US20090044266A1 - System and method for providing transactional security for an end-user device - Google Patents


Info

Publication number
US20090044266A1
Authority
US
United States
Prior art keywords
network
transaction
user device
security mechanism
security
Prior art date
Legal status
Abandoned
Application number
US12/111,777
Inventor
John C. Sharp
Wee Tuck Teo
Helmuth Freericks
Oleg Kouznetsov
Current Assignee
Wontok Inc
Safeguard Delaware Inc
Original Assignee
Authentium Inc
Priority date
Filing date
Publication date
Family has litigation
First worldwide family litigation filed: https://patents.darts-ip.com/?family=38833899&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=US20090044266(A1) ("Global patent litigation dataset" by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.)
Application filed by Authentium Inc
Priority to US12/111,777
Assigned to AUTHENTIUM, INC. Assignment of assignors' interest (see document for details). Assignors: SHARP, JOHN C., FREERICKS, HELMUTH, KOUZNETSOV, OLEG
Assigned to AUTHENTIUM, INC. Corrective assignment to correct the recordation of page 2, which was omitted from the initial recordation previously recorded on reel 021122, frame 0556. Assignor(s) hereby confirm that the assignment filed on June 19, 2008 was missing page 2 of the assignment. Assignors: SHARP, JOHN C., FREERICKS, HELMUTH, KOUZNETSOV, OLEG
Assigned to SAFEGUARD DELAWARE, INC. Assignment of assignors' interest (see document for details). Assignors: AUTHENTIUM, INC.
Publication of US20090044266A1
Assigned to SAFECENTRAL, INC. Change of name (see document for details). Assignors: AUTHENTIUM, INC.
Priority to US13/075,569 (published as US20110209222A1)
Assigned to WONTOK, INC. Assignment of assignors' interest (see document for details). Assignors: SAFECENTRAL, INC.
Current legal status: Abandoned

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55: Detecting local intrusion or implementing counter-measures
    • G06F 21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 20/00: Payment architectures, schemes or protocols
    • G06Q 20/38: Payment protocols; Details thereof
    • G06Q 20/382: Payment protocols; Details thereof insuring higher security of transaction
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 30/00: Commerce
    • G06Q 30/06: Buying, selling or leasing transactions
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • This invention relates generally to network systems, and more particularly provides a system and method for providing transactional security to an end-user device.
  • Security is a key concern during online transactions.
  • Commercial Internet transactions include, e.g., Internet banking, credit card purchases, etc.
  • Traditional security solutions focus on server-side infrastructure security, e.g., HTTPS web sites, two-factor authentication, etc. While the server side benefits from management and maintenance by security experts, the end user's computer does not.
  • shared Internet resources (e.g., DNS servers, intermediate routers, etc.) are not managed by web site owners or end users, so securing these shared resources is outside the control of the stakeholders.
  • a system and method that facilitate protection of an end-user device are therefore needed.
  • instead of ensuring that an end-user device is permanently secure, which requires ongoing security management, embodiments of the invention ensure that the end-user device is secure only during a transaction, e.g., an online transaction. This reduces end-user security management overhead. For example, an end-user device may be infected with keyloggers or remote backdoors during normal operation. However, according to embodiments of the invention, these threats need only be disabled during the transaction. According to another embodiment, instead of depending on an end user to manage the security software, software that enables a trusted network transaction (TNT) environment is managed and provided by a trusted source that provides the security software or security policy on demand.
  • the security software or security policy may be delivered/pushed onto the end-user device from a transaction site or from a service provider site (e.g., the end user's Internet service provider, the transaction site's security provider, an independent service provider, or the like).
  • the security software delivered/pushed onto an end-user device may remove dependencies on shared Internet resources.
  • the IP address of a destination web or VPN server may be provided directly to the end-user device to determine or force a new connection over the Internet with the destination web or VPN server.
  • Yet another embodiment secures data exchange by ensuring that confidential data cannot be permanently captured by malicious software residing on an end-user device, or that confidential data captured cannot be sent or misdirected to untrusted remote sites.
  • the present invention provides a network system comprising a transaction network operative to provide a transaction with an end user; a trusted source of a security mechanism for at least partially protecting an end-user device from malicious code operative thereon that attempts to capture confidential data presented during the transaction, the security mechanism being maintained by a party other than the end user; and an agent for providing the security mechanism to (e.g., installing or configuring the security mechanism on) the end-user device so that the appropriate security mechanism for the expected transaction protects the end-user device during the transaction.
  • the transaction network may provide a banking site and/or a gaming site.
  • the trusted source may reside on an ISP network, SAS (software-as-a-service) operator network or on the transaction network.
  • the trusted source and the transaction network may be managed by the same entity.
  • the security mechanism may include a security engine and/or a security profile.
  • the security mechanism may include a start/stop trigger module for controlling when to initiate one or more aspects of the security mechanism and when to deactivate the one or more aspects of the security mechanism; an application lockout module for suspending at least one application not needed to effect the transaction; a file/network I/O control module for disabling at least one file or network operation during the transaction; a trusted driver module for determining whether a driver, e.g., a keyboard driver, on the end-user device matches a known trusted driver; a keystrokes generator driver for generating additional keystrokes to a keystroke pattern generated by the end user; a keystrokes deletion hook for deleting the additional keystrokes generated by the keystrokes generator driver; and/or a VPN manager capable of establishing a bidirectional or unidirectional secure tunnel between the end-user device and the transaction network.
  • the security mechanism may include an IP address to a server within the transaction network.
  • the agent or another agent may be capable of removing the security mechanism upon completion of the transaction.
  • the agent may include an install agent downloaded from the trusted source, an install agent downloaded from a third-party server, and/or a connection agent preloaded onto the end-user device.
  • the present invention provides a method comprising initiating, by an end user, a request for a secure transaction with a transaction network providing a transaction; receiving from a trusted source a security mechanism for at least partially protecting an end-user device from malicious code operative thereon that attempts to capture confidential data presented during the transaction, the security mechanism being maintained by a party other than the end user; activating the security mechanism; establishing a secure connection between the end-user device and the transaction network; and enabling the transaction.
  • the trusted source may reside on an ISP network, SAS operator network or on the transaction network.
  • the security mechanism may include a security engine and/or a security profile.
  • the security mechanism may include a start/stop trigger module for controlling when to initiate one or more aspects of the security mechanism and when to deactivate the one or more aspects of the security mechanism; an application lockout module for suspending at least one application not needed to effect the transaction; a file/network I/O control module for disabling at least one file or network operation during the transaction; a trusted driver module for determining whether a driver, e.g., a keyboard driver, on the end-user device matches a known trusted driver; a keystrokes generator driver for generating additional keystrokes to a keystroke pattern generated by the end user; a keystrokes deletion hook for deleting the additional keystrokes generated by the keystrokes generator driver; and/or a VPN manager capable of establishing a secure tunnel between the end-user device and the transaction network.
  • the security mechanism may include an IP address to a server within the transaction network. The method may further comprise removing the security mechanism upon completion of the transaction.
  • FIG. 1 is a block diagram of a network system operative to secure an end-user device, in accordance with an embodiment of the present invention.
  • FIG. 2 is a block diagram illustrating details of the security engine of FIG. 1, in accordance with an embodiment of the present invention.
  • FIG. 3 is a block diagram illustrating a network system operative to effect a trusted network transaction with an Internet banking portal, in accordance with an embodiment of the present invention.
  • FIG. 4 is a block diagram illustrating a network system operative to effect a trusted network transaction managed by the end user's Internet service provider, in accordance with an embodiment of the present invention.
  • FIG. 5 is a block diagram illustrating a network system operative to effect security engine installation, in accordance with an embodiment of the present invention.
  • FIG. 6 is a timing diagram illustrating keyboard-input processing, in accordance with an embodiment of the present invention.
  • FIG. 7 is a block diagram illustrating a network system operative to effect tunnel datagram processing, in accordance with an embodiment of the present invention.
  • FIG. 8 is a screen shot of an end-user device before spyware infection or spoofing attack.
  • FIG. 9 is a screen shot of an end-user device after spyware infection.
  • FIG. 10 is a screen shot of an end-user device with a window illustrating keylogger infection.
  • FIG. 11 is a screen shot of an end-user device with a window illustrating keystroke capture.
  • FIG. 12 is a screen shot of an end-user device before DNS poisoning.
  • FIG. 13 is a screen shot of an end-user device with a window illustrating a legitimate IP address in a DNS cache, before DNS poisoning.
  • FIG. 14 is a screen shot of an end-user device after DNS poisoning.
  • FIG. 15 is a screen shot of an end-user device with a window illustrating a spoofed IP address in the DNS cache, after DNS poisoning.
  • FIG. 16 is a screen shot of an end-user device with a browser window illustrating the spoofed site at the IP address of FIG. 15.
  • FIG. 17 is a screen shot of an end-user device with a browser window illustrating the spoofed site and with a security alert.
  • FIG. 18 is a screen shot of an end-user device with a browser window illustrating the spoofed site and with a spoofed security certificate.
  • FIG. 19 is a screen shot of an end-user device after keylogger infection and DNS poisoning and before protection by embodiments of the invention.
  • FIG. 20 is a screen shot of an end-user device with a window illustrating continuous pinging of the Yahoo website to evidence the availability of outbound communication.
  • FIG. 21 is a screen shot of an end-user device with a window illustrating that a download agent, e.g., an ActiveX control, is being delivered to the end-user device.
  • FIG. 22 is a screen shot of an end-user device with a window illustrating that the download agent is being executed and is establishing a VPN connection with a trusted source of a security engine.
  • FIG. 23 is a screen shot of an end-user device with a window illustrating that the download agent has established a VPN connection with the trusted source, has downloaded and installed the security engine, and is presenting a button to navigate to the legitimate banking site.
  • FIG. 24 is a screen shot of an end-user device with a window illustrating that the continuous pinging of the Yahoo website has stopped, evidencing that outbound communication has been suspended.
  • FIG. 25 is a screen shot of an end-user device with a window illustrating the legitimate IP address of the legitimate banking site.
  • FIG. 26 is a screen shot of an end-user device with a window illustrating application lockout.
  • FIG. 27 is a screen shot of an end-user device with a window illustrating the button to navigate to the legitimate banking site.
  • FIG. 28 is a screen shot of an end-user device with a browser window illustrating the legitimate banking site.
  • FIG. 29 is a screen shot of an end-user device with a window illustrating the legitimate banking site certificate of the legitimate banking site.
  • FIG. 30 is a screen shot of an end-user device with a browser window illustrating the legitimate banking site and illustrating that the keylogger is no longer active.
  • FIG. 31 is a screen shot of an end-user device with a browser window just before the security engine is deactivated and/or removed.
  • FIG. 32 is a screen shot of an end-user device with a window illustrating that outbound communication has resumed.
  • FIG. 33 is a screen shot of an end-user device with a window illustrating resumed vulnerability to the DNS poisoning of the DNS cache.
  • FIG. 34 is a screen shot of an end-user device with a window illustrating that the security engine protected the memory space from registering the browser window.
  • FIG. 35 is a screen shot of an end-user device with a window illustrating that the keylogger infection has been neutralized.
  • instead of ensuring that an end-user device is permanently secure, which requires ongoing security management, embodiments of the invention only ensure that the end-user device is secure during a data-sensitive transaction. This reduces end-user security management overhead. For example, an end-user device may be infected with keyloggers or remote backdoors during normal operation. However, according to embodiments of the invention, these threats need only be disabled during the transaction. According to another embodiment, instead of depending on an end user to manage the security software, software that enables a trusted network transaction (TNT) environment is managed and provided by a trusted source that provides the security software on demand.
  • the security software may be delivered/pushed onto the end-user device from an online transaction site or from a service provider site (e.g., the end user's Internet service provider, the transaction site's security provider, an independent service provider, or the like).
  • the IP address of a destination VPN server may be provided directly to the end-user device to force a new connection over the Internet with the destination VPN server.
  • TNT mechanisms include security engines, security profiles, and/or the like.
  • the transaction is not necessarily an online transaction; it could be a local transaction, e.g. opening an encrypted local file.
  • FIG. 1 is a block diagram of a network system 100 operative to secure an end-user device 105, in accordance with an embodiment of the present invention.
  • the network system 100 includes an end-user device 105 coupled via a trusted network 110 to an Internet service provider (ISP) network 115, which is coupled via an untrusted network 112 to a transaction network (e.g., server, network of servers, etc.) 120 (e.g., bankofamerica.com, amazon.com, ebay.com, etc.) and to another network 125.
  • the end-user device 105 includes a browser 135 (e.g., Microsoft Internet Explorer or Netscape Navigator), an operating system (e.g., Microsoft Vista or Apple Mac OS X) and device drivers 140 , and other applications 145 .
  • the end-user device 105 also includes a connection agent 130 capable of communicating with a trusted source of a security mechanism (e.g., security engine and/or security profiles) that secures the end-user device 105 during an online transaction.
  • the end-user device 105 may also maintain a local DNS cache 150.
  • the ISP network 115 includes a server 165, a DNS server/cache 170, and an end-user security controller 175.
  • components of the end-user security controller 175 may be located elsewhere, such as on the transaction network 120 or on another trusted source (e.g., the security engine can be on the trusted network and the security policy can be on the transaction network).
  • the end-user security controller 175 includes a security engine 177 and security profiles 180 for download to the end-user device 105.
  • the security engine 177 contains software that sets up a secure data exchange between the end-user device 105 and a remote network application running on a trusted device in a trusted network, e.g., a trusted server on the transaction network 120.
  • the security profiles 180 contain the rules, definitions and/or identification information that the security engine 177 uses to block unexpected behaviors due to, e.g., viruses, spyware, adware, Trojans, etc.
  • the ISP network 115 may support multiple transaction networks 120, and may include multiple security controllers 175 (each dedicated to a particular transaction network 120).
  • the ISP network 115 may have a single security controller 175, and may customize the security engine 177 and/or security profiles 180 on the fly for the particular transaction network 120.
  • the security engine 177 and/or security profiles 180 may be updated on a regular basis by a security manager. Then, as needed, possibly on an irregular basis as the end user connects to the ISP network 115 and/or to the transaction network 120, the end-user security controller 175 downloads the security engine 177 and/or security profiles 180 to the end-user device 105.
  • in one embodiment, the security engine 177 and/or security profiles 180 are maintained only during the transaction session, and are removed upon completion of the transaction. In another embodiment, the security engine 177 and/or security profiles 180 are not removed, and are updated before each new transaction begins.
  • in yet another embodiment, the security engine 177 and/or security profiles 180 remain operative between transactions, and serve to protect the end-user device 105 in its current state until a subsequent transaction request deploys an update. Additional details of the security engine 177 are shown and described with reference to FIG. 2.
  • the transaction network 120 includes at least one web server 185, which includes a login script 190.
  • the login script 190 may request confidential information from the end user.
  • the security engine 177 and security profiles 180 protect the confidential data being provided by the end user from unintended capture, undesired transfer to third parties, etc.
  • the other network 125 includes at least one web server 193, which includes a login script 197.
  • the other network 125 may provide a malicious site developed to mimic the site provided by transaction network 120.
  • the security engine 177 and security profiles 180 protect the end user from being misdirected to the other network 125, e.g., via DNS poisoning, etc.
  • connection agent 130 is securely delivered and pre-installed on the end-user device 105. Whenever secure data exchange is required, the connection agent 130 downloads a trusted copy of the security engine 177 and/or security profiles 180.
  • the connection agent 130 can be implemented as a standalone executable application, as a plug-in to the browser 135, as a part of the operating system 140, etc. In one embodiment, it is assumed that the connection agent 130 is delivered, pre-installed and executed on the end-user device 105 without modification. If the connection agent 130 does not come from a trusted source, then secure data exchange may be compromised.
  • the connection agent 130 uses a pre-configured and unchangeable network address to contact a secure network address resolution service to obtain the IP address of the trusted source providing the security engine 177 and/or security profiles 180.
  • the IP address of a trusted DNS security extensions (DNSSEC) server may be embedded in the connection agent 130.
  • the connection agent 130 may use this IP address to connect to the DNSSEC server to resolve the domain name of the trusted source to an IP address.
  • a secure data exchange may be established to provide a secure connection to the trusted source, preventing network traffic from the end-user device 105 from being misdirected to untrusted sources and guarding against other forms of network intrusion and attacks.
  • connection agent 130 may use the resolved IP address to connect to the trusted source, e.g., via a secure tunnel.
  • This connection technique ensures that the IP address is accurate (e.g., not poisoned by a DNS attack), and assures that the end-user device 105 connects to the intended trusted source.
  • the communication protocols employed in the secure network address resolution service ensure that communication to and from the end-user device 105 is authenticated, authoritative and accurate.
  • the end-user device 105 can download the security engine 177 and/or security profiles 180, e.g., using protocols like HTTP or FTP.
  • the secure tunnel established by the connection agent 130 ensures that data traffic between the end-user device 105 and the trusted source is secure and cannot be compromised, even when insecure protocols like HTTP and FTP are used.
  • the end-user device 105 executes the security engine 177.
  • the security engine 177 effectively secures the end-user device 105, e.g., allows the end-user device 105 to communicate only with trusted sites, prevents other applications 145 running on the end-user device 105 from capturing or sending information, especially to untrusted sites, etc. The user can then access and interact with the transaction network 120 in confidence.
  • connection agent 130 and security engine 177 are pre-loaded onto the end-user device 105. Then, using the techniques described above for obtaining the security engine 177 and/or security profiles 180, the connection agent 130 and security engine 177 may obtain current security profiles 180 to configure and/or operate with the pre-loaded security engine 177.
  • connection agent 130 may cooperate with the end-user security controller 175 to establish a preliminary VPN tunnel (e.g., Microsoft PPTP or L2TP/IPSEC) before obtaining the security engine 177 and/or security profiles 180.
  • a preliminary VPN tunnel ensures that the security engine 177 and/or security profiles 180 are not modified or replaced in transit.
  • the preliminary VPN tunnel is dynamically established using IP (instead of DNS) as the destination address. This bypasses the dependency on the Internet-shared DNS service.
  • security engine 177 may establish a transaction network VPN tunnel (e.g., Microsoft PPTP or L2TP/IPSEC) with the transaction network 120.
  • This VPN tunnel ensures that confidential data communicated with the transaction network 120 is not captured.
  • the VPN tunnel is dynamically established using IP (instead of DNS) as the destination address.
  • the IP address can be securely updated immediately (as compared to using DNS) because the IP address can be directly set in the security engine 177 and/or security profiles 180 (which are directly managed by the trusted party). This bypasses the dependency on the Internet-shared DNS service.
  • the preliminary VPN tunnel may connect with the transaction network 120. Accordingly, in such embodiments, the security engine 177 need not establish a different tunnel.
  • FIG. 2 is a block diagram illustrating details of the security engine 177, in accordance with an embodiment of the present invention.
  • the security engine 177 includes a security manager 210, a start/stop trigger module 215, an application lockout module 220, a network/file I/O control module 225, a trusted driver manager 230, a keystrokes generator driver 235, a keystrokes deletion hook 240, a security profile manager 245, and a transaction network VPN manager 250.
  • the security manager 210 includes hardware, software and/or firmware to manage the execution of and interaction between the various components of the security engine 177.
  • the start/stop trigger module 215 includes hardware, software and/or firmware to determine where and when data protection is needed.
  • the application lockout module 220 includes hardware, software and/or firmware to effectively suspend other applications not needed during the online transaction (e.g., Authentium Trusted Security Extensions, SecureWave Sanctuary, and/or the like).
  • the network/file I/O control module 225 includes hardware, software and/or firmware to prevent network and/or file I/O by other applications, e.g., by other applications that cannot be suspended.
  • the trusted driver manager 230 includes hardware, software and/or firmware to determine whether device drivers, e.g., the keyboard input driver, on the end-user device 105 can be trusted.
  • the keystrokes generator driver 235 includes hardware, software and/or firmware to generate additional keystrokes and/or replace keystrokes generated by the keyboard input driver 140, e.g., to insert fake keystrokes into the keyboard input pattern.
  • the keystrokes deletion hook 240 includes hardware, software and/or firmware to remove the additional keystrokes and/or restore the original keystrokes generated by the keyboard input driver 140, e.g., to regenerate the original keyboard input pattern that was modified by the keystrokes generator driver 235.
  • the security profile manager 245 includes hardware, software and/or firmware to replace and/or update the security profiles 180.
  • the transaction network VPN manager 250 includes hardware, software and/or firmware to establish a VPN tunnel with the transaction network 120.
  • the application lockout module 220 treats all applications not explicitly needed to use the transaction network 120 as a security threat and disables them for the duration of the online transaction. For example, during the online transaction, the application lockout module 220 allows only the browser 135 and browser-helper applications (e.g., a PDF reader) to continue normal execution, while effectively suspending all other applications 145 (regardless of whether they are benign or malevolent). Optionally, the application lockout module 220 could permanently terminate (instead of temporarily suspend) well-known spyware or Trojans.
  • the application lockout module 220 in a first stage to suspend unrequired applications 145 by placing them into background mode, by preventing OS event (e.g., Microsoft windows event messages) from being received by these applications 145 , by intercepting all keyboard and mouse operations to these applications 145 , and/or the like. Further, in a second stage, the application lockout module 220 may stop new applications or processes from being executed, e.g., to prevent changes to the security engine 177 and/or security profiles 180 during the transaction. Thus, unrequired or infected applications that bypass the first stage of protection cannot create another process to capture confidential information or disable the security software.
  • the application lockout module 220 may refrain from suspending certain unrequired applications 145 and OS processes (e.g., the OS timer), since suspending them might create unintended side effects (e.g., application crashes).
  • the network/file I/O control module 225 may provide a second level of global security. The network/file I/O control module 225 effectively prevents information leakage by these unrequired applications 145 . Since unrequired applications 145 need to store and/or transmit the captured information, preventing file I/O operations and/or network I/O transmissions can stop permanent storage and/or transfer of the data. Thus, even if the information is captured by the malicious code, no one can obtain the compromised data.
  • the network/file I/O control module 225 can deny write attempts to all files/directories or the OS registry not required by the browser 135 . Using a VPN tunnel may prevent the confidential data from being sent to the Internet by spyware, Trojans, or the like.
  • Embodiments of the invention attempt to enforce protection and/or application/network lockout on demand during a secured data exchange session with less user disruption.
  • Traditional end-point protection and/or lockout solutions e.g., SecureWave, Bit9, etc., apply full protection or lockout of the end-user device 105 to ensure that only valid or authorized applications are allowed to run.
  • this approach is intrusive and disruptive to the end user, who loses the capability to perform normal computing tasks.
  • Embodiments of the invention achieve protection and/or lockout by determining interaction points where and when important sensitive information is being sent to and/or received by the user; by activating end-point protection and/or lockout mechanisms only during these sensitive interaction points; and by de-activating protection and/or lockout outside these interaction points where and when the user is doing things that do not compromise security.
  • the start/stop trigger module 215 determines the interaction points during a user's data exchange session where and when sensitive data needs protection.
  • the start/stop trigger module 215 generates a Sensitive_Start flag when sensitive information is present, e.g., when sensitive information is about to be sent, sensitive data is about to be received, sensitive data is about to be displayed, combinations of these points, etc.
  • the start/stop trigger module 215 generates a Sensitive_Stop flag when no sensitive information is present, e.g., when no sensitive data is being sent, received, displayed, etc.
  • the start/stop trigger module 215 could determine when the user's keyboard focus is on the Paypal browser instance, e.g., the user is likely to be sending sensitive login credentials or credit card information to complete the payment, or when any part of the Paypal browser is visible, e.g., personal Paypal user information or transaction data may be displayed. Full security protection may be enforced when this event is detected.
  • the start/stop trigger module 215 may issue a Sensitive_Stop flag, e.g., when it determines that the Paypal browser 135 that it is protecting no longer has keyboard focus (such that no sensitive information meant for Paypal can be captured by keyloggers), or when it determines that the Paypal browser 135 no longer has window focus and no visible area is shown (such that no sensitive personal information related to Paypal can be captured through screen capturing software).
  • the timing for the start/stop trigger module 215 to issue Sensitive_Start and Sensitive_Stop flags can be further customized and refined to fit various security levels for various applications. For example, it may be deemed important to protect the user's login credentials only for an online gaming application and not the gaming screen. Therefore, the Sensitive_Start and Sensitive_Stop flag requirement can be refined to detect only keyboard focus acquired or lost in the gaming application, and not to require detection of window focus.
  • the start/stop trigger module 215 may listen for a window-focus loss event of the protected application and may minimize the protected application's window. Then, the start/stop trigger module 215 may trigger the Sensitive_Stop event, since it is certain that the protected area is not visible when minimized.
  • a fast-switching engine may provide seamless transition when switching between a protected application and a non-protected application.
  • End-point protection may be turned on quickly when the user is working on the protected application and may be turned off quickly when the user switches to a non-protected application.
  • traditional techniques like network tunnel pre-establishment or keep-alive and application pre-loading of the end-point protection process can be used.
  • the pre-establishment and pre-loading can be done when the OS starts up and/or when the end-point protection mechanism is first activated. The corresponding cleanup can be done when the last protected application is closed and/or when the OS shuts down.
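The focus-driven Sensitive_Start/Sensitive_Stop logic of the preceding items, as an added Python model that is not part of the patent or of any Authentium product. The event names, the TriggerProfile class and its window_visibility_matters switch (keyboard focus alone, as in the gaming case, versus keyboard focus or a visible window, as in the payment case) and the two scenarios are constructed for the example; on a real end-user device the events would come from the window manager and the callbacks would drive the application lockout module and the compulsory tunnel.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class TriggerProfile:
    """Hypothetical per-application profile; the page only says the flag timing
    can be refined per application (e.g., keyboard focus only for a game)."""
    app_name: str
    window_visibility_matters: bool = True  # False: only keyboard focus decides


@dataclass
class StartStopTrigger:
    """Models the start/stop trigger module: consumes focus/visibility events for
    the protected application, raises Sensitive_Start / Sensitive_Stop on state
    transitions and calls the protection callbacks (lockout, compulsory tunnel)."""
    profile: TriggerProfile
    protection_on: Callable[[], None]
    protection_off: Callable[[], None]
    keyboard_focus: bool = False
    window_visible: bool = False
    active: bool = False
    event_no: int = 0
    flags: List[Tuple[int, str]] = field(default_factory=list)

    def _sensitive_now(self) -> bool:
        if self.profile.window_visibility_matters:
            # Sensitive data can be typed (keyboard focus) or shown (visible area).
            return self.keyboard_focus or self.window_visible
        return self.keyboard_focus

    def _evaluate(self) -> None:
        want = self._sensitive_now()
        if want and not self.active:
            self.flags.append((self.event_no, "Sensitive_Start"))
            self.protection_on()
            self.active = True
        elif not want and self.active:
            self.flags.append((self.event_no, "Sensitive_Stop"))
            self.protection_off()
            self.active = False

    def on_event(self, event: str, app: str) -> None:
        self.event_no += 1
        mine = app == self.profile.app_name
        if event == "keyboard_focus_gained":
            self.keyboard_focus = mine
            if mine:
                self.window_visible = True  # a focused window is on screen
        elif event == "keyboard_focus_lost" and mine:
            self.keyboard_focus = False
        elif event == "window_focus_lost" and mine:
            # The module minimizes the protected window on window-focus loss, so
            # the protected area is certainly not visible afterwards.
            self.window_visible = False
            self.keyboard_focus = False
        self._evaluate()


def run_scenario(window_visibility_matters: bool):
    """Constructed event sequence: bank window focused, user clicks into a chat
    window while the bank window stays visible, bank window loses window focus
    and is minimized, user returns to the bank window."""
    actions: List[str] = []
    trig = StartStopTrigger(
        TriggerProfile("bank", window_visibility_matters),
        lambda: actions.append("enable lockout + compulsory tunnel"),
        lambda: actions.append("disable lockout + restore normal routing"),
    )
    trig.on_event("keyboard_focus_gained", "bank")  # 1: credentials about to be typed
    trig.on_event("keyboard_focus_lost", "bank")    # 2: bank window still visible
    trig.on_event("keyboard_focus_gained", "chat")  # 3: chat window takes focus
    trig.on_event("window_focus_lost", "bank")      # 4: bank window minimized
    trig.on_event("keyboard_focus_gained", "bank")  # 5: user returns to the bank
    return trig.flags, actions
```

With the payment-style profile the Sensitive_Stop flag is only raised at event 4, when the window is minimized; with the keyboard-only profile it is raised already at event 2, which is exactly the refinement the text describes for the gaming application.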
  • An example process incorporating start/stop triggers includes:
  • the end user opens a browser 135 session, and activates the connection agent 130 to access his Internet Banking site (e.g., Citibank), which has implemented TNT security software, to transfer funds to his friend.
  • connection agent 130 establishes a secure data exchange to the Citibank site.
  • An install agent 182 , e.g., a Citibank ActiveX object, is downloaded and loaded into memory.
  • the install agent 182 downloads and installs the security engine 177 and/or security profiles 180 .
  • the start/stop trigger module 215 determines that the Citibank Webpage is in focus, issues a Sensitive_Start flag, and activates the security engine 177 . All traffic goes through the compulsory non-hijack tunnel and other applications are blocked. The MSN and skype connections break during this stage.
  • the start/stop trigger module 215 detects the window focus loss event, minimizes the Citibank browser 135 session, issues the Sensitive_Stop flag, and disables the security engine 177 . Thus, traffic is allowed to go through the original route and not the compulsory tunnel. Further, application blocking is turned off.
  • MSN detects network connectivity and reconnects, allowing the end user to chat with his friend.
  • the end user switches back to the Citibank website.
  • the start/stop trigger module 215 notes the Sensitive_Start flag and re-enables the security engine 177 .
  • the MSN and skype connections break again.
  • the security engine 177 and/or security profiles 180 are unloaded from memory.
  • keylogger protection mechanisms employ anti-virus detection logic to find and remove resident keyloggers on the end-user device. Unlike computer viruses or worms, keyloggers on their own do not attempt to propagate, making keyloggers hard to detect or block using heuristics. Generally, keyloggers hook onto processes available in the end-user device operating system to capture but not modify keystrokes entered by the end user using any keyboard input device or software (e.g., visual keyboard). In certain embodiments, as an alternative approach, the trusted driver manager 230 allows resident intended or unintended keyloggers to continue execution, but renders the keylogging operation ineffective when necessary.
  • the keyboard input device driver 140 must be trusted.
  • the trusted driver manager 230 validates the current driver 140 by comparing a secure ID, a secure hash, and/or the like against a list of trusted and/or untrusted keyboard input secure drivers, IDs, hashes, and/or the like.
  • the trusted driver manager 230 can temporarily or permanently replace the unknown driver 140 with a trusted driver, possibly only for the duration of the data exchange session.
  • resident keyloggers may capture keystrokes from any available OSI level beginning from keyboard input device driver 140 to the user space application 145 . Since keyloggers invisibly and passively capture keystrokes, it is reasonable to assume that the keyloggers (unlike the end user, end user application or remote application) cannot differentiate valid or invalid keystrokes from keyboard input devices. Accordingly, the keystrokes generator driver 235 can modify the sequence of end user supplied keystrokes. The modified pattern can be application sensitive, such that it is only generated when specific applications that require keylogger protection are active.
  • the keyboard data exchange end-point protection may follow one of various implementation models, e.g., a standalone keystrokes generator driver 235 with application monitoring hook 250 (standalone mode); or a dual keystrokes generator driver 235 and keystrokes deletion hook 240 with optional application monitoring hook 250 (producer consumer mode).
  • In standalone mode, the keystrokes generator driver 235 generates fake keystrokes when the keystrokes input by the end user need to be protected. For example, the keystrokes generator driver 235 can generate invalid keystrokes such as non-existent application shortcut menu options that will be silently dropped by the browser 135 when confidential data is input by the end user.
  • the application monitoring hook 250 which in one embodiment may be part of the start/stop trigger module 215 , determines when the keystrokes input by the end user need to be protected based on the current application status receiving the keystrokes. A non-exhaustive list of relevant application status information includes the application process name, current active text input frame (e.g., application configuration input or user specific data input), valid and invalid application keystrokes, etc.
  • the keystrokes generator driver 235 determines the keystrokes to generate.
  • the application monitoring hook 250 analyzes the application status and determines the keystrokes for the keystrokes generator driver 235 to generate.
  • the keystrokes generator driver 235 and keystrokes deletion hook 240 control keystroke generation and deletion.
  • the keystrokes generator driver 235 may embed identification of the fake keystrokes within the keystrokes data flow (inband mode), may be managed by an external controller such as the application monitoring hook 250 (outband mode), or may employ a combination of inband and outband controls.
  • the keystrokes deletion hook 140 can be implemented as an OS hook or application-specific plug-in installed at the last possible level of the keyboard input processing flow shown in FIG. 6 .
  • the execution point of the keystrokes deletion hook 240 is the opposite of what a keylogger requires: a keylogger tries to hook as early as possible in the input processing flow, closest to the keyboard, to avoid being circumvented.
  • the keystrokes deletion hook 240 deletes fake keystrokes generated by the keystrokes generator driver 235 , before the fake keystrokes are processed by the protected end-user applications.
  • I/O blocking logic can cause such keyloggers to lose keystrokes data or malfunction.
  • One example process includes:
  • Before the end user inputs confidential data, the keystrokes generator driver 235 generates fake keystrokes to fill up the keyloggers' limited memory buffer or to cause the keyloggers to lose data.
  • After the end user inputs confidential data, the keystrokes generator driver 235 generates fake keystrokes to overwrite the keyloggers' limited memory buffer or to cause the keyloggers to lose data.
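The producer-consumer keystroke protection described in the items above (fake keystrokes inserted at the driver level, removed at the last hook before the application, with bursts before and after the confidential input), as an added Python simulation that is not part of the patent. The in-band marker bit FAKE_MARK, the level numbers borrowed from FIG. 6, the bounded-buffer capture hook standing in for a resident keylogger, and the sample secret are all constructed for the example; a real implementation lives in a kernel driver and an OS hook.

```python
import secrets
import string
from collections import deque
from dataclasses import dataclass
from typing import Dict, List

# Constructed in-band marker: a flag bit the generator sets on fake keystrokes
# and the deletion hook tests for. The page leaves the marking method open
# (inband, outband via the application monitoring hook, or both).
FAKE_MARK = 0x8000
CHAFF_ALPHABET = string.ascii_letters + string.digits


@dataclass(frozen=True)
class KeyEvent:
    char: str
    flags: int = 0

    @property
    def is_fake(self) -> bool:
        return bool(self.flags & FAKE_MARK)


def fake_keystroke() -> KeyEvent:
    return KeyEvent(secrets.choice(CHAFF_ALPHABET), FAKE_MARK)


def keystrokes_generator_driver(real_input: str, protect: bool,
                                chaff_per_key: int = 2, burst: int = 16) -> List[KeyEvent]:
    """Level 630: forwards the trusted driver's keystrokes and, while protection
    is on, surrounds them with fake ones. The bursts before and after the
    confidential input fill or overwrite a bounded capture buffer."""
    stream: List[KeyEvent] = []
    if protect:
        stream += [fake_keystroke() for _ in range(burst)]
    for ch in real_input:
        stream.append(KeyEvent(ch))
        if protect:
            stream += [fake_keystroke() for _ in range(chaff_per_key)]
    if protect:
        stream += [fake_keystroke() for _ in range(burst)]
    return stream


def untrusted_capture_hook(stream: List[KeyEvent], capacity: int = 32) -> str:
    """Stand-in for a resident capture hook at level 640: it passively records
    the character of every event it sees into a bounded buffer and has no way
    to tell real keystrokes from fake ones."""
    buf: deque = deque(maxlen=capacity)
    for ev in stream:
        buf.append(ev.char)
    return "".join(buf)


def keystrokes_deletion_hook(stream: List[KeyEvent]) -> List[KeyEvent]:
    """Level 645: last hook before the application; drops marked events."""
    return [ev for ev in stream if not ev.is_fake]


def protected_application(stream: List[KeyEvent]) -> str:
    """Level 650: the application receives the cleaned keystroke pattern."""
    return "".join(ev.char for ev in stream)


def run_session(secret: str, protect: bool) -> Dict[str, object]:
    stream = keystrokes_generator_driver(secret, protect)
    captured = untrusted_capture_hook(stream)
    delivered = protected_application(keystrokes_deletion_hook(stream))
    return {
        "delivered": delivered,
        "application_intact": delivered == secret,
        "secret_in_capture": secret in captured,
        "fake_events": sum(ev.is_fake for ev in stream),
    }
```

With protection on, the application still receives the exact input while the captured buffer never contains the secret as a contiguous string (every real keystroke is followed by chaff) and its older content has been pushed out by the trailing burst; with protection off the same hook captures the secret verbatim.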
  • VPN tunneling is a well-established concept used to authenticate access to a remote network with private resources, to provision access to the remote network with the private resources, and to secure the confidentiality and integrity of the private data exchanged between the end-user device and the remote network.
  • VPN tunneling can also indirectly prevent access to other public resources originally accessible to the end-user device.
  • VPN tunneling may be used for server authentication (authenticating the transaction network 120 ) and for client authentication (authenticating the end-user device 105 ).
  • VPN tunnel encryption indirectly prevents tunnel hijacking, since encrypted data cannot be spoofed.
  • VPN tunneling may be used to allow access to a predetermined set of resources without requiring network revamp. This predetermined set of resources can be a combination of public resources (e.g., resources the end-user device 105 can remotely access before the VPN tunnel is established) and private resources (resources that the end-user device 105 can only access after the VPN tunnel is established).
  • a VPN may be used to authenticate the remote network, to provision access to the authenticated remote network resources, to prevent access to all other remote resources outside the authenticated remote network, and to ensure the integrity of the data exchanged between the two end-points (the end-user device and the authenticated remote network).
  • connection agent 130 and/or transaction network VPN manager 250 may authenticate the remote network (e.g., the transaction network 120 ) using any predefined direct or indirect trust relationship. Authentication can be achieved indirectly using existing public key infrastructure (PKI) mechanisms or directly using a predefined secret key.
  • connection agent 130 and/or transaction network VPN manager 250 may employ a key exchange process with the authentication router, e.g., using Diffie-Hellman key exchange.
  • This key exchange process may be integrated with the authentication process as a single phase, e.g. Perfect Forward Secrecy.
  • the transaction network 120 may use the ephemeral key negotiated by the key exchange process to ensure data integrity between the two end-points, to verify data integrity received from the end-user device 105 , and/or to generate message authentication code for the data sent from the remote network to the end-user device 105 , e.g. Message-Digest algorithm 5.
  • the same reverse logic applies to the connection agent 130 and/or transaction network VPN manager 250 .
  • the message authentication code can be inband (part of the data exchange, e.g. IPSEC Authentication Header) or outband (e.g., using a different communication channel).
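The key exchange and per-direction message authentication of the preceding items (ephemeral Diffie-Hellman, a MAC key derived from the negotiated secret, inband tag verification on the receiving side), as an added Python example that is not part of the patent. The toy MODP group (the Mersenne prime 2^127 - 1 with generator 3), the direction labels, HMAC-SHA256 as the MAC and the sample payload are constructed for the example; the page names Message-Digest algorithm 5 and IPsec AH only as instances.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Toy MODP group constructed for this example. A deployment would use a
# standardized group (e.g., RFC 3526) of at least 2048 bits; the arithmetic is
# the same.
P = (1 << 127) - 1
G = 3


def dh_keypair() -> Tuple[int, int]:
    """A fresh ephemeral exponent per session is what gives forward secrecy."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared_secret(priv: int, peer_public: int) -> int:
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value outside the group")
    return pow(peer_public, priv, P)


def derive_mac_key(shared: int, direction: bytes) -> bytes:
    """One MAC key per direction, derived from the negotiated ephemeral secret."""
    return hashlib.sha256(direction + shared.to_bytes(16, "big")).digest()


def mac_tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, data), tag)


def run_exchange(payload: bytes = b"transfer 100 to account X") -> dict:
    # Key exchange between the connection agent and the transaction network.
    agent_priv, agent_pub = dh_keypair()
    net_priv, net_pub = dh_keypair()
    agent_secret = dh_shared_secret(agent_priv, net_pub)
    net_secret = dh_shared_secret(net_priv, agent_pub)

    # Agent side: inband MAC, the tag travels with the data.
    k_agent_to_net = derive_mac_key(agent_secret, b"agent->network")
    frame = payload + mac_tag(k_agent_to_net, payload)

    # Network side verifies with the key it derived independently.
    k_check = derive_mac_key(net_secret, b"agent->network")
    body, tag = frame[:-32], frame[-32:]
    tampered = bytes([body[0] ^ 0x01]) + body[1:]
    return {
        "secrets_match": agent_secret == net_secret,
        "verified": mac_verify(k_check, body, tag),
        "tampered_verified": mac_verify(k_check, tampered, tag),
        # The reverse direction has its own key, so a tag cannot be replayed
        # back in the other direction.
        "reflected_verified": mac_verify(derive_mac_key(net_secret, b"network->agent"), body, tag),
    }
```

The same key material can equally be used outband, sending the tag on a separate channel; only the framing in run_exchange changes.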
  • Tunneling, authentication and data integrity verification can be decoupled in implementation, i.e., they may be performed by independent entities.
  • the VPN tunnel can be established between the end-user device 105 and a hardware-based dedicated tunneling router.
  • Authentication may be performed between the end-user device 105 and a server behind the tunneling router. Since in one embodiment tunneling involves only encapsulation and decapsulation, a dedicated tunneling router can perform it efficiently. If traffic integrity checking is performed inband of the tunnel, then, based on the source and the destination IP address of the traffic with message authentication code, the tunneling router could route or load balance the traffic to different authentication servers to perform data integrity checking.
  • connection agent 130 and/or VPN manager 250 may establish a compulsory tunnel from the end-user device 105 to the transaction network 120 . Conversely, traffic from the transaction network 120 to the end-user device 105 need not necessarily be tunneled.
  • a bi-directional or unidirectional tunnel may be used, a virtual IP may be allocated to the end-user device 105 , and/or ingress or egress filtering may be used.
  • If a virtual IP is allocated to each end-user device 105 to access the remote network resources, all end-user devices 105 can be grouped under a common pool of IP addresses. As illustrated in FIG. 7 , ingress filtering of these virtual IP addresses can be used to prevent data from the end-user devices 105 from being routed out of the authenticated remote network. Ingress filtering may not be possible if a uniquely identifiable virtual IP address pool is not allocated. In the case where ingress filtering is not possible, egress filtering can be done after the tunnel decapsulation router to ensure that only resources within the authenticated network are accessible.
  • the tunnel state information may include the WAN IP to virtual IP association of the end-user device 105 , to encapsulate and tunnel data back to the end-user device 105 .
  • the expiry of the tunnel state information may be effected via keep-alive messages sent from the connection agent 130 directly or indirectly to the default router(s).
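The decapsulation-side tunnel state of the preceding items (a virtual IP pool, the WAN IP to virtual IP association used to encapsulate return traffic, keep-alive driven expiry, and the ingress and post-decapsulation egress filters), as an added Python model that is not part of the patent. The class name, the pool and network prefixes, the TTL and the timestamps are constructed; a real router would keep this state in its forwarding plane and receive keep-alives from the connection agent.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class TunnelEndpoint:
    """Constructed model of the decapsulation router's per-device tunnel state."""

    def __init__(self, virtual_pool: str, private_net: str, state_ttl: int):
        self.pool = ipaddress.ip_network(virtual_pool)
        self.private = ipaddress.ip_network(private_net)
        self.free: List[ipaddress.IPv4Address] = list(self.pool.hosts())
        # virtual IP -> (WAN IP of the end-user device, last keep-alive time)
        self.state: Dict[ipaddress.IPv4Address, Tuple[ipaddress.IPv4Address, int]] = {}
        self.ttl = state_ttl

    def establish(self, wan_ip: str, now: int) -> str:
        """Allocate a virtual IP from the common pool and record the association."""
        if not self.free:
            raise RuntimeError("virtual IP pool exhausted")
        vip = self.free.pop(0)
        self.state[vip] = (ipaddress.ip_address(wan_ip), now)
        return str(vip)

    def keepalive(self, vip: str, now: int) -> bool:
        v = ipaddress.ip_address(vip)
        if v not in self.state:
            return False
        self.state[v] = (self.state[v][0], now)
        return True

    def expire(self, now: int) -> List[str]:
        """Drop tunnel state that has not been refreshed within the TTL."""
        stale = [v for v, (_, seen) in self.state.items() if now - seen > self.ttl]
        for v in stale:
            del self.state[v]
            self.free.append(v)
        return [str(v) for v in stale]

    def return_path(self, vip: str) -> Optional[str]:
        """WAN address to encapsulate return traffic to, if the tunnel is alive."""
        entry = self.state.get(ipaddress.ip_address(vip))
        return None if entry is None else str(entry[0])

    def ingress_filter(self, src: str, dst: str) -> bool:
        """At the remote network border: traffic sourced from the virtual pool may
        only reach private resources, never be routed out to the Internet."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in self.pool:
            return d in self.private
        return True

    def egress_filter_after_decap(self, dst: str) -> bool:
        """Fallback when no identifiable pool exists: after decapsulation, permit
        only destinations inside the authenticated network."""
        return ipaddress.ip_address(dst) in self.private


def run_demo() -> dict:
    ep = TunnelEndpoint("10.200.0.0/24", "172.16.0.0/16", state_ttl=60)
    vip = ep.establish("198.51.100.23", now=0)
    return {
        "vip": vip,
        "to_private": ep.ingress_filter(vip, "172.16.5.10"),
        "to_internet": ep.ingress_filter(vip, "203.0.113.9"),
        "after_decap_private": ep.egress_filter_after_decap("172.16.5.10"),
        "after_decap_internet": ep.egress_filter_after_decap("203.0.113.9"),
        "return_path_alive": ep.return_path(vip),
        "expired_early": ep.expire(now=30),
        "expired_late": ep.expire(now=100),
        "return_path_dead": ep.return_path(vip),
    }
```

The order of the dictionary entries in run_demo is the order of events: the return path exists while keep-alives are current and disappears once the state has expired, at which point the virtual IP goes back into the pool.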
  • tunneling protocols can reuse the IP address of the end-user device 105 for both the tunnel IP header (traffic between the end-user device 105 and the decapsulation router) and the application IP header (traffic between the end-user device 105 and the remote network resources). If the tunneling protocol can reuse the IP address of the end-user device 105 for both tunneling and application communication, virtual IP provisioning by the remote network may be unnecessary. If computing device IP address reuse is not automatic, the remote network may use the virtual IP provisioning mechanism to decide if a localized virtual IP may be used for application communication or allocate the computing device IP address as the virtual IP.
  • the remote network virtual IP provisioning system may determine if the end-user device 105 is behind a Network Address Translation (NAT) or Network Address and Port Translation (NAPT) router, to determine what application communication IP address and tunneling protocol to use. By reusing the IP address of the end-user device 105 instead of a localized virtual IP for the tunnel IP header, bi-directional tunneling can be avoided.
  • the application traffic from the remote network resources may be sent directly to the end-user device 105 .
  • virtual IP default router(s) to encapsulate the return traffic may be necessary.
  • a unidirectional transport level tunneling protocol that is NAT and NAPT friendly may be used. Instead of having both a tunnel IP header and an application IP header, there may be only one IP header.
  • the unidirectional transport level tunneling protocol may be intended for application traffic from the end-user device 105 to the remote network decapsulation router.
  • the end-user device 105 generates application data and application IP header (i.e., an application IP datagram).
  • the tunneling driver inserts the original destination IP address in the transport header field (e.g., the TCP option field) or between the transport header and the application payload.
  • the tunneling driver replaces the destination IP address with the IP address of the remote network decapsulation router.
  • the tunneling driver may set the IP header type-of-service field to indicate the datagram is encapsulated.
  • the tunneling driver adjusts the IP header total length and re-computes the IP header checksum.
  • the encapsulated IP datagram is transmitted.
  • An example tunneling decapsulation procedure is as follows:
  • the decapsulation router checks if the datagram is encapsulated, e.g., checks the IP header type-of-service field or TCP option field.
  • the decapsulation router replaces the destination IP address with the original embedded application destination IP address.
  • the embedded application destination IP address may or may not be removed by the decapsulation router.
  • the decapsulation router re-computes the IP header checksum and adjusts the IP header total length if necessary.
  • Embodiments of the tunneling protocol achieve functionality similar to TCP or UDP port forwarding, without the need for the decapsulation router to keep state or port to IP address mapping configuration information. Such information is encapsulated in the tunneled datagram.
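The unidirectional transport-level encapsulation and decapsulation procedures of the preceding items, as an added Python example that is not part of the patent. It follows the listed steps on a constructed IPv4/TCP datagram: the original destination is embedded in a TCP option, the destination is replaced by the decapsulation router's address, the type-of-service field is set as the marker, the total length is adjusted and the IP header checksum recomputed; the router reverses this statelessly and leaves the option in place. Constructed assumptions: the TOS value ENC_TOS, the use of the experimental TCP option kind 253 (RFC 4727) to carry the address, an original TOS of 0, and the addresses (documentation ranges). Because the TCP checksum covers the destination address and the options, the driver computes it for the segment as the final destination will receive it, which the page does not spell out.

```python
import socket
import struct
from typing import Optional

ENC_TOS = 0x04   # constructed TOS value that marks an encapsulated datagram
OPT_KIND = 253   # experimental TCP option kind (RFC 4727), reused to carry the original destination


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over data that already carries its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_tcp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed application IP datagram (IPv4 + TCP without options)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)) + payload
    struct.pack_into("!H", tcp, 16, tcp_checksum(s, d, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, s, d))
    struct.pack_into("!H", ip, 10, ones_complement_sum(bytes(ip)))
    return bytes(ip) + bytes(tcp)


def encapsulate(datagram: bytes, router_ip: str) -> bytes:
    """Tunneling driver on the end-user device (assumes IPv4/TCP and an original TOS of 0)."""
    ihl = (datagram[0] & 0x0F) * 4
    ip = bytearray(datagram[:ihl])
    if ip[9] != 6:
        raise ValueError("example handles TCP only")
    src, dst = bytes(ip[12:16]), bytes(ip[16:20])
    tcp = datagram[ihl:]
    doff = (tcp[12] >> 4) * 4
    option = bytes([1, 1, OPT_KIND, 6]) + dst          # NOP, NOP, kind, length, original dst
    hdr = bytearray(tcp[:doff])
    hdr[12] = (((doff + len(option)) // 4) << 4) | (hdr[12] & 0x0F)
    segment = bytearray(bytes(hdr) + option + tcp[doff:])
    # The router restores dst and keeps the option, so the TCP checksum is
    # computed over the segment exactly as the final destination will see it.
    struct.pack_into("!H", segment, 16, 0)
    struct.pack_into("!H", segment, 16, tcp_checksum(src, dst, bytes(segment)))
    ip[16:20] = socket.inet_aton(router_ip)            # redirect to the decapsulation router
    ip[1] = ENC_TOS                                    # mark the datagram as encapsulated
    struct.pack_into("!H", ip, 2, ihl + len(segment))  # adjust total length
    struct.pack_into("!H", ip, 10, 0)
    struct.pack_into("!H", ip, 10, ones_complement_sum(bytes(ip)))
    return bytes(ip) + bytes(segment)


def find_embedded_destination(segment: bytes) -> Optional[bytes]:
    """Walks the TCP options and returns the embedded original destination, if any."""
    doff, i = (segment[12] >> 4) * 4, 20
    while i < doff:
        kind = segment[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:
            break
        if kind == OPT_KIND and length == 6:
            return bytes(segment[i + 2:i + 6])
        i += length
    return None


def decapsulate(packet: bytes) -> bytes:
    """Stateless decapsulation router: unmarked traffic is forwarded unchanged."""
    if packet[1] != ENC_TOS:
        return packet
    ihl = (packet[0] & 0x0F) * 4
    ip, segment = bytearray(packet[:ihl]), packet[ihl:]
    orig_dst = find_embedded_destination(segment)
    if orig_dst is None:
        raise ValueError("marked as encapsulated but no embedded destination")
    ip[16:20] = orig_dst
    ip[1] = 0                                          # original TOS assumed to be 0
    struct.pack_into("!H", ip, 10, 0)
    struct.pack_into("!H", ip, 10, ones_complement_sum(bytes(ip)))
    return bytes(ip) + segment                         # option kept, so total length is unchanged


def inspect(packet: bytes) -> dict:
    """Header fields plus both checksum checks, as the receiving stack would perform them."""
    ihl = (packet[0] & 0x0F) * 4
    return {"tos": packet[1], "total_length": int.from_bytes(packet[2:4], "big"),
            "dst": socket.inet_ntoa(packet[16:20]),
            "ip_valid": ones_complement_sum(packet[:ihl]) == 0,
            "tcp_valid": tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0}
```

Note that the router keeps no per-flow state and no port-to-address mapping: everything it needs to restore the datagram travels inside it, which is the property the text contrasts with TCP or UDP port forwarding. A real tunneling driver would do this in the kernel; the byte layout is the same.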
  • If the remote network provisioning system can verify that the traffic from the end-user device 105 will not be NATed, standard tunneling protocols (e.g., GRE, IP-in-IP, etc.) can be used.
  • the IP of the end-user device 105 can be reused for both the tunnel IP header and application IP header using standard tunneling protocol.
  • the tunneled traffic can be decapsulated by standard routers and the remote network resources can directly reply to the end-user device 105 without bi-directional tunneling.
  • Embodiments of the invention enable application-specific encryption (e.g., HTTPS) to be used in conjunction with the tunneling mechanism described herein to ensure privacy of confidential data. That is, there can be a combination of encrypted and unencrypted data exchange through the tunnel. This reduces encryption and decryption overhead to only confidential data, instead of maintaining encryption and decryption overhead for all data in a VPN architecture.
  • FIG. 3 is a block diagram illustrating a network system 300 operative to effect a trusted network transaction (TNT) with an Internet banking portal, in accordance with an embodiment of the present invention.
  • step 1 the end user accesses his original Internet banking portal URL via a browser 135 installed on an insecure end-user device 105 .
  • the existing Internet banking login page detects whether the end user's browser 135 is capable of supporting TNT, e.g., supports ActiveX controls. If so, the Internet server 315 displays the Internet banking login page with an additional “button” for the end user to selectively enable TNT security. If the end-user device 105 cannot support TNT, then the original Internet banking login page is displayed without the TNT button.
  • step 3 the end user clicks on the TNT button, which causes the Internet banking server 315 to download the install agent 182 , e.g., an ActiveX control, to the end-user device 105 .
  • the end-user device 105 confirms that the install agent 182 is digitally signed by the bank, which is a trusted party by the end-user device 105 .
  • the end-user device 105 allows the trusted install agent 182 to execute.
  • the install agent 182 establishes a VPN tunnel to a predefined VPN server 320 in the banking server farm 310 and establishes predefined VPN authentication credentials. After the VPN tunnel is established, all network traffic from the end-user device 105 is sent to the VPN server 320 . That is, the end-user device 105 is disconnected from the rest of the Internet.
  • the VPN server 320 (or a firewall) manages network resources accessible by the end-user device 105 . That is, only network resources (e.g., the Internet banking web site) required for Internet banking transactions are made accessible to the end-user device 105 .
  • step 5 the security engine 177 is downloaded over the VPN.
  • an application lockout module 220 may be used to suspend applications not required for the Internet banking transaction and to prevent new applications from being executed.
  • step 6 after the end user completes all Internet banking transactions and requests logout, the install agent 182 may be downloaded again.
  • the install agent 182 detects the previously existing active TNT session, removes the security engine 177 , and terminates the VPN tunnel before ending the install agent 182 process.
  • FIG. 4 is a block diagram illustrating a network system 400 operative to effect a TNT by an end-user device 405 with a banking portal, the TNT being managed by the end user's ISP network 440 , in accordance with an embodiment of the present invention.
  • the end user's ISP network 440 may provide TNT protection for multiple transaction sites 120 .
  • the network system includes the ISP network 440 coupled via the Internet 450 to a banking server farm 445 .
  • the ISP network 440 includes the end-user device 405 coupled via an intranet 435 to an ISP server 410 , to a VPN server 415 , and to a VPN router 420 .
  • the banking server farm 445 includes a banking server 425 and a VPN router 430 .
  • the VPN router 420 of the ISP network 440 is coupled to the VPN router of the banking server farm 445 via the Internet 450 .
  • the end-user device 405 accesses the banking server 425 via a software application, e.g., the connection agent 130 , that enables the user to select from multiple specific URLs of TNT-enabled sites 120 .
  • the software application is configured to direct the browser 135 to the selected URL.
  • the list of specific URLs may be installed on the end-user device 405 by the ISP 410 or may be available on the portal page of the ISP 410 .
  • the end-user device 405 may navigate directly to the banking server 425 , possibly via a TNT “button” from the site presented by the ISP server 410 .
  • step 2 the end user selects the URL of the transaction network 120 to access with TNT protection.
  • the connection agent 130 establishes a preliminary VPN with the ISP server 410 .
  • the install agent 182 is downloaded from the ISP server 410 (or other trusted source dedicated to supporting TNT for the banking site 425 ).
  • the end-user device 405 is informed that the install agent 182 is digitally signed by the ISP server 410 , which is trusted by the end-user device 405 .
  • the end-user device 405 allows the install agent 182 to execute.
  • the install agent 182 may be embedded with the latest IP addresses of the TNT-enabled sites or VPN servers (independent of DNS updates propagation delays or DNS security risks).
  • the OS host file of the end-user device 105 may be updated by the install agent 182 with the IP addresses to prevent URL redirection for TNT protected sites due to DNS poisoning. Any changes to the TNT-managed IP addresses may be controlled by the ISP server 410 .
  • a transaction network 120 e.g., banking server 425 , informs the ISP server 410 whenever changes in the IP addresses of web servers occur (instead of depending on Internet DNS updates).
  • the install agent 182 establishes a VPN tunnel to the VPN server 415 using predefined VPN authentication credentials specified in the ISP server's web page (from the URL selected in Step 2 ).
  • the VPN authentication credentials can be uniquely created for each TNT session to associate the specific end-user device 405 with its access to the banking server 425 , even if the end-user device 405 is hidden behind a NAT router.
  • the VPN login userid could be the subscriber ISP userid+end-user device 105 MAC address or computer name (detected by the TNT ActiveX control)+target TNT site.
  • This allows the ISP server 410 to track down the actual end-user device 405 performing online TNT transactions if there are any audit requirements, or to “blacklist” an end-user device 105 (instead of the end user, who can continuously change his login credentials) that regularly posts false offers on online auction web sites, etc.
  • step 4 after the temporary VPN tunnel is established, all network traffic from the end-user device 405 is sent to the VPN server 415 . That is, the end-user device 405 is disconnected from the rest of the Internet.
  • the VPN server 415 (or a firewall) within the ISP network 440 manages the network resources accessible by the end-user device 405 . That is, only network resources (e.g., the banking server 425 ) required for the Internet banking transactions are made accessible.
  • step 5 the security engine 177 and/or security profiles 180 are downloaded, installed and executed.
  • the security engine 177 blocks applications not required for the Internet banking transactions and prevents new applications from being executed.
  • Other TNT protection mechanisms may also be used.
  • the transaction network VPN manager 250 establishes a VPN tunnel with the VPN server 415 .
  • the VPN server 415 is deployed.
  • a permanent VPN tunnel may be established between the ISP network 440 and the banking server 425 , e.g., using the ISP-managed VPN router 420 and the bank-managed VPN router 430 .
  • This ensures that intermediate Internet routers between the ISP network 440 and the banking server 425 cannot hijack traffic to and/or from the end-user device 405 .
  • This also allows the banking server 425 to manage additional network security policies within their own network on top of those provided by the ISP network 440 .
  • step 7 after the end user completes his Internet banking transactions and requests logout, the install agent 182 is downloaded again from the ISP server 410 .
  • the install agent 182 detects the previously existing active TNT session, removes the security engine 177 , and terminates the VPN tunnel before ending the install agent 182 process.
  • FIG. 5 is a block diagram illustrating a network system 500 operative to effect security engine installation, in accordance with an embodiment of the present invention.
  • connection agent 130 uses a pre-configured and unchangeable network address to contact a secure network address resolution service 520 to obtain the network address of a trusted source of the security engine 515 or a list of trusted sources.
  • For example, an IP address of a trusted DNS security extensions (DNSSEC) server 520 may be pre-configured in the connection agent 130 as the secure network address resolution service 520 .
  • connection agent 130 uses this IP address to connect to the DNSSEC server 520 to resolve the domain name of the trusted source to an IP address.
  • the DNSSEC server 520 may download a list of approved sites, from which the end-user device 505 may select a URL of the trusted source of the security engine 515 .
  • connection agent 130 uses the network address of the trusted source, preventing network traffic from the end-user device 105 from being misdirected to untrusted sources and guarding against other forms of network intrusion and attacks.
  • connection agent 130 may use the resolved IP address to connect to the trusted source, e.g., via a secure tunnel.
  • This connection technique ensures that the network address is accurate (e.g., not poisoned by a DNS attack), and assures that the end-user device 105 connects to the intended trusted source.
  • Further communication protocols employed in the secure network address resolution service 520 ensure that communication to and from the end-user device 105 is authenticated, authoritative and accurate.
  • step 4 with a secure exchange established, the end-user device 105 downloads the security engine 515 , e.g., using protocols like HTTP or FTP.
  • the secure tunnel established by the connection agent 130 ensures that data traffic between the end-user device 105 and the trusted source is secure and cannot be compromised, even when insecure protocols like HTTP and FTP are used.
  • step 5 after delivery of the security engine 515 , the end-user device 105 executes the security engine 515 .
  • the security engine 515 effectively secures the end-user device 105 , e.g., allows the end-user device 105 to communicate only with trusted transaction sites, e.g., trusted remote network 535 , prevents other applications 145 running on the end-user device 105 from capturing or sending information, especially to untrusted sites, etc. The user can then access and interact with the transaction sites in confidence.
  • FIG. 6 is a hierarchical level diagram illustrating keyboard-input processing flow 600 , in accordance with an embodiment of the present invention.
  • Flow 600 is divided into physical space 605 , kernel space 610 , and application space 615 .
  • physical space 605 the end user makes keystrokes on the keyboard at level 620 .
  • kernel space 610 the trusted keyboard driver receives keystrokes at level 625 .
  • the keystrokes generator driver resides and generates fake keystrokes at level 630 .
  • the potential untrusted keylogger driver captures keystrokes at level 620 or thereafter.
  • application space 615 a potential untrusted keylogger hook potentially captures keystrokes at level 640 .
  • the keystrokes deletion hook removes fake keystrokes at level 645 .
  • the application receives the cleaned keystroke pattern at level 650 .
  • an application monitoring hook, plugin and/or driver monitors application status, and possibly feeds information to the keystrokes generator driver at level 630 .
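  • The following is an added illustration of the FIG. 6 layering, not code from the patent: a generator stage inserts decoy keystrokes below the point where an untrusted observer captures the stream, and a deletion stage above it strips them again before the application sees the input. The patent does not say how the deletion hook recognizes decoys; this example assumes both stages derive the same decoy schedule from a shared secret, so nothing in the stream itself marks a keystroke as fake. The secret, the alphabet and the one-to-three decoy burst size are constructed for the demonstration.

```python
import hashlib
import hmac
import string

# Constructed demo secret; it stands in for a value provisioned together with the
# security engine so that only the generator driver and the deletion hook know it.
SHARED_SECRET = b"constructed-demo-secret"
DECOY_ALPHABET = string.ascii_letters + string.digits


def decoy_schedule(secret: bytes, index: int) -> str:
    """Decoy burst that follows the index-th real keystroke.

    Generator and deletion hook derive the same burst from the shared secret,
    so no in-band marker distinguishes decoys from real keys for an observer
    positioned between the two stages.
    """
    digest = hmac.new(secret, index.to_bytes(4, "big"), hashlib.sha256).digest()
    count = 1 + digest[0] % 3  # one to three decoys after every real keystroke
    return "".join(DECOY_ALPHABET[b % len(DECOY_ALPHABET)] for b in digest[1:1 + count])


def keystrokes_generator(real_keys: str, secret: bytes) -> str:
    """Kernel-space stage (level 630): interleave decoys into the real key stream."""
    out = []
    for i, ch in enumerate(real_keys):
        out.append(ch)
        out.append(decoy_schedule(secret, i))
    return "".join(out)


def keylogger_capture(stream: str) -> str:
    """Untrusted stage (level 640): an observer after the generator sees the mixed
    stream; modelled as a passive copy."""
    return stream


def keystrokes_deletion_hook(stream: str, secret: bytes) -> str:
    """Application-space stage (level 645): replay the schedule and strip decoys."""
    cleaned = []
    pos = index = 0
    while pos < len(stream):
        cleaned.append(stream[pos])  # a real keystroke
        pos += 1
        burst = decoy_schedule(secret, index)
        if stream[pos:pos + len(burst)] != burst:
            # Stream and schedule have diverged (wrong secret, dropped or injected
            # events): refuse to deliver rather than pass decoys to the application.
            raise ValueError("keystroke stream out of sync with decoy schedule")
        pos += len(burst)
        index += 1
    return "".join(cleaned)


def run_pipeline(typed: str, secret: bytes = SHARED_SECRET) -> dict:
    """Push one typed string through the three stages and report what each saw."""
    noisy = keystrokes_generator(typed, secret)
    return {
        "typed": typed,
        "captured": keylogger_capture(noisy),
        "delivered": keystrokes_deletion_hook(noisy, secret),
    }


if __name__ == "__main__":
    for stage, text in run_pipeline("hunter2").items():
        print(f"{stage:>9}: {text!r}")
```

The deletion hook fails closed: if the stream it receives does not match the schedule (for example because the generator was unloaded or events were reordered), it raises instead of forwarding a stream that may still contain decoys. That is the check a defender wants from the application monitoring hook described at level 630.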
  • FIG. 7 is a block diagram illustrating a network system 700 operative to effect tunnel datagram processing, in accordance with an embodiment of the present invention.
  • the embodiment uses standard GRE and IPsec AH mechanisms to illustrate the tunneling mechanism.
  • Embodiments of the invention may be applicable to other combinations of tunneling and data integrity protocols.
  • the tunneling driver adds an AH header to the IP packet generated by the computing device 705 .
  • the AH header is used to authenticate with the authentication router 750 a or 750 b .
  • the IP packet with AH header is further encapsulated in a GRE packet before it is sent out.
  • the GRE packet is transferred through the GRE tunnel via the Internet 710 , until it reaches the GRE router 735 .
  • the GRE router 735 decapsulates the GRE packet back to the IP packet with AH header. Further, based on the source and destination IP addresses, the GRE router 735 routes the decapsulated packet to an authentication router 750 a or 750 b.
  • Before the packet reaches the authentication router 750 a or 750 b , it passes through a firewall 745 , which performs egress filtering to ensure that access only to intended resources is allowed and that access to forbidden resources is blocked.
  • Upon receiving the IP AH packet, the authentication router 750 a or 750 b performs an authentication check to ensure that the packet comes from the computing device 705 . It removes the AH header and routes the packet to the intended resources 720 a , 720 b or 720 c . That is, the packet is returned to the format as originally generated by the computing device 705 .
  • the intended resource processes the packet and generates a reply to the authentication router 750 a or 750 b.
  • the authentication router 750 a or 750 b adds an AH header to the reply packet.
  • the AH header is used to authenticate any remote network resources 720 a , 720 b or 720 c .
  • the authentication router 750 a or 750 b routes the new IP AH packet back to the GRE server 735 .
  • the GRE router 735 encapsulates the reply packet and sends it back to the end-user device 705 via the tunnel.
  • the tunneling driver on the end-user device 705 decapsulates the packet and verifies the AH header. If the AH header passes the check, the packet is trusted as coming from the authenticated remote network resources 720 a , 720 b or 720 c . The AH header is removed before the packet is passed to the upper layer of the network stack for further processing. If the AH header fails the check, then a security measure is taken. The measure could include breaking the tunnel or alerting the end user.
  • the authentication server 750 a or 750 b can be moved out of band of the communication between the end-user device 705 and the network resources 720 a , 720 b or 720 c .
  • the authentication server 750 a or 750 b can communicate with the GRE router 735 to retrieve a checksum of packets received from the tunnel and can encrypt it with a private key whose public key is known to the tunneling software.
  • the encrypted checksum may be transferred to the tunnel software regularly in a separate channel so that the tunnel software is able to ensure that it is communicating with the actual remote network resource 720 a , 720 b or 720 c.
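  • The following is an added simulation of the FIG. 7 datagram path, not code from the patent: the reply side adds an AH-style header, the GRE router wraps it, and the tunneling driver on the end-user device decapsulates, verifies the header and takes the security measure the page names (breaking the tunnel and alerting) when the check fails. HMAC-SHA-256 truncated to 128 bits stands in for the AH integrity check value, the inner IP packet is a constructed byte string, and the SPI, key and sequence numbers are demo values; a real AH ICV also covers the immutable outer IP header fields, which this simplification omits.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

AH_FIXED = struct.Struct("!BBHII")   # next header, payload len, reserved, SPI, sequence
ICV_LEN = 16                         # HMAC-SHA-256-128 truncation (RFC 4868 style)
GRE_HDR = struct.Struct("!HH")       # flags/version, protocol type
GRE_PROTO_IPV4 = 0x0800
NEXT_HEADER_TCP = 6


def ah_add(inner: bytes, key: bytes, spi: int, seq: int) -> bytes:
    """Prepend an AH-style header to inner and compute its ICV over
    header (ICV zeroed) plus inner packet."""
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2  # AH length in 32-bit words minus 2
    hdr = AH_FIXED.pack(NEXT_HEADER_TCP, payload_len, 0, spi, seq)
    icv = hmac.new(key, hdr + bytes(ICV_LEN) + inner, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + icv + inner


def gre_encap(packet: bytes) -> bytes:
    """Wrap the AH packet in a minimal GRE header for transit through the tunnel."""
    return GRE_HDR.pack(0, GRE_PROTO_IPV4) + packet


def gre_decap(packet: bytes) -> bytes:
    """Strip the GRE header, rejecting anything that is not plain GRE over IPv4."""
    flags_ver, proto = GRE_HDR.unpack_from(packet)
    if flags_ver != 0 or proto != GRE_PROTO_IPV4:
        raise ValueError("unexpected GRE header")
    return packet[GRE_HDR.size:]


@dataclass
class TunnelEndpoint:
    """Receive side of the tunneling driver on the end-user device."""
    key: bytes
    spi: int
    last_seq: int = 0
    tunnel_up: bool = True
    alerts: list = field(default_factory=list)

    def _security_measure(self, reason: str):
        # The page lists breaking the tunnel or alerting the end user; do both.
        self.alerts.append(reason)
        self.tunnel_up = False
        return None

    def ah_verify_and_strip(self, packet: bytes):
        """Return the inner packet if the AH check passes, else None."""
        if len(packet) < AH_FIXED.size + ICV_LEN:
            return self._security_measure("truncated AH packet")
        _next, _plen, _res, spi, seq = AH_FIXED.unpack_from(packet)
        hdr = packet[:AH_FIXED.size]
        icv = packet[AH_FIXED.size:AH_FIXED.size + ICV_LEN]
        inner = packet[AH_FIXED.size + ICV_LEN:]
        if spi != self.spi:
            return self._security_measure(f"unknown SPI {spi:#x}")
        if seq <= self.last_seq:  # simple anti-replay: sequence must advance
            return self._security_measure(f"replayed sequence {seq}")
        expected = hmac.new(self.key, hdr + bytes(ICV_LEN) + inner, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return self._security_measure("ICV mismatch")
        self.last_seq = seq
        return inner


def reply_roundtrip(inner: bytes, key: bytes, tamper: bool = False) -> tuple:
    """One reply: the authentication router adds AH, the GRE router encapsulates,
    the device decapsulates and verifies. tamper flips the last payload byte in transit."""
    wire = gre_encap(ah_add(inner, key, spi=0x1001, seq=1))
    if tamper:
        wire = wire[:-1] + bytes([wire[-1] ^ 0x01])
    device = TunnelEndpoint(key=key, spi=0x1001)
    delivered = device.ah_verify_and_strip(gre_decap(wire))
    return delivered, device.tunnel_up, list(device.alerts)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-32-bytes!!!"  # constructed, for the demo only
    print(reply_roundtrip(b"constructed reply payload", demo_key))
    print(reply_roundtrip(b"constructed reply payload", demo_key, tamper=True))
```

The verification order matters: SPI and sequence are checked before the HMAC so that an endpoint does not spend a MAC computation on traffic it would discard anyway, and the comparison uses `hmac.compare_digest` so a failed ICV does not leak timing information about how many bytes matched.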
  • Certain embodiments facilitate the use of data protection mechanisms to have negligible demand on the end user and end-user device.
  • the end user need only select the network software application that the end user wants to use to exchange data and the trusted remote network with which the end user wishes to establish a secure data exchange session. After the data protection mechanisms are enabled, the end user need not differentiate between trusted and untrusted software and remote networks. Further, certain embodiments enable minimal change to existing Internet banking or shopping sites, minimal TNT deployment effort, and minimal change to end user web site usage experience.
  • FIG. 8 is a screen shot of a desktop 805 on an end-user device 105 before spyware infection or spoofing attack.
  • FIG. 9 is a screen shot of the desktop 805 on an end-user device 105 after spyware infection.
  • FIG. 10 is a screen shot of the desktop 805 of an end-user device 105 with a window 1005 illustrating keylogger infection.
  • FIG. 11 is a screen shot of the desktop 805 on an end-user device 105 with a window 1105 illustrating keystroke capture.
  • FIG. 12 is a screen shot of the desktop 805 on an end-user device 105 before DNS poisoning.
  • FIG. 13 is a screen shot of the desktop 805 on an end-user device 105 with a window 1305 illustrating a legitimate IP address in a DNS cache before DNS poisoning.
  • FIG. 14 is a screen shot of the desktop 105 on an end-user device 105 with the window 1305 after DNS poisoning.
  • FIG. 15 is a screen shot of the desktop 805 on an end-user device 105 with a window 1505 illustrating a spoofed IP address in the DNS cache, after DNS poisoning.
  • FIG. 16 is a screen shot of the desktop 805 on an end-user device 105 with a browser window 1605 illustrating the spoofed site at the IP address of FIG. 15 .
  • FIG. 17 is a screen shot of the desktop 805 on an end-user device 105 with a browser window 1605 illustrating the spoofed site and with a security alert 1705 .
  • FIG. 18 is a screen shot of the desktop 805 on an end-user device 105 with a browser window 1605 illustrating the spoofed site and with a spoofed security certificate 1805 .
  • FIG. 19 is a screen shot of the desktop 805 on an end-user device 105 with a window 1905 illustrating keylogger infection and after DNS poisoning but before protection by embodiments of the invention.
  • FIG. 20 is a screen shot of the desktop 805 on an end-user device 105 with a window 2005 illustrating continuous pinging of the Yahoo website to evidence the availability of outbound communication.
  • FIG. 21 is a screen shot of the desktop 805 on an end-user device 105 with a window 2105 illustrating that a download agent, e.g., an ActiveX control, is being delivered to the end-user device.
  • FIG. 22 is a screen shot of the desktop 805 on an end-user device 105 with a window 2205 illustrating that the download agent is being executed and is establishing a VPN connection with a trusted source of a security engine 177 .
  • FIG. 23 is a screen shot of the desktop 805 on an end-user device 105 with a window 2305 illustrating that the download agent has established a VPN connection with the trusted source, has downloaded and installed the security engine 177 , and is presenting a button 2310 to navigate to the legitimate banking site.
  • Installation of the security engine 177 enables network communication lockout, application lockout, driver management, keystroke pattern modification, and like TNT mechanisms.
  • FIG. 24 is a screen shot of the desktop 805 on an end-user device 105 with a window 2405 illustrating that the continuous pinging of the Yahoo website has stopped, evidencing that outbound communication has been suspended.
  • FIG. 25 is a screen shot of the desktop 805 on an end-user device 105 with a window 2505 illustrating the legitimate IP address of the legitimate banking site.
  • FIG. 26 is a screen shot of the desktop 805 on an end-user device 105 with a window 2605 illustrating application lockout.
  • FIG. 27 is a screen shot of the desktop 805 on an end-user device 105 with the window 2305 illustrating the button 2310 to navigate to the legitimate banking site.
  • FIG. 28 is a screen shot of the desktop 805 on an end-user device 105 with a browser window 2805 illustrating the legitimate banking site.
  • FIG. 29 is a screen shot of the desktop 805 on an end-user device 105 with the browser window 2805 and the legitimate banking site certificate 2905 of the legitimate banking site.
  • FIG. 30 is a screen shot of the desktop 805 on an end-user device 105 with the browser window 2805 of the legitimate banking site and illustrating that the keylogger is no longer active when the keylogger reveal word, “frklg,” is typed in the address field 3005 .
  • FIG. 31 is a screen shot of the desktop 805 on an end-user device 105 with the browser window 2805 and after entry of confidential data into the login window 3105 , just before the security engine 177 is deactivated and/or removed.
  • FIG. 32 is a screen shot of the desktop 805 on an end-user device 105 with a window 3205 illustrating that outbound communication has resumed.
  • FIG. 33 is a screen shot of the desktop 805 on an end-user device 105 with a window 3305 illustrating resumed vulnerability to the DNS poisoning of the DNS cache.
  • FIG. 34 is a screen shot of the desktop 805 on an end-user device 105 with a window 3405 illustrating that the security engine 177 protected the memory space from registering the browser window 2805 .
  • FIG. 35 is a screen shot of the desktop 805 on an end-user device 105 with a window 3505 illustrating that the keylogger infection has been permanently neutralized.

Abstract

A network system comprises a transaction network operative to provide a transaction with an end user; a trusted source of a security mechanism (e.g., a start/stop trigger module, an application lockout module, a network/file I/O control module, a trusted driver manager, a keystrokes generator driver, a keystrokes deletion hook, and/or a transaction network VPN manager) for at least partially protecting an end-user device from malicious code operative thereon that attempts to capture confidential data presented during the transaction, the security mechanism being maintained by a party other than the end user; and an agent for providing the security mechanism to the end-user device to protect the end-user device during the transaction.

Description

    PRIORITY CLAIM
  • This application is a continuation of and claims benefit of utility patent application Ser. No. 11/694,476, filed Mar. 30, 2007, by inventor Wee Tuck Teo, entitled “System and Method for Providing Transactional Security For An End-User Device”; provisional patent application Ser. No. 60/787,457, entitled “Trusted Network Transaction,” filed on Mar. 30, 2006, by inventor Wee Tuck Teo; and provisional patent application Ser. No. 60/814,828 entitled “End Point Remote Data Exchange Security,” filed on Jun. 19, 2006, by inventor Wee Tuck Teo.
  • COPYRIGHT NOTICE
  • A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
  • TECHNICAL FIELD
  • This invention relates generally to network systems, and more particularly provides a system and method for providing transactional security to an end-user device.
  • BACKGROUND
  • Security is a key concern during online transactions. Commercial Internet transactions, e.g., Internet banking, credit card purchases, etc., are only as secure as the weakest link. Traditional security solutions focus on server-side infrastructure security, e.g., HTTPS web site, two-factor authentication, etc. While the server side has security expert management and maintenance, the end user's computers do not have such a benefit.
  • Current online transaction risks increase due to poor end user security practices. The current solution to end user security tends to focus on end user education, e.g., training end users to recognize phishing attempts and ignore spoofed emails, and installing end-user security software to clean up and secure end-user devices from malicious code, e.g., viruses, spyware, adware, keyloggers, backdoors, Trojans, etc. Solving the end-user device vulnerabilities using the above approach is dependent on end-user efforts, e.g., regular installation of security software updates such as signature files, regular execution of scans, regular application of the security patches, etc.
  • Additionally, the generally open nature of the Internet makes shared Internet resources, e.g., DNS servers, intermediate routers, etc., susceptible to web site hijacking. Shared Internet resources are not managed by web site owners or end users, making securing these shared resources outside the control of the stakeholders.
  • A system and method that facilitates protection of an end-user device are needed.
  • SUMMARY
  • According to one embodiment, instead of ensuring that an end-user device is permanently secure, which requires ongoing security management, embodiments of the invention ensure that the end-user device is secure only during a transaction, e.g., an online transaction. This reduces end-user security management overhead. For example, an end-user device may be infected with keyloggers or remote backdoors during normal operation. However, according to embodiments of the invention, these threats need only be disabled during the transaction. According to another embodiment, instead of depending on an end user to manage the security software, software that enables a trusted network transaction (TNT) environment is managed and provided by a trusted source that provides the security software or security policy on demand. For example, the security software or security policy may be delivered/pushed from a transaction site, from a service provider site (e.g., the end user's Internet service provider, the transaction site's security provider, an independent service provider, or the like) onto the end-user device. According to yet another embodiment, the security software delivered/pushed onto an end-user device may remove dependencies on shared Internet resources. For example, the IP address of a destination web or VPN server may be provided directly to the end-user device to determine or force a new connection over the Internet with the destination web or VPN server. Yet another embodiment secures data exchange by ensuring that confidential data cannot be permanently captured by malicious software residing on an end-user device, or that confidential data captured cannot be sent or misdirected to untrusted remote sites. These and other TNT mechanisms (security engines, security profiles, and/or the like) can be deployed independently or in different combinations.
  • According to one embodiment, the present invention provides a network system comprising a transaction network operative to provide a transaction with an end user; a trusted source of a security mechanism for at least partially protecting an end-user device from malicious code operative thereon that attempts to capture confidential data presented during the transaction, the security mechanism being maintained by a party other than the end user; and an agent for providing the security mechanism to (e.g., installing or configuring the security mechanism on) the end-user device so that the appropriate security mechanism for the expected transaction protects the end-user device during the transaction.
  • The transaction network may provide a banking site and/or a gaming site. The trusted source may reside on an ISP network, SAS (software-as-a-service) operator network or on the transaction network. The trusted source and the transaction network may be managed by the same entity. The security mechanism may include a security engine and/or a security profile. The security mechanism may include a start/stop trigger module for controlling when to initiate one or more aspects of the security mechanism and when to deactivate the one or more aspects of the security mechanism; an application lockout module for suspending at least one application not needed to effect the transaction; a file/network I/O control module for disabling at least one file or network operation during the transaction; a trusted driver module for determining whether a driver, e.g., a keyboard driver, on the end-user device matches a known trusted driver; a keystrokes generator driver for generating additional keystrokes to a keystroke pattern generated by the end user; a keystrokes deletion hook for deleting the additional keystrokes generated by the keystrokes generator driver; and/or a VPN manager capable of establishing a directional or unidirectional secure tunnel between the end-user device and the transaction network. The security mechanism may include an IP address to a server within the transaction network. The agent or another agent may be capable of removing the security mechanism upon completion of the transaction. The agent may include an install agent downloaded from the trusted source, an install agent downloaded from a third-party server, and/or a connection agent preloaded onto the end-user device.
  • According to another embodiment, the present invention provides a method comprising initiating a request by an end user for a secure transaction with a transaction network providing a transaction; receiving from a trusted source a security mechanism for at least partially protecting an end-user device from malicious code operative thereon that attempts to capture confidential data presented during the transaction, the security mechanism being maintained by a party other than the end user; activating the security mechanism; establishing a secure connection between an end-user device and the transaction network; and enabling the transaction.
  • The transaction network may provide a banking site and/or a gaming site. The trusted source may reside on an ISP network, SAS operator network or on the transaction network. The trusted source and the transaction network may be managed by the same entity. The security mechanism may include a security engine and/or a security profile. The security mechanism may include a start/stop trigger module for controlling when to initiate one or more aspects of the security mechanism and when to deactivate the one or more aspects of the security mechanism; an application lockout module for suspending at least one application not needed to effect the transaction; a file/network I/O control module for disabling at least one file or network operation during the transaction; a trusted driver module for determining whether a driver, e.g., a keyboard driver, on the end-user device matches a known trusted driver; a keystrokes generator driver for generating additional keystrokes to a keystroke pattern generated by the end user; a keystrokes deletion hook for deleting the additional keystrokes generated by the keystrokes generator driver; and/or a VPN manager capable of establishing a secure tunnel between the end-user device and the transaction network. The security mechanism may include an IP address to a server within the transaction network. The method may further comprise removing the security mechanism upon completion of the transaction.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a block diagram of a network system operative to secure an end-user device, in accordance with an embodiment of the present invention.
  • FIG. 2 is a block diagram illustrating details of the security engine of FIG. 1, in accordance with an embodiment of the present invention.
  • FIG. 3 is a block diagram illustrating a network system operative to effect a trusted network transaction with an Internet banking portal, in accordance with an embodiment of the present invention.
  • FIG. 4 is a block diagram illustrating a network system operative to effect a trusted network transaction managed by the end user's Internet service provider, in accordance with an embodiment of the present invention.
  • FIG. 5 is a block diagram illustrating a network system operative to effect security engine installation, in accordance with an embodiment of the present invention.
  • FIG. 6 is a timing diagram illustrating keyboard-input processing, in accordance with an embodiment of the present invention.
  • FIG. 7 is a block diagram illustrating a network system operative to effect tunnel datagram processing, in accordance with an embodiment of the present invention.
  • FIG. 8 is a screen shot of an end-user device before spyware infection or spoofing attack.
  • FIG. 9 is a screen shot of an end-user device after spyware infection.
  • FIG. 10 is a screen shot of an end-user device with a window illustrating keylogger infection.
  • FIG. 11 is a screen shot of an end-user device with a window illustrating keystroke capture.
  • FIG. 12 is a screen shot of an end-user device before DNS poisoning.
  • FIG. 13 is a screen shot of an end-user device with a window illustrating a legitimate IP address in a DNS cache, before DNS poisoning.
  • FIG. 14 is a screen shot of an end-user device after DNS poisoning.
  • FIG. 15 is a screen shot of an end-user device with a window illustrating a spoofed IP address in the DNS cache, after DNS poisoning.
  • FIG. 16 is a screen shot of an end-user device with a browser window illustrating the spoofed site at the IP address of FIG. 15.
  • FIG. 17 is a screen shot of an end-user device with a browser window illustrating the spoofed site and with a security alert.
  • FIG. 18 is a screen shot of an end-user device with a browser window illustrating the spoofed site and with a spoofed security certificate.
  • FIG. 19 is a screen shot of an end-user device after keylogger infection and DNS poisoning and before protection by embodiments of the invention.
  • FIG. 20 is a screen shot of an end-user device with a window illustrating continuous pinging of the Yahoo website to evidence the availability of outbound communication.
  • FIG. 21 is a screen shot of an end-user device with a window illustrating that a download agent, e.g., an ActiveX control, is being delivered to the end-user device.
  • FIG. 22 is a screen shot of an end-user device with a window illustrating that the download agent is being executed and is establishing a VPN connection with a trusted source of a security engine.
  • FIG. 23 is a screen shot of an end-user device with a window illustrating that the download agent has established a VPN connection with the trusted source, has downloaded and installed the security engine, and is presenting a button to navigate to the legitimate banking site.
  • FIG. 24 is a screen shot of an end-user device with a window illustrating that the continuous pinging of the Yahoo website has stopped, evidencing that outbound communication has been suspended.
  • FIG. 25 is a screen shot of an end-user device with a window illustrating the legitimate IP address of the legitimate banking site.
  • FIG. 26 is a screen shot of an end-user device with a window illustrating application lockout.
  • FIG. 27 is a screen shot of an end-user device with a window illustrating the button to navigate to the legitimate banking site.
  • FIG. 28 is a screen shot of an end-user device with a browser window illustrating the legitimate banking site.
  • FIG. 29 is a screen shot of an end-user device with a window illustrating the legitimate banking site certificate of the legitimate banking site.
  • FIG. 30 is a screen shot of an end-user device with a browser window illustrating the legitimate banking site and illustrating that the keylogger is no longer active.
  • FIG. 31 is a screen shot of an end-user device with a browser window just before the security engine is deactivated and/or removed.
  • FIG. 32 is a screen shot of an end-user device with a window illustrating that outbound communication has resumed.
  • FIG. 33 is a screen shot of an end-user device with a window illustrating resumed vulnerability to the DNS poisoning of the DNS cache.
  • FIG. 34 is a screen shot of an end-user device with a window illustrating that the security engine protected the memory space from registering the browser window.
  • FIG. 35 is a screen shot of an end-user device with a window illustrating that the keylogger infection has been neutralized.
  • DETAILED DESCRIPTION
  • The following description is provided to enable any person skilled in the art to make and use the invention and is provided in the context of a particular application. Various modifications to the embodiments are possible, and the generic principles defined herein may be applied to these and other embodiments and applications without departing from the spirit and scope of the invention. Thus, the invention is not intended to be limited to the embodiments and applications shown, but is to be accorded the widest scope consistent with the principles, features and teachings disclosed herein.
  • According to one embodiment, instead of ensuring that an end-user device is permanently secure, which requires ongoing security management, embodiments of the invention only ensure that the end-user device is secure during a data sensitive transaction. This reduces end-user security management overhead. For example, an end-user device may be infected with keyloggers or remote backdoors during normal operation. However, according to embodiments of the invention, these threats need only be disabled during the transaction. According to another embodiment, instead of depending on an end user to manage the security software, software that enables a trusted network transaction (TNT) environment is managed and provided by a trusted source that provides the security software on demand. For example, the security software may be delivered/pushed from an online transaction site, from a service provider site (e.g., the end user's Internet service provider, the transaction site's security provider, an independent service provider, or the like) onto the end-user device. According to yet another embodiment, the security software delivered/pushed onto an end-user device may remove dependencies on shared Internet resources. For example, the IP address of a destination VPN server may be provided directly to the end-user device to force a new connection over the Internet with the destination VPN server. Yet another embodiment secures data exchange by ensuring that confidential data cannot be permanently captured by malicious software residing on an end-user device, or that confidential data captured cannot be sent or misdirected to untrusted remote sites. These and other TNT mechanisms (security engines, security profiles, and/or the like) can be deployed independently or in different combinations. It will be appreciated that the transaction is not necessarily an online transaction; it could be a local transaction, e.g. opening an encrypted local file.
  • FIG. 1 is a block diagram of a network system 100 operative to secure an end-user device 105, in accordance with an embodiment of the present invention. The network system 100 includes an end-user device 105 coupled via a trusted network 110 to an Internet service provider (ISP) network 115, which is coupled via an untrusted network 112 to a transaction network (e.g., server, network of servers, etc.) 120 (e.g., bankofamerica.com, amazon.com, ebay.com, etc.) and to another network 125.
  • The end-user device 105 includes a browser 135 (e.g., Microsoft Internet Explorer or Netscape Navigator), an operating system (e.g., Microsoft Vista or Apple Mac OS X) and device drivers 140, and other applications 145. The end-user device 105 also includes a connection agent 130 capable of communicating with a trusted source of a security mechanism (e.g., security engine and/or security profiles) that secures the end-user device 105 during an online transaction. The end-user device 105 may also maintain a local DNS cache 150.
  • The ISP network 120 includes a server 165, a DNS server/cache 170, and an end-user security controller 175. In another embodiment, components of the end-user security controller 175 may be located elsewhere (e.g., the security engine can be on the trusted network and the security policy can be on the transaction network), such as on the transaction network 120 or on another trusted source. The end-user security controller 175 includes a security engine 177 and security profiles 180 for download to the end-user device 105. The security engine 177 contains software that sets up a secure data exchange between the end-user device 105 and a remote network application running on a trusted device in a trusted network, e.g., a trusted server on the transaction network 120. The security profiles 177 contain the rules, definitions and/or identification information for the security engine 180 to block unexpected behaviors due to, e.g., viruses, spyware, adware, Trojans, etc. It will be appreciated that the ISP network 120 may support multiple transaction networks 120, and may include multiple security controllers 175 (each dedicated to a particular transaction network 120). Alternatively, the ISP network 120 may have a single security controller 175, and may customize the security engine 177 and/or security profiles 180 on the fly for the particular transaction network 120.
  • It will be appreciated that the security engine 177 and/or security profiles 180 may be updated on a regular basis by a security manager. Then, as needed, possibly on an irregular basis as the end user connects to the ISP network 120 and/or to the transaction network 120, the end-user security controller 175 downloads the security engine 177 and/or security profiles 180 to the end-user device 105. In one embodiment, the security engine 177 and/or security profiles 180 are maintained only during the transaction session, and are removed upon completion of the transaction. In another embodiment, the security engine 177 and/or security profiles are not removed, and are updated before each new transaction begins. In another embodiment, the security engine 177 and/or security profiles 180 are operative between transactions, and serve to protect the end-user device 105 in the current state until a subsequent transaction request deploys an update. Additional details of the security engine 177 are shown and described with reference to FIG. 2.
  • The transaction network 120 includes at least one web server 185, which includes a login script 190. The login script 190 may request confidential information from the end user. After download, the security engine 177 and security profiles 180 protect the confidential data being provided by the end user from unintended capture, undesired transfer to third parties, etc.
  • The other network 125 includes at least one web server 193, which includes a login script 197. In one embodiment, the other network 125 may provide a malicious site developed to mimic the site provided by transaction network 120. In such embodiment, the security engine 177 and security profiles 180 protect the end user from being misdirected to the other network 125, e.g., via DNS poisoning, etc.
  • In one embodiment, the connection agent 130 is securely delivered and pre-installed on the end-user device 105. Whenever secure data exchange is required, the connection agent 130 downloads a trusted copy of the security engine 177 and/or security profiles 180. The connection agent 130 can be implemented as a standalone executable application, as a plug-in to the browser 135, as a part of the operating system 140, etc. In one embodiment, it is assumed that the connection agent 130 is delivered, pre-installed and executed on the end-user device 105 without modification. If the connection agent 130 does not come from a trusted source, then secure data exchange may be compromised.
  • In one embodiment, the connection agent 130 uses a pre-configured and unchangeable network address to contact a secure network address resolution service to obtain the IP address of the trusted source providing the security engine 177 and/or security profiles 180. For example, an IP address of a trusted DNS security extensions (DNSSEC) server may be embedded in the connection agent 130. The connection agent 130 may use this IP address to connect to the DNSSEC server to resolve the domain name of the trusted source to an IP address. Using the network address of the trusted source, a secure data exchange may be established to provide a secure connection to the trusted source, preventing network traffic from the end-user device 105 from being misdirected to untrusted sources and guarding against other forms of network intrusion and attacks. For example, in a TCP/IP network, the connection agent 130 may use the resolved IP address to connect to the trusted source, e.g., via a secure tunnel. This connection technique ensures that the IP address is accurate (e.g., not poisoned by a DNS attack), and assures that the end-user device 105 connects to the intended trusted source. Further, the communication protocols employed in the secure network address resolution service ensure that communication to and from the end-user device 105 is authenticated, authoritative and accurate.
  • With a secure data exchange established, the end-user device 105 can download the security engine 177 and/or security profiles 180, e.g., using protocols like HTTP or FTP. The secure tunnel established by the connection agent 130 ensures that data traffic between the end-user device 105 and the trusted source is secure and cannot be compromised, even when insecure protocols like HTTP and FTP are used.
  • After delivery of the security engine 177 and/or security profiles 180, the end-user device 105 executes the security engine 177. The security engine 177 effectively secures the end-user device 105, e.g., allows the end-user device 105 to communicate only with trusted sites, prevents other applications 145 running on the end-user device 105 from capturing or sending information, especially to untrusted sites, etc. The user can then access and interact with the transaction network 120 in confidence.
  • In another embodiment, the connection agent 130 and security engine 177 are pre-loaded onto the end-user device 105. Then, using the techniques described above to obtain the security engine 177 and/or security profiles 180, the connection agent 130 and security engine 177 may obtain current security profiles 180 to configure and/or operate with the pre-loaded security engine 177.
  • It will be appreciated that the connection agent 130 may cooperate with the end-user security controller 175 to establish a preliminary VPN tunnel (e.g., Microsoft PPTP or L2TP/IPSEC) before obtaining the security engine 177 and/or security profiles 180. This preliminary VPN tunnel ensures that the security engine 177 and/or security profiles 180 are not modified or replaced in transit. In one embodiment, the preliminary VPN tunnel is dynamically established using IP (instead of DNS) as the destination address. This bypasses the dependency on the Internet-shared DNS service.
  • It will be further appreciated that security engine 177 may establish a transaction network VPN tunnel (e.g., Microsoft PPTP or L2TP/IPSEC) with the transaction network 120. This VPN tunnel ensures that confidential data communicated with the transaction network 120 is not captured. In one embodiment, the VPN tunnel is dynamically established using IP (instead of DNS) as the destination address. The IP address can be securely updated immediately (as compared to using DNS) because the IP address can be directly set in the security engine 177 and/or security profiles 180 (which is directly managed by the trusted party). This bypasses the dependency on the Internet-shared DNS service. In certain embodiments, the preliminary VPN tunnel may connect with the transaction network 120. Accordingly, in such embodiments, the security engine 177 need not establish a different tunnel.
  • FIG. 2 is a block diagram illustrating details of the security engine 177, in accordance with an embodiment of the present invention. The security engine 177 includes a security manager 210, a start/stop trigger module 215, an application lockout module 220, a network/file I/O control module 225, a trusted driver manager 230, a keystrokes generator driver 235, a keystrokes deletion hook 240, a security profile manager 245, and a transaction network VPN manager 250.
  • The security manager 210 includes hardware, software and/or firmware to manage the execution of and interaction between the various components of the security engine 177. The start/stop trigger module 215 includes hardware, software and/or firmware to determine where and when data protection is needed. The application lockout module 220 includes hardware, software and/or firmware to effectively suspend other applications not needed during the online transaction (e.g., Authentium Trusted Security Extensions, SecureWave Sanctuary, and/or the like). The network/file I/O control module 225 includes hardware, software and/or firmware to prevent network and/or file I/O by other applications, e.g., by other applications that cannot be suspended. The trusted driver manager 230 includes hardware, software and/or firmware to determine whether device drivers, e.g., the keyboard input driver, on the end-user device 105 can be trusted. The keystrokes generator driver 235 includes hardware, software and/or firmware to generate additional keystrokes and/or replace keystrokes generated by the keyboard input driver 140, e.g., to input fake keystrokes in a keyboard input pattern. The keystrokes deletion hook 240 includes hardware, software and/or firmware to remove the additional keystrokes and/or replace the original keystrokes generated by the keyboard input driver 140, e.g., to regenerate the original keyboard input pattern modified by the keystrokes generator driver 235. The security profile manager 245 includes hardware, software and/or firmware to replace and/or update the security profiles 180. The transaction network VPN manager 250 includes hardware, software and/or firmware to establish a VPN tunnel with the transaction network 120.
  • It will be appreciated that one route by which confidential data (e.g., userid, password, credit card number, visual login screen, etc.) leaks requires the data to be captured locally and then transmitted over the network. Thus, in some embodiments, instead of focusing on updating traditional anti-virus/anti-spyware with the latest security protection, the application lockout module 220 treats all applications not explicitly needed to use the transaction network 120 as a security threat and disables them for the duration of the online transaction. For example, during the online transaction, the application lockout module 220 allows only the browser 135 and browser-helper applications (e.g., PDF reader) to continue normal execution, while effectively suspending all other applications 145 (regardless of whether they are benign or malevolent). Optionally, the application lockout module 220 could permanently terminate (instead of temporarily suspend) well-known spyware or Trojans.
  • Depending on the OS and applications control component features, it is possible for the application lockout module 220 in a first stage to suspend unrequired applications 145 by placing them into background mode, by preventing OS events (e.g., Microsoft Windows event messages) from being received by these applications 145, by intercepting all keyboard and mouse operations to these applications 145, and/or the like. Further, in a second stage, the application lockout module 220 may stop new applications or processes from being executed, e.g., to prevent changes to the security engine 177 and/or security profiles 180 during the transaction. Thus, unrequired or infected applications that bypass the first stage of protection cannot create another process to capture confidential information or disable the security software.
  • In some embodiments, it might not be technically possible for the application lockout module 220 to suspend all unrequired applications 145 and OS processes (e.g., the OS timer), as such might create unintended side effects (e.g., application crashes). When an application 145 cannot be suspended, the network/file I/O control module 225 may provide a second level of global security. The network/file I/O control module 225 effectively prevents information leakage by these unrequired applications 145. Since unrequired applications 145 need to store and/or transmit the captured information, preventing file I/O operations and/or network I/O transmissions can stop permanent storage and/or transfer of the data. Thus, even if the information is captured by the malicious code, no one can obtain the compromised data. In the extreme case, if the leaked information is cached in memory, rebooting the OS would clear the data. The network/file I/O control module 225 can deny write attempts to all files/directories or the OS registry not required by the browser 135. Using a VPN tunnel may prevent the confidential data from being sent to the Internet by spyware, Trojans, or the like.
  • Embodiments of the invention attempt to enforce protection and/or application/network lockout on demand during a secured data exchange session with less user disruption. Traditional end-point protection and/or lockout solutions, e.g., SecureWave, Bit9, etc., apply full protection or lockout of the end-user device 105 to ensure that only valid or authorized applications are allowed to run. However, this approach is intrusive and disruptive to the end user, who loses the capability to perform normal computing tasks. Embodiments of the invention achieve protection and/or lockout by determining interaction points where and when important sensitive information is being sent to and/or received by the user; by activating end-point protection and/or lockout mechanisms only during these sensitive interaction points; and by de-activating protection and/or lockout outside these interaction points where and when the user is doing things that do not compromise security.
  • The start/stop trigger module 215 determines the interaction points during a user's data exchange session where and when sensitive data needs protection. The start/stop trigger module 215 generates a Sensitive_Start flag when sensitive information is present, e.g., when sensitive information is about to be sent, sensitive data is about to be received, sensitive data is about to be displayed, combinations of these points, etc. The start/stop trigger module 215 generates a Sensitive_Stop flag when no sensitive information is present, e.g., when no sensitive data is being sent, received, displayed, etc.
  • These flags activate or de-activate end-point protection and/or lockout mechanisms by the application lockout module 220 and/or network/file I/O control module 225 in a more granular manner, which is less intrusive to the end user. For example, assuming the security software is deployed to protect a payment transaction performed on Paypal, the start/stop trigger module 215 could determine when the user's keyboard focus is on the Paypal browser instance, e.g., the user is likely to be sending sensitive login credentials or credit card information to complete the payment, or when any part of the Paypal browser is visible, e.g., personal Paypal user information or transaction data may be displayed. Full security protection may be enforced when this event is detected.
  • If the user opens a Word document for editing, the start/stop trigger module 215 may issue a Sensitive_Stop flag, e.g., when it determines that the Paypal browser 135 that it is protecting no longer has keyboard focus (such that no sensitive information meant for Paypal can be captured by keyloggers), or when it determines that the Paypal browser 135 no longer has window focus and no visible area is shown (such that no sensitive personal information related to Paypal can be captured through screen capturing software). Thus, security mechanisms can be turned off when this event occurs.
  • The timing for the start/stop trigger module 215 to issue Sensitive_Start and Sensitive_Stop flags can be further customized and refined to fit various security levels for various applications. For example, it may be deemed important to protect the user's login credentials only for an online gaming application and not the gaming screen. Therefore, the Sensitive_Start and Sensitive_Stop flag requirement can be refined to detect only keyboard focus acquired or lost in the gaming application, and not to require detection of window focus.
  • In certain embodiments, the start/stop trigger module 215 may listen for a window-focus loss event of the protected application and may minimize the protected application's window. Then, the start/stop trigger module 215 may trigger the Sensitive_Stop event, since it is certain that the protected area is not visible when minimized.
  • As an enhancement to achieve transparent and seamless end-point protection, current end-point protection and/or lockout mechanisms on the end-user device 105 may need to be modified to support fast and on-demand activation and de-activation. Working in collaboration with the start/stop trigger module 215, a fast-switching engine may provide seamless transition when switching between a protected application and a non-protected application. End-point protection may be turned on quickly when the user is working on the protected application and may be turned off quickly when the user switches to a non-protected application. To achieve fast switching, traditional techniques like network tunnel pre-establishment or keep-alive and application pre-loading of the end-point protection process can be used. In one embodiment, the pre-establishment and pre-loading can be done when the OS starts up and/or when the end-point protection mechanism is first activated. The corresponding cleanup can be done when the last protected application is closed and/or when the OS shuts down.
  • An example process incorporating start/stop triggers includes:
  • (1) The end user boots up the computer and launches messaging software like MSN and Skype.
  • (2) The end user opens a browser 135 session, and activates the connection agent 130 to access his Internet Banking site (e.g., Citibank), which has implemented TNT security software, to transfer funds to his friend.
  • (3) The connection agent 130 establishes a secure data exchange to the Citibank site.
  • (4) An install agent 182, e.g., Citibank ActiveX object, is downloaded and loaded into memory.
  • (5) The install agent 182 downloads and installs the security engine 177 and/or security profiles 180.
  • (6) The start/stop trigger module 215 determines that the Citibank Webpage is in focus, issues a Sensitive_Start flag, and activates the security engine 177. All traffic goes through the compulsory non-hijack tunnel and other applications are blocked. The MSN and Skype connections break during this stage.
  • (7) The end user logs securely into the Citibank Internet banking site and his login credentials are protected by the security engine 177.
  • (8) Before completing the fund transfer transaction, the end user switches to his MSN application to chat with his friend to confirm the amount of transfer.
  • (9) Since focus is lost from the Citibank Internet banking site, the start/stop trigger module 215 detects the window focus loss event, minimizes the Citibank browser 135 session, issues the Sensitive_Stop flag, and disables the security engine 177. Thus, traffic is allowed to go through the original route and not the compulsory tunnel. Further, application blocking is turned off.
  • (10) MSN detects network connectivity and reconnects, allowing the end user to chat with his friend.
  • (11) The end user launches his Excel application and updates his daily expenses spreadsheet.
  • (12) The end user switches back to the Citibank website. The start/stop trigger module 215 notes the Sensitive_Start flag and re-enables the security engine 177. The MSN and Skype connections break again.
  • (13) The end user completes the fund-transfer transaction and closes the Citibank browser 135 session.
  • (14) The security engine 177 and/or security profiles 180 are unloaded from memory.
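The focus-and-visibility logic of the start/stop trigger module, replayed against the banking session above, as an added example that is not the patent's own code; the process names, the Policy fields and the LockoutController stand-in for the lockout, I/O control and tunnel switches are assumptions.

```python
"""Constructed model of the start/stop trigger module. A Policy says which
signals count as 'sensitive' for a protected application; the module turns
focus and visibility events into Sensitive_Start / Sensitive_Stop transitions
and hands them to a controller that would switch the lockout mechanisms."""
from dataclasses import dataclass


@dataclass
class Policy:
    keyboard_focus: bool = True          # keystrokes going to the app need protection
    visible_area: bool = True            # any visible part of the app needs protection
    minimize_on_focus_loss: bool = True  # hide the window so non-visibility is certain


class LockoutController:
    """Assumed stand-in for application lockout / I/O control / compulsory tunnel."""
    def __init__(self):
        self.locked = False
        self.log = []

    def apply(self, flag):
        self.locked = flag == "Sensitive_Start"
        self.log.append(flag)


class StartStopTrigger:
    def __init__(self, protected, policy=None, controller=None):
        self.protected = set(protected)        # process names under protection
        self.policy = policy or Policy()
        self.controller = controller or LockoutController()
        self.focused = None                    # app holding keyboard focus
        self.visible = set()                   # apps with a visible window area
        self.active = False                    # True between Start and Stop

    def _sensitive(self):
        kb = self.policy.keyboard_focus and self.focused in self.protected
        vis = self.policy.visible_area and bool(self.visible & self.protected)
        return kb or vis

    def _reconcile(self):
        """Emit a flag only on a state change, so mechanisms are not re-toggled."""
        want = self._sensitive()
        if want != self.active:
            self.active = want
            self.controller.apply("Sensitive_Start" if want else "Sensitive_Stop")

    # --- OS events fed in by window/keyboard hooks ---------------------------
    def on_show(self, app):
        self.visible.add(app)
        self._reconcile()

    def on_hide(self, app):
        self.visible.discard(app)
        self._reconcile()

    def on_focus(self, app):
        previous, self.focused = self.focused, app
        if (previous in self.protected and app != previous
                and self.policy.minimize_on_focus_loss):
            self.visible.discard(previous)     # minimize the protected window
        self._reconcile()

    def on_close(self, app):
        self.visible.discard(app)
        if self.focused == app:
            self.focused = None
        self._reconcile()


def banking_session(policy=None):
    """Replays the focus-related steps of the example process (constructed names)."""
    t = StartStopTrigger({"bank-browser"}, policy)
    t.on_show("msn"); t.on_focus("msn")                      # step 1
    t.on_show("bank-browser"); t.on_focus("bank-browser")    # step 6
    t.on_focus("msn")                                        # steps 8-9
    t.on_show("excel"); t.on_focus("excel")                  # step 11
    t.on_focus("bank-browser"); t.on_show("bank-browser")    # step 12
    t.on_close("bank-browser")                               # step 13
    return t.controller.log
```

With the default policy the session yields Start, Stop, Start, Stop; a gaming-style policy (keyboard focus only, no auto-minimize) drops protection on focus loss even while the window stays visible.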
  • It will be appreciated that traditional keylogger protection mechanisms employ anti-virus detection logic to find and remove resident keyloggers on the end-user device. Unlike computer virus or worms, keyloggers on their own do not attempt to propagate, making keyloggers hard to detect or block using heuristics. Generally, keyloggers hook onto processes available in the end-user device operating system to capture but not modify keystrokes entered by the end user using any keyboard input device or software (e.g., visual keyboard). In certain embodiments, as an alternative approach, the trusted driver manager 230 allows resident intended or unintended keyloggers to continue execution, but renders the keylogging operation ineffective when necessary.
  • In certain embodiments, the keyboard input device driver 140 must be trusted. The trusted driver manager 230 validates the current driver 140 by comparing a secure ID, a secure hash, and/or the like against a list of trusted and/or untrusted keyboard input secure drivers, IDs, hashes, and/or the like. When the keyboard input device driver 140 is unknown, i.e., not in the list of trusted and/or untrusted drivers, the trusted driver manager 230 can temporarily or permanently replace the unknown driver 140 with a trusted driver, possibly only for the duration of the data exchange session.
  • In certain embodiments, resident keyloggers may capture keystrokes from any available OSI level beginning from keyboard input device driver 140 to the user space application 145. Since keyloggers invisibly and passively capture keystrokes, it is reasonable to assume that the keyloggers (unlike the end user, end user application or remote application) cannot differentiate valid or invalid keystrokes from keyboard input devices. Accordingly, the keystrokes generator driver 235 can modify the sequence of end user supplied keystrokes. The modified pattern can be application sensitive, such that it is only generated when specific applications that require keylogger protection are active.
  • The keyboard data exchange end-point protection may follow one of various implementation models, e.g., a standalone keystrokes generator driver 235 with application monitoring hook 250 (standalone mode); or a dual keystrokes generator driver 235 and keystrokes deletion hook 240 with optional application monitoring hook 250 (producer consumer mode).
  • In standalone mode, the keystrokes generator driver 235 generates fake keystrokes when the keystrokes input by the end user need to be protected. For example, the keystrokes generator driver 235 can generate invalid keystrokes such as non-existent application shortcut menu options that will be silently dropped by the browser 135 when confidential data is input by the end user. The application monitoring hook 250, which in one embodiment may be part of the start/stop trigger module 215, determines when the keystrokes input by the end user need to be protected based on the current application status receiving the keystrokes. A non-exhaustive list of relevant application status information includes the application process name, current active text input frame (e.g., application configuration input or user specific data input), valid and invalid application keystrokes, etc. In one embodiment, the keystrokes generator driver 235 determines the keystrokes to generate. In another embodiment, the application monitoring hook 250 analyzes the application status and determines the keystrokes for the keystrokes generator driver 235 to generate.
  • In producer consumer mode, the keystrokes generator driver 235 and keystrokes deletion hook 240 control keystroke generation and deletion. In one embodiment, the keystrokes generator driver 235 may embed identification of the fake keystrokes within the keystrokes data flow (inband mode), may be managed by an external controller such as the application monitoring hook 250 (outband mode), or may employ a combination of inband and outband controls. The keystrokes deletion hook 240 can be implemented as an OS hook or application-specific plug-in installed at the last possible level of the keyboard input processing flow shown in FIG. 6. The execution point of the keystrokes deletion hook 240 is the opposite of what keyloggers require: a keylogger attempts to sit at the earliest point of the input processing flow, closest to the keyboard, to avoid being circumvented. The keystrokes deletion hook 240 deletes fake keystrokes generated by the keystrokes generator driver 235, before the fake keystrokes are processed by the protected end-user applications.
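The standalone and producer-consumer modes just described, modelled end to end as an added example that is not the patent's code; the tag field on KeyEvent (the inband marker), the list of unbound shortcuts and the letters-only application model are assumptions.

```python
"""Constructed keyboard-protection model. A keystroke travels
driver -> early hook layer (where a keylogger would sit) -> last-level
deletion hook -> application. Fake keystrokes are produced by the generator;
the application only ever receives the user's real keystrokes."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyEvent:
    key: str
    tag: int = 0      # assumed inband marker: 0 for real keys, session tag for fakes


LETTERS = "abcdefghijklmnopqrstuvwxyz0123456789"
# Standalone mode relies on keys the protected application does not bind and
# therefore silently drops. Constructed, application-specific set.
UNBOUND_SHORTCUTS = ("<ctrl+F13>", "<ctrl+F14>", "<alt+F15>", "<ctrl+shift+F16>")


def generate_standalone(real_keys, rng, fakes_per_key=2):
    """Interleave unbound shortcuts with the user's keys; no deletion hook needed."""
    out = []
    for k in real_keys:
        out.extend(KeyEvent(rng.choice(UNBOUND_SHORTCUTS)) for _ in range(fakes_per_key))
        out.append(KeyEvent(k))
    out.extend(KeyEvent(rng.choice(UNBOUND_SHORTCUTS)) for _ in range(fakes_per_key))
    return out


def generate_inband(real_keys, rng, session_tag, fakes_per_key=2):
    """Producer side: ordinary-looking fake keys, identified inband by the tag."""
    out = []
    for k in real_keys:
        out.extend(KeyEvent(rng.choice(LETTERS), session_tag) for _ in range(fakes_per_key))
        out.append(KeyEvent(k))
    out.extend(KeyEvent(rng.choice(LETTERS), session_tag) for _ in range(fakes_per_key))
    return out


def deletion_hook(stream, session_tag):
    """Consumer side, installed at the last level before the application."""
    return [e for e in stream if e.tag != session_tag]


def early_layer_capture(stream):
    """What a component hooked below the deletion hook observes: key values only."""
    return "".join(e.key for e in stream)


def application(stream, accepted=LETTERS):
    """Protected app model: consumes printable keys, drops shortcuts it does not bind."""
    return "".join(e.key for e in stream if e.key in accepted)


def run_session(real_text, mode, seed=7):
    """Returns what the early layer captured and what the application received."""
    rng = random.Random(seed)                # seeded only to keep the example repeatable
    real = list(real_text)
    tag = rng.getrandbits(32) | 1            # never 0, so it cannot mark a real key
    if mode == "standalone":
        stream = generate_standalone(real, rng)
        delivered = stream                   # nothing removed; the app drops the fakes
    elif mode == "producer-consumer":
        stream = generate_inband(real, rng, tag)
        delivered = deletion_hook(stream, tag)
    else:
        raise ValueError(mode)
    return {"captured": early_layer_capture(stream), "received": application(delivered)}
```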
  • For keyloggers requiring local or remote keystrokes disk storage with limited keystrokes memory buffer, I/O blocking logic (possibly combined with either or both of the above mentioned approaches) can cause such keyloggers to lose keystrokes data or malfunction. One example process includes:
  • (1) Start I/O blocking
  • (2) Before the end user inputs confidential data, the keystrokes generator driver 235 generates fake keystrokes to fill up keyloggers limited memory buffer or causes the keyloggers to lose data.
  • (3) After the end user inputs confidential data, the keystrokes generator driver 235 generates fake keystrokes to overwrite any keyloggers limited memory buffer or causes the keyloggers to lose data.
  • (4) Stop I/O blocking.
  • It will be appreciated that VPN tunneling is a well-established concept used to authenticate access to a remote network with private resources, to provision access to the remote network with the private resources, and to secure the confidentiality and integrity of the private data exchanged between the end-user device and the remote network. VPN tunneling can also indirectly prevent access to other public resources originally accessible to the end-user device. Further, VPN tunneling may be used for server authentication (authenticating the transaction network 120) and for client authentication (authenticating the end-user device 105). VPN tunnel encryption indirectly prevents tunnel hijacking, since encrypted data cannot be spoofed. VPN tunneling may be used to allow access to a predetermined set of resources without requiring network revamp. This predetermined set of resources can be a combination of public resources (e.g., resources the end-user device 105 can remotely access before the VPN tunnel is established) and private resources (resources that the end-user device 105 can only access after the VPN tunnel is established).
  • For certain embodiments of the invention, a VPN may be used to authenticate the remote network, to provision access to the authenticated remote network resources, to prevent access to all other remote resources outside the authenticated remote network, and to ensure the integrity of the data exchanged between the two end-points (the end-user device and the authenticated remote network).
  • To authenticate the remote network, the connection agent 130 and/or transaction network VPN manager 250 may authenticate the remote network (e.g., the transaction network 120) using any predefined direct or indirect trust relationship. Authentication can be achieved indirectly using existing public key infrastructure (PKI) mechanisms or directly using a predefined secret key.
  • To ensure the integrity of the data exchanged, after the authentication phase, the connection agent 130 and/or transaction network VPN manager 250 may employ a key exchange process with the authentication router, e.g., using Diffie-Hellman key exchange. This key exchange process may be integrated with the authentication process as a single phase, e.g., to provide Perfect Forward Secrecy. The transaction network 120 may use the ephemeral key negotiated by the key exchange process to ensure data integrity between the two end-points, to verify data integrity received from the end-user device 105, and/or to generate a message authentication code for the data sent from the remote network to the end-user device 105, e.g., using Message-Digest algorithm 5 (MD5). The same logic applies in reverse to the connection agent 130 and/or transaction network VPN manager 250. The message authentication code can be inband (part of the data exchange, e.g., IPSEC Authentication Header) or outband (e.g., using a different communication channel).
  • Tunneling, authentication and data integrity verification can be decoupled in implementation, i.e., they may be performed by independent entities. For example, the VPN tunnel can be established between the end-user device 105 and a hardware-based dedicated tunneling router. Authentication may be performed between the end-user device 105 and a server behind the tunneling router. Since in one embodiment tunneling involves only encapsulation and decapsulation, a dedicated tunneling router can perform it efficiently. If traffic integrity checking is performed inband of the tunnel, then, based on the source and the destination IP address of the traffic with message authentication code, the tunneling router could route or load balance the traffic to different authentication servers to perform data integrity checking.
  • To prevent access to remote resources, the connection agent 130 and/or VPN manager 250 may establish a compulsory tunnel from the end-user device 105 to the transaction network 120. Conversely, traffic from the transaction network 120 to the end-user device 105 need not necessarily be tunneled. To provide access to authenticated resources and to prevent access to all other remote resources, a bi-directional or unidirectional tunnel may be used, a virtual IP may be allocated to the end-user device 105, and/or ingress or egress filtering may be used.
  • If a virtual IP is allocated to each end-user device 105 to access the remote network resources, all end-user devices 105 can be grouped under a common pool of IP addresses. As illustrated in FIG. 7, ingress filtering of these virtual IP addresses can be used to prevent data from the end-user devices 105 from being routed out of the authenticated remote network. Ingress filtering may not be possible if a uniquely identifiable virtual IP address pool is not allocated. In the case where ingress filtering is not possible, egress filtering can be done after the tunnel decapsulation router to ensure that only resources within the authenticated network are accessible.
  • There may be one or more default routers for the pool of virtual IP addresses. All data sent to these virtual IP addresses may be routed to these default routers. Bi-directional tunneling may be used if a virtual IP address is allocated, because the virtual IP address is only routable within the remote network. An exception may be employed when the virtual IP address used is a publicly routable IP address belonging to the end-user device 105. When bi-directional tunneling is employed, the virtual IP addresses' default routers can encapsulate the data from the remote network back to the end-user device 105. Unlike the tunnel decapsulation router, which is stateless, the default routers can maintain the tunnel state information. The tunnel state information may include the WAN IP to virtual IP association of the end-user device 105, used to encapsulate and tunnel data back to the end-user device 105. The expiry of the tunnel state information may be effected via keep-alive messages sent from the connection agent 130 directly or indirectly to the default router(s).
  • In one embodiment, tunneling protocols can reuse the IP address of the end-user device 105 for both the tunnel IP header (traffic between the end-user device 105 and the decapsulation router) and the application IP header (traffic between the end-user device 105 and the remote network resources). If the tunneling protocol can reuse the IP address of the end-user device 105 for both tunneling and application communication, virtual IP provisioning by the remote network may be unnecessary. If computing device IP address reuse is not automatic, the remote network may use the virtual IP provisioning mechanism to decide if a localized virtual IP may be used for application communication or allocate the computing device IP address as the virtual IP.
  • The remote network virtual IP provisioning system may determine if the end-user device 105 is behind a Network Address Translation (NAT) or Network Address and Port Translation (NAPT) router, to determine what application communication IP address and tunneling protocol to use. By reusing the IP address of the end-user device 105 instead of a localized virtual IP for the tunnel IP header, bi-directional tunneling can be avoided. The application traffic from the remote network resources may be sent directly to the end-user device 105. Thus, virtual IP default router(s) to encapsulate the return traffic may not be necessary.
  • If the end-user device is behind a NAT or NAPT router, a unidirectional transport level tunneling protocol that is NAT and NAPT friendly may be used. Instead of having both a tunnel IP header and an application IP header, there may be only one IP header. The unidirectional transport level tunneling protocol may be intended for application traffic from the end-user device 105 to the remote network decapsulation router.
  • An example tunneling encapsulation procedure is provided as follows:
  • (1) The end-user device 105 generates application data and application IP header (i.e., an application IP datagram).
  • (2) The application IP datagram is sent to the tunneling driver.
  • (3) The tunneling driver inserts the original destination IP address in the transport header field (e.g., the TCP option field) or between the transport header and the application payload.
  • (4) The tunneling driver replaces the destination IP address with the IP address of the remote network decapsulation router.
  • (5) The tunneling driver may set the IP header type-of-service field to indicate the datagram is encapsulated.
  • (6) The tunneling driver adjusts the IP header total length and re-computes the IP header checksum.
  • (7) The encapsulated IP datagram is transmitted.
  • An example tunneling decapsulation procedure is as follows:
  • (1) The decapsulation router checks if the datagram is encapsulated, e.g., checks the IP header type-of-service field or TCP option field.
  • (2) If the datagram is encapsulated, the decapsulation router replaces the destination IP address with the original embedded application destination IP address.
  • (3) The embedded application destination IP address may or may not be removed by the decapsulation router.
  • (4) The decapsulation router re-computes the IP header checksum and adjusts the IP header total length if necessary.
  • (5) The decapsulated IP datagram is transmitted.
  • Embodiments of the tunneling protocol achieve functionality similar to TCP or UDP port forwarding, without the need for the decapsulation router to keep state or port to IP address mapping configuration information. Such information is encapsulated in the tunneled datagram.
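  • The encapsulation and decapsulation procedures above, worked through in code as an added illustration (this is not code from the patent or its assignee). It embeds the original destination address between the transport header and the application payload (the second placement option of encapsulation step 3) and removes it again on the router side. The Type-of-Service marker value `TOS_ENCAP_FLAG`, the helper names, and all addresses are assumptions chosen for the example; the patent leaves them open.

```python
import socket
import struct

# Marker bit set in the IPv4 Type-of-Service byte to flag an encapsulated
# datagram (encapsulation step 5). The value is an assumption for this example.
TOS_ENCAP_FLAG = 0x04
PROTO_TCP, PROTO_UDP = 6, 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement header checksum. Evaluates to 0 over a header
    whose checksum field is already correct, which makes it usable as a check."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _with_checksum(hdr: bytearray) -> bytes:
    """Zero the checksum field and recompute it (encapsulation step 6)."""
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def _layout(datagram: bytes):
    """Return (ihl, total_len, payload_start); payload_start is the offset just
    past the transport header, i.e. the insertion point of encapsulation step 3."""
    ihl = (datagram[0] & 0x0F) * 4
    total_len = struct.unpack("!H", datagram[2:4])[0]
    proto = datagram[9]
    if proto == PROTO_TCP:
        transport_len = (datagram[ihl + 12] >> 4) * 4   # TCP data offset field
    elif proto == PROTO_UDP:
        transport_len = 8
    else:
        raise ValueError("example handles TCP and UDP only")
    return ihl, total_len, ihl + transport_len


def encapsulate(datagram: bytes, decap_router: str) -> bytes:
    """Encapsulation steps 3-6, as performed by the tunneling driver."""
    ihl, total_len, payload_start = _layout(datagram)
    original_dst = datagram[16:20]
    body = datagram[ihl:payload_start] + original_dst + datagram[payload_start:total_len]
    hdr = bytearray(datagram[:ihl])
    hdr[1] |= TOS_ENCAP_FLAG                                # step 5: mark it
    hdr[2:4] = struct.pack("!H", ihl + len(body))           # step 6: total length
    hdr[16:20] = socket.inet_aton(decap_router)             # step 4: redirect
    return _with_checksum(hdr) + body                        # step 6: checksum


def decapsulate(datagram: bytes):
    """Decapsulation steps 1-4, as performed by the decapsulation router.
    Returns None for a datagram that carries no encapsulation marker."""
    ihl, total_len, payload_start = _layout(datagram)
    if not datagram[1] & TOS_ENCAP_FLAG:                     # step 1: marked?
        return None
    embedded_dst = datagram[payload_start:payload_start + 4]
    body = datagram[ihl:payload_start] + datagram[payload_start + 4:total_len]  # step 3
    hdr = bytearray(datagram[:ihl])
    hdr[1] &= 0xFF ^ TOS_ENCAP_FLAG
    hdr[2:4] = struct.pack("!H", ihl + len(body))           # step 4: length
    hdr[16:20] = embedded_dst                               # step 2: restore dst
    return _with_checksum(hdr) + body                        # step 4: checksum


def destination(datagram: bytes) -> str:
    return socket.inet_ntoa(datagram[16:20])


def sample_application_datagram() -> bytes:
    """Constructed IPv4/TCP datagram from 192.0.2.10 to 198.51.100.20 (sample data)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    payload = tcp + b"GET / HTTP/1.0\r\n\r\n"
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                                0x4000, 64, PROTO_TCP, 0,
                                socket.inet_aton("192.0.2.10"),
                                socket.inet_aton("198.51.100.20")))
    return _with_checksum(hdr) + payload
```

Two properties worth noting. The transport-layer checksum was computed by the end-user device over the original pseudo-header, and because the router restores the original destination and length before forwarding, it verifies correctly again at the final receiver without the router touching it; this is why the router needs no per-flow state, as the paragraph above says. The embedded destination, however, is not itself authenticated, so the decapsulation router must still apply egress filtering to the restored destination (the role the firewall 745 plays in FIG. 7) so that it only forwards toward the intended transaction resources.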
  • If the remote network provisioning system can verify that the traffic from the end-user device 105 will not be NATed, standard tunneling protocols (e.g., GRE, IP-in-IP, etc.) can be used. The IP of the end-user device 105 can be reused for both the tunnel IP header and application IP header using standard tunneling protocol. The tunneled traffic can be decapsulated by standard routers and the remote network resources can directly reply to the end-user device 105 without bi-directional tunneling.
  • Embodiments of the invention enable application-specific encryption (e.g., HTTPS) to be used in conjunction with the tunneling mechanism described herein to ensure privacy of confidential data. That is, there can be a combination of encrypted and unencrypted data exchange through the tunnel. This reduces encryption and decryption overhead to only confidential data, instead of maintaining encryption and decryption overhead for all data in a VPN architecture.
  • FIG. 3 is a block diagram illustrating a network system 300 operative to effect a trusted network transaction (TNT) with an Internet banking portal, in accordance with an embodiment of the present invention.
  • As shown, in step 1, the end user accesses his original Internet banking portal URL via a browser 135 installed on an insecure end-user device 105.
  • In step 2, the existing Internet banking login page detects whether the end user's browser 135 is capable of supporting TNT, e.g., supports ActiveX controls. If so, the Internet server 315 displays the Internet banking login page with an additional “button” for the end user to selectively enable TNT security. If the end-user device 105 cannot support TNT, then the original Internet banking login page is displayed without the TNT button.
  • In step 3, the end user clicks on the TNT button, which causes the Internet banking server 315 to download the install agent 182, e.g., an ActiveX control, to the end-user device 105. The end-user device 105 confirms that the install agent 182 is digitally signed by the bank, which is a trusted party by the end-user device 105. The end-user device 105 allows the trusted install agent 182 to execute.
  • In step 4, the install agent 182 establishes a VPN tunnel to a predefined VPN server 320 in the banking server farm 310 and establishes predefined VPN authentication credentials. After the VPN tunnel is established, all network traffic from the end-user device 105 is sent to the VPN server 320. That is, the end-user device 105 is disconnected from the rest of the Internet. The VPN server 320 (or a firewall) manages network resources accessible by the end-user device 105. That is, only network resources (e.g., the Internet banking web site) required for Internet banking transactions are made accessible to the end-user device 105.
  • In step 5, the security engine 177 is downloaded over the VPN. Armed with the security engine 177, an application lockout module 220 may be used to suspend applications not required for the Internet banking transaction and to prevent new applications from being executed.
  • In step 6, after the end user completes all Internet banking transactions and requests logout, the install agent 182 may be downloaded again. The install agent 182 detects the previously existing active TNT session, removes the security engine 177, and terminates the VPN tunnel before ending the install agent 182 process.
  • FIG. 4 is a block diagram illustrating a network system 400 operative to effect a TNT by an end-user device 405 with a banking portal, the TNT being managed by the end user's ISP network 440, in accordance with an embodiment of the present invention. In one embodiment, the end user's ISP network 440 may provide TNT protection for multiple transaction sites 120. The network system includes the ISP network 440 coupled via the Internet 450 to a banking server farm 445. The ISP network 440 includes the end-user device 405 coupled via an intranet 435 to an ISP server 410, to a VPN server 415, and to a VPN router 420. The banking server farm 445 includes a banking server 425 and a VPN router 430. The VPN router 420 of the ISP network 440 is coupled to the VPN router of the banking server farm 445 via the Internet 450.
  • In step 1, the end-user device 405 accesses the banking server 425 via a software application, e.g., the connection agent 130, that enables the user to select from multiple specific URLs of TNT-enabled sites 120. Upon selection of a URL, the software application is configured to direct the browser 135 to the selected URL. The list of specific URLs may be installed on the end-user device 405 by the ISP 410 or may be available on the portal page of the ISP 410. Alternatively, the end-user device 405 may navigate directly to the banking server 425, possibly via a TNT “button” from the site presented by the ISP server 410.
  • In step 2, the end user selects the URL of the transaction network 120 to access with TNT protection. The connection agent 130 establishes a preliminary VPN with the ISP server 410. The install agent 182 is downloaded from the ISP server 410 (or other trusted source dedicated to supporting TNT for the banking site 425). The end-user device 405 is informed that the install agent 182 is digitally signed by the ISP server 410, which is trusted by the end-user device 405. The end-user device 405 allows the install agent 182 to execute. The install agent 182 may be embedded with the latest IP addresses of the TNT-enabled sites or VPN servers (independent of DNS update propagation delays or DNS security risks). The OS hosts file of the end-user device 105 may be updated by the install agent 182 with these IP addresses to prevent URL redirection of TNT-protected sites due to DNS poisoning. Any changes to the TNT-managed IP addresses may be controlled by the ISP server 410. A transaction network 120, e.g., banking server 425, informs the ISP server 410 whenever the IP addresses of its web servers change (instead of depending on Internet DNS updates).
  • In step 3, the install agent 182 establishes a VPN tunnel to the VPN server 415 using predefined VPN authentication credentials specified in the ISP server's web page (from the URL selected in step 2). The VPN authentication credentials can be uniquely created for each TNT session to associate the specific end-user device 405 with its access to the banking server 425, even if the end-user device 405 is hidden behind a NAT router. For example, the VPN login userid could be the subscriber ISP userid + end-user device 105 MAC address or computer name (detected by the TNT ActiveX control) + target TNT site. This allows the ISP server 410 to track down the actual end-user device 405 performing online TNT transactions if there are any audit requirements, or to “blacklist” an end-user device 105 (instead of the end user, who can continuously change his login credentials) that regularly posts false offers on online auction web sites, etc.
  • In step 4, after the temp VPN tunnel is established, all network traffic from the end-user device 405 is sent to the VPN server 415. That is, the end-user device 405 is disconnected from the rest of the Internet. The VPN server 415 (or a firewall) within the ISP network 440 manages the network resources accessible by the end-user device 405. That is, only network resources (e.g., the banking server 425) required for the Internet banking transactions are made accessible.
  • In step 5, the security engine 177 and/or security profiles 180 are downloaded, installed and executed. Using the application lockout module, the security engine 177 blocks applications not required for the Internet banking transactions and prevents new applications from being executed. Other TNT protection mechanisms may also be used. The transaction network VPN manager 250 establishes a VPN tunnel with the VPN server 415.
  • In step 6, the VPN server 415 is deployed. To ensure network security over the Internet 450 from the ISP network 440 to the banking server 425, a permanent VPN tunnel may be established between the ISP network 440 and the banking server 425, e.g., using the ISP-managed VPN router 420 and the bank-managed VPN router 430. This ensures that intermediate Internet routers between the ISP network 440 and the banking server 425 cannot hijack traffic to and/or from the end-user device 405. This also allows the banking server 425 to manage additional network security policies within their own network on top of those provided by the ISP network 440.
  • In step 7, after the end user completes his Internet banking transactions and requests logout, the install agent 182 is downloaded again from the ISP server 410. The install agent 182 detects the previously existing active TNT session, removes the security engine 177, and terminates the VPN tunnel before ending the install agent 182 process.
  • Combinations of the various techniques described in this invention could be used in an actual deployment of TNT. Various alternative technologies, e.g., a Java applet instead of Microsoft ActiveX, SSL instead of PPTP VPN tunnel, etc., can be used.
  • FIG. 5 is a block diagram illustrating a network system 500 operative to effect security engine installation, in accordance with an embodiment of the present invention.
  • In step 1, the connection agent 130 uses a pre-configured and unchangeable network address to contact a secure network address resolution service 520 to obtain the network address of a trusted source of the security engine 515 or a list of trusted sources. For example, an IP address of a trusted DNS security extensions (DNSSEC) server 520 may be pre-configured in the connection agent 130.
  • In step 2, the connection agent 130 uses this IP address to connect to the DNSSEC server 520 to resolve the domain name of the trusted source to an IP address. In another embodiment, the DNSSEC server 520 may download a list of approved sites, from which the end-user device 505 may select a URL of the trusted source of the security engine 515.
  • In step 3, using the network address of the trusted source, the connection agent 130 establishes a secure data exchange with the trusted source, preventing network traffic from the end-user device 105 from being misdirected to untrusted sources and guarding against other forms of network intrusion and attacks. For example, in a TCP/IP network, the connection agent 130 may use the resolved IP address to connect to the trusted source, e.g., via a secure tunnel. This connection technique ensures that the network address is accurate (e.g., not poisoned by a DNS attack) and that the end-user device 105 connects to the intended trusted source. Further communication protocols employed in the secure network address resolution service 520 ensure that communication to and from the end-user device 105 is authenticated, authoritative and accurate.
  • In step 4, with a secure exchange established, the end-user device 105 downloads the security engine 515, e.g., using protocols like HTTP or FTP. The secure tunnel established by the connection agent 130 ensures that data traffic between the end-user device 105 and the trusted source is secure and cannot be compromised, even when insecure protocols like HTTP and FTP are used.
  • In step 5, after delivery of the security engine 515, the end-user device 105 executes the security engine 515. The security engine 515 effectively secures the end-user device 105, e.g., allows the end-user device 105 to communicate only with trusted transaction sites, e.g., trusted remote network 535, and prevents other applications 145 running on the end-user device 105 from capturing or sending information, especially to untrusted sites, etc. The user can then access and interact with the transaction sites in confidence.
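  • The address-pinning idea that appears twice above, in step 2 of FIG. 4 (the install agent writes the TNT-managed IP addresses into the OS hosts file so DNS poisoning cannot redirect a protected site) and in step 3 of FIG. 5 (the resolved address is checked before connecting), worked through as an added example. This is not the patent's or Authentium's code; the table `PINNED_SITES`, the marker comment, and all names and addresses are constructed for the illustration. In the patent's design the pinned values come from the install agent and are changed only under ISP server control.

```python
import ipaddress

# Constructed pinned name-to-address table for the illustration only.
PINNED_SITES = {
    "bank.example": "198.51.100.20",
    "vpn.example": "198.51.100.21",
}
PIN_MARKER = "# TNT pinned entries"   # assumed marker delimiting the agent's block


def pin_hosts_file(hosts_text: str, pinned: dict) -> str:
    """Rewrite hosts-file content so each pinned name resolves only to its pinned
    address. Existing mentions of a pinned name (stale or poisoned entries included)
    are removed, unrelated lines are kept, and the pins are appended under a marker
    so that re-running the agent is idempotent."""
    kept = []
    for line in hosts_text.splitlines():
        if line.strip() == PIN_MARKER:
            continue                                   # drop our previous block
        tokens = line.split("#", 1)[0].split()         # ignore trailing comments
        if tokens:
            remaining = [n for n in tokens[1:] if n.lower() not in pinned]
            if len(remaining) != len(tokens) - 1:      # line mentioned a pinned name
                if not remaining:
                    continue                           # nothing unpinned left
                line = tokens[0] + "\t" + " ".join(remaining)
        kept.append(line)
    kept.append(PIN_MARKER)
    for name, address in sorted(pinned.items()):
        ipaddress.ip_address(address)                  # refuse to write a malformed pin
        kept.append(f"{address}\t{name}")
    return "\n".join(kept) + "\n"


def check_resolution(name: str, resolved: str, pinned: dict) -> bool:
    """FIG. 5 step 3, before connecting: accept a resolver's answer only if it matches
    the pre-configured address. A mismatch for a pinned name is a poisoning indicator
    and the connection should not proceed; unpinned names are never accepted here."""
    return pinned.get(name.lower()) == resolved
```

On Windows the hosts file that such an agent rewrites lives under the system directory and is writable only by administrators, which is why the patent has the agent run as trusted, signed code; a defender auditing a device can diff the file against the marker block to see exactly what the agent installed and whether anything else has touched the pinned names.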
  • FIG. 6 is a hierarchical level diagram illustrating keyboard-input processing flow 600, in accordance with an embodiment of the present invention. Flow 600 is divided into physical space 605, kernel space 610, and application space 615. In physical space 605, the end user makes keystrokes on the keyboard at level 620. In kernel space 610, the trusted keyboard driver receives keystrokes at level 625. The keystrokes generator driver resides and generates fake keystrokes at level 630. The potential untrusted keylogger driver captures keystrokes at level 620 or thereafter. In application space 615, a potential untrusted keylogger hook potentially captures keystrokes at level 640. The keystrokes deletion hook removes fake keystrokes at level 645. The application receives the cleaned keystroke pattern at level 650. Somewhere between level 630 in kernel space and level 645 in application space 615, an application monitoring hook, plugin and/or driver monitors application status, and possibly feeds information to the keystrokes generator driver at level 630.
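  • The keystroke-pattern modification of FIG. 6, simulated as an added example (not code from the patent): a generator at level 630 interleaves fake keystrokes with the real ones whenever the application monitoring hook reports that the protected application has focus, so that anything capturing between levels 630 and 645 sees a padded stream, and the deletion hook at level 645 strips the fakes before the application at level 650 receives the cleaned pattern. How the hook knows which keystrokes are fake is not specified by the patent; this example assumes both ends derive the same insertion schedule from a seed shared out of band, and the function names and sample input are constructed.

```python
import random

FAKE_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def keystroke_generator(typed: str, focused: list, seed: int, max_fakes: int = 3) -> str:
    """Level 630: for every real keystroke made while the protected application has
    focus (as reported per keystroke in `focused`), emit 1..max_fakes fake keystrokes
    before the real one. The returned string is what a capturing driver or hook
    between levels 630 and 645 would observe. The seed is an assumed shared secret."""
    rng = random.Random(seed)
    stream = []
    for ch, has_focus in zip(typed, focused):
        if has_focus:
            for _ in range(rng.randint(1, max_fakes)):
                stream.append(rng.choice(FAKE_ALPHABET))
        stream.append(ch)
    return "".join(stream)


def keystroke_deletion_hook(stream: str, focused: list, seed: int, max_fakes: int = 3) -> str:
    """Level 645: replay the same schedule and skip the fakes, yielding the cleaned
    keystroke pattern delivered to the application at level 650."""
    rng = random.Random(seed)
    cleaned, i = [], 0
    for has_focus in focused:
        if has_focus:
            n = rng.randint(1, max_fakes)
            for _ in range(n):
                rng.choice(FAKE_ALPHABET)   # advance the schedule identically, discard
            i += n                          # skip the fakes in the captured stream
        cleaned.append(stream[i])
        i += 1
    return "".join(cleaned)


def simulate(typed: str, focused: list, seed: int):
    """Return (what a mid-stack capture sees, what the application receives)."""
    captured = keystroke_generator(typed, focused, seed)
    return captured, keystroke_deletion_hook(captured, focused, seed)
```

Keystrokes made while another window has focus pass through untouched, which is the role of the application monitoring hook in the figure; only the protected application's input is padded. A real driver would also have to keep the fake and real events indistinguishable in timing and in scan-code metadata, which this character-level simulation does not model.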
  • FIG. 7 is a block diagram illustrating a network system 700 operative to effect tunnel datagram processing, in accordance with an embodiment of the present invention. The embodiment uses standard GRE and IPsec AH mechanisms to illustrate the tunneling mechanism. Embodiments of the invention may be applicable to other combinations of tunneling and data integrity protocols.
  • It is assumed that a GRE tunnel has been established between the end-user device 705 and a GRE router 735. The tunneling driver adds an AH header to the IP packet generated by the computing device 705. The AH header is used to authenticate with the authentication router 750 a or 750 b. The IP packet with AH header is further encapsulated in a GRE packet before it is sent out.
  • The GRE packet is transferred through the GRE tunnel via the Internet 710, until it reaches the GRE router 735. The GRE router 735 decapsulates the GRE packet back to the IP packet with AH header. Further, based on the source and destination IP addresses, the GRE router 735 routes the decapsulated packet to an authentication router 750 a or 750 b.
  • Before the packet reaches the authentication router 750 a or 750 b, it passes through a firewall 745, which performs egress filtering to ensure that access only to intended resources is allowed and that access to forbidden resources is blocked.
  • Upon receiving the IP AH packet, the authentication router 750 a or 750 b performs an authentication check to ensure that the packet comes from the computing device 705. It removes the AH header and routes the packet to the intended resources 720 a, 720 b or 720 c. That is, the packet is returned to the format as originally generated by the computing device 705.
  • The intended resource processes the packet and generates a reply to the authentication router 750 a or 750 b.
  • The authentication router 750 a or 750 b adds an AH header to the reply packet. The AH header is used to authenticate any remote network resources 720 a, 720 b or 720 c. The authentication router 750 a or 750 b routes the new IP AH packet back to the GRE router 735.
  • The GRE router 735 encapsulates the reply packet and sends it back to the end-user device 705 via the tunnel.
  • The tunneling driver on the end-user device 705 decapsulates the packet and verifies the AH header. If the AH header passes the check, the packet is trusted as coming from the authenticated remote network resources 720 a, 720 b or 720 c. The AH header is removed before the packet is passed to the upper layer of the network stack for further processing. If the AH header fails the check, then a security measure is taken. The measure could include breaking the tunnel or alerting the end user.
  • There are many other possible variations of the example described. The authentication server 750 a or 750 b can be moved out of band from the communication between the end-user device 705 and the network resources 720 a, 720 b or 720 c. The authentication server 750 a or 750 b can communicate with the GRE router 735 to retrieve a checksum of packets received from the tunnel and can encrypt it with a private key whose public key is known to the tunneling software. The encrypted checksum may be transferred to the tunnel software regularly in a separate channel so that the tunnel software is able to ensure that it is communicating with the actual remote network resource 720 a, 720 b or 720 c.
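  • The AH handling of FIG. 7, reduced to its integrity check and worked through as an added example (not code from the patent or its assignee): `add_ah` is what the tunneling driver (or the authentication router for replies) does when it inserts an AH header, and `AhVerifier.receive` is the check at the other end, which strips the header on success and records an alert on failure so that the security measure of the last step (breaking the tunnel or alerting the user) can be taken. The integrity algorithm (HMAC-SHA256 truncated to 128 bits), the strictly increasing sequence-number check in place of a full anti-replay window, and the SPI, key and sample packet are all assumptions for the example; the GRE encapsulation around the packet is omitted.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51          # IP protocol number of IPsec AH
ICV_LEN = 16           # 128-bit truncated HMAC-SHA256 ICV (assumed integrity algorithm)
AH_FIXED_LEN = 12      # next header, payload length, reserved, SPI, sequence number


def _icv_input(ip_header: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """AH integrity covers the whole packet except the fields that legitimately
    change in transit (ToS, flags/fragment offset, TTL, header checksum), which are
    treated as zero, and the ICV field itself."""
    h = bytearray(ip_header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h) + ah_fixed + bytes(ICV_LEN) + payload


def add_ah(packet: bytes, key: bytes, spi: int, seq: int) -> bytes:
    """Sender side: insert an AH header between the IP header and the payload."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, payload = packet[:ihl], packet[ihl:]
    ah_fixed = struct.pack("!BBHII", packet[9], (AH_FIXED_LEN + ICV_LEN) // 4 - 2, 0, spi, seq)
    hdr = bytearray(ip_hdr)
    hdr[9] = AH_PROTO
    hdr[2:4] = struct.pack("!H", len(packet) + AH_FIXED_LEN + ICV_LEN)
    hdr[10:12] = b"\x00\x00"   # the IP layer recomputes the header checksum (not shown)
    icv = hmac.new(key, _icv_input(bytes(hdr), ah_fixed, payload), hashlib.sha256).digest()[:ICV_LEN]
    return bytes(hdr) + ah_fixed + icv + payload


class AhVerifier:
    """Receiver side: authentication router for device traffic, tunneling driver
    for replies. Accepts only packets under the expected SPI with a fresh sequence
    number and a matching ICV; everything else is dropped and recorded in `alerts`."""

    def __init__(self, key: bytes, spi: int):
        self._key, self._spi, self._last_seq = key, spi, 0
        self.alerts = []

    def receive(self, packet: bytes):
        ihl = (packet[0] & 0x0F) * 4
        if packet[9] != AH_PROTO:
            self.alerts.append("packet without AH header")
            return None
        ah_fixed = packet[ihl:ihl + AH_FIXED_LEN]
        next_hdr, _, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
        icv = packet[ihl + AH_FIXED_LEN:ihl + AH_FIXED_LEN + ICV_LEN]
        payload = packet[ihl + AH_FIXED_LEN + ICV_LEN:]
        if spi != self._spi or seq <= self._last_seq:     # assumed simple replay rule
            self.alerts.append(f"foreign or replayed packet (spi={spi:#x}, seq={seq})")
            return None
        expected = hmac.new(self._key, _icv_input(packet[:ihl], ah_fixed, payload),
                            hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            self.alerts.append(f"ICV mismatch on seq={seq}")
            return None
        self._last_seq = seq
        hdr = bytearray(packet[:ihl])                      # restore the original format
        hdr[9] = next_hdr
        hdr[2:4] = struct.pack("!H", len(packet) - AH_FIXED_LEN - ICV_LEN)
        return bytes(hdr) + payload


def sample_packet() -> bytes:
    """Constructed IPv4 packet (protocol 6, 5-byte payload, checksum field 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 5, 1, 0, 64, 6, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return hdr + b"hello"
```

A TTL decremented by intermediate routers still verifies, because TTL is excluded from the ICV input, whereas any change to the addresses, the payload or the sequence number fails the check. The verifier is deliberately fail-closed: a packet that does not verify is never passed up the stack, and the alert list is what the tunnel software would act on when deciding to tear the tunnel down.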
  • Certain embodiments facilitate the use of data protection mechanisms that place negligible demand on the end user and end-user device. In one embodiment, the end user need only select the network software application that the end user wants to use to exchange data and the trusted remote network with which the end user wishes to establish a secure data exchange session. After the data protection mechanisms are enabled, the end user need not differentiate between trusted and untrusted software and remote networks. Further, certain embodiments enable minimal change to existing Internet banking or shopping sites, minimal TNT deployment effort, and minimal change to the end user's web site usage experience.
  • FIG. 8 is a screen shot of a desktop 805 on an end-user device 105 before spyware infection or spoofing attack.
  • FIG. 9 is a screen shot of the desktop 805 on an end-user device 105 after spyware infection.
  • FIG. 10 is a screen shot of the desktop 805 of an end-user device 105 with a window 1005 illustrating keylogger infection.
  • FIG. 11 is a screen shot of the desktop 805 on an end-user device 105 with a window 1105 illustrating keystroke capture.
  • FIG. 12 is a screen shot of the desktop 805 on an end-user device 105 before DNS poisoning.
  • FIG. 13 is a screen shot of the desktop 805 on an end-user device 105 with a window 1305 illustrating a legitimate IP address in a DNS cache before DNS poisoning.
  • FIG. 14 is a screen shot of the desktop 805 on an end-user device 105 with the window 1305 after DNS poisoning.
  • FIG. 15 is a screen shot of the desktop 805 on an end-user device 105 with a window 1505 illustrating a spoofed IP address in the DNS cache, after DNS poisoning.
  • FIG. 16 is a screen shot of the desktop 805 on an end-user device 105 with a browser window 1605 illustrating the spoofed site at the IP address of FIG. 15.
  • FIG. 17 is a screen shot of the desktop 805 on an end-user device 105 with a browser window 1605 illustrating the spoofed site and with a security alert 1705.
  • FIG. 18 is a screen shot of the desktop 805 on an end-user device 105 with a browser window 1605 illustrating the spoofed site and with a spoofed security certificate 1805.
  • FIG. 19 is a screen shot of the desktop 805 on an end-user device 105 with a window 1905 illustrating keylogger infection and after DNS poisoning but before protection by embodiments of the invention.
  • FIG. 20 is a screen shot of the desktop 805 on an end-user device 105 with a window 2005 illustrating continuous pinging of the Yahoo website to evidence the availability of outbound communication.
  • FIG. 21 is a screen shot of the desktop 805 on an end-user device 105 with a window 2105 illustrating that a download agent, e.g., an ActiveX control, is being delivered to the end-user device.
  • FIG. 22 is a screen shot of the desktop 805 on an end-user device 105 with a window 2205 illustrating that the download agent is being executed and is establishing a VPN connection with a trusted source of a security engine 177.
  • FIG. 23 is a screen shot of the desktop 805 on an end-user device 105 with a window 2305 illustrating that the download agent has established a VPN connection with the trusted source, has downloaded and installed the security engine 177, and is presenting a button 2310 to navigate to the legitimate banking site. Installation of the security engine 177 enables network communication lockout, application lockout, driver management, keystroke pattern modification, and like TNT mechanisms.
  • FIG. 24 is a screen shot of the desktop 805 on an end-user device 105 with a window 2405 illustrating that the continuous pinging of the Yahoo website has stopped, evidencing that outbound communication has been suspended.
  • FIG. 25 is a screen shot of the desktop 805 on an end-user device 105 with a window 2505 illustrating the legitimate IP address of the legitimate banking site.
  • FIG. 26 is a screen shot of the desktop 805 on an end-user device 105 with a window 2605 illustrating application lockout.
  • FIG. 27 is a screen shot of the desktop 805 on an end-user device 105 with the window 2305 illustrating the button 2310 to navigate to the legitimate banking site.
  • FIG. 28 is a screen shot of the desktop 805 on an end-user device 105 with a browser window 2805 illustrating the legitimate banking site.
  • FIG. 29 is a screen shot of the desktop 805 on an end-user device 105 with the browser window 2805 and the legitimate banking site certificate 2905 of the legitimate banking site.
  • FIG. 30 is a screen shot of the desktop 805 on an end-user device 105 with the browser window 2805 of the legitimate banking site and illustrating that the keylogger is no longer active when the keylogger reveal word, “frklg,” is typed in the address field 3005.
  • FIG. 31 is a screen shot of the desktop 805 on an end-user device 105 with the browser window 2805 and after entry of confidential data into the login window 3105, just before the security engine 177 is deactivated and/or removed.
  • FIG. 32 is a screen shot of the desktop 805 on an end-user device 105 with a window 3205 illustrating that outbound communication has resumed.
  • FIG. 33 is a screen shot of the desktop 805 on an end-user device 105 with a window 3305 illustrating resumed vulnerability to the DNS poisoning of the DNS cache.
  • FIG. 34 is a screen shot of the desktop 805 on an end-user device 105 with a window 3405 illustrating that the security engine 177 protected the memory space from registering the browser window 2805.
  • FIG. 35 is a screen shot of the desktop 805 on an end-user device 105 with a window 3505 illustrating that the keylogger infection has been permanently neutralized.
  • The foregoing description of the preferred embodiments of the present invention is by way of example only, and other variations and modifications of the above-described embodiments and methods are possible in light of the foregoing teaching. Although the network sites are described as separate and distinct sites, one skilled in the art will recognize that these sites may be part of an integral site, may each include portions of multiple sites, or may include combinations of single and multiple sites. The various embodiments set forth herein may be implemented utilizing hardware, software, or any desired combination thereof. For that matter, any type of logic may be utilized which is capable of implementing the various functions set forth herein. Components may be implemented using a programmed general-purpose digital computer, using application specific integrated circuits, or using a network of interconnected conventional components and circuits. Connections may be wired, wireless, modem, etc. The embodiments described herein are not intended to be exhaustive or limiting. The present invention is limited only by the following claims.

Claims (42)

1. A network system comprising: a transaction network operative to provide a transaction with an end user; a trusted source of a security mechanism for at least partially protecting an end-user device from malicious code operative thereon that attempts to capture confidential data presented during the transaction, the security mechanism being maintained by a party other than the end user; and an agent for providing the security mechanism to the end-user device to protect the end-user device during the transaction.
2. The network system of claim 1, wherein the transaction network provides a banking site.
3. The network system of claim 1, wherein the transaction network provides a gaming site.
4. The network system of claim 1, wherein the trusted source resides on an ISP network.
5. The network system of claim 1, wherein the trusted source and the transaction network are managed by the same entity.
6. The network system of claim 1, wherein the trusted source resides on the transaction network.
7. The network system of claim 1, wherein the security mechanism includes a security engine.
8. The network system of claim 1, wherein the security mechanism includes a security profile.
9. The network system of claim 1, wherein the security mechanism includes a security engine and a security profile.
10. The network system of claim 1, wherein the security mechanism includes a start/stop trigger module for controlling when to initiate one or more aspects of the security mechanism and when to deactivate the one or more aspects of the security mechanism.
11. The network system of claim 1, wherein the security mechanism includes an application lockout module for suspending at least one application not needed to effect the transaction.
12. The network system of claim 1, wherein the security mechanism includes a file/network I/O control module for disabling at least one file or network operation during the transaction.
13. The network system of claim 1, wherein the security mechanism includes a trusted driver module for determining whether a driver on the end-user device matches a known trusted driver.
14. The network system of claim 13, wherein the driver is a keyboard driver.
15. The network system of claim 1, wherein the security mechanism includes a keystrokes generator driver for generating additional keystrokes to a keystroke pattern generated by the end user.
16. The network system of claim 15, wherein the security mechanism includes a keystrokes deletion hook for deleting the additional keystrokes generated by the keystrokes generator driver.
17. The network system of claim 1, wherein the security mechanism includes an IP address to a server within the transaction network.
18. The network system of claim 1, wherein the security mechanism includes a VPN manager capable of establishing a secure tunnel between the end-user device and the transaction network.
19. The network system of claim 1, wherein the agent is capable of removing the security mechanism upon completion of the transaction.
20. The network system of claim 1, further comprising a second agent being capable of removing the security mechanism upon completion of the transaction.
21. The network system of claim 1, wherein the agent includes an install agent downloaded from the trusted source.
22. The network system of claim 1, wherein the agent includes an install agent downloaded from a third-party server.
23. The network system of claim 1, wherein the agent includes a connection agent preloaded onto the end-user device.
24. A method comprising: requesting by an end user a secure transaction with a transaction network providing a transaction; receiving from a trusted source a security mechanism for at least partially protecting an end-user device from malicious code operative thereon that attempts to capture confidential data presented during the transaction, the security mechanism being maintained by a party other than the end user; activating the security mechanism; establishing a secure connection between an end-user device and the transaction network; and enabling the transaction.
25. The method of claim 24, wherein the transaction network provides a banking site.
26. The method of claim 24, wherein the transaction network provides a gaming site.
27. The method of claim 24, wherein the trusted source resides on an ISP network.
28. The method of claim 24, wherein the trusted source and the transaction network are managed by the same entity.
29. The method of claim 24, wherein the trusted source resides on the transaction network.
30. The method of claim 24, wherein the security mechanism includes a security engine.
31. The method of claim 24, wherein the security mechanism includes a security profile.
32. The method of claim 24, wherein the security mechanism includes a security engine and a security profile.
33. The method of claim 24, wherein the security mechanism includes a start/stop trigger module for controlling when to initiate one or more aspects of the security mechanism and when to deactivate the one or more aspects of the security mechanism.
34. The method of claim 24, wherein the security mechanism includes an application lockout module for suspending at least one application not needed to effect the transaction.
35. The method of claim 24, wherein the security mechanism includes a file/network I/O control module for disabling at least one file or network operation during the transaction.
36. The method of claim 24, wherein the security mechanism includes a trusted driver module for determining whether a driver on the end-user device matches a known trusted driver.
37. The method of claim 36, wherein the driver is a keyboard driver.
38. The method of claim 24, wherein the security mechanism includes a keystrokes generator driver for generating additional keystrokes to a keystroke pattern generated by the end user.
39. The method of claim 38, wherein the security mechanism includes a keystrokes deletion hook for deleting the additional keystrokes generated by the keystrokes generator driver.
40. The method of claim 24, wherein the security mechanism includes an IP address to a server within the transaction network.
41. The method of claim 24, wherein the security mechanism includes a VPN manager capable of establishing a secure tunnel between the end-user device and the transaction network.
42. The method of claim 24, further comprising removing the security mechanism upon completion of the transaction.
US12/111,777 2006-03-30 2008-04-29 System and method for providing transactional security for an end-user device Abandoned US20090044266A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US12/111,777 US20090044266A1 (en) 2006-03-30 2008-04-29 System and method for providing transactional security for an end-user device
US13/075,569 US20110209222A1 (en) 2006-03-30 2011-03-30 System and method for providing transactional security for an end-user device

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US78745706P 2006-03-30 2006-03-30
US81482806P 2006-06-19 2006-06-19
US11/694,476 US8434148B2 (en) 2006-03-30 2007-03-30 System and method for providing transactional security for an end-user device
US12/111,777 US20090044266A1 (en) 2006-03-30 2008-04-29 System and method for providing transactional security for an end-user device

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US11/694,476 Continuation US8434148B2 (en) 2006-03-30 2007-03-30 System and method for providing transactional security for an end-user device

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US13/075,569 Division US20110209222A1 (en) 2006-03-30 2011-03-30 System and method for providing transactional security for an end-user device

Publications (1)

Publication Number Publication Date
US20090044266A1 true US20090044266A1 (en) 2009-02-12

Family

ID=38833899

Family Applications (3)

Application Number Title Priority Date Filing Date
US11/694,476 Active 2030-03-13 US8434148B2 (en) 2006-03-30 2007-03-30 System and method for providing transactional security for an end-user device
US12/111,777 Abandoned US20090044266A1 (en) 2006-03-30 2008-04-29 System and method for providing transactional security for an end-user device
US13/075,569 Abandoned US20110209222A1 (en) 2006-03-30 2011-03-30 System and method for providing transactional security for an end-user device

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US11/694,476 Active 2030-03-13 US8434148B2 (en) 2006-03-30 2007-03-30 System and method for providing transactional security for an end-user device

Family Applications After (1)

Application Number Title Priority Date Filing Date
US13/075,569 Abandoned US20110209222A1 (en) 2006-03-30 2011-03-30 System and method for providing transactional security for an end-user device

Country Status (2)

Country Link
US (3) US8434148B2 (en)
WO (1) WO2007149140A2 (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070234061A1 (en) * 2006-03-30 2007-10-04 Teo Wee T System And Method For Providing Transactional Security For An End-User Device
US20090037976A1 (en) * 2006-03-30 2009-02-05 Wee Tuck Teo System and Method for Securing a Network Session
US20090187991A1 (en) * 2008-01-22 2009-07-23 Authentium, Inc. Trusted secure desktop
US20110035478A1 (en) * 2007-10-24 2011-02-10 Lantronix, Inc. Systems and methods for creation of reverse virtual internet protocol addresses
US8065695B1 (en) * 2008-06-30 2011-11-22 United Services Automobile Association Systems and methods for increased security during logging in to web site
US20130031607A1 (en) * 2011-07-25 2013-01-31 Vikas Aditya Software delivery models
US8707437B1 (en) * 2011-04-18 2014-04-22 Trend Micro Incorporated Techniques for detecting keyloggers in computer systems
US20140215569A1 (en) * 2012-11-12 2014-07-31 Optim Corporation User terminal, unauthorized site information management server, and method and program for blocking unauthorized request
US8918865B2 (en) 2008-01-22 2014-12-23 Wontok, Inc. System and method for protecting data accessed through a network connection
US20160156642A1 (en) * 2014-12-02 2016-06-02 Wontok Inc. Security information and event management
US20160330238A1 (en) * 2015-05-05 2016-11-10 Christopher J. HADNAGY Phishing-as-a-Service (PHaas) Used To Increase Corporate Security Awareness
CN106254505A (en) * 2016-08-25 2016-12-21 厦门雅迅网络股份有限公司 A kind of system and method monitoring ftp server end files passe progress
CN107026863A (en) * 2017-04-13 2017-08-08 深信服科技股份有限公司 A kind of mobile terminal network partition method and system
US11075893B2 (en) * 2014-06-23 2021-07-27 Vmware, Inc. Cryptographic proxy service

Families Citing this family (59)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8196200B1 (en) * 2006-09-28 2012-06-05 Symantec Corporation Piggybacking malicious code blocker
WO2008135844A2 (en) * 2007-05-04 2008-11-13 Alcatel Lucent Method for charging for services, such as push mail
US20090047930A1 (en) * 2007-08-17 2009-02-19 Qualcomm Incorporated Method for a heterogeneous wireless ad hoc mobile service provider
US20090047964A1 (en) 2007-08-17 2009-02-19 Qualcomm Incorporated Handoff in ad-hoc mobile broadband networks
US9398453B2 (en) * 2007-08-17 2016-07-19 Qualcomm Incorporated Ad hoc service provider's ability to provide service for a wireless network
US20090047966A1 (en) * 2007-08-17 2009-02-19 Qualcomm Incorporated Method for a heterogeneous wireless ad hoc mobile internet access service
US20090046644A1 (en) * 2007-08-17 2009-02-19 Qualcomm Incorporated Service set manager for ad hoc mobile service provider
US20090172389A1 (en) * 2007-12-31 2009-07-02 Intel Corporation Secure client/server transactions
US20090172410A1 (en) * 2007-12-31 2009-07-02 Intel Corporation Personal vault
US20090172388A1 (en) * 2007-12-31 2009-07-02 Intel Corporation Personal guard
US20090172396A1 (en) * 2007-12-31 2009-07-02 Intel Corporation Secure input
JP2009165041A (en) * 2008-01-09 2009-07-23 Sony Corp Network apparatus, address revision notifying method, and notifying program of address revision
US8555380B2 (en) * 2008-02-28 2013-10-08 Intel Corporation Automatic modification of executable code
US20090235359A1 (en) * 2008-03-12 2009-09-17 Comodo Ca Limited Method and system for performing security and vulnerability scans on devices behind a network security device
US9596250B2 (en) * 2009-04-22 2017-03-14 Trusted Knight Corporation System and method for protecting against point of sale malware using memory scraping
US8272039B2 (en) * 2008-05-02 2012-09-18 International Business Machines Corporation Pass-through hijack avoidance technique for cascaded authentication
US8468356B2 (en) * 2008-06-30 2013-06-18 Intel Corporation Software copy protection via protected execution of applications
US20100010992A1 (en) * 2008-07-10 2010-01-14 Morris Robert P Methods And Systems For Resolving A Location Information To A Network Identifier
US20100011048A1 (en) * 2008-07-10 2010-01-14 Morris Robert P Methods And Systems For Resolving A Geospatial Query Region To A Network Identifier
US20100010975A1 (en) * 2008-07-10 2010-01-14 Morris Robert P Methods And Systems For Resolving A Query Region To A Network Identifier
US9032536B2 (en) * 2008-10-10 2015-05-12 Safend Ltd. System and method for incapacitating a hardware keylogger
US20100145963A1 (en) * 2008-12-04 2010-06-10 Morris Robert P Methods, Systems, And Computer Program Products For Resolving A Network Identifier Based On A Geospatial Domain Space Harmonized With A Non-Geospatial Domain Space
US7933272B2 (en) * 2009-03-11 2011-04-26 Deep River Systems, Llc Methods and systems for resolving a first node identifier in a first identifier domain space to a second node identifier in a second identifier domain space
US20100250777A1 (en) * 2009-03-30 2010-09-30 Morris Robert P Methods, Systems, And Computer Program Products For Resolving A First Source Node Identifier To A Second Source Node Identifier
US9179367B2 (en) 2009-05-26 2015-11-03 Qualcomm Incorporated Maximizing service provider utility in a heterogeneous wireless ad-hoc network
US20110029702A1 (en) * 2009-07-28 2011-02-03 Motorola, Inc. Method and apparatus pertaining to portable transaction-enablement platform-based secure transactions
US8713325B2 (en) 2011-04-19 2014-04-29 Authentify Inc. Key management using quasi out of band authentication architecture
US8955131B2 (en) 2010-01-27 2015-02-10 Mcafee Inc. Method and system for proactive detection of malicious shared libraries via a remote reputation system
US20110185428A1 (en) * 2010-01-27 2011-07-28 Mcafee, Inc. Method and system for protection against unknown malicious activities observed by applications downloaded from pre-classified domains
US8819826B2 (en) 2010-01-27 2014-08-26 Mcafee, Inc. Method and system for detection of malware that connect to network destinations through cloud scanning and web reputation
US8474039B2 (en) 2010-01-27 2013-06-25 Mcafee, Inc. System and method for proactive detection and repair of malware memory infection via a remote memory reputation system
US9147071B2 (en) * 2010-07-20 2015-09-29 Mcafee, Inc. System and method for proactive detection of malware device drivers via kernel forensic behavioral monitoring and a back-end reputation system
US8458786B1 (en) * 2010-08-13 2013-06-04 Zscaler, Inc. Automated dynamic tunnel management
US9536089B2 (en) 2010-09-02 2017-01-03 Mcafee, Inc. Atomic detection and repair of kernel memory
US8763092B2 (en) * 2010-09-30 2014-06-24 International Business Machines Corporation Implementing secured, event-based layered logout from a computer system
US9832183B2 (en) 2011-04-19 2017-11-28 Early Warning Services, Llc Key management using quasi out of band authentication architecture
US8776040B2 (en) * 2011-08-19 2014-07-08 International Business Machines Corporation Protection for unauthorized firmware and software upgrades to consumer electronic devices
USRE49491E1 (en) * 2012-06-08 2023-04-11 Samsung Electronics Co., Ltd. Method and system for selective protection of data exchanged between user equipment and network
US9356948B2 (en) 2013-02-08 2016-05-31 PhishMe, Inc. Collaborative phishing attack detection
EP2854088B1 (en) * 2013-09-26 2017-09-27 AO Kaspersky Lab A system and method for ensuring safety of online transactions
RU2587423C2 (en) 2013-09-26 2016-06-20 Закрытое акционерное общество "Лаборатория Касперского" System and method of providing safety of online transactions
US11165770B1 (en) * 2013-12-06 2021-11-02 A10 Networks, Inc. Biometric verification of a human internet user
US20160007201A1 (en) * 2014-05-27 2016-01-07 Telmate, Llc Vpn-based mobile device security
US20160104476A1 (en) 2014-10-09 2016-04-14 International Business Machines Corporation Cognitive Security for Voice Phishing Activity
RU2595511C2 (en) * 2014-12-05 2016-08-27 Закрытое акционерное общество "Лаборатория Касперского" System and method of trusted applications operation in the presence of suspicious applications
CN105991604A (en) * 2015-02-27 2016-10-05 中兴通讯股份有限公司 Method and device for preventing form domain name hijacking
US10361920B2 (en) 2015-04-01 2019-07-23 Threatstop, Inc. Domain name system based VPN management
US9930010B2 (en) * 2015-04-06 2018-03-27 Nicira, Inc. Security agent for distributed network security system
US9906539B2 (en) 2015-04-10 2018-02-27 PhishMe, Inc. Suspicious message processing and incident response
US10425234B2 (en) * 2015-08-27 2019-09-24 Cavium, Llc Systems and methods for perfect forward secrecy (PFS) traffic monitoring via a hardware security module
US10334060B1 (en) * 2015-11-20 2019-06-25 United Services Automobile Association (Usaa) System for determining a time zone difference between a user's computer and an ISP server
US10530803B1 (en) * 2016-07-05 2020-01-07 Wells Fargo Bank, N.A. Secure online transactions
US20180075233A1 (en) * 2016-09-13 2018-03-15 Veracode, Inc. Systems and methods for agent-based detection of hacking attempts
CN108804915B (en) * 2017-05-03 2021-03-26 腾讯科技(深圳)有限公司 Virus program cleaning method, storage device and electronic terminal
US20190097968A1 (en) * 2017-09-28 2019-03-28 Unisys Corporation Scip and ipsec over nat/pat routers
US11323426B2 (en) * 2017-10-19 2022-05-03 Check Point Software Technologies Ltd. Method to identify users behind a shared VPN tunnel
US10298611B1 (en) * 2018-12-10 2019-05-21 Securitymetrics, Inc. Network vulnerability assessment
US11575646B2 (en) * 2020-03-12 2023-02-07 Vmware, Inc. Domain name service (DNS) server cache table validation
US11423153B2 (en) * 2020-08-18 2022-08-23 Raytheon Company Detection of malicious operating system booting and operating system loading

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5983348A (en) * 1997-09-10 1999-11-09 Trend Micro Incorporated Computer network malicious code scanner
US20020029342A1 (en) * 2000-09-07 2002-03-07 Keech Winston Donald Systems and methods for identity verification for secure transactions
US20030079143A1 (en) * 2001-10-22 2003-04-24 Dean Mikel One pass security
US20030177389A1 (en) * 2002-03-06 2003-09-18 Zone Labs, Inc. System and methodology for security policy arbitration
US20050071282A1 (en) * 2003-09-29 2005-03-31 Lu Hongqian Karen System and method for preventing identity theft using a secure computing device
US20050216957A1 (en) * 2004-03-25 2005-09-29 Banzhof Carl E Method and apparatus for protecting a remediated computer network from entry of a vulnerable computer system thereinto
US20060010252A1 (en) * 2004-03-04 2006-01-12 Miltonberger Thomas W Geo-location and geo-compliance utilizing a client agent
US20060090196A1 (en) * 2004-10-21 2006-04-27 Van Bemmel Jeroen Method, apparatus and system for enforcing security policies
US20060143706A1 (en) * 2004-12-28 2006-06-29 Hitomi Kawasaki Security control apparatus, security control method, and storage medium
US7086086B2 (en) * 1999-02-27 2006-08-01 Alonzo Ellis System and method for maintaining N number of simultaneous cryptographic sessions using a distributed computing environment
US20060185015A1 (en) * 2005-02-14 2006-08-17 International Business Machines Corporation Anti-virus fix for intermittently connected client computers
US20060206936A1 (en) * 2005-03-11 2006-09-14 Yung-Chang Liang Method and apparatus for securing a computer network
US20070036300A1 (en) * 2005-07-29 2007-02-15 Research In Motion Limited Device and method for generating user notifications associated with tasks that are pending completion
US20070067833A1 (en) * 2005-09-20 2007-03-22 Colnot Vincent C Methods and Apparatus for Enabling Secure Network-Based Transactions
US20070234061A1 (en) * 2006-03-30 2007-10-04 Teo Wee T System And Method For Providing Transactional Security For An End-User Device
US20090037976A1 (en) * 2006-03-30 2009-02-05 Wee Tuck Teo System and Method for Securing a Network Session
US7516476B1 (en) * 2003-03-24 2009-04-07 Cisco Technology, Inc. Methods and apparatus for automated creation of security policy
US7827611B2 (en) * 2001-08-01 2010-11-02 Mcafee, Inc. Malware scanning user interface for wireless devices

Family Cites Families (74)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0766864B2 (en) * 1989-07-28 1995-07-19 東芝ライテック株式会社 Discharge lamp lighting device
US7251637B1 (en) * 1993-09-20 2007-07-31 Fair Isaac Corporation Context vector generation and retrieval
JP2812312B2 (en) * 1996-01-12 1998-10-22 三菱電機株式会社 Encryption system
US5932976A (en) * 1997-01-14 1999-08-03 Matsushita Electric Works R&D Laboratory, Inc. Discharge lamp driving
US7418504B2 (en) * 1998-10-30 2008-08-26 Virnetx, Inc. Agile network protocol for secure communications using secure domain names
US6502135B1 (en) * 1998-10-30 2002-12-31 Science Applications International Corporation Agile network protocol for secure communications with assured system availability
US6988199B2 (en) * 2000-07-07 2006-01-17 Message Secure Secure and reliable document delivery
US6866581B2 (en) * 1999-09-24 2005-03-15 Igt Video gaming apparatus for wagering with universal computerized controller and I/O interface for unique architecture
US6757661B1 (en) * 2000-04-07 2004-06-29 Netzero High volume targeting of advertisements to user of online service
US20030159070A1 (en) * 2001-05-28 2003-08-21 Yaron Mayer System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
US20040034794A1 (en) * 2000-05-28 2004-02-19 Yaron Mayer System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
US7080407B1 (en) * 2000-06-27 2006-07-18 Cisco Technology, Inc. Virus detection and removal system and method for network-based systems
US7231606B2 (en) * 2000-10-31 2007-06-12 Software Research, Inc. Method and system for testing websites
US6968462B2 (en) * 2000-12-11 2005-11-22 International Business Machines Corporation Verifying physical universal serial bus keystrokes
WO2002071227A1 (en) * 2001-03-01 2002-09-12 Cyber Operations, Llc System and method for anti-network terrorism
US6732279B2 (en) * 2001-03-14 2004-05-04 Terry George Hoffman Anti-virus protection system and method
US7325193B2 (en) * 2001-06-01 2008-01-29 International Business Machines Corporation Automated management of internet and/or web site content
US20030002072A1 (en) * 2001-06-29 2003-01-02 Berkema Alan C. Print by reference communication methods for portable wireless device printing
US8429201B2 (en) * 2001-11-13 2013-04-23 International Business Machines Corporation Updating a database from a browser
US6871192B2 (en) * 2001-12-20 2005-03-22 Pace Anti-Piracy System and method for preventing unauthorized use of protected software utilizing a portable security device
US7096500B2 (en) * 2001-12-21 2006-08-22 Mcafee, Inc. Predictive malware scanning of internet data
US7269851B2 (en) * 2002-01-07 2007-09-11 Mcafee, Inc. Managing malware protection upon a computer network
US6772345B1 (en) * 2002-02-08 2004-08-03 Networks Associates Technology, Inc. Protocol-level malware scanner
EP2211520A3 (en) * 2002-02-14 2010-11-10 Avaya Inc. Presence and availability tracking
US7779062B2 (en) * 2004-08-18 2010-08-17 Ripple Effects Holdings Limited System for preventing keystroke logging software from accessing or identifying keystrokes
EP1349316A1 (en) * 2002-03-27 2003-10-01 BRITISH TELECOMMUNICATIONS public limited company Policy based system management
US7218066B2 (en) * 2002-07-22 2007-05-15 Koninklijke Philips Electronics N.V. Driver for a gas discharge lamp
US7249380B2 (en) * 2002-09-05 2007-07-24 Yinan Yang Method and apparatus for evaluating trust and transitivity of trust of online services
US7353533B2 (en) * 2002-12-18 2008-04-01 Novell, Inc. Administration of protection of data accessible by a mobile device
US7526800B2 (en) * 2003-02-28 2009-04-28 Novell, Inc. Administration of protection of data accessible by a mobile device
JP2006512205A (en) * 2002-12-23 2006-04-13 バルワー エス.アー.エス. Fluid dispenser member and dispenser having such member
US20040249974A1 (en) * 2003-03-31 2004-12-09 Alkhatib Hasan S. Secure virtual address realm
US7757291B2 (en) * 2003-09-15 2010-07-13 Trigence Corp. Malware containment by application encapsulation
US7366916B2 (en) * 2003-09-20 2008-04-29 Avaya Technology Corp. Method and apparatus for an encrypting keyboard
WO2005043360A1 (en) * 2003-10-21 2005-05-12 Green Border Technologies Systems and methods for secure client applications
US7949329B2 (en) * 2003-12-18 2011-05-24 Alcatel-Lucent Usa Inc. Network support for mobile handset anti-virus protection
FR2864655B1 (en) * 2003-12-31 2006-03-24 Trusted Logic METHOD OF CONTROLLING INTEGRITY OF PROGRAMS BY VERIFYING IMPRESSIONS OF EXECUTION TRACES
US20050183143A1 (en) * 2004-02-13 2005-08-18 Anderholm Eric J. Methods and systems for monitoring user, application or device activity
US20050229250A1 (en) * 2004-02-26 2005-10-13 Ring Sandra E Methodology, system, computer readable medium, and product providing a security software suite for handling operating system exploitations
US7484247B2 (en) * 2004-08-07 2009-01-27 Allen F Rozman System and method for protecting a computer system from malicious software
US20060036731A1 (en) * 2004-08-16 2006-02-16 Mossman Associates Novel method and system of keyless data entry and navigation in an online user interface console for preventing unauthorized data capture by stealth key logging spy programs
US7685640B2 (en) * 2004-09-21 2010-03-23 Agere Systems Inc. Methods and apparatus for interface adapter integrated virus protection
US7765410B2 (en) * 2004-11-08 2010-07-27 Microsoft Corporation System and method of aggregating the knowledge base of antivirus software applications
US7673341B2 (en) * 2004-12-15 2010-03-02 Microsoft Corporation System and method of efficiently identifying and removing active malware from a computer
US7627896B2 (en) * 2004-12-24 2009-12-01 Check Point Software Technologies, Inc. Security system providing methodology for cooperative enforcement of security policies during SSL sessions
US7539682B2 (en) * 2005-03-14 2009-05-26 Microsoft Corporation Multilevel secure database
JP4407556B2 (en) * 2005-03-29 2010-02-03 日本電気株式会社 Session relay apparatus, session relay method and program
US7975300B2 (en) * 2005-04-15 2011-07-05 Toshiba America Research, Inc. Secure isolation and recovery in wireless networks
US20060259967A1 (en) * 2005-05-13 2006-11-16 Microsoft Corporation Proactively protecting computers in a networking environment from malware
US8430300B2 (en) * 2005-05-26 2013-04-30 Codebroker, Llc Using validity events to control the use of coupons containing barcodes in mobile devices that display the barcodes for reading by barcode readers
US7591002B2 (en) * 2005-06-09 2009-09-15 Microsoft Corporation Conditional activation of security policies
JP4462119B2 (en) * 2005-06-10 2010-05-12 セイコーエプソン株式会社 Ballast and projector
US7757283B2 (en) * 2005-07-08 2010-07-13 Alcatel Lucent System and method for detecting abnormal traffic based on early notification
US7874001B2 (en) * 2005-07-15 2011-01-18 Microsoft Corporation Detecting user-mode rootkits
US7647636B2 (en) * 2005-08-24 2010-01-12 Microsoft Corporation Generic RootKit detector
US7725737B2 (en) * 2005-10-14 2010-05-25 Check Point Software Technologies, Inc. System and methodology providing secure workspace environment
US7716731B2 (en) * 2005-10-24 2010-05-11 Cisco Technology, Inc. Method for dynamically tunneling over an unreliable protocol or a reliable protocol, based on network conditions
US20070094496A1 (en) * 2005-10-25 2007-04-26 Michael Burtscher System and method for kernel-level pestware management
US8689016B2 (en) * 2005-12-02 2014-04-01 Google Inc. Tamper prevention and detection for video provided over a network to a client
US20070245343A1 (en) * 2005-12-30 2007-10-18 Marvin Shannon System and Method of Blocking Keyloggers
US20070162975A1 (en) * 2006-01-06 2007-07-12 Microsoft Corporation Efficient collection of data
US8566608B2 (en) * 2006-02-02 2013-10-22 Strikeforce Technologies, Inc. Methods and apparatus for securing keystrokes from being intercepted between the keyboard and a browser
US20070199044A1 (en) * 2006-02-17 2007-08-23 Samsung Electronics Co., Ltd. Systems and methods for distributed security policy management
US20070240212A1 (en) * 2006-03-30 2007-10-11 Check Point Software Technologies, Inc. System and Methodology Protecting Against Key Logger Spyware
EP2030486B1 (en) * 2006-05-31 2012-10-31 Koninklijke Philips Electronics N.V. Lamp driving circuit
US20080016339A1 (en) * 2006-06-29 2008-01-17 Jayant Shukla Application Sandbox to Detect, Remove, and Prevent Malware
US8769672B2 (en) * 2006-08-03 2014-07-01 Symantec Corporation Code injection prevention
US8869262B2 (en) * 2006-08-03 2014-10-21 Citrix Systems, Inc. Systems and methods for application based interception of SSL/VPN traffic
JP2010509718A (en) * 2006-11-09 2010-03-25 オスラム ゲゼルシャフト ミット ベシュレンクテル ハフツング Discharge lamp ignition circuit device
US7685179B2 (en) * 2007-03-13 2010-03-23 Microsoft Corporation Network flow for constrained replica placement
US8266671B2 (en) * 2007-08-02 2012-09-11 Alcatel Lucent Policy-enabled aggregation of IM user communities
US8918865B2 (en) * 2008-01-22 2014-12-23 Wontok, Inc. System and method for protecting data accessed through a network connection
WO2009094371A1 (en) * 2008-01-22 2009-07-30 Authentium, Inc. Trusted secure desktop
WO2009130994A1 (en) * 2008-04-24 2009-10-29 パナソニック電工株式会社 High voltage discharge lamp lighting device and light fixture

Patent Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5983348A (en) * 1997-09-10 1999-11-09 Trend Micro Incorporated Computer network malicious code scanner
US7086086B2 (en) * 1999-02-27 2006-08-01 Alonzo Ellis System and method for maintaining N number of simultaneous cryptographic sessions using a distributed computing environment
US20020029342A1 (en) * 2000-09-07 2002-03-07 Keech Winston Donald Systems and methods for identity verification for secure transactions
US7827611B2 (en) * 2001-08-01 2010-11-02 Mcafee, Inc. Malware scanning user interface for wireless devices
US20030079143A1 (en) * 2001-10-22 2003-04-24 Dean Mikel One pass security
US20030177389A1 (en) * 2002-03-06 2003-09-18 Zone Labs, Inc. System and methodology for security policy arbitration
US7516476B1 (en) * 2003-03-24 2009-04-07 Cisco Technology, Inc. Methods and apparatus for automated creation of security policy
US20050071282A1 (en) * 2003-09-29 2005-03-31 Lu Hongqian Karen System and method for preventing identity theft using a secure computing device
US20060010252A1 (en) * 2004-03-04 2006-01-12 Miltonberger Thomas W Geo-location and geo-compliance utilizing a client agent
US20050216957A1 (en) * 2004-03-25 2005-09-29 Banzhof Carl E Method and apparatus for protecting a remediated computer network from entry of a vulnerable computer system thereinto
US20060090196A1 (en) * 2004-10-21 2006-04-27 Van Bemmel Jeroen Method, apparatus and system for enforcing security policies
US20060143706A1 (en) * 2004-12-28 2006-06-29 Hitomi Kawasaki Security control apparatus, security control method, and storage medium
US20060185015A1 (en) * 2005-02-14 2006-08-17 International Business Machines Corporation Anti-virus fix for intermittently connected client computers
US20060206936A1 (en) * 2005-03-11 2006-09-14 Yung-Chang Liang Method and apparatus for securing a computer network
US20070036300A1 (en) * 2005-07-29 2007-02-15 Research In Motion Limited Device and method for generating user notifications associated with tasks that are pending completion
US20070067833A1 (en) * 2005-09-20 2007-03-22 Colnot Vincent C Methods and Apparatus for Enabling Secure Network-Based Transactions
US20070234061A1 (en) * 2006-03-30 2007-10-04 Teo Wee T System And Method For Providing Transactional Security For An End-User Device
US20090037976A1 (en) * 2006-03-30 2009-02-05 Wee Tuck Teo System and Method for Securing a Network Session

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Communication and Recovery Issues in Grid Environment"; Wenjie et al., Nov. 14-16, 2004; InfoSecu04 *
"Throttling Viruses: Restricting propagation to defeat malicious code"; Matthew M Williamson; IEEE, 2002 *

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8434148B2 (en) 2006-03-30 2013-04-30 Advanced Network Technology Laboratories Pte Ltd. System and method for providing transactional security for an end-user device
US20090037976A1 (en) * 2006-03-30 2009-02-05 Wee Tuck Teo System and Method for Securing a Network Session
US20110209222A1 (en) * 2006-03-30 2011-08-25 Safecentral, Inc. System and method for providing transactional security for an end-user device
US9112897B2 (en) 2006-03-30 2015-08-18 Advanced Network Technology Laboratories Pte Ltd. System and method for securing a network session
US20070234061A1 (en) * 2006-03-30 2007-10-04 Teo Wee T System And Method For Providing Transactional Security For An End-User Device
US20110035478A1 (en) * 2007-10-24 2011-02-10 Lantronix, Inc. Systems and methods for creation of reverse virtual internet protocol addresses
US8793353B2 (en) * 2007-10-24 2014-07-29 Lantronix, Inc. Systems and methods for creation of reverse virtual internet protocol addresses
US20090187991A1 (en) * 2008-01-22 2009-07-23 Authentium, Inc. Trusted secure desktop
US8225404B2 (en) 2008-01-22 2012-07-17 Wontok, Inc. Trusted secure desktop
US8918865B2 (en) 2008-01-22 2014-12-23 Wontok, Inc. System and method for protecting data accessed through a network connection
US8074263B1 (en) * 2008-06-30 2011-12-06 United Services Automobile Association Systems and methods for increased security during logging in to web site
US8065695B1 (en) * 2008-06-30 2011-11-22 United Services Automobile Association Systems and methods for increased security during logging in to web site
US8359639B1 (en) 2008-06-30 2013-01-22 United States Automobile Association (USAA) Systems and methods for increased security during logging in to web site
US8832803B1 (en) 2008-06-30 2014-09-09 United Services Automobile Association (Usaa) Systems and methods for increased security during logging in to web site
US8707437B1 (en) * 2011-04-18 2014-04-22 Trend Micro Incorporated Techniques for detecting keyloggers in computer systems
US8856875B2 (en) * 2011-07-25 2014-10-07 Intel Corporation Software delivery models
US20130031607A1 (en) * 2011-07-25 2013-01-31 Vikas Aditya Software delivery models
US20140215569A1 (en) * 2012-11-12 2014-07-31 Optim Corporation User terminal, unauthorized site information management server, and method and program for blocking unauthorized request
US9407657B2 (en) * 2012-11-12 2016-08-02 Optim Corporation User terminal, unauthorized site information management server, and method and program for blocking unauthorized request
US11075893B2 (en) * 2014-06-23 2021-07-27 Vmware, Inc. Cryptographic proxy service
US20160156642A1 (en) * 2014-12-02 2016-06-02 Wontok Inc. Security information and event management
US9509708B2 (en) * 2014-12-02 2016-11-29 Wontok Inc. Security information and event management
US20160330238A1 (en) * 2015-05-05 2016-11-10 Christopher J. HADNAGY Phishing-as-a-Service (PHaas) Used To Increase Corporate Security Awareness
US9635052B2 (en) * 2015-05-05 2017-04-25 Christopher J. HADNAGY Phishing as-a-service (PHaas) used to increase corporate security awareness
CN106254505A (en) * 2016-08-25 2016-12-21 厦门雅迅网络股份有限公司 A kind of system and method monitoring ftp server end files passe progress
CN107026863A (en) * 2017-04-13 2017-08-08 深信服科技股份有限公司 A kind of mobile terminal network partition method and system

Also Published As

Publication number Publication date
US20110209222A1 (en) 2011-08-25
US20070234061A1 (en) 2007-10-04
US8434148B2 (en) 2013-04-30
WO2007149140A3 (en) 2008-04-10
WO2007149140A2 (en) 2007-12-27

Similar Documents

Publication Publication Date Title
US8434148B2 (en) System and method for providing transactional security for an end-user device
US11604861B2 (en) Systems and methods for providing real time security and access monitoring of a removable media device
US8875272B2 (en) Firewall for controlling connections between a client machine and a network
US8800024B2 (en) System and method for host-initiated firewall discovery in a network environment
KR101568713B1 (en) System and method for interlocking a host and a gateway
US9356909B2 (en) System and method for redirected firewall discovery in a network environment
US9112897B2 (en) System and method for securing a network session
US9436820B1 (en) Controlling access to resources in a network
US9674173B2 (en) Automatic certificate enrollment in a special-purpose appliance
US9210128B2 (en) Filtering of applications for access to an enterprise network
CN114615328A (en) Safety access control system and method
US11595385B2 (en) Secure controlled access to protected resources
Hindocha et al. Malicious threats and vulnerabilities in instant messaging
US20090217375A1 (en) Mobile Data Handling Device
De Ryck et al. Eradicating bearer tokens for session management
US11757839B2 (en) Virtual private network application platform
Thangavel et al. Threats and vulnerabilities of mobile applications
Tesfaye An analysis of BYOD architectures in relation to mitigating security risks
Las Augmenting Perimeter Security Networks With Cisco Self-Defending Networks
Thurimella et al. Cloak and Dagger
Nandi 8 Cyber Security Trends
WO2009006003A9 (en) System and method for securing a network session

Legal Events

Date Code Title Description
AS Assignment

Owner name: AUTHENTIUM, INC., FLORIDA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SHARP, JOHN C.;FREERICKS, HELMUTH;KOUZNETSOV, OLEG;REEL/FRAME:021122/0556;SIGNING DATES FROM 20080603 TO 20080604

AS Assignment

Owner name: AUTHENTIUM, INC., FLORIDA

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE RECORDATION OF PAGE 2 THAT WAS OMITTED FROM INITIAL RECORDATION PREVIOUSLY RECORDED ON REEL 021122 FRAME 0556;ASSIGNORS:SHARP, JOHN C.;FREERICKS, HELMUTH;KOUZNETSOV, OLEG;REEL/FRAME:021237/0432;SIGNING DATES FROM 20080603 TO 20080604

AS Assignment

Owner name: SAFEGUARD DELAWARE, INC., DELAWARE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AUTHENTIUM, INC.;REEL/FRAME:021368/0144

Effective date: 20080730

AS Assignment

Owner name: SAFECENTRAL, INC., FLORIDA

Free format text: CHANGE OF NAME;ASSIGNOR:AUTHENTIUM, INC.;REEL/FRAME:025376/0553

Effective date: 20100903

AS Assignment

Owner name: WONTOK, INC., FLORIDA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SAFECENTRAL, INC.;REEL/FRAME:027424/0250

Effective date: 20110909

STCB Information on status: application discontinuation

Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION