-02 | 2000-03-14 | Irdeto B.V. | Method for automatically searching a frequency range for signal channels in a receiver for digitally modulated signals, and receiver for applying such a method |
US6178242B1 (en) * | 1997-02-07 | 2001-01-23 | Nds Limited | Digital recording protection system |
US6138119A (en) * | 1997-02-25 | 2000-10-24 | Intertrust Technologies Corp. | Techniques for defining, using and manipulating rights management data structures |
US5920861A (en) * | 1997-02-25 | 1999-07-06 | Intertrust Technologies Corp. | Techniques for defining using and manipulating rights management data structures |
US5960170A (en) * | 1997-03-18 | 1999-09-28 | Trend Micro, Inc. | Event triggered iterative virus detection |
US6192354B1 (en) * | 1997-03-21 | 2001-02-20 | International Business Machines Corporation | Apparatus and method for optimizing the performance of computer tasks using multiple intelligent agents having varied degrees of domain knowledge |
US6189097B1 (en) * | 1997-03-24 | 2001-02-13 | Preview Systems, Inc. | Digital Certificate |
US5937159A (en) * | 1997-03-28 | 1999-08-10 | Data General Corporation | Secure computer system |
US6073256A (en) * | 1997-04-11 | 2000-06-06 | Preview Systems, Inc. | Digital product execution control |
US6272636B1 (en) * | 1997-04-11 | 2001-08-07 | Preview Systems, Inc | Digital product execution control and security |
US6061454A (en) * | 1997-06-27 | 2000-05-09 | International Business Machines Corp. | System, method, and computer program for communicating a key recovery block to enable third party monitoring without modification to the intended receiver |
US6055503A (en) * | 1997-08-29 | 2000-04-25 | Preview Systems | Software program self-modification |
US6112181A (en) * | 1997-11-06 | 2000-08-29 | Intertrust Technologies Corporation | Systems and methods for matching, selecting, narrowcasting, and/or classifying based on rights management and/or other information |
US20030007568A1 (en) * | 1997-11-17 | 2003-01-09 | Dominique Hamery | Packet filtering |
US6119165A (en) * | 1997-11-17 | 2000-09-12 | Trend Micro, Inc. | Controlled distribution of application programs in a computer network |
US6052785A (en) * | 1997-11-21 | 2000-04-18 | International Business Machines Corporation | Multiple remote data access security mechanism for multitiered internet computer networks |
US6409089B1 (en) * | 1997-12-10 | 2002-06-25 | Thomson Licensing S.A. | Method for protecting the audio/visual data across the NRSS interface |
US6587561B1 (en) * | 1998-03-04 | 2003-07-01 | Nds Ltd. | Key delivery in a secure broadcasting system |
US6247950B1 (en) * | 1998-03-20 | 2001-06-19 | Nds Limited | Secure smart card and tool for removing same |
US6459427B1 (en) * | 1998-04-01 | 2002-10-01 | Liberate Technologies | Apparatus and method for web-casting over digital broadcast TV network |
US6681327B1 (en) * | 1998-04-02 | 2004-01-20 | Intel Corporation | Method and system for managing secure client-server transactions |
US6285985B1 (en) * | 1998-04-03 | 2001-09-04 | Preview Systems, Inc. | Advertising-subsidized and advertising-enabled software |
US6466670B1 (en) * | 1998-05-21 | 2002-10-15 | Nds Limited | System for preventing playback of unauthorized digital video recordings |
US6223287B1 (en) * | 1998-07-24 | 2001-04-24 | International Business Machines Corporation | Method for establishing a secured communication channel over the internet |
US6629243B1 (en) * | 1998-10-07 | 2003-09-30 | Nds Limited | Secure communications system |
US6367009B1 (en) * | 1998-12-17 | 2002-04-02 | International Business Machines Corporation | Extending SSL to a multi-tier environment using delegation of authentication and authority |
US20020021805A1 (en) * | 1999-01-06 | 2002-02-21 | Schumann Robert Wilhelm | Digital content distribution system and method |
US6505299B1 (en) * | 1999-03-01 | 2003-01-07 | Sharp Laboratories Of America, Inc. | Digital image scrambling for image coding systems |
US6415031B1 (en) * | 1999-03-12 | 2002-07-02 | Diva Systems Corporation | Selective and renewable encryption for secure distribution of video on-demand |
US6681331B1 (en) * | 1999-05-11 | 2004-01-20 | Cylant, Inc. | Dynamic software system intrusion detection |
US6718388B1 (en) * | 1999-05-18 | 2004-04-06 | Jp Morgan Chase Bank | Secured session sequencing proxy system and method therefor |
US6584567B1 (en) * | 1999-06-30 | 2003-06-24 | International Business Machines Corporation | Dynamic connection to multiple origin servers in a transcoding proxy |
US6449719B1 (en) * | 1999-11-09 | 2002-09-10 | Widevine Technologies, Inc. | Process and streaming server for encrypting a data stream |
US20020015498A1 (en) * | 2000-02-17 | 2002-02-07 | Houlberg Christian L. | Method which uses a Non-Volatile Memory to store a crypto key and a check word for an encryption device |
US6409080B2 (en) * | 2000-03-27 | 2002-06-25 | Kabushiki Kaisha Toshiba | Portable electronic device and loyalty point system |
US6674717B1 (en) * | 2000-03-30 | 2004-01-06 | Network Physics, Inc. | Method for reducing packet loss and increasing internet flow by feedback control |
US20020001385A1 (en) * | 2000-06-30 | 2002-01-03 | Hirotsugu Kawada | Recording method and apparatus, optical disk, and computer-readable storage medium |
US20050108420A1 (en) * | 2000-08-09 | 2005-05-19 | Microsoft Corporation | Fast dynamic measurement of bandwidth in a TCP network environment |
US20020087883A1 (en) * | 2000-11-06 | 2002-07-04 | Curt Wohlgemuth | Anti-piracy system for remotely served computer applications |
US20020089410A1 (en) * | 2000-11-13 | 2002-07-11 | Janiak Martin J. | Biometric authentication device for use with a personal digital assistant |
US20020104004A1 (en) * | 2001-02-01 | 2002-08-01 | Bruno Couillard | Method and apparatus for synchronizing real-time clocks of time stamping cryptographic modules |
US20020141582A1 (en) * | 2001-03-28 | 2002-10-03 | Kocher Paul C. | Content security layer providing long-term renewable security |
US20050063303A1 (en) * | 2003-07-29 | 2005-03-24 | Samuels Allen R. | TCP selective acknowledgements for communicating delivered and missed data packets |
US20050074007A1 (en) * | 2003-07-29 | 2005-04-07 | Samuels Allen R. | Transaction boundary detection for reduction in timeout penalties |
US20050187979A1 (en) * | 2004-02-09 | 2005-08-25 | Microsoft Corporation | System and method for message-level connection management |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110131652A1 (en) * | 2009-05-29 | 2011-06-02 | Autotrader.Com, Inc. | Trained predictive services to interdict undesired website accesses |
EP2544118A2 (en) | 2011-07-04 | 2013-01-09 | Siemens AG Österreich | Method for protecting data content |
US8732850B2 (en) | 2011-07-04 | 2014-05-20 | Siemens Convergence Creators Gmbh | Method for protecting data contents |
US20160366214A9 (en) * | 2013-03-15 | 2016-12-15 | Jean Alexandera Munemann | Dual node network system and method |
Also Published As
Publication number | Publication date |
---|---|
US20020164023A1 (en) | 2002-11-07 |
US7150045B2 (en) | 2006-12-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7150045B2 (en) | Method and apparatus for protection of electronic media | |
US10699011B2 (en) | Efficient white listing of user-modifiable files | |
EP3602999B1 (en) | Initialisation vector identification for encrypted malware traffic detection | |
JP4490994B2 (en) | Packet classification in network security devices | |
US8819835B2 (en) | Silent-mode signature testing in anti-malware processing | |
JP4284072B2 (en) | System and method for monitoring unauthorized transport of digital content | |
US8010469B2 (en) | Systems and methods for processing data flows | |
US7512808B2 (en) | Anti-computer viral agent suitable for innoculation of computing devices | |
US8402540B2 (en) | Systems and methods for processing data flows | |
EP1702449B1 (en) | Method for identifying the content of files in a network | |
US20070039051A1 (en) | Apparatus And Method For Acceleration of Security Applications Through Pre-Filtering | |
US20160366160A1 (en) | Systems and Methods for Processing Data Flows | |
US20040064737A1 (en) | Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses | |
US7096497B2 (en) | File checking using remote signing authority via a network | |
US20060174343A1 (en) | Apparatus and method for acceleration of security applications through pre-filtering | |
EP2442525A1 (en) | Systems and methods for processing data flows | |
US20050273856A1 (en) | Method and system for isolating suspicious email | |
CA2545916A1 (en) | Apparatus method and medium for detecting payload anomaly using n-gram distribution of normal data | |
JP2007507763A (en) | High performance network content analysis platform | |
JP2014509007A (en) | Method and apparatus for dealing with malware | |
JP7388613B2 (en) | Packet processing method and apparatus, device, and computer readable storage medium | |
CN1969524B (en) | Method and system for identifying the content of files in a network | |
CN113328976B (en) | Security threat event identification method, device and equipment | |
Hu et al. | Detecting unknown massive mailing viruses using proactive methods | |
Balthrop | RIOT: A responsive system for mitigating computer network epidemics and attacks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: WIDEVINE TECHNOLOGIES, INC., WASHINGTON Free format text: NOTICE UNDER 35 USC 261 REGARDING ASSIGNMENT IWTH ATTACHED EMPLOYMENT AGREEMENT;ASSIGNOR:WORZEL, WILLIAM P.;REEL/FRAME:020008/0284 Effective date: 20000330 Owner name: WIDEVINE TECHNOLOGIES, INC., WASHINGTON Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:KOELLE, KATHARINA VERONIKA;REEL/FRAME:020006/0736 Effective date: 20011208 |
|
AS | Assignment |
Owner name: VENTURE LENDING & LEASING V, INC., CALIFORNIA Free format text: SECURITY AGREEMENT;ASSIGNOR:WIDEVINE TECHNOLOGIES, INC.;REEL/FRAME:023044/0724 Effective date: 20090730 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
|
AS | Assignment |
Owner name: GOOGLE INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:WIDEVINE TECHNOLOGIES, INC.;REEL/FRAME:026535/0065 Effective date: 20110608 |
|
AS | Assignment |
Owner name: GOOGLE LLC, CALIFORNIA Free format text: CHANGE OF NAME;ASSIGNOR:GOOGLE INC.;REEL/FRAME:044142/0357 Effective date: 20170929 |